mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-07 07:50:28 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions
6897 commits 1 branch 69 tags 38 MiB
Commit graph

3118 commits

Author SHA1 Message Date
Hans-Christoph Steiner
fa09337b4b APK_ID_TRIPLET_REGEX only matches first line of aapt output 
Stop expensive aapt parsing after the first line when looking with
APK_ID_TRIPLET_REGEX.  As is seen with the `aapt dump badging` output files
in tests/build-tools/, the first line is the only line that will ever match.

#557
 2018-09-21 14:56:32 +02:00
Hans-Christoph Steiner
4c4da3d176 update: remove 'SET' debug antifeature, closes #565 
oops, this slipped in in 3011953d0e

Bump the metadata version to purge the cache
 2018-09-18 10:57:10 +02:00
Hans-Christoph Steiner
3e0d1beb09 update: finish porting permissions regex to remove group names 
Finish the job from 3011953d0e

closes #568
 2018-09-18 10:55:51 +02:00
Hans-Christoph Steiner
807bf3d26b build: reuse common methods for getting metadata from APKs 
This splits out the code that gets the list of native ABIs supported, then
uses the standard methods for the rest.
 2018-09-18 10:55:51 +02:00
Hans-Christoph Steiner
487c4d02f3 handle package: line output from aapt v28 
fdroid/fdroiddata!3484
fdroid/fdroiddata!3562
fdroid/fdroidserver!548
 2018-09-18 10:55:51 +02:00
Michael Pöhn
c95cbfdf9c Merge branch 'use_available_buildserver_box' into 'master' 
vmtools: use whatever buildserver box is available

Closes #497

See merge request fdroid/fdroidserver!574
 2018-09-18 08:52:51 +00:00
Michael Pöhn
c005d8c5f4 more detailed error message and handling when fetching buildserverid in build.py 2018-09-13 11:11:18 +02:00
Marcus Hoffmann
1b95452c14 vmtools: use whatever buildserver box is available 
When we don't have an already working builder/.vagrant directory
look for available buildserver vagrant boxes because we'll need to
import one.

Abort if there's no buildserver box.

Fixes: #497
 2018-09-12 14:12:12 +02:00
Marcus Hoffmann
1e90b6118e vmtools: fix comment typos 2018-09-12 12:59:11 +02:00
Marcus Hoffmann
b0cce0b8c4 vmtools: actually use the chosen provider 
Fixes #561
 2018-09-12 12:59:11 +02:00
Hans-Christoph Steiner
9d12b1dc61 add strict, tested validation of Android/F-Droid package names 
Android has stricter rules than Java for Package Names, but anything the
Python regex thinks is valid must be valid according to Java's rules too.

https://developer.android.com/studio/build/application-id
 2018-09-07 14:17:39 +02:00
Hans-Christoph Steiner
3ab66efcfe update: max image size of 16 mil pixels to stop image bomb attacks 
closes #555
 2018-09-07 10:34:56 +02:00
Hans-Christoph Steiner
b254472a99 Merge branch 'exclude-filter' into 'master' 
build: replace exclude with filter during source tar creation

Closes #531

See merge request fdroid/fdroidserver!538
 2018-09-05 12:39:23 +00:00
Hans-Christoph Steiner
9bccb2c73e temp fallback to built-in ElementTree if defusedxml is not there 2018-09-03 23:02:31 +02:00
Hans-Christoph Steiner
11b3e5be3a update: throw exception for APKs with invalid Application ID 
Android Application IDs must be valid Java Package Names.  While the build
tools likely validate the Application ID, it is possible to manually create
a malicious APK.
 2018-09-03 22:56:08 +02:00
Hans-Christoph Steiner
5d161cc9fd validate appid when reading metadata files 
The metadata file must be named after the Application ID of the app it is
describing, and Android Application IDs must be valid Java Package Names.
 2018-09-03 22:56:08 +02:00
Hans-Christoph Steiner
3011953d0e convert apkcache from pickle to JSON 
pickle can serialize executable code, while JSON is only ever pure data.
The APK cache is only ever pure data, so no need for the security risks of
pickle.  For example, if some malicious thing gets write access on the
`fdroid update` machine, it can write out a custom tmp/apkcache which would
then be executed.  That is not possible with JSON.

This does just ignore any existing cache and rebuilds from scratch. That is
so we don't need to maintain pickle anywhere, and to ensure there are no
glitches from a conversion from pickle to JSON.

closes #163
 2018-09-03 18:07:40 +02:00
Hans-Christoph Steiner
3ffe2860f3 gitlab-ci: add 'bandit' security scanner to all runs 
bandit is used by Radically Open Security and is part of the GitLab Ultimate
Static Application Security Testing (SAST) suite.

https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
 2018-08-29 17:48:06 +02:00
Hans-Christoph Steiner
4d13a904f3 use defusedxml to avoid DoS attacks while loading XML 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
cc94ebca30 use global constant for the 'xmlns:android' XML namespace 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
3e1d313b7c mark manually sanitized input so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
2edc68d6cd mark all required permissions so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
8d3e82913e mark all required usages of MD5 so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
a089614225 checkupdates: remove magic number 99999999 from HTTP checks 
It is vestigal from old code and no longer is needed.
 2018-08-29 17:24:24 +02:00
Hans-Christoph Steiner
5d77fd97ee use posixpath.join() for paths on the buildserver 
This fixes bandit misdetection of hardcoded /tmp dir.  posixpath.join() is
good to use anyway, it highlights what is on the remote server, vs what is
local.  Local paths should use os.path.join() to support Windows, etc.
posixpath is built in since Python 3.4, maybe earlier
 2018-08-29 17:24:04 +02:00
Hans-Christoph Steiner
4503e7a92a replace unneeded eval() call and support negative versionCodes 2018-08-29 17:24:04 +02:00
Michael Pöhn
ee4945cb84 remove unused YamlLoader optimization 2018-08-29 11:25:01 +02:00
Michael Pöhn
e7a34807f7 use yaml.safe_load for parsing metadata 2018-08-29 00:33:58 +02:00
Michael Pöhn
4dcfa95d6e fix: jarsigner and keytool lookup regression 2018-08-21 03:05:43 +02:00
Cyril Russo
81641b4628 Fixed precommit checks 2018-08-20 11:17:36 +02:00
Cyril Russo
4303b0fac1 Apply suggestion from @uniqx to using shutil.which instead of iterating path by hand 2018-08-17 20:14:54 +02:00
Cyril Russo
ace33bcfc0 Reverted the change in the default config.py 
Improved the detection of keytool and jarsigner by also searching the PATH environment variable
 2018-08-17 16:46:46 +02:00
Cyril Russo
4f21045cad Fix keytool not found on MacOSX (when using Java from Apple) 
Fix keytool parsing error due to localisation keytool -list command.
Always fallback to english so the parsing makes sense.
 2018-08-17 15:32:29 +02:00
Hans-Christoph Steiner
05be4bc814 Merge branch '471-lint-check-unknown-keys' into 'master' 
check for unknown app fields and build flags when parsing yml

Closes #471

See merge request fdroid/fdroidserver!554
 2018-08-14 10:50:59 +00:00
Michael Pöhn
6a06944945 better exception and waring message when yaml metadata checks fail; build flags check optional 2018-08-14 12:31:12 +02:00
Michael Pöhn
0d005ab83a make parse_yaml_metadata ignore empty input 2018-08-14 12:31:12 +02:00
Michael Pöhn
e83221eb03 improve yaml build flag check cost; added unit test for unknown app fields, builds flags checks when parsing yaml 2018-08-14 12:31:12 +02:00
Michael Pöhn
25b4a47951 check for unknown app fields and build flags when parsing yml 2018-08-14 12:31:12 +02:00
Michael Pöhn
f53d1abcce fix: make sure ensure_final_value always has a clearly defined return value 2018-08-14 11:07:44 +02:00
Marcus
cf3665b328 Merge branch 'facebook_sdk' into 'master' 
scanner: add facebook sdk to forbidden libraries

Closes #534

See merge request fdroid/fdroidserver!542
 2018-08-10 13:36:44 +00:00
Marcus Hoffmann
a6dfbc6e2e scanner: add facebook sdk to forbidden libraries 
These are sourceavailable but not under a free license.
I made sure that this matches only the facebook sdk's from here:
https://github.com/facebook/facebook-android-sdk and not some real open
source libraries by facebook (fresco, stetho, ...). These seem to be
under a different namespace.

fdroid/fdroidserver#534
 2018-08-10 15:20:01 +02:00
Hans-Christoph Steiner
a01d11ba64 Merge branch '530-lint-issue-with-disable' into 'master' 
Resolve "Lint issues with 'disable: ...` in YAML"

Closes #530

See merge request fdroid/fdroidserver!550
 2018-08-03 09:07:09 +00:00
Michael Pöhn
74ae6a6a3b set locale explicitly when using keytool 2018-08-03 04:36:00 +02:00
Michael Pöhn
1e7d9b854d never interpret "disable" as bool in yaml metadata 2018-08-02 17:31:58 +02:00
Licaon_Kter
da0c541dec Lint - the error should hint that the right word is Categories 2018-07-30 22:56:57 +00:00
Michael Pöhn
27d382e1f4 clean up globals in signatures.py 2018-07-30 13:07:07 +02:00
mimi89999
d76c5dc859
signatures: Don't pass config to extract 
Closes #536
 2018-07-29 17:45:45 +02:00
Hans-Christoph Steiner
481a6274f0 Merge branch 'archive_icons' into 'master' 
update: populate app level info for archive only from archived apks

Closes #365

See merge request fdroid/fdroidserver!537
 2018-07-27 13:09:13 +00:00
Marcus Hoffmann
753e9c8175 scanner: properly combine all gradle compile commands with flavors 2018-07-25 19:00:34 +02:00
Marcus Hoffmann
c44ab190bd scanner: fix reformatting fail 
This was broken by 44e8f425d :-(.
 2018-07-25 19:00:37 +02:00