authorAndre Arko <andre@arko.net>2015-05-05 13:47:57 -0700
committerSamuel E. Giddins <segiddins@segiddins.me>2015-07-16 08:26:37 -0700
commit7a9d981baf88c3578f6afcb2a391641d5b5f3d8b (patch)
treef1e983df41f08f56d5d588c661d3f36ac1a5cd42
parent69bc4eef93142b68703de4fca07d864a74e1a959 (diff)
downloadbundler-7a9d981baf88c3578f6afcb2a391641d5b5f3d8b.tar.gz
add config git.allow_insecure and tests for #3453
-rw-r--r--lib/bundler/source_list.rb18
-rw-r--r--spec/bundler/source_list_spec.rb25
2 files changed, 37 insertions, 6 deletions
diff --git a/lib/bundler/source_list.rb b/lib/bundler/source_list.rb
index 31f92d410c..ba2778c1f4 100644
--- a/lib/bundler/source_list.rb
+++ b/lib/bundler/source_list.rb
@@ -15,11 +15,8 @@ module Bundler
end
def add_git_source(options = {})
- source = add_source_to_list Source::Git.new(options), git_sources
- if source.uri =~ %r{^git:}
- Bundler.ui.warn "The git source `#{source.uri}` uses the `git` protocol, " \
- "please consider changing it to `https`, which is more secure."
- end
+ source = add_source_to_list(Source::Git.new(options), git_sources)
+ warn_on_git_protocol(source)
source
end
@@ -102,5 +99,16 @@ module Bundler
def combine_rubygems_sources
Source::Rubygems.new("remotes" => rubygems_remotes)
end
+
+ def warn_on_git_protocol(source)
+ return if Bundler.settings["git.allow_insecure"]
+
+ if source.uri =~ %r{^git\:}
+ Bundler.ui.warn "The git source `#{source.uri}` uses the `git` protocol, " \
+ "which transmits data without encryption. Disable this warning with " \
+ "`bundle config git.allow_insecure true`, or switch to the `https` " \
+ "protocol to keep your data secure."
+ end
+ end
end
end
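Review bot: The opt-out in `warn_on_git_protocol` is a bare truthiness test on `Bundler.settings["git.allow_insecure"]`, and in Ruby the string `"false"` is truthy. If the settings store returns the raw string written by `bundle config git.allow_insecure false` (settings.rb is not part of this diff, so this needs confirming), the value meant to keep the warning on would silence it; the key should be treated as a boolean there or compared explicitly here. The pattern `%r{^git\:}` also anchors per line rather than at the start of the string, so `source.uri =~ %r{\Agit:}` is the tighter check. Since the warning text mentions only encryption, a comment above the method would help, for example `# git:// is unauthenticated as well as unencrypted, so fetched gem code can be altered in transit.`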
diff --git a/spec/bundler/source_list_spec.rb b/spec/bundler/source_list_spec.rb
index 3beac46f41..9fe9a13382 100644
--- a/spec/bundler/source_list_spec.rb
+++ b/spec/bundler/source_list_spec.rb
@@ -2,7 +2,7 @@ require "spec_helper"
describe Bundler::SourceList do
before do
- allow(Bundler).to receive(:root) { Pathname.new "/" }
+ allow(Bundler).to receive(:root) { Pathname.new "./tmp/bundled_app" }
end
subject(:source_list) { Bundler::SourceList.new }
@@ -50,16 +50,39 @@ describe Bundler::SourceList do
end
it "passes the provided options to the new source" do
+ @new_source = source_list.add_git_source("uri" => "git://host/path.git")
expect(@new_source.options).to eq("uri" => "git://host/path.git")
end
it "adds the source to the beginning of git_sources" do
+ @new_source = source_list.add_git_source("uri" => "git://host/path.git")
expect(source_list.git_sources.first).to equal(@new_source)
end
it "removes existing duplicates" do
+ @duplicate = source_list.add_git_source("uri" => "git://host/path.git")
+ @new_source = source_list.add_git_source("uri" => "git://host/path.git")
expect(source_list.git_sources).not_to include equal(@duplicate)
end
+
+ context "with the git: protocol" do
+ let(:msg) { "The git source `git://existing-git.org/path.git` " \
+ "uses the `git` protocol, which transmits data without encryption. " \
+ "Disable this warning with `bundle config git.allow_insecure true`, " \
+ "or switch to the `https` protocol to keep your data secure."
+ }
+
+ it "warns about git protocols" do
+ expect(Bundler.ui).to receive(:warn).with(msg)
+ source_list.add_git_source("uri" => "git://existing-git.org/path.git")
+ end
+
+ it "ignores git protocols on request" do
+ Bundler.settings["git.allow_insecure"] = true
+ expect(Bundler.ui).to_not receive(:warn).with(msg)
+ source_list.add_git_source("uri" => "git://existing-git.org/path.git")
+ end
+ end
end
describe "#add_rubygems_source" do
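Review bot: The example "ignores git protocols on request" sets `Bundler.settings["git.allow_insecure"] = true` and nothing in this hunk restores it. Unless spec_helper resets settings between examples (not visible here), the opt-out can leak into later examples and make "warns about git protocols" order-dependent. Restoring the setting in an `after` hook inside this context would keep the examples independent. The negative expectation is also narrower than it looks: `to_not receive(:warn).with(msg)` still passes if a warning with different wording is emitted, so `expect(Bundler.ui).to_not receive(:warn)` is the stronger assertion. The enclosing `describe` block starts before the hunk.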