[Build] Block insecure HTTP Maven repository URLs for defense in depth#11351
Merged
simonrozsival merged 4 commits intoMay 16, 2026
Merged
Conversation
… set When a `<AndroidMavenLibrary>` item specifies an `http://` repository URL, the build now fails with error XA4251 unless `AllowInsecureHttp="true"` metadata is explicitly set on the item. HTTPS URLs are unaffected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
XA4251 was taken by main for JniAddNativeMethodRegistrationAttribute. Renumbered the insecure HTTP Maven error to XA4252. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens Maven dependency restore by rejecting insecure HTTP Maven repository URLs unless an explicit item metadata opt-in is provided.
Changes:
- Adds XA4252 validation for insecure HTTP repositories in
MavenDownload. - Adds localized resource entries for the new error.
- Adds unit tests for blocked and opt-in HTTP repository behavior.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/Xamarin.Android.Build.Tasks/Tasks/MavenDownload.cs |
Adds HTTP repository validation and XA4252 logging. |
src/Xamarin.Android.Build.Tasks/Tests/Xamarin.Android.Build.Tests/Tasks/MavenDownloadTests.cs |
Adds tests for blocked and allowed insecure HTTP repositories. |
src/Xamarin.Android.Build.Tasks/Properties/Resources.resx |
Adds the XA4252 error message resource. |
src/Xamarin.Android.Build.Tasks/Properties/Resources.Designer.cs |
Adds the generated accessor for XA4252. |
Files not reviewed (1)
- src/Xamarin.Android.Build.Tasks/Properties/Resources.Designer.cs: Language not supported
- Use Uri.TryCreate + scheme check instead of string prefix matching to properly handle all HTTP URI variations (defense in depth). - Make opt-in test assertion positive: assert XA4236 download error instead of just checking absence of XA4252. - Add XA4252 error documentation (xa4252.md) and update message index. - Document AllowInsecureHttp metadata in both build-items.md files. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
added
the
ready-to-review
simonrozsival
approved these changes
May 16, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Aligning with Gradle & Maven behavior for defense in depth and supply-chain hardening.
When a customer specifies an
http://Maven repository URL, the build now fails with error XA4252 unlessAllowInsecureHttp="true"metadata is explicitly set on the item. HTTPS URLs are unaffected.Problem
A customer could write an insecure
http://Maven repository URL and the product would use it.Solution
Require explicit opt-in via
AllowInsecureHttp="true"metadata:This mirrors what Gradle (
allowInsecureProtocol) and Maven (<blocked>http://*</blocked>) already enforce by default.Changes
MavenDownload.cs— Added HTTP check inGetRepository()that logs error XA4252 whenhttp://is used withoutAllowInsecureHttp="true"Resources.resx/Resources.Designer.cs— Added XA4252 error messageMavenDownloadTests.cs— Two new tests:InsecureHttpRepository_Blocked— verifieshttp://URL without opt-in produces XA4252InsecureHttpRepository_AllowedWithOptIn— verifiesAllowInsecureHttp="true"bypasses the check