cocoapods-whitelist 0.5.3 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df9811a2f73baf94fbffa4b66502c4b2d53235a661f29096662f5d3658584400
-  data.tar.gz: b8e55e5ea04eec1f3760ac15b0809d272ce723e18365bdc728abb01c01d1b206
+  metadata.gz: be3cc02cfe363851d3557978df76db710357563f06ccc737d92f1fb459551690
+  data.tar.gz: 7a4126cc964d3bfff3f72b021595158fd7c773cda14816921c6b98a81d09dc52
 SHA512:
-  metadata.gz: ef87c35379e76239424379d9225cd8646e90ad91b3963ad6d3ae8b0fbc5e435f648bd03d5107709f61be6ccf18f700b381dc837a03e0abddfc920d50d17e1766
-  data.tar.gz: 218f8ab7fc4d67148255629f519302f8c90716664f0fabe2f62e20bdd628ed2a056bc388c82052545ef8a378760e352d9d9d6ccf2e006fb2ab6a245e63acf81c
+  metadata.gz: '04942cc1897281a5faaf62cb7c4ca472adc3fc9062e1c4584eb2947b94baa64c1d4b638831b3856cdc278a6cc5c716c9a49a9bc9ca77a5f1eb9c930231f6e452'
+  data.tar.gz: cd8c782f138e868610fe79f7ef9f009a8e478a14b08e90b6979e992c41f3c3227deaa65f99528adb8e04e8571b627f1c0fed45913eb66076c94d4cc4ccbe7771

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.5.5
+### Fixed
+- Update private source spec repo URL to prioritize private sources over public sources in order to address potential Dependency Confusion vulnerability.
+
+## 0.5.4
+### Fixed
+- Changed the way dependencies are comparing by name: using regex instead of compare against the beginning of name
+
 ## 0.5.3
 ### Changed
 - Get podspec specification functions changed to support KMP podspec path.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cocoapods-whitelist (0.5.1)
+    cocoapods-whitelist (0.5.5)
 
 GEM
   remote: https://rubygems.org/
@@ -102,6 +102,7 @@ GEM
     zeitwerk (2.6.12)
 
 PLATFORMS
+  ruby
   universal-darwin-22
 
 DEPENDENCIES

data/lib/cocoapods-whitelist/command/whitelist.rb

@@ -3,8 +3,6 @@ require 'json'
 require_relative '../client/whitelist_resolver'
 require_relative '../model/validation_excluded'
 
-POD_NAME_REGEX = /^([^\/]+)(?:\/.*)*$/
-POD_BASE_REGEX_POSITION = 0
 DEFAULT_WHITELIST_URL = "https://raw.githubusercontent.com/mercadolibre/mobile-dependencies_whitelist/master/ios-whitelist.json"
 
 module Pod
@@ -90,7 +88,7 @@ module Pod
           end
 
           allowedDependency = whitelist.select { |item|
-            name.start_with?(item.name.match(POD_NAME_REGEX).captures[POD_BASE_REGEX_POSITION]) && (!item.version || versions.grep(/#{item.version}/).any?) && (item.target == 'production')
+            (/^#{item.name}/ =~ name) && (!item.version || versions.grep(/#{item.version}/).any?) && (item.target == 'production')
           }
 
           allowedDependency.each { |dependency|

data/lib/cocoapods-whitelist/gem_version.rb

@@ -1,3 +1,3 @@
 module CocoapodsWhitelist
-  VERSION = "0.5.3"
+  VERSION = "0.5.5"
 end

data/lib/cocoapods-whitelist/model/sources.rb

@@ -1,3 +1,3 @@
 def get_private_sources
-    [ "git@github.com:mercadolibre/mobile-ios_specs.git" ] 
+    [ "git@github.com:melisource/mobile-ios_specs.git" ] 
 end

data/spec/mocks/allowed_with_granular.podspec

@@ -9,5 +9,6 @@ Pod::Spec.new do |s|
   s.source       = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
   s.requires_arc = true
   s.dependency 'Analytics', '~>5.1'
+  s.dependency 'AndesUI/SwiftUI', '~>5.1'
 
 end

data/spec/mocks/not_allowed_with_granular_v2.podspec

@@ -0,0 +1,13 @@
+Pod::Spec.new do |s|
+  s.name         = "MLCommons"
+  s.version      = "3.17.0"
+  s.summary      = "Componente de search"
+  s.homepage     = "http://www.mercadolibre.com.ar"
+  s.license      = "none"
+  s.author       = { "Mobile team" => "mobile@mercadolibre.com" }
+  s.platform     = :ios, "7.0"
+  s.source       = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
+  s.requires_arc = true
+  s.dependency 'AndesUI/SwiftUI', '~>5.1'
+
+end

data/spec/mocks/whitelist.json

@@ -41,6 +41,29 @@
 			"allows_granular_projects": [
 				"MLSearch"
 			]
+		},
+		{
+			"name": "MercadoPagoSDKV4",
+			"version": null,
+			"target": "production"
+		},
+		{
+			"name": "AndesUI$",
+			"version": "^~>5.[0-9]+$",
+			"target": "production"
+		},
+		{
+			"name": "AndesUI/(Core|AndesCoachmark|AndesBottomSheet|AndesDropdown|AndesTimePicker)",
+			"version": "^~>5.[0-9]+$",
+			"target": "production"
+		},
+		{
+			"name": "AndesUI/SwiftUI",
+			"version": "^~>5.[0-9]+$",
+			"target": "production",
+			"allows_granular_projects": [
+				"MLSearch"
+			]
 		}
 	]
 }

data/spec/mocks/with_allowed_subspec_v2.podspec

@@ -0,0 +1,14 @@
+
+Pod::Spec.new do |s|
+  s.name         = "MLSearch"
+  s.version      = "3.17.0"
+  s.summary      = "Componente de search"
+  s.homepage     = "http://www.mercadolibre.com.ar"
+  s.license      = "none"
+  s.author       = { "Mobile team" => "mobile@mercadolibre.com" }
+  s.platform     = :ios, "7.0"
+  s.source       = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
+  s.requires_arc = true
+  s.dependency 'AndesUI/Core', '~>5.0'
+
+end

data/spec/mocks/with_not_allowed_subspec_v2.podspec

@@ -0,0 +1,14 @@
+
+Pod::Spec.new do |s|
+  s.name         = "MLSearch"
+  s.version      = "3.17.0"
+  s.summary      = "Componente de search"
+  s.homepage     = "http://www.mercadolibre.com.ar"
+  s.license      = "none"
+  s.author       = { "Mobile team" => "mobile@mercadolibre.com" }
+  s.platform     = :ios, "7.0"
+  s.source       = { :git => "git@github.com:mercadolibre/search-ios.git", :tag => s.version.to_s }
+  s.requires_arc = true
+  s.dependency 'AndesUI/Icons', '~>5.0'
+
+end

data/spec/source_validator_spec.rb

@@ -68,5 +68,11 @@ describe SourceValidator do
 
         filtered.size.should.equal 1
       end
+
+
+      it 'private source repo should be valid' do
+        expected_sources = ["git@github.com:melisource/mobile-ios_specs.git"]
+        get_private_sources().should.equal expected_sources
+      end
     end
 end

data/spec/whitelist_resolver_spec.rb

@@ -6,7 +6,7 @@ describe WhitelistResolver do
     describe 'functionality' do
         it 'whitelist should be loaded from an specific url' do
             whitelist = WhitelistResolver.instance.get_whitelist(WHITELIST_PATH)
-            whitelist.size.should.equal 7
+            whitelist.size.should.equal 11
         end
         
         it 'if not URL is specified, whitelist comes from default URL' do

data/spec/whitelist_spec.rb

@@ -27,13 +27,13 @@ module Pod
         lambda { command.run }.should.not.raise
       end
 
-      # it 'dependency with incorrect name should not be valid' do
-      #   # Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('Meli', '~>5.0')
-      #   command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
-      #   specification = Pod::Specification.from_file('./spec/mocks/bad_name.podspec')
-      #   command.expects(:get_podspec_specifications).returns([specification])
-      #   lambda { command.run }.should.raise Informative
-      # end
+      it 'dependency with incorrect name should not be valid' do
+        # Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('Meli', '~>5.0')
+        command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
+        specification = Pod::Specification.from_file('./spec/mocks/bad_name.podspec')
+        command.expects(:get_podspec_specifications).returns([specification])
+        lambda { command.run }.should.raise Informative
+      end
 
       it 'not allowed dependency should not be valid' do
         command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
@@ -100,15 +100,15 @@ module Pod
       it 'subspec dependency allowed in the whitelist should be valid' do
         # Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('MeliSDK/Error')
         command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
-        specification = Pod::Specification.from_file('./spec/mocks/with_allowed_subspec.podspec')
+        specification = Pod::Specification.from_file('./spec/mocks/with_allowed_subspec_v1.podspec')
         command.expects(:get_podspec_specifications).returns([specification])
         lambda { command.run }.should.not.raise
       end
 
-      it 'subspec dependency not allowed in the whitelist should not be valid' do
+      it 'dependency not allowed in the whitelist should not be valid' do
         # Whitelist: ('MeliSDK', '~>5.*') | Podspec: ('MyMeliSDK/Error')
         command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
-        specification = Pod::Specification.from_file('./spec/mocks/with_not_allowed_subspec.podspec')
+        specification = Pod::Specification.from_file('./spec/mocks/with_not_allowed_subspec_v1.podspec')
         command.expects(:get_podspec_specifications).returns([specification])
         lambda { command.run }.should.raise Informative
       end
@@ -181,7 +181,30 @@ module Pod
 
       it 'not allowed granular dependency should not be valid' do
         command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
-        specification = Pod::Specification.from_file('./spec/mocks/not_allowed_with_granular.podspec')
+        specification = Pod::Specification.from_file('./spec/mocks/not_allowed_with_granular_v1.podspec')
+        command.expects(:get_podspec_specifications).returns([specification])
+        lambda { command.run }.should.raise Informative
+      end
+
+      it 'not allowed granular subspec dependency should not be valid' do
+        command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
+        specification = Pod::Specification.from_file('./spec/mocks/not_allowed_with_granular_v2.podspec')
+        command.expects(:get_podspec_specifications).returns([specification])
+        lambda { command.run }.should.raise Informative
+      end
+
+      it 'subspec dependency allowed in the whitelist should be valid' do
+        # Whitelist: ('AndesUI/Core') | Podspec: ('AndesUI/Core')
+        command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
+        specification = Pod::Specification.from_file('./spec/mocks/with_allowed_subspec_v2.podspec')
+        command.expects(:get_podspec_specifications).returns([specification])
+        lambda { command.run }.should.not.raise
+      end
+
+      it 'subspec dependency not allowed in the whitelist should not be valid' do
+        # Whitelist: ('AndesUI/Core') | Podspec: ('AndesUI/Icons')
+        command = Command.parse(['whitelist', "--config=#{WHITELIST_FILE}", "--fail-on-error"])
+        specification = Pod::Specification.from_file('./spec/mocks/with_not_allowed_subspec_v2.podspec')
         command.expects(:get_podspec_specifications).returns([specification])
         lambda { command.run }.should.raise Informative
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cocoapods-whitelist
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.5
 platform: ruby
 authors:
 - Mobile Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-16 00:00:00.000000000 Z
+date: 2024-04-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -75,17 +75,20 @@ files:
 - spec/mocks/free_version.podspec
 - spec/mocks/major_version_fixed.podspec
 - spec/mocks/not_allowed.podspec
-- spec/mocks/not_allowed_with_granular.podspec
+- spec/mocks/not_allowed_with_granular_v1.podspec
+- spec/mocks/not_allowed_with_granular_v2.podspec
 - spec/mocks/whitelist.json
 - spec/mocks/whitelist_with_expired_dependencies.json
 - spec/mocks/whitelisted_podname.podspec
 - spec/mocks/with_allowed_in_subspec.podspec
-- spec/mocks/with_allowed_subspec.podspec
+- spec/mocks/with_allowed_subspec_v1.podspec
+- spec/mocks/with_allowed_subspec_v2.podspec
 - spec/mocks/with_expired_dependencies.podspec
 - spec/mocks/with_fixed_version.podspec
 - spec/mocks/with_more_than_one_version_in_subspec.podspec
 - spec/mocks/with_not_allowed_in_subspec.podspec
-- spec/mocks/with_not_allowed_subspec.podspec
+- spec/mocks/with_not_allowed_subspec_v1.podspec
+- spec/mocks/with_not_allowed_subspec_v2.podspec
 - spec/mocks/with_not_yet_expired_dependencies.podspec
 - spec/mocks/with_similar_name_not_allowed.podspec
 - spec/mocks/with_two_requirement.podspec
@@ -118,7 +121,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.9
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: A longer description of cocoapods-whitelist.
@@ -128,17 +131,20 @@ test_files:
 - spec/mocks/free_version.podspec
 - spec/mocks/major_version_fixed.podspec
 - spec/mocks/not_allowed.podspec
-- spec/mocks/not_allowed_with_granular.podspec
+- spec/mocks/not_allowed_with_granular_v1.podspec
+- spec/mocks/not_allowed_with_granular_v2.podspec
 - spec/mocks/whitelist.json
 - spec/mocks/whitelist_with_expired_dependencies.json
 - spec/mocks/whitelisted_podname.podspec
 - spec/mocks/with_allowed_in_subspec.podspec
-- spec/mocks/with_allowed_subspec.podspec
+- spec/mocks/with_allowed_subspec_v1.podspec
+- spec/mocks/with_allowed_subspec_v2.podspec
 - spec/mocks/with_expired_dependencies.podspec
 - spec/mocks/with_fixed_version.podspec
 - spec/mocks/with_more_than_one_version_in_subspec.podspec
 - spec/mocks/with_not_allowed_in_subspec.podspec
-- spec/mocks/with_not_allowed_subspec.podspec
+- spec/mocks/with_not_allowed_subspec_v1.podspec
+- spec/mocks/with_not_allowed_subspec_v2.podspec
 - spec/mocks/with_not_yet_expired_dependencies.podspec
 - spec/mocks/with_similar_name_not_allowed.podspec
 - spec/mocks/with_two_requirement.podspec