Warn when using unsafe URL local installs

Author: voltone

lib/mix/lib/mix/local/installer.ex

@@ -107,7 +107,7 @@ defmodule Mix.Local.Installer do
           module.install(basename, binary, previous_files)
 
         :badpath ->
-          Mix.raise("Expected #{inspect(src)} to be a URL or a local file path")
+          Mix.raise("Expected #{inspect(src)} to be a local file path")
 
         {:local, message} ->
           Mix.raise(message)
@@ -164,7 +164,7 @@ defmodule Mix.Local.Installer do
     cond do
       local_path?(url_or_path) -> {:local, url_or_path}
       file_url?(url_or_path) -> {:url, url_or_path}
-      true -> {:error, "Expected #{inspect(url_or_path)} to be a URL or a local file path"}
+      true -> {:error, "Expected #{inspect(url_or_path)} to be a local file path"}
     end
   end
 

lib/mix/lib/mix/tasks/archive.install.ex

@@ -12,7 +12,7 @@ defmodule Mix.Tasks.Archive.Install do
 
       mix do archive.build, archive.install
 
-  If an argument is provided, it should be a local path or a URL to a
+  If an argument is provided, it should be a local path to a
   prebuilt archive, a Git repository, a GitHub repository, or a Hex
   package.
 
@@ -35,13 +35,12 @@ defmodule Mix.Tasks.Archive.Install do
       mix some_task
 
   Note that installing via Git, GitHub, or Hex fetches the source
-  of the archive and builds it, while using a URL or a local path
-  fetches a pre-built archive.
+  of the archive and builds it, while using local path uses a pre-built archive.
 
   ## Command line options
 
     * `--sha512` - checks the archive matches the given SHA-512 checksum. Only
-      applies to installations via URL or local path
+      applies to installations via a local path
 
     * `--force` - forces installation without a shell prompt; primarily
       intended for automation in build systems like Make
@@ -55,9 +54,6 @@ defmodule Mix.Tasks.Archive.Install do
     * `--organization` - specifies an organization to use if fetching the package
       from a private Hex repository
 
-    * `--timeout` - sets a request timeout in milliseconds for fetching
-      archives from URLs. Default is 60 seconds
-
   """
 
   @behaviour Mix.Local.Installer
@@ -77,17 +73,25 @@ defmodule Mix.Tasks.Archive.Install do
   end
 
   @impl true
-  def check_install_spec({local_or_url, path_or_url} = _install_spec, _opts)
-      when local_or_url in [:local, :url] do
+  def check_install_spec({:local, path} = _install_spec, _opts) do
+    check_extname(path)
+  end
+
+  def check_install_spec({:url, url} = _install_spec, _opts) do
+    Mix.Utils.warn_install_over_http_deprecated("archive.install", url)
+    check_extname(url)
+  end
+
+  def check_install_spec(_, _), do: :ok
+
+  defp check_extname(path_or_url) do
     if Path.extname(path_or_url) == ".ez" do
       :ok
     else
-      {:error, "Expected a local file path or a file URL ending in \".ez\"."}
+      {:error, "Expected a local file path ending in \".ez\"."}
     end
   end
 
-  def check_install_spec(_, _), do: :ok
-
   @impl true
   def find_previous_versions(src) do
     app =

lib/mix/lib/mix/tasks/escript.install.ex

@@ -12,12 +12,11 @@ defmodule Mix.Tasks.Escript.Install do
 
       mix do escript.build, escript.install
 
-  If an argument is provided, it should be a local path or a URL to a prebuilt escript,
+  If an argument is provided, it should be a local path to a prebuilt escript,
   a Git repository, a GitHub repository, or a Hex package.
 
       mix escript.install escript
       mix escript.install path/to/escript
-      mix escript.install https://example.com/my_escript
       mix escript.install git https://path/to/git/repo
       mix escript.install git https://path/to/git/repo branch git_branch
       mix escript.install git https://path/to/git/repo tag git_tag
@@ -40,7 +39,7 @@ defmodule Mix.Tasks.Escript.Install do
   ## Command line options
 
     * `--sha512` - checks the escript matches the given SHA-512 checksum. Only
-      applies to installations via URL or local path
+      applies to installations via a local path
 
     * `--force` - forces installation without a shell prompt; primarily
       intended for automation in build systems like Make
@@ -54,9 +53,6 @@ defmodule Mix.Tasks.Escript.Install do
     * `--organization` - specifies an organization to use if fetching the package
       from a private Hex repository
 
-    * `--timeout` - sets a request timeout in milliseconds for fetching
-      archives from URLs. Default is 60 seconds
-
   """
 
   @behaviour Mix.Local.Installer
@@ -79,6 +75,11 @@ defmodule Mix.Tasks.Escript.Install do
   end
 
   @impl true
+  def check_install_spec({:url, url} = _install_spec, _opts) do
+    Mix.Utils.warn_install_over_http_deprecated("escript.install", url)
+    :ok
+  end
+
   def check_install_spec(_, _), do: :ok
 
   @impl true

lib/mix/lib/mix/tasks/local.rebar.ex

@@ -25,9 +25,9 @@ defmodule Mix.Tasks.Local.Rebar do
 
   ## Command line options
 
-    * `rebar PATH` - specifies a path or URL for `rebar`
+    * `rebar PATH` - specifies a path for `rebar`
 
-    * `rebar3 PATH` - specifies a path or URL for `rebar3`
+    * `rebar3 PATH` - specifies a path for `rebar3`
 
     * `--sha512` - checks the archive matches the given SHA-512 checksum
 
@@ -68,6 +68,8 @@ defmodule Mix.Tasks.Local.Rebar do
   defp install_from_path(manager, path, opts) do
     local = Mix.Rebar.local_rebar_path(manager)
 
+    if file_url?(path), do: warn_install_over_http_deprecated(manager, path)
+
     if opts[:force] || Mix.Generator.overwrite?(local) do
       case Mix.Utils.read_path(path, opts) do
         {:ok, binary} ->
@@ -77,7 +79,7 @@ defmodule Mix.Tasks.Local.Rebar do
           Mix.shell().info([:green, "* creating ", :reset, Path.relative_to_cwd(local)])
 
         :badpath ->
-          Mix.raise("Expected #{inspect(path)} to be a URL or a local file path")
+          Mix.raise("Expected #{inspect(path)} to be a local file path")
 
         {:local, message} ->
           Mix.raise(message)
@@ -100,6 +102,10 @@ defmodule Mix.Tasks.Local.Rebar do
     true
   end
 
+  defp file_url?(url_or_path) do
+    URI.parse(url_or_path).scheme in ["http", "https"]
+  end
+
   defp install_from_s3(manager, list_url, escript_url, opts) do
     hex_mirror = Mix.Hex.mirror()
     list_url = hex_mirror <> list_url
@@ -114,4 +120,37 @@ defmodule Mix.Tasks.Local.Rebar do
 
     install_from_path(manager, url, Keyword.put(opts, :sha512, sha512))
   end
+
+  defp warn_install_over_http_deprecated(manager, url) do
+    shell = Mix.shell()
+    basename = Path.basename(url)
+
+    shell.error("""
+    Warning: the use of HTTP/HTTPS URLs with `mix local.rebar` is deprecated")
+
+    Run `mix help local.rebar` for details on installing #{manager} from Hex's CDN.
+    Alternatively you can fetch the file using an external HTTP client and then
+    install it locally:
+
+    Unix (Linux, MacOS X):
+
+        $ wget #{url}
+        $ mix local.rebar #{manager} #{basename}
+
+    or
+
+        $ curl -o #{basename} #{url}
+        $ mix local.rebar #{manager} #{basename}
+
+    Windows (Win7 or later):
+
+        > powershell -Command "Invoke-WebRequest #{url} -OutFile #{basename}"
+        > mix local.rebar #{manager} #{basename}
+
+    or
+
+        > powershell -Command "(New-Object Net.WebClient).DownloadFile('#{url}', '#{basename}')"
+        > mix local.rebar #{manager} #{basename}
+    """)
+  end
 end

lib/mix/lib/mix/utils.ex

@@ -676,4 +676,38 @@ defmodule Mix.Utils do
 
     [proxy_auth: {user, pass}]
   end
+
+  def warn_install_over_http_deprecated(task_name, url) do
+    basename = Path.basename(url)
+
+    shell = Mix.shell()
+
+    shell.error("""
+    Warning: the use of HTTP/HTTPS URLs with `mix #{task_name}` is deprecated
+
+    Run `mix help #{task_name}` for details on the available alternatives, using
+    hex, git or github. Alternatively you can fetch the file using an external HTTP
+    client and then install it locally:
+
+    Unix (Linux, MacOS X):
+
+        $ wget #{url}
+        $ mix #{task_name} #{basename}
+
+    or
+
+        $ curl -o #{basename} #{url}
+        $ mix #{task_name} #{basename}
+
+    Windows (Win7 or later):
+
+        > powershell -Command "Invoke-WebRequest #{url} -OutFile #{basename}"
+        > mix #{task_name} #{basename}
+
+    or
+
+        > powershell -Command "(New-Object Net.WebClient).DownloadFile('#{url}', '#{basename}')"
+        > mix #{task_name} #{basename}
+    """)
+  end
 end

lib/mix/test/mix/tasks/archive_test.exs

@@ -82,6 +82,8 @@ defmodule Mix.Tasks.ArchiveTest do
       # Try to override it with URL
       send(self(), {:mix_shell_input, :yes?, false})
       Mix.Tasks.Archive.Install.run(["https://example.com/archive-0.1.0?hello.ez"])
+
+      assert_received {:mix_shell, :error, ["Warning: the use of HTTP/HTTPS URLs" <> _]}
       assert_received {:mix_shell, :yes?, ["Found existing entry: " <> _]}
 
       # Loading the archive should emit warning again
@@ -116,7 +118,7 @@ defmodule Mix.Tasks.ArchiveTest do
   end
 
   test "archive install missing file" do
-    message = ~r[Expected "./unlikely-to-exist-0.1.0.ez" to be a URL or a local file path]
+    message = ~r[Expected "./unlikely-to-exist-0.1.0.ez" to be a local file path]
 
     assert_raise Mix.Error, message, fn ->
       Mix.Tasks.Archive.Install.run(["./unlikely-to-exist-0.1.0.ez"])

lib/mix/test/mix/tasks/escript_test.exs

@@ -242,6 +242,13 @@ defmodule Mix.Tasks.EscriptTest do
       assert_received {:mix_shell, :info, ["* escript_test"]}
       refute_received {:mix_shell, :info, ["* escript_test.bat"]}
 
+      # Try to override it with URL
+      send(self(), {:mix_shell_input, :yes?, false})
+      Mix.Tasks.Escript.Install.run(["https://example.com/escript_test"])
+
+      assert_received {:mix_shell, :error, ["Warning: the use of HTTP/HTTPS URLs" <> _]}
+      assert_received {:mix_shell, :yes?, ["Found existing entry: " <> _]}
+
       # check uninstall confirmation
       send(self(), {:mix_shell_input, :yes?, false})
       Mix.Tasks.Escript.Uninstall.run(["escript_test"])