kamp/fdroidserver
1
0
Fork 0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-04 14:30:11 +01:00
Code Activity
5,509 Commits 1 Branch 59 Tags 40 MiB
5d39a97ab8
Commit Graph

5509 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael Pöhn
5e4eb294c5 switch to fdroid-stretch64 basebox; remove baseboxurl form makebuildserver 2018-09-13 11:11:18 +02:00
Michael Pöhn
c005d8c5f4 more detailed error message and handling when fetching buildserverid in build.py 2018-09-13 11:11:18 +02:00
Michael Pöhn
a5ef08f57d more general regex for updating debian repo urls in buildserver provisions 2018-09-13 11:11:18 +02:00
Michael Pöhn
aa86e56338 updated buildserver provisions to stretch 2018-09-13 11:11:18 +02:00
Michael Pöhn
ba92623c1e Merge branch 'vmtools_561' into 'master' 
actually use the chosen vagrant provider

Closes #561

See merge request fdroid/fdroidserver!573
 2018-09-13 08:50:21 +00:00
Marcus Hoffmann
1b95452c14 vmtools: use whatever buildserver box is available 
When we don't have an already working builder/.vagrant directory
look for available buildserver vagrant boxes because we'll need to
import one.

Abort if there's no buildserver box.

Fixes: #497
 2018-09-12 14:12:12 +02:00
Marcus Hoffmann
1e90b6118e vmtools: fix comment typos 2018-09-12 12:59:11 +02:00
Marcus Hoffmann
b0cce0b8c4 vmtools: actually use the chosen provider 
Fixes #561
 2018-09-12 12:59:11 +02:00
Hans-Christoph Steiner
ad9a07b47e Merge branch 'little-security-fixes' into 'master' 
Little security fixes

Closes #555

See merge request fdroid/fdroidserver!572
 2018-09-07 13:32:32 +00:00
Hans-Christoph Steiner
9d12b1dc61 add strict, tested validation of Android/F-Droid package names 
Android has stricter rules than Java for Package Names, but anything the
Python regex thinks is valid must be valid according to Java's rules too.

https://developer.android.com/studio/build/application-id
 2018-09-07 14:17:39 +02:00
Hans-Christoph Steiner
3ab66efcfe update: max image size of 16 mil pixels to stop image bomb attacks 
closes #555
 2018-09-07 10:34:56 +02:00
Hans-Christoph Steiner
0cd1e0b172 gitlab-ci: include fdroid in bandit scans 2018-09-07 10:34:56 +02:00
Hans-Christoph Steiner
8b17076525 jenkins-build-all: error msg when buildserver VM not found 2018-09-05 14:37:36 +02:00
Hans-Christoph Steiner
b254472a99 Merge branch 'exclude-filter' into 'master' 
build: replace exclude with filter during source tar creation

Closes #531

See merge request fdroid/fdroidserver!538
 2018-09-05 12:39:23 +00:00
Marcus
de5455e273 Merge branch 'minor-security-fixups' into 'master' 
Minor security fixups

Closes #163

See merge request fdroid/fdroidserver!570
 2018-09-04 11:05:25 +00:00
Hans-Christoph Steiner
8f48976cb9 Merge branch 'drop-pickle-for-json' into 'master' 
Drop pickle for json

Closes #163

See merge request fdroid/fdroidserver!568
 2018-09-03 21:10:26 +00:00
Hans-Christoph Steiner
9bccb2c73e temp fallback to built-in ElementTree if defusedxml is not there 2018-09-03 23:02:31 +02:00
Hans-Christoph Steiner
cf4c9cb4ee buildserver now needs python3-defusedxml 
4d13a904f3 means that defusedxml is required
to be installed on the buildserver guest.
 2018-09-03 22:56:08 +02:00
Hans-Christoph Steiner
11b3e5be3a update: throw exception for APKs with invalid Application ID 
Android Application IDs must be valid Java Package Names.  While the build
tools likely validate the Application ID, it is possible to manually create
a malicious APK.
 2018-09-03 22:56:08 +02:00
Hans-Christoph Steiner
5d161cc9fd validate appid when reading metadata files 
The metadata file must be named after the Application ID of the app it is
describing, and Android Application IDs must be valid Java Package Names.
 2018-09-03 22:56:08 +02:00
Hans-Christoph Steiner
3011953d0e convert apkcache from pickle to JSON 
pickle can serialize executable code, while JSON is only ever pure data.
The APK cache is only ever pure data, so no need for the security risks of
pickle.  For example, if some malicious thing gets write access on the
`fdroid update` machine, it can write out a custom tmp/apkcache which would
then be executed.  That is not possible with JSON.

This does just ignore any existing cache and rebuilds from scratch. That is
so we don't need to maintain pickle anywhere, and to ensure there are no
glitches from a conversion from pickle to JSON.

closes #163
 2018-09-03 18:07:40 +02:00
Marcus Hoffmann
74776e026f gradlew-fdroid: add gradle 4.10 2018-09-03 14:47:36 +02:00
Marcus Hoffmann
d7b249272a makebuildserver: add gradle 4.10 2018-09-03 14:44:33 +02:00
Hans-Christoph Steiner
c7d5050091 Merge branch 'bandit-scanner-and-fixes' into 'master' 
Bandit scanner and fixes

See merge request fdroid/fdroidserver!567
 2018-08-30 13:06:07 +00:00
Hans-Christoph Steiner
3ffe2860f3 gitlab-ci: add 'bandit' security scanner to all runs 
bandit is used by Radically Open Security and is part of the GitLab Ultimate
Static Application Security Testing (SAST) suite.

https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
 2018-08-29 17:48:06 +02:00
Hans-Christoph Steiner
4d13a904f3 use defusedxml to avoid DoS attacks while loading XML 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
cc94ebca30 use global constant for the 'xmlns:android' XML namespace 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
3e1d313b7c mark manually sanitized input so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
2edc68d6cd mark all required permissions so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
8d3e82913e mark all required usages of MD5 so bandit doesn't complain 2018-08-29 17:44:54 +02:00
Hans-Christoph Steiner
a089614225 checkupdates: remove magic number 99999999 from HTTP checks 
It is vestigal from old code and no longer is needed.
 2018-08-29 17:24:24 +02:00
Hans-Christoph Steiner
5d77fd97ee use posixpath.join() for paths on the buildserver 
This fixes bandit misdetection of hardcoded /tmp dir.  posixpath.join() is
good to use anyway, it highlights what is on the remote server, vs what is
local.  Local paths should use os.path.join() to support Windows, etc.
posixpath is built in since Python 3.4, maybe earlier
 2018-08-29 17:24:04 +02:00
Hans-Christoph Steiner
4503e7a92a replace unneeded eval() call and support negative versionCodes 2018-08-29 17:24:04 +02:00
Hans-Christoph Steiner
f0d27e1fa5 Merge branch 'remove-unused-YamlLoader-optimisation' into 'master' 
remove unused YamlLoader optimization

See merge request fdroid/fdroidserver!566
 2018-08-29 11:12:02 +00:00
Michael Pöhn
ee4945cb84 remove unused YamlLoader optimization 2018-08-29 11:25:01 +02:00
Hans-Christoph Steiner
6b3cf72b68 Merge branch 'safe_yaml_parsing' into 'master' 
use yaml.safe_load for parsing metadata

See merge request fdroid/fdroidserver!565
 2018-08-29 07:37:43 +00:00
Michael Pöhn
e7a34807f7 use yaml.safe_load for parsing metadata 2018-08-29 00:33:58 +02:00
Michael Pöhn
1a8c77e815 Merge branch 'jarsigner-and-keytool-lookup-regression' into 'master' 
fix: jarsigner and keytool lookup regression

Closes #550

See merge request fdroid/fdroidserver!562
 2018-08-21 01:28:22 +00:00
Michael Pöhn
4dcfa95d6e fix: jarsigner and keytool lookup regression 2018-08-21 03:05:43 +02:00
Nicco Kunzmann
3546e8d38d generate all po files 
- contributes to https://gitlab.com/fdroid/fdroidserver/issues/546#note_95593326
 2018-08-20 23:05:55 +02:00
Michael Pöhn
c766129f8b Merge branch 'master' into 'master' 
Fix keytool not found on MacOSX (when using Java from Apple)

See merge request fdroid/fdroidserver!557
 2018-08-20 10:57:45 +00:00
Cyril Russo
81641b4628 Fixed precommit checks 2018-08-20 11:17:36 +02:00
Cyril Russo
4303b0fac1 Apply suggestion from @uniqx to using shutil.which instead of iterating path by hand 2018-08-17 20:14:54 +02:00
Cyril Russo
ace33bcfc0 Reverted the change in the default config.py 
Improved the detection of keytool and jarsigner by also searching the PATH environment variable
 2018-08-17 16:46:46 +02:00
Cyril Russo
4f21045cad Fix keytool not found on MacOSX (when using Java from Apple) 
Fix keytool parsing error due to localisation keytool -list command.
Always fallback to english so the parsing makes sense.
 2018-08-17 15:32:29 +02:00
Hans-Christoph Steiner
05be4bc814 Merge branch '471-lint-check-unknown-keys' into 'master' 
check for unknown app fields and build flags when parsing yml

Closes #471

See merge request fdroid/fdroidserver!554
 2018-08-14 10:50:59 +00:00
Hans-Christoph Steiner
53bd5acb09 Merge branch 'make-python-tests-run-independent-of-cwd' into 'master' 
Make python tests run independent of cwd

See merge request fdroid/fdroidserver!556
 2018-08-14 10:34:47 +00:00
Hans-Christoph Steiner
fb16823a4a Merge branch 'master' into 'master' 
common: fix tests when running without any Android SDK installed

See merge request fdroid/fdroidserver!553
 2018-08-14 10:32:10 +00:00
Michael Pöhn
82563850b7 fix test metadata case for Builds app field 2018-08-14 12:31:12 +02:00
Michael Pöhn
6a06944945 better exception and waring message when yaml metadata checks fail; build flags check optional 2018-08-14 12:31:12 +02:00