cocoapods-whitelist 0.5.3 → 0.5.5
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/Gemfile.lock +2 -1
- data/lib/cocoapods-whitelist/command/whitelist.rb +1 -3
- data/lib/cocoapods-whitelist/gem_version.rb +1 -1
- data/lib/cocoapods-whitelist/model/sources.rb +1 -1
- data/spec/mocks/allowed_with_granular.podspec +1 -0
- data/spec/mocks/not_allowed_with_granular_v2.podspec +13 -0
- data/spec/mocks/whitelist.json +23 -0
- data/spec/mocks/with_allowed_subspec_v2.podspec +14 -0
- data/spec/mocks/with_not_allowed_subspec_v2.podspec +14 -0
- data/spec/source_validator_spec.rb +6 -0
- data/spec/whitelist_resolver_spec.rb +1 -1
- data/spec/whitelist_spec.rb +34 -11
- metadata +15 -9
- /data/spec/mocks/{not_allowed_with_granular.podspec → not_allowed_with_granular_v1.podspec} +0 -0
- /data/spec/mocks/{with_allowed_subspec.podspec → with_allowed_subspec_v1.podspec} +0 -0
- /data/spec/mocks/{with_not_allowed_subspec.podspec → with_not_allowed_subspec_v1.podspec} +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: be3cc02cfe363851d3557978df76db710357563f06ccc737d92f1fb459551690
|
4
|
+
data.tar.gz: 7a4126cc964d3bfff3f72b021595158fd7c773cda14816921c6b98a81d09dc52
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: '04942cc1897281a5faaf62cb7c4ca472adc3fc9062e1c4584eb2947b94baa64c1d4b638831b3856cdc278a6cc5c716c9a49a9bc9ca77a5f1eb9c930231f6e452'
|
7
|
+
data.tar.gz: cd8c782f138e868610fe79f7ef9f009a8e478a14b08e90b6979e992c41f3c3227deaa65f99528adb8e04e8571b627f1c0fed45913eb66076c94d4cc4ccbe7771
|
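--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.5.5
+### Fixed
+- Update private source spec repo URL to prioritize private sources over public sources in order to address potential Dependency Confusion vulnerability.
+
+## 0.5.4
+### Fixed
+- Changed the way dependencies are comparing by name: using regex instead of compare against the beginning of name
+
 ## 0.5.3
 ### Changed
 - Get podspec specification functions changed to support KMP podspec path.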
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
cocoapods-whitelist (0.5.
|
4
|
+
cocoapods-whitelist (0.5.5)
|
5
5
|
|
6
6
|
GEM
|
7
7
|
remote: https://rubygems.org/
|
@@ -102,6 +102,7 @@ GEM
|
|
102
102
|
zeitwerk (2.6.12)
|
103
103
|
|
104
104
|
PLATFORMS
|
105
|
+
ruby
|
105
106
|
universal-darwin-22
|
106
107
|
|
107
108
|
DEPENDENCIES
|
@@ -3,8 +3,6 @@ require 'json'
|
|
3
3
|
require_relative '../client/whitelist_resolver'
|
4
4
|
require_relative '../model/validation_excluded'
|
5
5
|
|
6
|
-
POD_NAME_REGEX = /^([^\/]+)(?:\/.*)*$/
|
7
|
-
POD_BASE_REGEX_POSITION = 0
|
8
6
|
DEFAULT_WHITELIST_URL = "https://raw.githubusercontent.com/mercadolibre/mobile-dependencies_whitelist/master/ios-whitelist.json"
|
9
7
|
|
10
8
|
module Pod
|
@@ -90,7 +88,7 @@ module Pod
|
|
90
88
|
end
|
91
89
|
|
92
90
|
allowedDependency = whitelist.select { |item|
|
93
|
-
|
91
|
+
(/^#{item.name}/ =~ name) && (!item.version || versions.grep(/#{item.version}/).any?) && (item.target == 'production')
|
94
92
|
}
|
95
93
|
|
96
94
|
allowedDependency.each { |dependency|
|
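Review bot: The new match on line 91, `/^#{item.name}/ =~ name`, is anchored only at the start, so a whitelist entry such as `MercadoPagoSDKV4` (whitelist.json, new line 46) also accepts any pod whose name merely begins with it, and `^` matches at any line start rather than only at the start of the string. The mock data works around this by writing `$` into entry names (`AndesUI$`, new line 51), which pushes the anchoring burden onto every whitelist author. Requiring either a subspec separator or end of string after the entry keeps the `MeliSDK` → `MeliSDK/Error` case working while rejecting look-alike names: `(/\A#{item.name}(?:\/|\z)/ =~ name) && (!item.version || versions.grep(/#{item.version}/).any?) && (item.target == 'production')`. Because `item.name` and `item.version` are interpolated unescaped, the file fetched from DEFAULT_WHITELIST_URL is effectively a list of regexes, which is worth stating in a comment on that constant. The enclosing method starts before and ends after this hunk.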
@@ -0,0 +1,13 @@
|
|
1
|
+
Pod::Spec.new do |s|
|
2
|
+
s.name = "MLCommons"
|
3
|
+
s.version = "3.17.0"
|
4
|
+
s.summary = "Componente de search"
|
5
|
+
s.homepage = "http://www.mercadolibre.com.ar"
|
6
|
+
s.license = "none"
|
7
|
+
s.author = { "Mobile team" => "mobile@mercadolibre.com" }
|
8
|
+
s.platform = :ios, "7.0"
|
9
|
+
s.source = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
|
10
|
+
s.requires_arc = true
|
11
|
+
s.dependency 'AndesUI/SwiftUI', '~>5.1'
|
12
|
+
|
13
|
+
end
|
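--- a/data/spec/mocks/whitelist.json
+++ b/data/spec/mocks/whitelist.json
@@ -41,6 +41,29 @@
 "allows_granular_projects": [
 "MLSearch"
 ]
+},
+{
+"name": "MercadoPagoSDKV4",
+"version": null,
+"target": "production"
+},
+{
+"name": "AndesUI$",
+"version": "^~>5.[0-9]+$",
+"target": "production"
+},
+{
+"name": "AndesUI/(Core|AndesCoachmark|AndesBottomSheet|AndesDropdown|AndesTimePicker)",
+"version": "^~>5.[0-9]+$",
+"target": "production"
+},
+{
+"name": "AndesUI/SwiftUI",
+"version": "^~>5.[0-9]+$",
+"target": "production",
+"allows_granular_projects": [
+"MLSearch"
+]
 }
 ]
 }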
@@ -0,0 +1,14 @@
|
|
1
|
+
|
2
|
+
Pod::Spec.new do |s|
|
3
|
+
s.name = "MLSearch"
|
4
|
+
s.version = "3.17.0"
|
5
|
+
s.summary = "Componente de search"
|
6
|
+
s.homepage = "http://www.mercadolibre.com.ar"
|
7
|
+
s.license = "none"
|
8
|
+
s.author = { "Mobile team" => "mobile@mercadolibre.com" }
|
9
|
+
s.platform = :ios, "7.0"
|
10
|
+
s.source = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
|
11
|
+
s.requires_arc = true
|
12
|
+
s.dependency 'AndesUI/Core', '~>5.0'
|
13
|
+
|
14
|
+
end
|
@@ -0,0 +1,14 @@
|
|
1
|
+
|
2
|
+
Pod::Spec.new do |s|
|
3
|
+
s.name = "MLSearch"
|
4
|
+
s.version = "3.17.0"
|
5
|
+
s.summary = "Componente de search"
|
6
|
+
s.homepage = "http://www.mercadolibre.com.ar"
|
7
|
+
s.license = "none"
|
8
|
+
s.author = { "Mobile team" => "mobile@mercadolibre.com" }
|
9
|
+
s.platform = :ios, "7.0"
|
10
|
+
s.source = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
|
11
|
+
s.requires_arc = true
|
12
|
+
s.dependency 'AndesUI/Icons', '~>5.0'
|
13
|
+
|
14
|
+
end
|
@@ -68,5 +68,11 @@ describe SourceValidator do
|
|
68
68
|
|
69
69
|
filtered.size.should.equal 1
|
70
70
|
end
|
71
|
+
|
72
|
+
|
73
|
+
it 'private source repo should be valid' do
|
74
|
+
expected_sources = ["git@github.com:melisource/mobile-ios_specs.git"]
|
75
|
+
get_private_sources().should.equal expected_sources
|
76
|
+
end
|
71
77
|
end
|
72
78
|
end
|
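Review bot: The new example on lines 73-76 only pins the single private spec-repo URL returned by `get_private_sources`; the ordering the 0.5.5 changelog entry describes (private sources ahead of public ones) is not asserted in this hunk, and the `sources.rb` change it relates to is not part of this chunk, so I cannot tell whether ordering is covered elsewhere. Also, `get_private_sources()` takes no arguments, so the idiomatic call is `get_private_sources.should.equal expected_sources`. The enclosing `describe` block begins before the hunk.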
@@ -6,7 +6,7 @@ describe WhitelistResolver do
|
|
6
6
|
describe 'functionality' do
|
7
7
|
it 'whitelist should be loaded from an specific url' do
|
8
8
|
whitelist = WhitelistResolver.instance.get_whitelist(WHITELIST_PATH)
|
9
|
-
whitelist.size.should.equal
|
9
|
+
whitelist.size.should.equal 11
|
10
10
|
end
|
11
11
|
|
12
12
|
it 'if not URL is specified, whitelist comes from default URL' do
|
data/spec/whitelist_spec.rb
CHANGED
@@ -27,13 +27,13 @@ module Pod
|
|
27
27
|
lambda { command.run }.should.not.raise
|
28
28
|
end
|
29
29
|
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
30
|
+
it 'dependency with incorrect name should not be valid' do
|
31
|
+
# Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('Meli', '~>5.0')
|
32
|
+
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
33
|
+
specification = Pod::Specification.from_file('./spec/mocks/bad_name.podspec')
|
34
|
+
command.expects(:get_podspec_specifications).returns([specification])
|
35
|
+
lambda { command.run }.should.raise Informative
|
36
|
+
end
|
37
37
|
|
38
38
|
it 'not allowed dependency should not be valid' do
|
39
39
|
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
@@ -100,15 +100,15 @@ module Pod
|
|
100
100
|
it 'subspec dependency allowed in the whitelist should be valid' do
|
101
101
|
# Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('MeliSDK/Error')
|
102
102
|
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
103
|
-
specification = Pod::Specification.from_file('./spec/mocks/
|
103
|
+
specification = Pod::Specification.from_file('./spec/mocks/with_allowed_subspec_v1.podspec')
|
104
104
|
command.expects(:get_podspec_specifications).returns([specification])
|
105
105
|
lambda { command.run }.should.not.raise
|
106
106
|
end
|
107
107
|
|
108
|
-
it '
|
108
|
+
it 'dependency not allowed in the whitelist should not be valid' do
|
109
109
|
# Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('MyMeliSDK/Error')
|
110
110
|
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
111
|
-
specification = Pod::Specification.from_file('./spec/mocks/
|
111
|
+
specification = Pod::Specification.from_file('./spec/mocks/with_not_allowed_subspec_v1.podspec')
|
112
112
|
command.expects(:get_podspec_specifications).returns([specification])
|
113
113
|
lambda { command.run }.should.raise Informative
|
114
114
|
end
|
@@ -181,7 +181,30 @@ module Pod
|
|
181
181
|
|
182
182
|
it 'not allowed granular dependency should not be valid' do
|
183
183
|
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
184
|
-
specification = Pod::Specification.from_file('./spec/mocks/
|
184
|
+
specification = Pod::Specification.from_file('./spec/mocks/not_allowed_with_granular_v1.podspec')
|
185
|
+
command.expects(:get_podspec_specifications).returns([specification])
|
186
|
+
lambda { command.run }.should.raise Informative
|
187
|
+
end
|
188
|
+
|
189
|
+
it 'not allowed granular subspec dependency should not be valid' do
|
190
|
+
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
191
|
+
specification = Pod::Specification.from_file('./spec/mocks/not_allowed_with_granular_v2.podspec')
|
192
|
+
command.expects(:get_podspec_specifications).returns([specification])
|
193
|
+
lambda { command.run }.should.raise Informative
|
194
|
+
end
|
195
|
+
|
196
|
+
it 'subspec dependency allowed in the whitelist should be valid' do
|
197
|
+
# Whitelist: ('AndesUI/Core') | Podspec: ('AndesUI/Core')
|
198
|
+
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
199
|
+
specification = Pod::Specification.from_file('./spec/mocks/with_allowed_subspec_v2.podspec')
|
200
|
+
command.expects(:get_podspec_specifications).returns([specification])
|
201
|
+
lambda { command.run }.should.not.raise
|
202
|
+
end
|
203
|
+
|
204
|
+
it 'subspec dependency not allowed in the whitelist should not be valid' do
|
205
|
+
# Whitelist: ('AndesUI/Core') | Podspec: ('AndesUI/Icons')
|
206
|
+
command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
|
207
|
+
specification = Pod::Specification.from_file('./spec/mocks/with_not_allowed_subspec_v2.podspec')
|
185
208
|
command.expects(:get_podspec_specifications).returns([specification])
|
186
209
|
lambda { command.run }.should.raise Informative
|
187
210
|
end
|
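Review bot: The example added at new line 196, `it 'subspec dependency allowed in the whitelist should be valid' do`, reuses the description of the existing example at line 100, so a failure report cannot tell the `MeliSDK/Error` case from the `AndesUI/Core` one. Renaming the new one, e.g. `it 'granular subspec dependency allowed in the whitelist should be valid' do`, keeps reports unambiguous; the v1/v2 mock pairs are otherwise well separated. The first hunk's new 'dependency with incorrect name should not be valid' example loads `./spec/mocks/bad_name.podspec`, which does not appear in the portions of the metadata file list shown in this diff — worth confirming the mock is shipped with the gem. The enclosing `describe` begins before and ends after these hunks.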
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cocoapods-whitelist
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.5.
|
4
|
+
version: 0.5.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Mobile Team
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-04-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -75,17 +75,20 @@ files:
|
|
75
75
|
- spec/mocks/free_version.podspec
|
76
76
|
- spec/mocks/major_version_fixed.podspec
|
77
77
|
- spec/mocks/not_allowed.podspec
|
78
|
-
- spec/mocks/
|
78
|
+
- spec/mocks/not_allowed_with_granular_v1.podspec
|
79
|
+
- spec/mocks/not_allowed_with_granular_v2.podspec
|
79
80
|
- spec/mocks/whitelist.json
|
80
81
|
- spec/mocks/whitelist_with_expired_dependencies.json
|
81
82
|
- spec/mocks/whitelisted_podname.podspec
|
82
83
|
- spec/mocks/with_allowed_in_subspec.podspec
|
83
|
-
- spec/mocks/
|
84
|
+
- spec/mocks/with_allowed_subspec_v1.podspec
|
85
|
+
- spec/mocks/with_allowed_subspec_v2.podspec
|
84
86
|
- spec/mocks/with_expired_dependencies.podspec
|
85
87
|
- spec/mocks/with_fixed_version.podspec
|
86
88
|
- spec/mocks/with_more_than_one_version_in_subspec.podspec
|
87
89
|
- spec/mocks/with_not_allowed_in_subspec.podspec
|
88
|
-
- spec/mocks/
|
90
|
+
- spec/mocks/with_not_allowed_subspec_v1.podspec
|
91
|
+
- spec/mocks/with_not_allowed_subspec_v2.podspec
|
89
92
|
- spec/mocks/with_not_yet_expired_dependencies.podspec
|
90
93
|
- spec/mocks/with_similar_name_not_allowed.podspec
|
91
94
|
- spec/mocks/with_two_requirement.podspec
|
@@ -118,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
118
121
|
- !ruby/object:Gem::Version
|
119
122
|
version: '0'
|
120
123
|
requirements: []
|
121
|
-
rubygems_version: 3.
|
124
|
+
rubygems_version: 3.3.26
|
122
125
|
signing_key:
|
123
126
|
specification_version: 4
|
124
127
|
summary: A longer description of cocoapods-whitelist.
|
@@ -128,17 +131,20 @@ test_files:
|
|
128
131
|
- spec/mocks/free_version.podspec
|
129
132
|
- spec/mocks/major_version_fixed.podspec
|
130
133
|
- spec/mocks/not_allowed.podspec
|
131
|
-
- spec/mocks/
|
134
|
+
- spec/mocks/not_allowed_with_granular_v1.podspec
|
135
|
+
- spec/mocks/not_allowed_with_granular_v2.podspec
|
132
136
|
- spec/mocks/whitelist.json
|
133
137
|
- spec/mocks/whitelist_with_expired_dependencies.json
|
134
138
|
- spec/mocks/whitelisted_podname.podspec
|
135
139
|
- spec/mocks/with_allowed_in_subspec.podspec
|
136
|
-
- spec/mocks/
|
140
|
+
- spec/mocks/with_allowed_subspec_v1.podspec
|
141
|
+
- spec/mocks/with_allowed_subspec_v2.podspec
|
137
142
|
- spec/mocks/with_expired_dependencies.podspec
|
138
143
|
- spec/mocks/with_fixed_version.podspec
|
139
144
|
- spec/mocks/with_more_than_one_version_in_subspec.podspec
|
140
145
|
- spec/mocks/with_not_allowed_in_subspec.podspec
|
141
|
-
- spec/mocks/
|
146
|
+
- spec/mocks/with_not_allowed_subspec_v1.podspec
|
147
|
+
- spec/mocks/with_not_allowed_subspec_v2.podspec
|
142
148
|
- spec/mocks/with_not_yet_expired_dependencies.podspec
|
143
149
|
- spec/mocks/with_similar_name_not_allowed.podspec
|
144
150
|
- spec/mocks/with_two_requirement.podspec
|