In this particular case bandit was complaining about potential path
escape exploits on urlopen. However the urls are safe enough, because
all template parameters inserted into the url are from:
* config.yml - malicious changes to config.yml would already be a lot
bigger issue than redirecting github api calls.
* git tags which are present in both the local index-v2.json file (as
versionName) and the remote github API. (git tags don't allow the
string '..')
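The reasoning above (only config.yml values and git tag names, which cannot contain '..', are interpolated into the URL) can be made an explicit check rather than an implicit assumption. The following is an added example, not fdroidserver's own code: `is_valid_git_tag` and `release_url` are hypothetical names, and the API URL layout and the percent-encoding of the tag are assumptions.

```python
import re
import urllib.parse

GITHUB_API = "https://api.github.com"  # assumed base; fdroidserver's real URL building may differ

# Subset of the rules git itself enforces on ref names (git-check-ref-format):
# control characters, space, and ~ ^ : ? * [ \ are never allowed anywhere.
_FORBIDDEN_CHARS = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_valid_git_tag(name: str) -> bool:
    """Return True only if git would accept `name` as a tag name."""
    if not name or name == "@" or name.endswith(".") or name.endswith("/"):
        return False
    if name.startswith("/") or "//" in name or ".." in name or "@{" in name:
        return False
    if _FORBIDDEN_CHARS.search(name):
        return False
    # No slash-separated component may start with "." or end with ".lock".
    return all(
        not part.startswith(".") and not part.endswith(".lock")
        for part in name.split("/")
    )


def release_url(owner: str, repo: str, tag: str):
    """Build the GitHub API URL for a release looked up by tag.

    Returns the URL, or None if any component could escape the intended
    /repos/<owner>/<repo>/releases/tags/ path. `owner` and `repo` are assumed
    to come from config.yml, `tag` from index-v2.json's versionName.
    """
    for part in (owner, repo):
        if part in (".", "..") or not re.fullmatch(r"[A-Za-z0-9_.-]+", part):
            return None
    if not is_valid_git_tag(tag):
        return None
    # Percent-encode the tag so even a "/" inside a tag name stays one segment.
    encoded_tag = urllib.parse.quote(tag, safe="")
    url = f"{GITHUB_API}/repos/{owner}/{repo}/releases/tags/{encoded_tag}"
    # Belt and braces: the resulting URL must still sit under the API base.
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or parsed.netloc != "api.github.com":
        return None
    if not parsed.path.startswith(f"/repos/{owner}/{repo}/releases/tags/"):
        return None
    return url
```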
Don't deploy versions to GitHub releases where a `releaseChannels`
value is set in index-v2.json. (This usually would mean it's an alpha or
beta version.)
Use whatsNew text (if available) as release notes text when deploying to
GitHub releases. This feature will always use 'en-US' locale texts,
since English is the lingua franca on GitHub. Additionally this change
also adds a config option to prepend a static text to those release
notes.
There is no longer any reason for these to be intertwined.
This deliberately avoids touching some files as much as possible because
they are super tangled and due to be replaced. Those files are:
* fdroidserver/build.py
* fdroidserver/update.py
# Conflicts:
# tests/testcommon.py
# Conflicts:
# fdroidserver/btlog.py
# fdroidserver/import_subcommand.py
For some APKs, get_certificate() was returning a different result than
apksigner and keytool. So I just took the algorithm from androguard, which
uses asn1crypto instead of pyasn1. So that removes a dependency as well.
asn1crypto is already required by androguard.
The original get_certificate() came from 6e2d0a9e1
androguard 4.1 uses a new lib called apkInspector instead of zipfile.ZipFile
so that it can handle usable but invalid ZIP files. It will also throw
ValueError on some things, for example:
Traceback (most recent call last):
File "/builds/eighthave/fdroidserver/fdroidserver-2.3a0/tests/update.TestCase", line 878, in test_scan_apk_bad_zip
fdroidserver.update.scan_apk(apkfile)
File "/builds/eighthave/fdroidserver/fdroidserver-2.3a0/fdroidserver/update.py", line 1586, in scan_apk
scan_apk_androguard(apk, apk_file)
File "/builds/eighthave/fdroidserver/fdroidserver-2.3a0/fdroidserver/update.py", line 1725, in scan_apk_androguard
apkobject = common.get_androguard_APK(apkfile)
File "/builds/eighthave/fdroidserver/fdroidserver-2.3a0/fdroidserver/common.py", line 2673, in get_androguard_APK
return APK(apkfile)
File "/usr/local/lib/python3.10/dist-packages/androguard/core/apk/__init__.py", line 273, in __init__
self.zip = ZipEntry.parse(filename, False)
File "/usr/local/lib/python3.10/dist-packages/apkInspector/headers.py", line 410, in parse
eocd = EndOfCentralDirectoryRecord.parse(apk_file)
File "/usr/local/lib/python3.10/dist-packages/apkInspector/headers.py", line 59, in parse
raise ValueError("End of central directory record (EOCD) signature not found")
ValueError: End of central directory record (EOCD) signature not found
/usr/lib/python3/dist-packages/androguard/core/bytecodes/apk.py:884: DeprecationWarning: This method is deprecated since 3.3.5.
It was added in 3.3.5. Debian/bullseye and Ubuntu/20.04/focal both include
new enough versions. Debian/buster's is too old (3.3.3).
This also makes androguard a hard requirement, which has been true for a
while anyway. So the code that handles androguard as an optional
requirement is removed. androguard from Debian/buster is new enough, so
this does not seem like it will cause any problems.