This repository has been archived by the owner. It is now read-only.

gem 'gem_name', github: 'author/gem_name' produces insecure source URI #3324

Closed
vassilevsky opened this issue Dec 25, 2014 · 11 comments

Comments

vassilevsky (Contributor) commented Dec 25, 2014

Hello :)

I ran bundle-audit (https://github.com/rubysec/bundler-audit) against my app. It warned me about an insecure source URI for a gem. I examined my Gemfile and saw that I used the github: 'author/gem_name' option for this gem. As a result, Gemfile.lock had remote: git://github.com/author/gem_name.git. According to bundle-audit, it was insecure. I believe the corresponding check is here:

https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/scanner.rb#L72

I changed gem source to git: 'https://github.com/author/gem_name'. Ran bundle. The URI in Gemfile.lock changed to remote: https://github.com/inossidabile/wash_out. I ran bundle-audit again. All was clear.

Should I make changes to Bundler for it to use the secure URI by default?

Thanks!
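The warning described above comes from a scan of the `remote:` lines in Gemfile.lock. The following is an added example, not code from this thread, from Bundler or from bundler-audit: a minimal lockfile scanner that flags source URIs whose scheme gives no transport security, the kind of check behind the "Insecure Source URI" warning. The lockfile text, the host gems.example.internal and the function names are constructed for the example.

```ruby
# Added example, not code from this thread, from Bundler or from bundler-audit:
# a minimal Gemfile.lock scanner that flags source URIs whose scheme gives no
# transport security. The lockfile text below is constructed for the example.

# git:// and http:// carry no TLS, so a network attacker can substitute
# commits or gems in transit. Only the scheme is judged here.
INSECURE_SCHEMES = %w[git http].freeze

SAMPLE_LOCKFILE = <<~LOCK
  GIT
    remote: git://github.com/author/gem_name.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      gem_name (1.0.0)

  GIT
    remote: https://github.com/author/other_gem.git
    revision: fedcba9876543210fedcba9876543210fedcba98
    specs:
      other_gem (2.1.0)

  GEM
    remote: http://gems.example.internal/
    specs:
      some_gem (0.1.0)

  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)
LOCK

# Every GIT and GEM section of a lockfile names its source on a "remote:" line.
def remote_uris(lockfile_text)
  lockfile_text.each_line.map { |line| line[/^\s*remote:\s*(\S+)\s*$/, 1] }.compact
end

# Scheme of a URI string, lower-cased; nil for scp-style remotes such as
# git@github.com:author/gem_name.git, which have no scheme to judge.
def uri_scheme(raw)
  scheme = raw[/\A([a-z][a-z0-9+.\-]*):\/\//i, 1]
  scheme && scheme.downcase
end

# Remotes whose scheme is known to be insecure.
def insecure_remotes(lockfile_text)
  remote_uris(lockfile_text).select { |raw| INSECURE_SCHEMES.include?(uri_scheme(raw)) }
end

# The https:// form of a git:// or http:// remote, which is the change the
# thread recommends; anything else is returned unchanged.
def secure_equivalent(raw)
  return raw unless INSECURE_SCHEMES.include?(uri_scheme(raw))
  raw.sub(/\A[a-z]+:\/\//i, "https://")
end

# Report as [insecure_uri, suggested_replacement] pairs.
def scan_lockfile(lockfile_text)
  insecure_remotes(lockfile_text).map { |raw| [raw, secure_equivalent(raw)] }
end

if __FILE__ == $PROGRAM_NAME
  scan_lockfile(SAMPLE_LOCKFILE).each do |uri, fix|
    puts "Insecure Source URI found: #{uri}  (use #{fix})"
  end
end
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). Note that the check only looks at the scheme: an https:// remote pointing at a repository you do not control is still a supply-chain dependency, which is the separate concern the later commit message in this thread addresses by forking.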

TimMoore (Contributor) commented Dec 25, 2014

Hi @vassilevsky. Thanks for your offer to change this. We already have this change made on the 2-0-dev branch (see https://github.com/bundler/bundler/blob/2-0-dev/lib/bundler/dsl.rb#L233) but we can't change it in the 1.x series, because it breaks backward compatibility. Specifically, changing the URL in the lock file can break some deployment scenarios.

You can search in this issue tracker for a more detailed discussion... this has come up several times before.

TimMoore closed this Dec 25, 2014

vassilevsky (Contributor, Author) commented Dec 25, 2014

Thank you for the info. I did search issues and found nothing. I think my search skills ain't that mad :(

simi (Member) commented Dec 25, 2014

indirect (Member) commented Dec 25, 2014

@vassilevsky @simi I'm open to a pull request that adds a config flag to switch github to https, while we are waiting for 2.0 to be ready.

TimMoore (Contributor) commented Dec 26, 2014

I think a config flag might be kind of a hassle, because it would be easy to end up with a mismatch between development and production (or different development machines for that matter).

Now that you can define custom git source shortcuts, you can override the definition in the Gemfile, which I think is a better way to do it. We might want to consider changing the default Gemfile template to include the https override by default.

simi (Member) commented Dec 26, 2014

@TimMoore We are on the same page.

Something similar to the example below on top of the Gemfile should solve your problem for now @vassilevsky.

# Redefine the :github shortcut so it resolves to an https:// URL.
# The block receives the value of the github: option and its return
# value is used as the git: URL recorded in Gemfile.lock.
git_source(:github) do |repo_name|
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  "https://github.com/#{repo_name}.git"
end

You can find more information in the documentation in the "Custom git sources" and "Security" sections.
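To show what TimMoore's suggestion of overriding the shortcut in the Gemfile and simi's snippet above actually change, here is an added example that is not code from this thread and not Bundler's own DSL: a small emulation of the part of the Gemfile DSL that turns a shortcut option such as github: "author/gem_name" into a git: URL. The built-in :github shortcut in the emulation assumes the git:// form the thread reports for Bundler 1.x; the override at the top of GEMFILE_OVERRIDE is the fix simi proposes. The names MiniGemfile, resolved_git_urls and insecure_git_urls and both Gemfile texts are this example's own.

```ruby
# Added example, not code from this thread and not Bundler's own DSL: an
# emulation of the Gemfile DSL's git_source shortcut resolution. The default
# :github shortcut below assumes the git:// URL the thread reports for
# Bundler 1.x; MiniGemfile and the helper names are this example's own.
class MiniGemfile
  attr_reader :gems

  def initialize
    @gems = []
    @git_sources = {}
    # Assumed 1.x-era default: a bare "name" expands to "name/name" and the
    # resulting URL uses the unauthenticated git:// transport.
    git_source(:github) do |repo_name|
      repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
      "git://github.com/#{repo_name}.git"
    end
  end

  # Register a shortcut, or replace an existing one; the block receives the
  # option value and must return the git URL to use.
  def git_source(name, &block)
    @git_sources[name.to_sym] = block
  end

  # Record a gem, resolving any shortcut option to a concrete :git URL, which
  # is what ends up on the "remote:" line of Gemfile.lock.
  def gem(name, opts = {})
    opts = opts.dup
    @git_sources.each do |key, resolver|
      opts[:git] = resolver.call(opts.delete(key)) if opts.key?(key)
    end
    @gems << { name: name, git: opts[:git] }
  end

  # Evaluate Gemfile text with the DSL object as self, as Bundler does.
  def self.evaluate(gemfile_text)
    dsl = new
    dsl.instance_eval(gemfile_text, "Gemfile")
    dsl
  end
end

# Constructed Gemfiles. The single-quoted heredocs keep the #{} interpolation
# for the DSL to evaluate rather than this script.
GEMFILE_DEFAULT = <<~'GEMFILE'
  gem "gem_name", github: "author/gem_name"
GEMFILE

GEMFILE_OVERRIDE = <<~'GEMFILE'
  git_source(:github) do |repo_name|
    repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
    "https://github.com/#{repo_name}.git"
  end

  gem "gem_name", github: "author/gem_name"
  gem "other_gem", github: "other_gem"
GEMFILE

# [name, git_url] pairs as the lockfile would record them.
def resolved_git_urls(gemfile_text)
  MiniGemfile.evaluate(gemfile_text).gems.map { |g| [g[:name], g[:git]] }
end

# Pairs whose git URL does not use https://.
def insecure_git_urls(gemfile_text)
  resolved_git_urls(gemfile_text).reject { |_, url| url.to_s.start_with?("https://") }
end

if __FILE__ == $PROGRAM_NAME
  puts "default:  #{resolved_git_urls(GEMFILE_DEFAULT).inspect}"
  puts "override: #{resolved_git_urls(GEMFILE_OVERRIDE).inspect}"
end
```

Because the override lives in the Gemfile itself, every machine that bundles from it resolves the same https:// URL, which is the mismatch between development and production that a per-machine config flag would not rule out.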

TimMoore (Contributor) commented Dec 26, 2014

@vassilevsky here are some of the previous issues/pull requests where this has been discussed:

weakish commented Jan 2, 2015

@simi Why opts["git"]? bundler.io/git.html just uses https:// ...

RobeDevOps commented Jan 16, 2015

I have my own gem repository. When I run bundle-audit I see this:

Insecure Source URI found: http://gems.vc.datys.cu/
Unpatched versions found!

How do I solve this?

indirect (Member) commented Jan 16, 2015

@RobeDevOps this isn't a support forum, and we don't make bundle-audit. Try Stack Overflow.

vassilevsky (Contributor, Author) commented Jan 16, 2015

I'm pretty sure that you need to change the line to:

source 'https://gems.vc.datys.cu/'
pfac added a commit to semetpt/semet.pt that referenced this issue Feb 27, 2016
Why:

* CodeClimate marks the error `Insecure Source URI found:
git://github.com/middleman-contrib/middleman-deploy.git` in
`Gemfile.lock`. According to rubygems/bundler#3324 this happens because
the default for GitHub linked gems is to include the link using the
Git scheme.

This change addresses the problem by:

* Changing the `middleman-deploy` gem to be included using HTTPS.
pfac added a commit to semetpt/semet.pt that referenced this issue Feb 27, 2016
Why:

* CodeClimate marks the error `Insecure Source URI found:
git://github.com/middleman-contrib/middleman-deploy.git` in
`Gemfile.lock`. According to rubygems/bundler#3324 this happens because
the default for GitHub linked gems is to include the link using the
Git scheme.
* Since the `middleman-deploy` gem is not up to date, we need to use the
current version on master. Relying on someone else's repository directly
is brittle. We forked the repository for safety so we need to change it
to our branch.

This change addresses the problem by:

* Changing the `middleman-deploy` gem to be included from our repository
using HTTPS.
6 participants