gem 'gem_name', github: 'author/gem_name' produces insecure source URI #3324
Comments
Hi @vassilevsky. Thanks for your offer to change this. We already have this change made on the 2-0-dev branch (see https://github.com/bundler/bundler/blob/2-0-dev/lib/bundler/dsl.rb#L233) but we can't change it in the 1.x series, because it breaks backward compatibility. Specifically, changing the URL in the lock file can break some deployment scenarios. You can search in this issue tracker for a more detailed discussion... this has come up several times before.
Thank you for the info. I did search issues and found nothing. I think my search skills ain't that mad :(
@vassilevsky check 29fc6b5
@vassilevsky @simi I'm open to a pull request that adds a config flag to switch github to https, while we are waiting for 2.0 to be ready.
I think a config flag might be kind of a hassle, because it would be easy to end up with a mismatch between development and production (or different development machines for that matter). Now that you can define custom git source shortcuts, you can override the definition in the
@TimMoore We are on the same page. Something similar to the example below on top of the Gemfile should solve your problem for now @vassilevsky.

```ruby
# Override Bundler's built-in :github shortcut so it expands to an https:// URL
# instead of git://. Must appear before any gem lines that use `github:`.
git_source(:github) do |repo_name|
  # "rails" -> "rails/rails", matching Bundler's own shorthand behaviour
  repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
  # The block's return value becomes the gem's :git URL
  "https://github.com/#{repo_name}.git"
end
```

You can find more information in the documentation in the "Custom git sources" and "Security" sections.
@vassilevsky here are some of the previous issues/pull requests where this has been discussed:
@simi Why
I have my own gem repository. When I run
Insecure Source URI found: http://gems.vc.datys.cu/
Unpatched versions found!
How do I solve this?
@RobeDevOps this isn't a support forum, and we don't make
I'm pretty sure that you need to change the line to: source 'https://gems.vc.datys.cu/'
Why:
* CodeClimate marks the error `Insecure Source URI found: git://github.com/middleman-contrib/middleman-deploy.git` in `Gemfile.lock`. According to rubygems/bundler#3324 this happens because the default for GitHub linked gems is to include the link using the Git scheme.
This change addresses the problem by:
* Changing the `middleman-deploy` gem to be included using HTTPS.
Why:
* CodeClimate marks the error `Insecure Source URI found: git://github.com/middleman-contrib/middleman-deploy.git` in `Gemfile.lock`. According to rubygems/bundler#3324 this happens because the default for GitHub linked gems is to include the link using the Git scheme.
* Since the `middleman-deploy` gem is not up to date, we need to use the current version on master. Relying on someone else's repository directly is brittle. We forked the repository for safety so we need to change it to our branch.
This change addresses the problem by:
* Changing the `middleman-deploy` gem to be included from our repository using HTTPS.
Hello :)
I ran bundle-audit (https://github.com/rubysec/bundler-audit) against my app. It warned me about an insecure source URI for a gem. I examined my Gemfile and saw that I used the `github: 'author/gem_name'` option for this gem. As a result, Gemfile.lock had `remote: git://github.com/author/gem_name.git`. According to bundle-audit, it was insecure. I believe the corresponding check is here: https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/scanner.rb#L72
I changed gem source to `git: 'https://github.com/author/gem_name'`. Ran bundle. The URI in Gemfile.lock changed to `remote: https://github.com/inossidabile/wash_out`. I ran bundle-audit again. All was clear. Should I make changes to Bundler for it to use the secure URI by default?
Thanks!
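The kind of check bundle-audit performs on the lock file, as an added example that is neither bundler-audit's code nor Bundler's: it scans every `remote:` line in a Gemfile.lock for an unencrypted scheme (`git://` or `http://`) and shows the `https://` equivalent. The lock file contents are constructed for the example, and the https rewrite for non-GitHub hosts is only a suggestion (the host may not serve it).

```ruby
require "uri"

# Constructed sample lock file: one git:// GitHub remote (what `github:` produced
# in Bundler 1.x), one plain-http gem source, and one https source that should pass.
SAMPLE_LOCK = <<~LOCK
  GIT
    remote: git://github.com/author/gem_name.git
    revision: 0123456789abcdef0123456789abcdef01234567
    specs:
      gem_name (0.1.0)

  GEM
    remote: http://gems.example.test/
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)

  PLATFORMS
    ruby
LOCK

# Schemes with no transport encryption; a MITM can substitute gem contents.
INSECURE_SCHEMES = %w[git http].freeze

# Returns one { uri:, scheme:, fix: } hash per remote using an insecure scheme.
def insecure_sources(lock_text)
  lock_text.each_line.filter_map do |line|
    next unless (m = line.match(/^\s*remote:\s*(\S+)/))
    uri = URI.parse(m[1])
    next unless INSECURE_SCHEMES.include?(uri.scheme)
    { uri: uri.to_s, scheme: uri.scheme, fix: https_equivalent(uri) }
  end
end

# Same host and path, https:// scheme. Exact for github.com; for other hosts
# it is only a suggestion to verify.
def https_equivalent(uri)
  uri.to_s.sub(%r{\A#{Regexp.escape(uri.scheme)}://}, "https://")
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  insecure_sources(text).each do |f|
    puts "Insecure Source URI found: #{f[:uri]} (use #{f[:fix]})"
  end
end
```

Run it with the path to a real Gemfile.lock as the first argument to check your own project.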