Disallow API writes on ssl-10.2

hexpm · Jan 15, 2021 · e1edc03 · e1edc03
1 parent 4dc8033
commit e1edc03
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 0 deletions.
diff --git a/lib/hex/api.ex b/lib/hex/api.ex
@@ -104,4 +104,20 @@ defmodule Hex.API do
       body
     end
   end
+
+  def check_write_api() do
+    case Application.load(:ssl) do
+      :ok ->
+        if :application.get_key(:ssl, :vsn) == {:ok, '10.2'} do
+          Mix.raise("""
+          You are using an OTP release with the application ssl-10.2 which has a vulnerability \
+          making it susceptible to man-in-the-middle attacks. API operations with write
+          capabilities are disabled until you upgrade to newer version, ssl-10.2.1+ or OTP-23.2.2+.
+          """)
+        end
+
+      {:error, _} ->
+        :ok
+    end
+  end
 end
diff --git a/lib/hex/api/key.ex b/lib/hex/api/key.ex
@@ -4,6 +4,7 @@ defmodule Hex.API.Key do
   alias Hex.API
 
   def new(name, permissions, auth) do
+    Hex.API.check_write_api()
     API.erlang_post_request(nil, "keys", %{name: name, permissions: permissions}, auth)
   end
 
@@ -12,17 +13,21 @@ defmodule Hex.API.Key do
   end
 
   def delete(name, auth) do
+    Hex.API.check_write_api()
     API.request(:delete, nil, "keys/#{URI.encode(name)}", auth)
   end
 
   def delete_all(auth) do
+    Hex.API.check_write_api()
     API.request(:delete, nil, "keys", auth)
   end
 
   defmodule Organization do
     @moduledoc false
 
     def new(organization, name, permissions, auth) do
+      Hex.API.check_write_api()
+
       API.erlang_post_request(
         nil,
         "orgs/#{organization}/keys",
@@ -36,10 +41,14 @@ defmodule Hex.API.Key do
     end
 
     def delete(organization, name, auth) do
+      Hex.API.check_write_api()
+
       API.request(:delete, nil, "orgs/#{organization}/keys/#{URI.encode(name)}", auth)
     end
 
     def delete_all(organization, auth) do
+      Hex.API.check_write_api()
+
       API.request(:delete, nil, "orgs/#{organization}/keys", auth)
     end
   end

diff --git a/lib/hex/api/package.ex b/lib/hex/api/package.ex
@@ -17,13 +17,17 @@ defmodule Hex.API.Package do
     @moduledoc false
 
     def add(repo, package, owner, level, transfer, auth) do
+      Hex.API.check_write_api()
+
       owner = URI.encode_www_form(owner)
       path = "packages/#{URI.encode(package)}/owners/#{URI.encode(owner)}"
       params = %{level: level, transfer: transfer}
       API.erlang_put_request(repo, path, params, auth)
     end
 
     def delete(repo, package, owner, auth) do
+      Hex.API.check_write_api()
+
       owner = URI.encode_www_form(owner)
       path = "packages/#{URI.encode(package)}/owners/#{URI.encode(owner)}"
       API.request(:delete, repo, path, auth)

diff --git a/lib/hex/api/release.ex b/lib/hex/api/release.ex
@@ -11,22 +11,30 @@ defmodule Hex.API.Release do
   def publish(repo, tar, auth, progress \\ fn _ -> nil end, replace \\ false)
 
   def publish(repo, tar, auth, progress, replace?) do
+    Hex.API.check_write_api()
+
     path = "publish?replace=#{replace?}"
     opts = [progress: progress] ++ auth
     API.tar_post_request(repo, path, tar, opts)
   end
 
   def delete(repo, name, version, auth) do
+    Hex.API.check_write_api()
+
     path = "packages/#{URI.encode(name)}/releases/#{URI.encode(version)}"
     API.request(:delete, repo, path, auth)
   end
 
   def retire(repo, name, version, body, auth) do
+    Hex.API.check_write_api()
+
     path = "packages/#{URI.encode(name)}/releases/#{URI.encode(version)}/retire"
     API.erlang_post_request(repo, path, body, auth)
   end
 
   def unretire(repo, name, version, auth) do
+    Hex.API.check_write_api()
+
     path = "packages/#{URI.encode(name)}/releases/#{URI.encode(version)}/retire"
     API.request(:delete, repo, path, auth)
   end

diff --git a/lib/hex/api/release_docs.ex b/lib/hex/api/release_docs.ex
@@ -9,12 +9,16 @@ defmodule Hex.API.ReleaseDocs do
   end
 
   def publish(repo, name, version, tar, auth, progress \\ fn _ -> nil end) do
+    Hex.API.check_write_api()
+
     path = "packages/#{URI.encode(name)}/releases/#{URI.encode(version)}/docs"
     opts = [progress: progress] ++ auth
     API.tar_post_request(repo, path, tar, opts)
   end
 
   def delete(repo, name, version, auth) do
+    Hex.API.check_write_api()
+
     path = "packages/#{URI.encode(name)}/releases/#{URI.encode(version)}/docs"
     API.request(:delete, repo, path, auth)
   end

diff --git a/lib/hex/api/user.ex b/lib/hex/api/user.ex
@@ -12,10 +12,14 @@ defmodule Hex.API.User do
   end
 
   def new(username, email, password) do
+    Hex.API.check_write_api()
+
     API.erlang_post_request(nil, "users", %{username: username, email: email, password: password})
   end
 
   def password_reset(name) do
+    Hex.API.check_write_api()
+
     API.erlang_post_request(nil, "users/#{URI.encode(name)}/reset", %{})
   end
 end