bundler 2.2.27 → 2.6.1

data/lib/bundler/endpoint_specification.rb

@@ -3,25 +3,30 @@
 module Bundler
   # used for Creating Specifications from the Gemcutter Endpoint
   class EndpointSpecification < Gem::Specification
-    ILLFORMED_MESSAGE = 'Ill-formed requirement ["#<YAML::Syck::DefaultKey'.freeze
-    include MatchPlatform
+    include MatchRemoteMetadata
 
-    attr_reader :name, :version, :platform, :required_rubygems_version, :required_ruby_version, :checksum
-    attr_accessor :source, :remote, :dependencies
+    attr_reader :name, :version, :platform, :checksum
+    attr_accessor :remote, :dependencies, :locked_platform
 
-    def initialize(name, version, platform, dependencies, metadata = nil)
+    def initialize(name, version, platform, spec_fetcher, dependencies, metadata = nil)
       super()
       @name         = name
       @version      = Gem::Version.create version
-      @platform     = platform
+      @platform     = Gem::Platform.new(platform)
+      @spec_fetcher = spec_fetcher
       @dependencies = dependencies.map {|dep, reqs| build_dependency(dep, reqs) }
 
       @loaded_from          = nil
       @remote_specification = nil
+      @locked_platform = nil
 
       parse_metadata(metadata)
     end
 
+    def insecurely_materialized?
+      @locked_platform.to_s != @platform.to_s
+    end
+
     def fetch_platform
       @platform
     end
@@ -92,9 +97,20 @@ module Bundler
       end
     end
 
+    # needed for `bundle fund`
+    def metadata
+      if @remote_specification
+        @remote_specification.metadata
+      elsif _local_specification
+        _local_specification.metadata
+      else
+        super
+      end
+    end
+
     def _local_specification
       return unless @loaded_from && File.exist?(local_specification_path)
-      eval(File.read(local_specification_path)).tap do |spec|
+      eval(File.read(local_specification_path), nil, local_specification_path).tap do |spec|
         spec.loaded_from = @loaded_from
       end
     end
@@ -104,19 +120,36 @@ module Bundler
       @remote_specification = spec
     end
 
+    def inspect
+      "#<#{self.class} @name=\"#{name}\" (#{full_name.delete_prefix("#{name}-")})>"
+    end
+
     private
 
+    def _remote_specification
+      @_remote_specification ||= @spec_fetcher.fetch_spec([@name, @version, @platform])
+    end
+
     def local_specification_path
       "#{base_dir}/specifications/#{full_name}.gemspec"
     end
 
     def parse_metadata(data)
-      return unless data
+      unless data
+        @required_ruby_version = nil
+        @required_rubygems_version = nil
+        return
+      end
+
       data.each do |k, v|
         next unless v
         case k.to_s
         when "checksum"
-          @checksum = v.last
+          begin
+            @checksum = Checksum.from_api(v.last, @spec_fetcher.uri)
+          rescue ArgumentError => e
+            raise ArgumentError, "Invalid checksum for #{full_name}: #{e.message}"
+          end
         when "rubygems"
           @required_rubygems_version = Gem::Requirement.new(v)
         when "ruby"
@@ -129,13 +162,6 @@ module Bundler
 
     def build_dependency(name, requirements)
       Gem::Dependency.new(name, requirements)
-    rescue ArgumentError => e
-      raise unless e.message.include?(ILLFORMED_MESSAGE)
-      puts # we shouldn't print the error message on the "fetching info" status line
-      raise GemspecError,
-        "Unfortunately, the gem #{name} (#{version}) has an invalid " \
-        "gemspec.\nPlease ask the gem author to yank the bad version to fix " \
-        "this issue. For more information, see http://bit.ly/syck-defaultkey."
     end
   end
 end

data/lib/bundler/env.rb

@@ -40,11 +40,11 @@ module Bundler
 
         out << "\n## Gemfile\n"
         gemfiles.each do |gemfile|
-          out << "\n### #{Pathname.new(gemfile).relative_path_from(SharedHelpers.pwd)}\n\n"
+          out << "\n### #{SharedHelpers.relative_path_to(gemfile)}\n\n"
           out << "```ruby\n" << read_file(gemfile).chomp << "\n```\n"
         end
 
-        out << "\n### #{Bundler.default_lockfile.relative_path_from(SharedHelpers.pwd)}\n\n"
+        out << "\n### #{SharedHelpers.relative_path_to(Bundler.default_lockfile)}\n\n"
         out << "```\n" << read_file(Bundler.default_lockfile).chomp << "\n```\n"
       end
 
@@ -69,13 +69,11 @@ module Bundler
     end
 
     def self.ruby_version
-      str = String.new(RUBY_VERSION)
-      str << "p#{RUBY_PATCHLEVEL}" if defined? RUBY_PATCHLEVEL
-      str << " (#{RUBY_RELEASE_DATE} revision #{RUBY_REVISION}) [#{RUBY_PLATFORM}]"
+      "#{RUBY_VERSION}p#{RUBY_PATCHLEVEL} (#{RUBY_RELEASE_DATE} revision #{RUBY_REVISION}) [#{Gem::Platform.local}]"
     end
 
     def self.git_version
-      Bundler::Source::Git::GitProxy.new(nil, nil, nil).full_version
+      Bundler::Source::Git::GitProxy.new(nil, nil).full_version
     rescue Bundler::Source::Git::GitNotInstalledError
       "not installed"
     end
@@ -122,7 +120,7 @@ module Bundler
         specs = Bundler.rubygems.find_name(name)
         out << ["  #{name}", "(#{specs.map(&:version).join(",")})"] unless specs.empty?
       end
-      if (exe = caller.last.split(":").first) && exe =~ %r{(exe|bin)/bundler?\z}
+      if (exe = caller_locations.last.absolute_path)&.match? %r{(exe|bin)/bundler?\z}
         shebang = File.read(exe).lines.first
         shebang.sub!(/^#!\s*/, "")
         unless shebang.start_with?(Gem.ruby, "/usr/bin/env ruby")

data/lib/bundler/environment_preserver.rb

@@ -2,11 +2,12 @@
 
 module Bundler
   class EnvironmentPreserver
-    INTENTIONALLY_NIL = "BUNDLER_ENVIRONMENT_PRESERVER_INTENTIONALLY_NIL".freeze
+    INTENTIONALLY_NIL = "BUNDLER_ENVIRONMENT_PRESERVER_INTENTIONALLY_NIL"
     BUNDLER_KEYS = %w[
       BUNDLE_BIN_PATH
       BUNDLE_GEMFILE
       BUNDLER_VERSION
+      BUNDLER_SETUP
       GEM_HOME
       GEM_PATH
       MANPATH
@@ -15,17 +16,10 @@ module Bundler
       RUBYLIB
       RUBYOPT
     ].map(&:freeze).freeze
-    BUNDLER_PREFIX = "BUNDLER_ORIG_".freeze
+    BUNDLER_PREFIX = "BUNDLER_ORIG_"
 
     def self.from_env
-      new(env_to_hash(ENV), BUNDLER_KEYS)
-    end
-
-    def self.env_to_hash(env)
-      to_hash = env.to_hash
-      return to_hash unless Gem.win_platform?
-
-      to_hash.each_with_object({}) {|(k,v), a| a[k.upcase] = v }
+      new(ENV.to_hash, BUNDLER_KEYS)
     end
 
     # @param env [Hash]
@@ -38,15 +32,7 @@ module Bundler
 
     # Replaces `ENV` with the bundler environment variables backed up
     def replace_with_backup
-      ENV.replace(backup) unless Gem.win_platform?
-
-      # Fallback logic for Windows below to workaround
-      # https://bugs.ruby-lang.org/issues/16798. Can be dropped once all
-      # supported rubies include the fix for that.
-
-      ENV.clear
-
-      backup.each {|k, v| ENV[k] = v }
+      ENV.replace(backup)
     end
 
     # @return [Hash]
@@ -54,9 +40,9 @@ module Bundler
       env = @original.clone
       @keys.each do |key|
         value = env[key]
-        if !value.nil? && !value.empty?
+        if !value.nil?
           env[@prefix + key] ||= value
-        elsif value.nil?
+        else
           env[@prefix + key] ||= INTENTIONALLY_NIL
         end
       end
@@ -68,7 +54,7 @@ module Bundler
       env = @original.clone
       @keys.each do |key|
         value_original = env[@prefix + key]
-        next if value_original.nil? || value_original.empty?
+        next if value_original.nil?
         if value_original == INTENTIONALLY_NIL
           env.delete(key)
         else

data/lib/bundler/errors.rb

@@ -21,16 +21,7 @@ module Bundler
   class InstallError < BundlerError; status_code(5); end
 
   # Internal error, should be rescued
-  class VersionConflict < BundlerError
-    attr_reader :conflicts
-
-    def initialize(conflicts, msg = nil)
-      super(msg)
-      @conflicts = conflicts
-    end
-
-    status_code(6)
-  end
+  class SolveFailure < BundlerError; status_code(6); end
 
   class GemNotFound < BundlerError; status_code(7); end
   class InstallHookError < BundlerError; status_code(8); end
@@ -41,25 +32,69 @@ module Bundler
   class GemspecError < BundlerError; status_code(14); end
   class InvalidOption < BundlerError; status_code(15); end
   class ProductionError < BundlerError; status_code(16); end
+
   class HTTPError < BundlerError
     status_code(17)
     def filter_uri(uri)
       URICredentialsFilter.credential_filtered_uri(uri)
     end
   end
+
   class RubyVersionMismatch < BundlerError; status_code(18); end
   class SecurityError < BundlerError; status_code(19); end
   class LockfileError < BundlerError; status_code(20); end
   class CyclicDependencyError < BundlerError; status_code(21); end
   class GemfileLockNotFound < BundlerError; status_code(22); end
   class PluginError < BundlerError; status_code(29); end
-  class SudoNotPermittedError < BundlerError; status_code(30); end
   class ThreadCreationError < BundlerError; status_code(33); end
   class APIResponseMismatchError < BundlerError; status_code(34); end
   class APIResponseInvalidDependenciesError < BundlerError; status_code(35); end
   class GemfileEvalError < GemfileError; end
   class MarshalError < StandardError; end
 
+  class ChecksumMismatchError < SecurityError
+    def initialize(lock_name, existing, checksum)
+      @lock_name = lock_name
+      @existing = existing
+      @checksum = checksum
+    end
+
+    def message
+      <<~MESSAGE
+        Bundler found mismatched checksums. This is a potential security risk.
+          #{@lock_name} #{@existing.to_lock}
+            from #{@existing.sources.join("\n    and ")}
+          #{@lock_name} #{@checksum.to_lock}
+            from #{@checksum.sources.join("\n    and ")}
+
+        #{mismatch_resolution_instructions}
+        To ignore checksum security warnings, disable checksum validation with
+          `bundle config set --local disable_checksum_validation true`
+      MESSAGE
+    end
+
+    def mismatch_resolution_instructions
+      removable, remote = [@existing, @checksum].partition(&:removable?)
+      case removable.size
+      when 0
+        msg = +"Mismatched checksums each have an authoritative source:\n"
+        msg << "  1. #{@existing.sources.reject(&:removable?).map(&:to_s).join(" and ")}\n"
+        msg << "  2. #{@checksum.sources.reject(&:removable?).map(&:to_s).join(" and ")}\n"
+        msg << "You may need to alter your Gemfile sources to resolve this issue.\n"
+      when 1
+        msg = +"If you trust #{remote.first.sources.first}, to resolve this issue you can:\n"
+        msg << removable.first.removal_instructions
+      when 2
+        msg = +"To resolve this issue you can either:\n"
+        msg << @checksum.removal_instructions
+        msg << "or if you are sure that the new checksum from #{@checksum.sources.first} is correct:\n"
+        msg << @existing.removal_instructions
+      end
+    end
+
+    status_code(37)
+  end
+
   class PermissionError < BundlerError
     def initialize(path, permission_type = :write)
       @path = path
@@ -75,10 +110,22 @@ module Bundler
       end
     end
 
+    def permission_type
+      case @permission_type
+      when :create
+        "executable permissions for all parent directories and write permissions for `#{parent_folder}`"
+      else
+        "#{@permission_type} permissions for that path"
+      end
+    end
+
+    def parent_folder
+      File.dirname(@path)
+    end
+
     def message
       "There was an error while trying to #{action} `#{@path}`. " \
-      "It is likely that you need to grant #{@permission_type} permissions " \
-      "for that path."
+      "It is likely that you need to grant #{permission_type}."
     end
 
     status_code(23)
@@ -156,4 +203,57 @@ module Bundler
 
     status_code(32)
   end
+
+  class DirectoryRemovalError < BundlerError
+    def initialize(orig_exception, msg)
+      full_message = "#{msg}.\n" \
+                     "The underlying error was #{orig_exception.class}: #{orig_exception.message}, with backtrace:\n" \
+                     "  #{orig_exception.backtrace.join("\n  ")}\n\n" \
+                     "Bundler Error Backtrace:"
+      super(full_message)
+    end
+
+    status_code(36)
+  end
+
+  class InsecureInstallPathError < BundlerError
+    def initialize(name, path)
+      @name = name
+      @path = path
+    end
+
+    def message
+      "Bundler cannot reinstall #{@name} because there's a previous installation of it at #{@path} that is unsafe to remove.\n" \
+      "The parent of #{@path} is world-writable and does not have the sticky bit set, making it insecure to remove due to potential vulnerabilities.\n" \
+      "Please change the permissions of #{File.dirname(@path)} or choose a different install path."
+    end
+
+    status_code(38)
+  end
+
+  class CorruptBundlerInstallError < BundlerError
+    def initialize(loaded_spec)
+      @loaded_spec = loaded_spec
+    end
+
+    def message
+      "The running version of Bundler (#{Bundler::VERSION}) does not match the version of the specification installed for it (#{@loaded_spec.version}). " \
+      "This can be caused by reinstalling Ruby without removing previous installation, leaving around an upgraded default version of Bundler. " \
+      "Reinstalling Ruby from scratch should fix the problem."
+    end
+
+    status_code(39)
+  end
+
+  class InvalidArgumentError < BundlerError; status_code(40); end
+
+  class IncorrectLockfileDependencies < BundlerError
+    attr_reader :spec
+
+    def initialize(spec)
+      @spec = spec
+    end
+
+    status_code(41)
+  end
 end

data/lib/bundler/feature_flag.rb

@@ -33,13 +33,12 @@ module Bundler
     settings_flag(:default_install_uses_path) { bundler_3_mode? }
     settings_flag(:forget_cli_options) { bundler_3_mode? }
     settings_flag(:global_gem_cache) { bundler_3_mode? }
+    settings_flag(:lockfile_checksums) { bundler_3_mode? }
     settings_flag(:path_relative_to_cwd) { bundler_3_mode? }
     settings_flag(:plugins) { @bundler_version >= Gem::Version.new("1.14") }
     settings_flag(:print_only_version_number) { bundler_3_mode? }
     settings_flag(:setup_makes_kernel_gem_public) { !bundler_3_mode? }
-    settings_flag(:suppress_install_using_messages) { bundler_3_mode? }
     settings_flag(:update_requires_all_flag) { bundler_4_mode? }
-    settings_flag(:use_gem_version_promoter_for_major_updates) { bundler_3_mode? }
 
     settings_option(:default_cli_command) { bundler_3_mode? ? :cli_help : :install }
 

data/lib/bundler/fetcher/base.rb

@@ -6,12 +6,14 @@ module Bundler
       attr_reader :downloader
       attr_reader :display_uri
       attr_reader :remote
+      attr_reader :gem_remote_fetcher
 
-      def initialize(downloader, remote, display_uri)
+      def initialize(downloader, remote, display_uri, gem_remote_fetcher)
         raise "Abstract class" if self.class == Base
         @downloader = downloader
         @remote = remote
         @display_uri = display_uri
+        @gem_remote_fetcher = gem_remote_fetcher
       end
 
       def remote_uri
@@ -19,14 +21,12 @@ module Bundler
       end
 
       def fetch_uri
-        @fetch_uri ||= begin
-          if remote_uri.host == "rubygems.org"
-            uri = remote_uri.dup
-            uri.host = "index.rubygems.org"
-            uri
-          else
-            remote_uri
-          end
+        @fetch_uri ||= if remote_uri.host == "rubygems.org"
+          uri = remote_uri.dup
+          uri.host = "index.rubygems.org"
+          uri
+        else
+          remote_uri
         end
       end
 
@@ -40,9 +40,9 @@ module Bundler
 
       private
 
-      def log_specs(debug_msg)
+      def log_specs(&block)
         if Bundler.ui.debug?
-          Bundler.ui.debug debug_msg
+          Bundler.ui.debug yield
         else
           Bundler.ui.info ".", false
         end

data/lib/bundler/fetcher/compact_index.rb

@@ -4,25 +4,21 @@ require_relative "base"
 require_relative "../worker"
 
 module Bundler
-  autoload :CompactIndexClient, File.expand_path("../compact_index_client", __dir__)
-
   class Fetcher
     class CompactIndex < Base
       def self.compact_index_request(method_name)
         method = instance_method(method_name)
         undef_method(method_name)
         define_method(method_name) do |*args, &blk|
-          begin
-            method.bind(self).call(*args, &blk)
-          rescue NetworkDownError, CompactIndexClient::Updater::MisMatchedChecksumError => e
-            raise HTTPError, e.message
-          rescue AuthenticationRequiredError
-            # Fail since we got a 401 from the server.
-            raise
-          rescue HTTPError => e
-            Bundler.ui.trace(e)
-            nil
-          end
+          method.bind_call(self, *args, &blk)
+        rescue NetworkDownError, CompactIndexClient::Updater::MismatchedChecksumError => e
+          raise HTTPError, e.message
+        rescue AuthenticationRequiredError, BadAuthenticationError
+          # Fail since we got a 401 from the server.
+          raise
+        rescue HTTPError => e
+          Bundler.ui.trace(e)
+          nil
         end
       end
 
@@ -37,43 +33,27 @@ module Bundler
         remaining_gems = gem_names.dup
 
         until remaining_gems.empty?
-          log_specs "Looking up gems #{remaining_gems.inspect}"
-
-          deps = begin
-                   parallel_compact_index_client.dependencies(remaining_gems)
-                 rescue TooManyRequestsError
-                   @bundle_worker.stop if @bundle_worker
-                   @bundle_worker = nil # reset it.  Not sure if necessary
-                   serial_compact_index_client.dependencies(remaining_gems)
-                 end
-          next_gems = deps.map {|d| d[3].map(&:first).flatten(1) }.flatten(1).uniq
+          log_specs { "Looking up gems #{remaining_gems.inspect}" }
+          deps = fetch_gem_infos(remaining_gems).flatten(1)
+          next_gems = deps.flat_map {|d| d[CompactIndexClient::INFO_DEPS].flat_map(&:first) }.uniq
           deps.each {|dep| gem_info << dep }
           complete_gems.concat(deps.map(&:first)).uniq!
           remaining_gems = next_gems - complete_gems
         end
-        @bundle_worker.stop if @bundle_worker
+        @bundle_worker&.stop
         @bundle_worker = nil # reset it.  Not sure if necessary
 
         gem_info
       end
 
-      def fetch_spec(spec)
-        spec -= [nil, "ruby", ""]
-        contents = compact_index_client.spec(*spec)
-        return nil if contents.nil?
-        contents.unshift(spec.first)
-        contents[3].map! {|d| Gem::Dependency.new(*d) }
-        EndpointSpecification.new(*contents)
-      end
-      compact_index_request :fetch_spec
-
       def available?
-        return nil unless SharedHelpers.md5_available?
-        user_home = Bundler.user_home
-        return nil unless user_home.directory? && user_home.writable?
+        unless SharedHelpers.md5_available?
+          Bundler.ui.debug("FIPS mode is enabled, bundler can't use the CompactIndex API")
+          return nil
+        end
         # Read info file checksums out of /versions, so we can know if gems are up to date
-        fetch_uri.scheme != "file" && compact_index_client.update_and_parse_checksums!
-      rescue CompactIndexClient::Updater::MisMatchedChecksumError => e
+        compact_index_client.available?
+      rescue CompactIndexClient::Updater::MismatchedChecksumError => e
         Bundler.ui.debug(e.message)
         nil
       end
@@ -92,20 +72,20 @@ module Bundler
           end
       end
 
-      def parallel_compact_index_client
-        compact_index_client.execution_mode = lambda do |inputs, &blk|
-          func = lambda {|object, _index| blk.call(object) }
-          worker = bundle_worker(func)
-          inputs.each {|input| worker.enq(input) }
-          inputs.map { worker.deq }
-        end
-
-        compact_index_client
+      def fetch_gem_infos(names)
+        in_parallel(names) {|name| compact_index_client.info(name) }
+      rescue TooManyRequestsError # rubygems.org is rate limiting us, slow down.
+        @bundle_worker&.stop
+        @bundle_worker = nil # reset it.  Not sure if necessary
+        compact_index_client.reset!
+        names.map {|name| compact_index_client.info(name) }
       end
 
-      def serial_compact_index_client
-        compact_index_client.sequential_execution_mode!
-        compact_index_client
+      def in_parallel(inputs, &blk)
+        func = lambda {|object, _index| blk.call(object) }
+        worker = bundle_worker(func)
+        inputs.each {|input| worker.enq(input) }
+        inputs.map { worker.deq }
       end
 
       def bundle_worker(func = nil)
@@ -132,7 +112,7 @@ module Bundler
         rescue NetworkDownError => e
           raise unless Bundler.feature_flag.allow_offline_install? && headers["If-None-Match"]
           ui.warn "Using the cached data for the new index because of a network error: #{e}"
-          Net::HTTPNotModified.new(nil, nil, nil)
+          Gem::Net::HTTPNotModified.new(nil, nil, nil)
         end
       end
     end

data/lib/bundler/fetcher/dependency.rb

@@ -24,7 +24,7 @@ module Bundler
       def specs(gem_names, full_dependency_list = [], last_spec_list = [])
         query_list = gem_names.uniq - full_dependency_list
 
-        log_specs "Query List: #{query_list.inspect}"
+        log_specs { "Query List: #{query_list.inspect}" }
 
         return last_spec_list if query_list.empty?
 
@@ -34,14 +34,10 @@ module Bundler
 
         returned_gems = spec_list.map(&:first).uniq
         specs(deps_list, full_dependency_list + returned_gems, spec_list + last_spec_list)
-      rescue MarshalError
+      rescue MarshalError, HTTPError, GemspecError
         Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
         Bundler.ui.debug "could not fetch from the dependency API, trying the full index"
         nil
-      rescue HTTPError, GemspecError
-        Bundler.ui.info "" unless Bundler.ui.debug? # new line now that the dots are over
-        Bundler.ui.debug "could not fetch from the dependency API\nit's suggested to retry using the full index via `bundle install --full-index`"
-        nil
       end
 
       def dependency_specs(gem_names)
@@ -55,7 +51,7 @@ module Bundler
         gem_list = []
         gem_names.each_slice(Source::Rubygems::API_REQUEST_SIZE) do |names|
           marshalled_deps = downloader.fetch(dependency_api_uri(names)).body
-          gem_list.concat(Bundler.load_marshal(marshalled_deps))
+          gem_list.concat(Bundler.safe_load_marshal(marshalled_deps))
         end
         gem_list
       end