CaKrome / pycharm-ce-foss-build

PyCharm Community Edition rebuild.

Presumably man-in-the-middle security issue #1

Open kiwi0fruit opened 2 years ago

kiwi0fruit commented 2 years ago

The script uses git:// protocol that is insecure (source 1, source 2):

git clone --depth 1 --branch pycharm/$pycharm_version git://git.jetbrains.org/idea/android.git

The fast solution is to change script to:

pycharm_version=211.7442.13
...
git clone --depth 1 --branch pycharm/$pycharm_version https://github.com/JetBrains/android.git

But the right solution would be to actually do:

pycharm_version=213.7172.26
...
git clone --depth 1 --branch pycharm/$pycharm_version git://git.jetbrains.org/idea/android.git

but then make a code review: via diff, find the files in which there are differences between 211.7442.13 and 213.7172.26. Then somehow download these files from https://git.jetbrains.org/ (via https). This would be much easier if there were a way to securely access git.jetbrains.org via git, not just the browser. Unfortunately I haven't found an easy way on the spur of the moment.

kiwi0fruit commented 2 years ago

Mind that I haven't tested whether the older version compiles well.

kiwi0fruit commented 2 years ago

By the way, after the code review the new version could be uploaded here on GitHub. Then the installation script could download from git://git.jetbrains.org, test against the version uploaded on GitHub, and then install the version downloaded from git://git.jetbrains.org. This way it would be transparent to users of the script that there are no security issues, and they would rely on your uploaded code only as a check measure.

kiwi0fruit commented 2 years ago

Or maybe the fresh code of the android plugin can be found somewhere like here: https://github.com/JetBrains/intellij-community/archive/refs/tags/pycharm/$pycharm_version.tar.gz

CaKrome commented 2 years ago

Hello, thanks for creating this issue. I did not know that using git:// can have security issues.

As you have mentioned, accessing https://git.jetbrains.org/ via the CLI does not seem to work, so I guess I will change to cloning the android plugin repo from GitHub using https://.

After the code review the new version could be uploaded here on GitHub. Then the installation script could download from git://git.jetbrains.org, test against the version uploaded on GitHub, and then install the version downloaded from git://git.jetbrains.org.

I'm not sure if I understand this correctly: are you saying I should compare the repo cloned from git://git.jetbrains.org against their version on GitHub (https://github.com/JetBrains/android.git)? Would it be better if I cloned the android repo directly from GitHub, since the main PyCharm source code comes from the tagged version on GitHub anyway?

kiwi0fruit commented 2 years ago

I guess I will change to cloning the android plugin repo from GitHub using https://

The GitHub repo contains only an outdated version of the android module with a PyCharm tag (211.7442.13). At least I wasn't able to find a fresher version there. But maybe I wasn't thorough enough and you would be able to find a fresher one.

are you saying I should compare the repo cloned from git://git.jetbrains.org against their version on GitHub (https://github.com/JetBrains/android.git)?

I proposed a rather brute way to verify the download of the newer version via git://git.jetbrains.org/.

kiwi0fruit commented 2 years ago

git.jetbrains.org can be accessed through its web interface via https (https://git.jetbrains.org/). So theoretically there should be a way to download files manually from there. But in order to cut manual labor it would be useful to find the changed files first -- hence checking the diff between 211.7442.13 (from the secure https://github.com/JetBrains/android.git) and 213.7172.26 (from the insecure git://git.jetbrains.org/idea/android.git).

kiwi0fruit commented 2 years ago

Or maybe you could just download 213.7172.26 insecurely from git://git.jetbrains.org/idea/android.git. Pray that you were lucky and there was no man in the middle. Upload the source to GitHub. Then you can use it to check the insecurely downloaded code in the bash script (it's still better for users to download from git://git.jetbrains.org/idea/android.git and then check against your secure version than to only use your version).

kiwi0fruit commented 2 years ago

But I'd rather avoid this "I am lucky" approach. The script can already be modified to securely compile the old 211.7442.13 version though (see my first comment). But first it should be checked that it compiles well.

CaKrome commented 2 years ago

I think I get what you mean now. Sorry for the slightly delayed response, I'm pretty busy with school as exam season arrives. I will figure out a way when I have time. Thanks.

CaKrome commented 2 years ago

I have implemented a way to mitigate the security issue caused by the insecure git protocol. There is a script in the repo that generates the hash value of the android plugin source code; it does this 3 times and stores it. The build script then checks the value and builds the software. This allows users of the script to reproduce the exact hash I have generated by running the hash generation script. Sorry for the long delay.
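The approach described in the last comment, a recorded hash that a build script checks before compiling a tree fetched over git://, depends on the hash being computed the same way on every machine. The example below is added here and is not the pycharm-ce-foss-build project's own hash script; it shows one deterministic way to do it: hash every regular file in a fixed (byte-sorted) order, include each file's path so renames and moves change the result, and skip the `.git` directory, whose contents differ between two clones of the same commit. The function names `tree_hash` and `verify_tree` are assumptions for this example, and it assumes GNU `sha256sum` or `shasum` is available.

```shell
#!/bin/sh
# Added example, not the project's own script: deterministic content hash of a
# source tree, for checking a clone fetched over git:// against a value that
# was recorded from a trusted copy of the same tag.

# Hash stdin with whichever SHA-256 tool is installed (assumption: one of them is).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# tree_hash DIR
# Prints one SHA-256 over a manifest of "<path>  <sha256 of file>" lines.
# - files are listed in byte order (LC_ALL=C sort), so the result does not
#   depend on filesystem enumeration order or on timestamps;
# - the path is part of each line, so a renamed or moved file changes the hash;
# - .git is pruned because pack files and indexes differ between clones.
# Caveat: paths containing a newline would break the line-oriented manifest.
tree_hash() {
    dir="$1"
    (
        cd "$dir" || exit 1
        find . -path ./.git -prune -o -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do
            printf '%s  ' "$f"
            sha256_stdin < "$f"
        done
    ) | sha256_stdin
}

# verify_tree DIR EXPECTED_HASH
# Returns 0 when the tree's hash equals the recorded value, 1 otherwise.
# A build script would call this and refuse to continue on mismatch.
verify_tree() {
    dir="$1"
    expected="$2"
    actual=$(tree_hash "$dir")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dir matches recorded hash $expected"
        return 0
    fi
    echo "MISMATCH: $dir" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage from a build script: sh verify_tree.sh <checkout-dir> <recorded-hash>
if [ "$#" -eq 2 ]; then
    verify_tree "$1" "$2"
fi
```

The recorded hash only helps if it was taken from a copy obtained over a trusted channel (or, as the thread suggests, after a review of the diff against the last tag available over https); a value computed from the same insecure clone it later verifies only detects changes after the fact, not a tampered download.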