Allow for ignoring insecure sources.

Ignoring internal sources is already supported with a fixed IP whitelist, but this doesn't support cases where an internal source doesn't fall within those IPs blocks. This change allows specific hostnames to be ignored.
rubysec · Mar 1, 2018 · cb7e5b3 · cb7e5b3
1 parent b84d88f
commit cb7e5b3
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/lib/bundler/audit/scanner.rb b/lib/bundler/audit/scanner.rb
@@ -99,18 +99,21 @@ def scan(options={},&block)
       def scan_sources(options={})
         return enum_for(__method__,options) unless block_given?
 
+        ignore = Set[]
+        ignore += options[:ignore] if options[:ignore]
+
         @lockfile.sources.map do |source|
           case source
           when Source::Git
             case source.uri
             when /^git:/, /^http:/
-              unless internal_source?(source.uri)
+              unless internal_source?(source.uri) || ignore.include?(source.uri)
                 yield InsecureSource.new(source.uri)
               end
             end
           when Source::Rubygems
             source.remotes.each do |uri|
-              if (uri.scheme == 'http' && !internal_source?(uri))
+              if (uri.scheme == 'http' && !internal_source?(uri)) && !ignore.include?(uri.to_s)
                 yield InsecureSource.new(uri.to_s)
               end
             end

diff --git a/spec/bundle/insecure_sources/Gemfile b/spec/bundle/insecure_sources/Gemfile
@@ -1,6 +1,6 @@
 source 'http://rubygems.org'
 
-gem 'rails', '3.2.12'
+gem 'rails', '~> 4.2.7.1'
 
 # Bundle edge Rails instead:
 # gem 'rails', :git => 'git://github.com/rails/rails.git'
@@ -20,8 +20,7 @@ group :assets do
   # gem 'uglifier', '>= 1.0.3'
 end
 
-gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git',
-                    :tag => 'v2.2.1'
+gem 'jquery-rails', :git => 'git://github.com/rails/jquery-rails.git'
 
 # To use ActiveModel has_secure_password
 # gem 'bcrypt-ruby', '~> 3.0.0'

diff --git a/spec/scanner_spec.rb b/spec/scanner_spec.rb
@@ -41,7 +41,7 @@
 
       it "should ignore the specified advisories" do
         ids = subject.map { |result| result.advisory.id }
-        
+
         expect(ids).not_to include('OSVDB-89026')
       end
     end
@@ -58,6 +58,14 @@
       expect(subject[0].source).to eq('git://github.com/rails/jquery-rails.git')
       expect(subject[1].source).to eq('http://rubygems.org/')
     end
+
+    context "when ignoring insecure sources" do
+      subject { scanner.scan(:ignore => ['http://rubygems.org/', 'git://github.com/rails/jquery-rails.git']).to_a }
+
+      it "should print nothing when otherwise fine" do
+        expect(subject).to be_empty
+      end
+    end
   end
 
   context "when auditing a secure bundle" do