Merge pull request #2 from alokmenghrajani/alok/CVE-2015-7545

longboardcat · longboardcat · commit 14198fe12443 · 2015-12-11T23:35:33.000-08:00
Fixes the same issue as CVE-2015-7545.
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -13,7 +13,7 @@ Metrics/AbcSize:
 # Offense count: 1
 # Configuration parameters: CountComments.
 Metrics/ClassLength:
-  Max: 121
+  Max: 125
 
 # Offense count: 38
 # Configuration parameters: AllowURI, URISchemes.
diff --git a/lib/git-fastclone.rb b/lib/git-fastclone.rb
@@ -247,6 +247,11 @@ def store_updated_repo(url, mirror, repo_name, fail_hard)
     # moment means we only need to synchronize our own threads in case a single
     # submodule url is included twice via multiple dependency paths
     def with_git_mirror(url)
+      if url.lstrip.start_with?('ext::')
+        logger.info("Skipping #{url} for security purpose (CVE-2015-7545)") if logger
+        return
+      end
+
       update_reference_repo(url, true)
 
       # Sometimes remote updates involve re-packing objects on a different thread
