├── .gitignore ├── spec ├── fixtures │ ├── BadPodfile.lock │ ├── GoodPodfile.lock │ ├── DoubleBadPodfile.lock │ └── blocklist.json ├── spec_helper.rb └── command │ └── blocklist_spec.rb ├── lib ├── cocoapods-blocklist.rb ├── cocoapods_plugin.rb └── cocoapods-blocklist │ ├── gem_version.rb │ └── command │ └── blocklist.rb ├── Rakefile ├── Gemfile ├── CHANGELOG.md ├── .travis.yml ├── LICENSE ├── cocoapods-blocklist.gemspec ├── README.md └── Gemfile.lock /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | pkg 3 | .idea/ 4 | *.gem 5 | .bundle 6 | vendor 7 | 8 | -------------------------------------------------------------------------------- /spec/fixtures/BadPodfile.lock: -------------------------------------------------------------------------------- 1 | PODS: 2 | - BananaKit (3.4.7) 3 | 4 | DEPENDENCIES: 5 | - BananaKit (~>3.4.0) 6 | 7 | SPEC CHECKSUMS: 8 | BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae 9 | 10 | COCOAPODS: 0.35.0 11 | -------------------------------------------------------------------------------- /spec/fixtures/GoodPodfile.lock: -------------------------------------------------------------------------------- 1 | PODS: 2 | - BananaKit (3.6.2) 3 | 4 | DEPENDENCIES: 5 | - BananaKit (~>3.6.0) 6 | 7 | SPEC CHECKSUMS: 8 | BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae 9 | 10 | COCOAPODS: 0.35.0 11 | -------------------------------------------------------------------------------- /lib/cocoapods-blocklist.rb: -------------------------------------------------------------------------------- 1 | # Created by David Grandinetti 4/27/2015 2 | # Copyright (c) 2015 Yahoo, Inc. 3 | # Licensed under the terms of the MIT License. See LICENSE file in the project root. 
4 | 5 | require 'cocoapods-blocklist/gem_version' 6 | -------------------------------------------------------------------------------- /lib/cocoapods_plugin.rb: -------------------------------------------------------------------------------- 1 | # Created by David Grandinetti 4/27/2015 2 | # Copyright (c) 2015 Yahoo, Inc. 3 | # Licensed under the terms of the MIT License. See LICENSE file in the project root. 4 | 5 | require 'cocoapods-blocklist/command/blocklist' 6 | -------------------------------------------------------------------------------- /lib/cocoapods-blocklist/gem_version.rb: -------------------------------------------------------------------------------- 1 | # Created by David Grandinetti 4/27/2015 2 | # Copyright (c) 2015 Yahoo, Inc. 3 | # Licensed under the terms of the MIT License. See LICENSE file in the project root. 4 | 5 | module CocoapodsBlocklist 6 | VERSION = "0.1.4" 7 | end 8 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require 'bundler/gem_tasks' 2 | 3 | def specs(dir) 4 | FileList["spec/#{dir}/*_spec.rb"].shuffle.join(' ') 5 | end 6 | 7 | desc 'Runs all the specs' 8 | task :specs do 9 | sh "bundle exec bacon #{specs('**')}" 10 | end 11 | 12 | task :default => :specs 13 | 14 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | # Specify your gem's dependencies in cocoapods-blocklist.gemspec 4 | gemspec 5 | 6 | group :development do 7 | gem 'activesupport', '>= 4.2.2', '< 5' 8 | gem 'bacon' 9 | gem 'cocoapods', '~> 1.9.0' 10 | gem 'prettybacon' 11 | gem 'webmock' 12 | end 13 | -------------------------------------------------------------------------------- /spec/fixtures/DoubleBadPodfile.lock: 
-------------------------------------------------------------------------------- 1 | PODS: 2 | - BananaKit (3.4.7) 3 | - FooKit (1.2.2) 4 | 5 | DEPENDENCIES: 6 | - BananaKit (~>3.4.0) 7 | - FooKit (~>1.2.0) 8 | 9 | SPEC CHECKSUMS: 10 | BananaKit: 12148377a117d52b3ab1c61d164b65011d0c3eae 11 | FooKit: 21239286b026e43a49c2b70e255a74102cfd2f9f 12 | 13 | COCOAPODS: 0.35.0 14 | -------------------------------------------------------------------------------- /spec/fixtures/blocklist.json: -------------------------------------------------------------------------------- 1 | { 2 | "pods":[ 3 | { 4 | "name":"FooKit", 5 | "reason":"FooKit 1.2.2 did not check passwords on Thursdays", 6 | "versions":"1.2.2" 7 | }, 8 | { 9 | "name":"BananaKit", 10 | "reason":"Vulnerable to code injection with malformed BQL queries", 11 | "versions": [">=3.4.2", "<3.6.0"] 12 | } 13 | ] 14 | } 15 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## CHANGELOG 2 | 3 | # 0.1.4 4 | - Rename to cocoapods-blocklist (@dbgrandi 6/11/2020) 5 | 6 | # 0.1.3 7 | - Mark current gem name as deprecated with a post_install message (@dbgrandi 6/11/2020) 8 | 9 | # 0.1.2 10 | - More idiomatic CLAide usage (@segiddins 11/16/2015) 11 | 12 | # 0.1.1 13 | - Updated Pod metadata (@clarkda 8/14/2015) 14 | 15 | # 0.1.0 16 | - Public release (@dbgrandi 5/18/2015) 17 | 18 | # 0.0.2 19 | - Show output for all failed pods (@dbgrandi 5/16/2015) 20 | 21 | # 0.0.1 22 | - Added `check` command (@dbgrandi 4/27/2015) 23 | 24 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | # Sets Travis to run the Ruby specs on OS X machines to be as close as possible 2 | # to the user environment. 
3 | # 4 | language: objective-c 5 | 6 | env: 7 | - RVM_RUBY_VERSION=system 8 | # - RVM_RUBY_VERSION=1.8.7-p358 9 | 10 | before_install: 11 | - export LANG=en_US.UTF-8 12 | - curl http://curl.haxx.se/ca/cacert.pem -o /usr/local/share/cacert.pem 13 | - source ~/.rvm/scripts/rvm 14 | - if [[ $RVM_RUBY_VERSION != 'system' ]]; then rvm install $RVM_RUBY_VERSION; fi 15 | - rvm use $RVM_RUBY_VERSION 16 | - if [[ $RVM_RUBY_VERSION == 'system' ]]; then sudo gem install bundler --no-ri --no-rdoc; else gem install bundler --no-ri --no-rdoc; fi 17 | 18 | install: 19 | - sudo bundle install --without=documentation 20 | 21 | script: bundle exec rake specs 22 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2015 Yahoo, Inc. All rights reserved. 2 | 3 | MIT License 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining 6 | a copy of this software and associated documentation files (the 7 | "Software"), to deal in the Software without restriction, including 8 | without limitation the rights to use, copy, modify, merge, publish, 9 | distribute, sublicense, and/or sell copies of the Software, and to 10 | permit persons to whom the Software is furnished to do so, subject to 11 | the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be 14 | included in all copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 19 | NONINFRINGEMENT. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 20 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 21 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 22 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 23 | -------------------------------------------------------------------------------- /cocoapods-blocklist.gemspec: -------------------------------------------------------------------------------- 1 | lib = File.expand_path('lib', __dir__) 2 | $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) 3 | require 'cocoapods-blocklist/gem_version.rb' 4 | 5 | Gem::Specification.new do |spec| 6 | spec.name = 'cocoapods-blocklist' 7 | spec.version = CocoapodsBlocklist::VERSION 8 | spec.authors = ['David Grandinetti'] 9 | spec.email = ['dbgrandi@verizonmedia.com'] 10 | spec.description = 'Block pods from being used in your project.' 11 | spec.summary = 'A CocoaPods plugin used to check a project against a list of pods that you do not want included in your build. Security is the primary use, but keeping specific pods that have conflicting licenses is another possible use.' 
12 | spec.homepage = 'https://github.com/yahoo/cocoapods-blocklist' 13 | spec.license = 'MIT' 14 | 15 | spec.files = `git ls-files`.split($/) 16 | spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } 17 | spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) 18 | spec.require_paths = ['lib'] 19 | 20 | spec.add_development_dependency 'bundler', '~> 1.3' 21 | spec.add_development_dependency 'rake', '>= 12.3.3' 22 | 23 | end 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # cocoapods-blocklist 2 | 3 | [![Build Status](https://travis-ci.org/yahoo/cocoapods-blocklist.svg?branch=main)](https://travis-ci.org/yahoo/cocoapods-blocklist) 4 | 5 | A CocoaPods plugin used to check a project against a list of pods that you do not want included in your build. Security is the primary use, but keeping specific pods that have conflicting licenses is another possible use. 6 | 7 | We use this in our continuous integration builds. If a security issue is found with a pod, we can update our `blocklist.json` file and builds will start to fail immediately. Developers don't always read the email about a new vulnerability. They definitely notice when the build fails. :smile: 8 | 9 | ## Installation 10 | 11 | $ gem install cocoapods-blocklist 12 | 13 | ## Usage 14 | 15 | $ pod blocklist [LOCKFILE] --config=BLOCKLIST_CONFIG 16 | 17 | The `LOCKFILE` is optional, and `./Podfile.lock` is assumed if one is not explicitly passed in. 
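18 | 19 | ## Blocklist config file 20 | 21 | The blocklist config file is a JSON file that has an array of pods, each one containing a hash with: 22 | 23 | - name: the same string you would use to include a pod in a `Podfile` 24 | - versions: a version string (or array of version strings) used to match the version 25 | - reason: a string used to explain why a pod is blocked, will be printed out when a check fails 26 | 27 | ``` 28 | { 29 | "pods":[ 30 | { 31 | "name":"FooKit", 32 | "reason":"FooKit 1.2.2 did not check passwords on Thursdays", 33 | "versions":"1.2.2" 34 | }, 35 | { 36 | "name":"BananaKit", 37 | "reason":"Vulnerable to code injection with malformed BQL queries", 38 | "versions":[">=3.4.2", "<3.6.0"] 39 | } 40 | ] 41 | } 42 | ``` 43 | 44 | ## Contributors 45 | 46 | - David Grandinetti ([@dbgrandi](https://twitter.com/dbgrandi)) 47 | - Samuel E. Giddins ([@segiddins](https://twitter.com/segiddins)) 48 | 49 | ## License 50 | 51 | Code licensed under the MIT license. See [LICENSE](https://github.com/yahoo/cocoapods-blocklist/blob/master/LICENSE) file for terms. 52 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: --------------------------------------------------------------------------------
# Created by David Grandinetti 4/27/2015
# Copyright (c) 2015 Yahoo, Inc.
# Licensed under the terms of the MIT License. See LICENSE file in the project root.

require 'pathname'
ROOT = Pathname.new(File.expand_path('../../', __FILE__))
$:.unshift((ROOT + 'lib').to_s)
$:.unshift((ROOT + 'spec').to_s)

require 'bundler/setup'
require 'bacon'
require 'pretty_bacon'
require 'cocoapods'

# No spec may reach the network; a remote blocklist is only ever served by a
# WebMock stub registered inside the spec itself.
require 'webmock'
WebMock.enable!
WebMock.disable_net_connect!

require 'cocoapods_plugin'

#-----------------------------------------------------------------------------#

module Pod

  # Disable the wrapping so the output is deterministic in the tests.
  #
  UI.disable_wrap = true

  # Redirects the messages to an internal store.
  #
  module UI
    @output = ''
    @warnings = ''

    class << self
      # Everything written through `UI.puts` / `UI.print`; specs reset it
      # with `UI.output = ''` before inspecting it.
      attr_accessor :output
      # Everything written through `UI.warn`.
      attr_accessor :warnings

      def puts(message = '')
        @output << "#{message}\n"
      end

      # The second parameter only keeps the real `UI.warn` signature; the
      # suggested actions are not recorded.
      def warn(message = '', _actions = [])
        @warnings << "#{message}\n"
      end

      def print(message)
        @output << message
      end
    end
  end
end

module SpecHelper
  module Command
    # Wraps raw command-line words in a CLAide::ARGV.
    def argv(*argv)
      CLAide::ARGV.new(argv)
    end

    # Parses the words into a Pod::Command with ANSI colours disabled so the
    # captured output is stable.
    def command(*argv)
      argv << '--no-ansi'
      Pod::Command.parse(argv)
    end

    # Validates and runs the command, returning everything it wrote through
    # Pod::UI.
    #
    # `config.silent` is restored in an `ensure` block: commands under test
    # are expected to raise (e.g. CLAide::Help from `validate!`), and without
    # it one such spec would leave `config.silent` changed for every spec
    # that runs after it.
    def run_command(*args)
      Pod::UI.output = ''
      # @todo Remove this once all cocoapods has
      # been converted to use the UI.puts
      config_silent = config.silent?
      config.silent = false
      begin
        cmd = command(*args)
        cmd.validate!
        cmd.run
      ensure
        config.silent = config_silent
      end
      Pod::UI.output
    end
  end
end

Bacon.summary_at_exit

module Bacon
  class Context
    include Pod::Config::Mixin
    # include SpecHelper::Fixture
    include SpecHelper::Command

    # def skip_xcodebuild?
    #   ENV['SKIP_XCODEBUILD']
    # end

    # NOTE(review): SpecHelper.temporary_directory is not defined in this
    # helper (the fixture module above is commented out); nothing in the
    # blocklist specs calls this, so it is kept only for parity with the
    # CocoaPods spec helper it was copied from.
    def temporary_directory
      SpecHelper.temporary_directory
    end
  end
end
-------------------------------------------------------------------------------- /lib/cocoapods-blocklist/command/blocklist.rb: -------------------------------------------------------------------------------- 1 | # Created by David Grandinetti 4/27/2015 2 | # Copyright (c) 2015 Yahoo, Inc. 3 | # Licensed under the terms of the MIT License. See LICENSE file in the project root. 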
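require 'json'
require 'open-uri'
require 'uri'

module Pod
  class Command
    # `pod blocklist [LOCKFILE] --config=CONFIG [--warn]`
    #
    # Loads a JSON blocklist (`{"pods": [{"name", "versions", "reason"}, ...]}`)
    # from a local file or an http(s) URL and checks every entry against the
    # versions resolved in the lockfile. A match prints the entry's reason and,
    # unless `--warn` was given, aborts the run with an Informative error so a
    # CI build fails.
    class Blocklist < Command
      self.summary = 'Validate a project against a list of blocked pods.'

      self.description = <<-DESC
        Validate a project against a list of blocked pods. Requires a lockfile
        and a config file (JSON).

        example:
          $ pod blocklist --config blocklist.json
      DESC

      self.arguments = [
        CLAide::Argument.new('LOCKFILE', false),
      ]

      def self.options
        [
          ['--config=CONFIG', 'Config file or URL for the blocklist'],
          ['--warn', 'Only warn about use of blocked pods'],
        ].concat(super)
      end

      # @param argv [CLAide::ARGV] `--config` (path or URL), the `--warn`
      #   flag and the optional LOCKFILE positional argument.
      def initialize(argv)
        @blocklist = argv.option('config')
        @warn = argv.flag?('warn')
        @lockfile_path = argv.shift_argument
        super
      end

      # Resolves the lockfile (explicit path first, otherwise the one CocoaPods
      # found for the current directory) and requires a blocklist location.
      #
      # @raise [CLAide::Help] when either is missing; `Lockfile.from_file`
      #   returns nil for a path that does not exist, which ends up here too.
      def validate!
        super

        @lockfile = @lockfile_path ? Lockfile.from_file(Pathname(@lockfile_path)) : config.lockfile
        help! 'A lockfile is needed.' unless lockfile
        help! 'A blocklist file is needed.' unless @blocklist
      end

      # @raise [Informative] when a blocked pod is in use and `--warn` is not
      #   set, or when the blocklist cannot be loaded.
      def run
        @blocklist_file = load_blocklist

        # name => Version for every blocked pod found in the lockfile.
        failed_pods = {}
        blocked_pods.each do |pod|
          name = pod['name']
          # Entries for pods the project does not use are simply skipped.
          next unless lockfile.pod_names.include?(name)

          version = Version.new(lockfile.version(name))
          # `versions` may be a single requirement string or an array of them.
          next unless Requirement.create(pod['versions']).satisfied_by?(version)

          UI.puts "[!] Validation error: Use of #{name} #{version} for reason: #{pod['reason']}".yellow
          failed_pods[name] = version
        end

        if failed_pods.empty?
          UI.puts "#{UI.path lockfile.defined_in_file.expand_path} passed blocklist validation".green
          return
        end
        # With --warn the per-pod messages above are the whole report.
        return if @warn

        failed_pod_string = failed_pods.map { |name, version| "#{name} (#{version})" }.join(', ')
        raise Informative, "Failed blocklist validation due to use of #{failed_pod_string}"
      end

      private

      attr_reader :lockfile

      # Reads and parses the blocklist named by `--config`.
      #
      # The location is dispatched explicitly: http(s)/ftp URLs are fetched
      # with open-uri, anything else is read with `File.read`. This replaces
      # `Kernel#open`, which treats a leading `|` in the string as a command to
      # spawn and whose URL handling is deprecated since Ruby 2.7.
      #
      # @return [Object] the parsed JSON document.
      # @raise [Informative] when the blocklist cannot be read or is not JSON.
      def load_blocklist
        uri = remote_uri(@blocklist)
        raw = uri ? uri.read : File.read(@blocklist)
        JSON.parse(raw)
      rescue SystemCallError, IOError, SocketError, OpenURI::HTTPError, JSON::ParserError => e
        raise Informative, "Unable to load blocklist #{@blocklist}: #{e.message}"
      end

      # @return [URI::HTTP, URI::FTP, nil] the parsed URI when `value` is a
      #   URL open-uri can fetch (ftp kept for compatibility with the old
      #   `Kernel#open` behaviour), nil for local paths — including paths that
      #   are not valid URIs at all.
      def remote_uri(value)
        uri = URI.parse(value.to_s)
        uri if uri.is_a?(URI::HTTP) || uri.is_a?(URI::FTP)
      rescue URI::InvalidURIError
        nil
      end

      # @return [Array<Hash>] the `pods` entries of the loaded blocklist.
      # @raise [Informative] when the document is not `{"pods": [...]}`; a
      #   missing or malformed list must not let every project "pass".
      def blocked_pods
        pods = @blocklist_file['pods'] if @blocklist_file.is_a?(Hash)
        return pods if pods.is_a?(Array)
        raise Informative, "Blocklist #{@blocklist} must contain a 'pods' array"
      end
    end
  end
end
-------------------------------------------------------------------------------- /Gemfile.lock: -------------------------------------------------------------------------------- 1 | PATH 2 | remote: . 3 | specs: 4 | cocoapods-blocklist (0.1.4) 5 | 6 | GEM 7 | remote: https://rubygems.org/ 8 | specs: 9 | CFPropertyList (3.0.2) 10 | activesupport (4.2.11.3) 11 | i18n (~> 0.7) 12 | minitest (~> 5.1) 13 | thread_safe (~> 0.3, >= 0.3.4) 14 | tzinfo (~> 1.1) 15 | addressable (2.8.0) 16 | public_suffix (>= 2.0.2, < 5.0) 17 | algoliasearch (1.27.3) 18 | httpclient (~> 2.8, >= 2.8.3) 19 | json (>= 1.5.1) 20 | atomos (0.1.3) 21 | bacon (1.2.0) 22 | claide (1.0.3) 23 | cocoapods (1.9.3) 24 | activesupport (>= 4.0.2, < 5) 25 | claide (>= 1.0.2, < 2.0) 26 | cocoapods-core (= 1.9.3) 27 | cocoapods-deintegrate (>= 1.0.3, < 2.0) 28 | cocoapods-downloader (>= 1.2.2, < 2.0) 29 | cocoapods-plugins (>= 1.0.0, < 2.0) 30 | cocoapods-search (>= 1.0.0, < 2.0) 31 | cocoapods-stats (>= 1.0.0, < 2.0) 32 | cocoapods-trunk (>= 1.4.0, < 2.0) 33 | cocoapods-try (>= 1.1.0, < 2.0) 34 | colored2 (~> 3.1) 35 | escape (~> 0.0.4) 36 | fourflusher (>= 2.3.0, < 3.0) 37 | gh_inspector (~> 1.0) 38 | molinillo (~> 0.6.6) 39 | nap (~> 1.0) 40 | ruby-macho (~> 1.4) 41 | xcodeproj (>= 1.14.0, < 2.0) 42 | cocoapods-core (1.9.3) 43 | activesupport (>= 4.0.2, < 6) 44 | algoliasearch (~> 1.0) 45 | concurrent-ruby (~> 1.1) 46 | 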
fuzzy_match (~> 2.0.4) 47 | nap (~> 1.0) 48 | netrc (~> 0.11) 49 | typhoeus (~> 1.0) 50 | cocoapods-deintegrate (1.0.4) 51 | cocoapods-downloader (1.6.3) 52 | cocoapods-plugins (1.0.0) 53 | nap 54 | cocoapods-search (1.0.0) 55 | cocoapods-stats (1.1.0) 56 | cocoapods-trunk (1.5.0) 57 | nap (>= 0.8, < 2.0) 58 | netrc (~> 0.11) 59 | cocoapods-try (1.2.0) 60 | colored2 (3.1.2) 61 | concurrent-ruby (1.1.6) 62 | crack (0.4.3) 63 | safe_yaml (~> 1.0.0) 64 | escape (0.0.4) 65 | ethon (0.12.0) 66 | ffi (>= 1.3.0) 67 | ffi (1.13.1) 68 | fourflusher (2.3.1) 69 | fuzzy_match (2.0.4) 70 | gh_inspector (1.1.3) 71 | hashdiff (1.0.1) 72 | httpclient (2.8.3) 73 | i18n (0.9.5) 74 | concurrent-ruby (~> 1.0) 75 | json (2.3.0) 76 | minitest (5.14.1) 77 | molinillo (0.6.6) 78 | nanaimo (0.2.6) 79 | nap (1.1.0) 80 | netrc (0.11.0) 81 | prettybacon (0.0.2) 82 | bacon (~> 1.2) 83 | public_suffix (4.0.6) 84 | rake (13.0.1) 85 | ruby-macho (1.4.0) 86 | safe_yaml (1.0.5) 87 | thread_safe (0.3.6) 88 | typhoeus (1.4.0) 89 | ethon (>= 0.9.0) 90 | tzinfo (1.2.7) 91 | thread_safe (~> 0.1) 92 | webmock (3.8.3) 93 | addressable (>= 2.3.6) 94 | crack (>= 0.3.2) 95 | hashdiff (>= 0.4.0, < 2.0.0) 96 | xcodeproj (1.16.0) 97 | CFPropertyList (>= 2.3.3, < 4.0) 98 | atomos (~> 0.1.3) 99 | claide (>= 1.0.2, < 2.0) 100 | colored2 (~> 3.1) 101 | nanaimo (~> 0.2.6) 102 | 103 | PLATFORMS 104 | ruby 105 | 106 | DEPENDENCIES 107 | activesupport (>= 4.2.2, < 5) 108 | bacon 109 | bundler (~> 1.3) 110 | cocoapods (~> 1.9.0) 111 | cocoapods-blocklist! 112 | prettybacon 113 | rake (>= 12.3.3) 114 | webmock 115 | 116 | BUNDLED WITH 117 | 1.17.3 118 | -------------------------------------------------------------------------------- /spec/command/blocklist_spec.rb: -------------------------------------------------------------------------------- 1 | # Created by David Grandinetti 4/27/2015 2 | # Copyright (c) 2015 Yahoo, Inc. 3 | # Licensed under the terms of the MIT License. See LICENSE file in the project root. 
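require File.expand_path('../../spec_helper', __FILE__)

# Fixture lockfiles: GoodPodfile.lock resolves BananaKit outside the blocked
# range, BadPodfile.lock uses one blocked pod, DoubleBadPodfile.lock uses two.
GOOD_LOCKFILE = './spec/fixtures/GoodPodfile.lock'
BAD_LOCKFILE = './spec/fixtures/BadPodfile.lock'
DOUBLE_BAD_LOCKFILE = './spec/fixtures/DoubleBadPodfile.lock'
BLOCKLIST_FILE = './spec/fixtures/blocklist.json'
# Only ever answered by the WebMock stub below; spec_helper disables real
# network access.
BLOCKLIST_URL = 'http://example.com/blocklist.json'

NON_EXIST_FILE = './spec/fixtures/doesnotexist'

module Pod
  describe Command::Blocklist do
    # Specs that call `command.run` directly bypass `run_command`, which is the
    # only place the captured UI output was cleared; without this reset an
    # `UI.output.should.include` could be satisfied by a previous example.
    before do
      UI.output = ''
    end

    describe 'In general' do
      it 'registers itself' do
        Command.parse(%w{ blocklist }).should.be.instance_of Command::Blocklist
      end

      it 'defaults to show help' do
        lambda { run_command('blocklist') }.should.raise CLAide::Help
      end
    end

    it 'validates Podfile.lock exists if not passed in' do
      command = Command.parse(['blocklist', "--config=#{BLOCKLIST_FILE}"])
      lambda { command.validate! }.should.raise CLAide::Help
    end

    it 'validates the lockfile exists if passed in' do
      command = Command.parse(['blocklist', NON_EXIST_FILE, "--config=#{BLOCKLIST_FILE}"])
      lambda { command.validate! }.should.raise CLAide::Help
    end

    describe 'running with required args' do
      it 'allows valid pods with a local blocklist file' do
        command = Command.parse(['blocklist', GOOD_LOCKFILE, "--config=#{BLOCKLIST_FILE}"])
        lambda {
          command.validate!
          command.run
        }.should.not.raise
        UI.output.should.include 'passed blocklist validation'
      end

      it 'allows valid pods with a remote blocklist file' do
        # Match on method and URL only. Pinning the exact Accept-Encoding and
        # User-Agent headers tied the spec to one Ruby/Net::HTTP version and
        # said nothing about the plugin.
        WebMock::API.stub_request(:get, BLOCKLIST_URL)
                    .to_return(:status => 200, :body => File.read(BLOCKLIST_FILE), :headers => {})

        command = Command.parse(['blocklist', GOOD_LOCKFILE, "--config=#{BLOCKLIST_URL}"])
        lambda {
          command.validate!
          command.run
        }.should.not.raise
        UI.output.should.include 'passed blocklist validation'
      end

      describe 'having blocked pods' do
        it 'disallows a blocked pod' do
          command = Command.parse(['blocklist', BAD_LOCKFILE, "--config=#{BLOCKLIST_FILE}"])
          exception = lambda {
            command.validate!
            command.run
          }.should.raise Informative
          exception.message.should.include 'Failed blocklist validation due to use of BananaKit'
          UI.output.should.include 'Vulnerable to code injection with malformed BQL queries'
        end

        it 'prints all blocked pods' do
          command = Command.parse(['blocklist', DOUBLE_BAD_LOCKFILE, "--config=#{BLOCKLIST_FILE}"])
          exception = lambda {
            command.validate!
            command.run
          }.should.raise Informative
          exception.message.should.include 'Failed blocklist validation due to use of'
          exception.message.should.include 'BananaKit (3.4.7)'
          exception.message.should.include 'FooKit (1.2.2)'
          UI.output.should.include 'FooKit 1.2.2 did not check passwords on Thursdays'
          UI.output.should.include 'Vulnerable to code injection with malformed BQL queries'
        end

        it 'warns about blocked pods when --warn is used' do
          command = Command.parse(['blocklist', DOUBLE_BAD_LOCKFILE, "--config=#{BLOCKLIST_FILE}", '--warn'])
          lambda {
            command.validate!
            command.run
          }.should.not.raise
          UI.output.should.include 'FooKit 1.2.2 did not check passwords on Thursdays'
          UI.output.should.include 'Vulnerable to code injection with malformed BQL queries'
          # Warning mode must still not report the project as clean.
          UI.output.should.not.include 'passed blocklist validation'
        end
      end
    end
  end
end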