
Treat internal git/http hosts as secure #90

Merged
merged 1 commit into from
Jun 1, 2015

Conversation

sds
Contributor

@sds sds commented Apr 22, 2015

Many organizations have references to internal git repositories in their
Gemfiles. Allow these repositories to be treated as safe since they
are resolvable only internally, and are controlled by the organization.

Closes #72

@sds
Contributor Author

sds commented Apr 22, 2015

The build failures are related to installing the i18n gem on EOLed versions of Ruby, and are unrelated to this change.

@retornam
Contributor

@sds please rebase your commit to kick off the travis test runs again. The i18n gem issue has been fixed.

@sds
Contributor Author

sds commented May 31, 2015

Thanks for the response, @retornam. I've rebased onto the latest master at time of writing (02de26e).

Many organizations have references to internal git repositories in their
`Gemfile`s. Allow these repositories to be treated as safe since they
are resolvable only internally, and are controlled by the organization.
@sds
Contributor Author

sds commented Jun 1, 2015

Incorporated feedback from @postmodern on https://github.com/sds/bundler-audit/commit/15957412f0c7b1d00b2dd7baac00b82c1d89d680 in d414a12, namely:

  • Split out internal_host? helper from internal_ip? to separate URI host lookup from IP subnet-checking logic.
  • Check all addresses returned by Resolv.getaddresses instead of just the first address returned by Resolv.getaddress

I also added support for IPv6 private addresses.
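The check described in this comment (a host helper on top of an IP-range helper, every resolved address must be private, IPv4 and IPv6 both handled), written out as an added example; this is not bundler-audit's code, and the `FakeResolver` and the hostnames in it are constructed so that it runs offline.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Constructed example, not bundler-audit's own code: RFC 1918 IPv4 ranges,
# IPv4 loopback, IPv6 unique-local (fc00::/7) and IPv6 loopback.
INTERNAL_RANGES = [
  IPAddr.new('10.0.0.0/8'),
  IPAddr.new('172.16.0.0/12'),
  IPAddr.new('192.168.0.0/16'),
  IPAddr.new('127.0.0.0/8'),
  IPAddr.new('fc00::/7'),
  IPAddr.new('::1/128')
].freeze

# Stand-in for Resolv so the example does not need network access; the
# lookup table is constructed for this example.
class FakeResolver
  def initialize(table)
    @table = table
  end

  def getaddresses(host)
    @table.fetch(host, [])
  end
end

# Subnet check only: true when the address string falls inside an internal range.
def internal_ip?(address)
  ip = IPAddr.new(address)
  INTERNAL_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  false
end

# URI host lookup: resolves the source host and treats it as internal only
# when every returned address is internal. A host with no addresses, or with
# any public address mixed in, is not internal (checking just the first
# address would miss the mixed case).
def internal_host?(uri_string, resolver: Resolv)
  host = URI.parse(uri_string).host
  return false if host.nil?
  addresses = resolver.getaddresses(host)
  return false if addresses.empty?
  addresses.all? { |addr| internal_ip?(addr) }
rescue URI::InvalidURIError
  false
end
```

With the default `resolver: Resolv` the lookup happens at check time, so the result reflects whatever DNS answers at that moment.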

postmodern added a commit that referenced this pull request Jun 1, 2015
Treat internal git/http hosts as secure
@postmodern postmodern merged commit 2c43a74 into rubysec:master Jun 1, 2015
@postmodern
Member

An aside, I really wish IPAddress provided a method for determining if an address is from one of the RFC1918 ranges. I recently had to build a list of non-routable address ranges.

@bhh

bhh commented Jun 1, 2015

As it seems, people are discussing that topic already in the ipaddress project: ipaddress-gem/ipaddress#54

@sds sds deleted the ignore-internal-ips branch June 5, 2015 17:30
Successfully merging this pull request may close these issues.

Whitelist insecure git sources if they are internal IPs