From d6e81e47bbca12e711074752e6cecc83f40accfa Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Mon, 22 Jan 2018 12:07:11 +0100
Subject: [PATCH] gitlab-ci: error if apps use insecure plain HTTP gradle repositories

It is very easy to mess up and include plain HTTP URLs for gradle repositories, which can lead to gradle downloading code from HTTP and immediately executing it. The fix is almost always changing "http:" to "https:".

https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer
---
 .gitlab-ci.yml | 1 +
 tools/audit-gradle.py | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100755 tools/audit-gradle.py

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 86481da815..e87a5b35cf 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,6 +18,7 @@ lint:
 export CHANGED="$CHANGED $appid";
 grep -q "^Repo *Type\W *git" $f && git -C build clone `sed -n "s,^Repo *:,,p" $f` $appid;
 done;
+./tools/audit-gradle.py $CHANGED;
 fi
 - export EXITVALUE=0
 - fdroid lint -f $CHANGED || {
diff --git a/tools/audit-gradle.py b/tools/audit-gradle.py
new file mode 100755
index 0000000000..a001d3c64f
--- /dev/null
+++ b/tools/audit-gradle.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+
+import os
+import re
+import sys
+
+# find all repositories that use plain HTTP urls (e.g. not HTTPS)
+url_pattern = re.compile('repositories\s*{[^}]*http://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+[^}]*}', re.DOTALL)
+
+exit_value = 0
+for appid in sys.argv:
+    gitdir = os.path.join('build', appid)
+    if not os.path.isdir(gitdir):
+        continue
+    for root, dirs, files in os.walk(gitdir):
+        for f in files:
+            if f.endswith('.gradle'):
+                path = os.path.join(root, f)
+                with open(path) as fp:
+                    data = fp.read()
+                for url in url_pattern.findall(data):
+                    print('Found plain HTTP URL for gradle repository:\n%s\n%s'
+                          % (path, url))
+                    exit_value += 1
+
+if exit_value:
+    print('gradle build uses plain HTTP URLs for repositories! This is insecure!')
+    print('https://max.computer/blog/how-to-take-over-the-computer-of-any-java-or-clojure-or-scala-developer/')
+sys.exit(exit_value)
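Review bot: The `[^}]*` that `url_pattern` places between `repositories\s*{` and `http://` cannot cross a closing brace, so a `repositories` block whose plain-HTTP `maven { url ... }` entry comes after an already-closed nested block (a common layout with several `maven { }` entries) is silently missed, which defeats the purpose of the check; in the same pattern `[$-_@.&+]` is a range from `$` to `_` rather than the three literal characters it reads as, and the non-raw string relies on invalid escapes such as `\s` and `\(`. Two smaller defects in the same hunk: `for appid in sys.argv:` also iterates the script path itself (only harmless because `build/./tools/audit-gradle.py` is never a directory), and `sys.exit(exit_value)` is truncated to 8 bits by the shell, so exactly 256 findings would exit 0 and let the job pass; `for appid in sys.argv[1:]:` and `sys.exit(1 if exit_value else 0)` fix both. `open(path)` decodes with the locale encoding, so on a CI runner with a C/POSIX locale any non-ASCII gradle file raises UnicodeDecodeError and aborts the whole audit instead of reporting; `open(path, encoding='utf-8', errors='replace')` keeps it running. The sketch below finds each `repositories` block by counting braces and then searches it with a raw-string URL pattern; note that Kotlin DSL build files (`*.gradle.kts`) still fall through the `.gradle` suffix check and probably deserve the same scan.
```python
# find all repositories that use plain HTTP urls (e.g. not HTTPS)
REPOSITORIES_START = re.compile(r'\brepositories\s*\{')
# `-` is last so it is a literal hyphen, not the `$-_` range of the original
HTTP_URL = re.compile(r'http://[A-Za-z0-9$_@.&+!*(),%/:?=~-]+')


def repositories_blocks(data):
    """Yield each `repositories { ... }` block, nested braces included."""
    for m in REPOSITORIES_START.finditer(data):
        depth, pos = 1, m.end()
        while pos < len(data) and depth:
            depth += {'{': 1, '}': -1}.get(data[pos], 0)
            pos += 1
        yield data[m.start():pos]


exit_value = 0
for appid in sys.argv[1:]:
    # … unchanged: build/<appid> check and os.walk over *.gradle files …
                with open(path, encoding='utf-8', errors='replace') as fp:
                    data = fp.read()
                for block in repositories_blocks(data):
                    for url in HTTP_URL.findall(block):
                        print('Found plain HTTP URL for gradle repository:\n%s\n%s'
                              % (path, url))
                        exit_value += 1

# … unchanged: final warning messages …
sys.exit(1 if exit_value else 0)
```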