dependabot-bundler 0.95.6 → 0.95.7

data/lib/dependabot/bundler/file_updater.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require "dependabot/file_updaters"
+require "dependabot/file_updaters/base"
+
+module Dependabot
+  module Bundler
+    class FileUpdater < Dependabot::FileUpdaters::Base
+      require_relative "file_updater/gemfile_updater"
+      require_relative "file_updater/gemspec_updater"
+      require_relative "file_updater/lockfile_updater"
+
+      def self.updated_files_regex
+        [
+          /^Gemfile$/,
+          /^Gemfile\.lock$/,
+          /^gems\.rb$/,
+          /^gems\.locked$/,
+          /^*\.gemspec$/
+        ]
+      end
+
+      def updated_dependency_files
+        updated_files = []
+
+        if gemfile && file_changed?(gemfile)
+          updated_files <<
+            updated_file(
+              file: gemfile,
+              content: updated_gemfile_content(gemfile)
+            )
+        end
+
+        if lockfile && dependencies.any?(&:appears_in_lockfile?)
+          updated_files <<
+            updated_file(file: lockfile, content: updated_lockfile_content)
+        end
+
+        top_level_gemspecs.each do |file|
+          next unless file_changed?(file)
+
+          updated_files <<
+            updated_file(file: file, content: updated_gemspec_content(file))
+        end
+
+        evaled_gemfiles.each do |file|
+          next unless file_changed?(file)
+
+          updated_files <<
+            updated_file(file: file, content: updated_gemfile_content(file))
+        end
+
+        updated_files
+      end
+
+      private
+
+      def check_required_files
+        file_names = dependency_files.map(&:name)
+
+        if lockfile && !gemfile
+          raise "A Gemfile must be provided if a lockfile is!"
+        end
+
+        return if file_names.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+        return if gemfile
+
+        raise "A gemspec or Gemfile must be provided!"
+      end
+
+      def gemfile
+        @gemfile ||= get_original_file("Gemfile") ||
+                     get_original_file("gems.rb")
+      end
+
+      def lockfile
+        @lockfile ||= get_original_file("Gemfile.lock") ||
+                      get_original_file("gems.locked")
+      end
+
+      def evaled_gemfiles
+        @evaled_gemfiles ||=
+          dependency_files.
+          reject { |f| f.name.end_with?(".gemspec") }.
+          reject { |f| f.name.end_with?(".lock") }.
+          reject { |f| f.name.end_with?(".ruby-version") }.
+          reject { |f| f.name == "Gemfile" }.
+          reject { |f| f.name == "gems.rb" }.
+          reject { |f| f.name == "gems.locked" }
+      end
+
+      def updated_gemfile_content(file)
+        GemfileUpdater.new(
+          dependencies: dependencies,
+          gemfile: file
+        ).updated_gemfile_content
+      end
+
+      def updated_gemspec_content(gemspec)
+        GemspecUpdater.new(
+          dependencies: dependencies,
+          gemspec: gemspec
+        ).updated_gemspec_content
+      end
+
+      def updated_lockfile_content
+        @updated_lockfile_content ||=
+          LockfileUpdater.new(
+            dependencies: dependencies,
+            dependency_files: dependency_files,
+            credentials: credentials
+          ).updated_lockfile_content
+      end
+
+      def top_level_gemspecs
+        dependency_files.
+          select { |file| file.name.end_with?(".gemspec") }.
+          reject(&:support_file?)
+      end
+    end
+  end
+end
+
+Dependabot::FileUpdaters.
+  register("bundler", Dependabot::Bundler::FileUpdater)

data/lib/dependabot/bundler/metadata_finder.rb

@@ -0,0 +1,204 @@
+# frozen_string_literal: true
+
+require "excon"
+require "dependabot/metadata_finders"
+require "dependabot/metadata_finders/base"
+
+module Dependabot
+  module Bundler
+    class MetadataFinder < Dependabot::MetadataFinders::Base
+      SOURCE_KEYS = %w(
+        source_code_uri
+        homepage_uri
+        wiki_uri
+        bug_tracker_uri
+        documentation_uri
+        changelog_uri
+        mailing_list_uri
+        download_uri
+      ).freeze
+
+      def homepage_url
+        return super unless %w(default rubygems).include?(new_source_type)
+        return super unless rubygems_api_response["homepage_uri"]
+
+        rubygems_api_response["homepage_uri"]
+      end
+
+      private
+
+      def look_up_source
+        case new_source_type
+        when "git" then find_source_from_git_url
+        when "default", "rubygems" then find_source_from_rubygems
+        else raise "Unexpected source type: #{new_source_type}"
+        end
+      end
+
+      def new_source_type
+        sources =
+          dependency.requirements.map { |r| r.fetch(:source) }.uniq.compact
+
+        return "default" if sources.empty?
+        raise "Multiple sources! #{sources.join(', ')}" if sources.count > 1
+
+        sources.first[:type] || sources.first.fetch("type")
+      end
+
+      def find_source_from_rubygems
+        api_source = find_source_from_rubygems_api_response
+        return api_source if api_source || new_source_type == "default"
+
+        find_source_from_gemspec_download
+      end
+
+      def find_source_from_rubygems_api_response
+        source_url = rubygems_api_response.
+                     values_at(*SOURCE_KEYS).
+                     compact.
+                     find { |url| Source.from_url(url) }
+
+        Source.from_url(source_url)
+      end
+
+      def find_source_from_git_url
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+
+        url = info[:url] || info.fetch("url")
+        Source.from_url(url)
+      end
+
+      def find_source_from_gemspec_download
+        github_urls = []
+        return unless rubygems_marshalled_gemspec_response
+
+        rubygems_marshalled_gemspec_response.scan(Source::SOURCE_REGEX) do
+          github_urls << Regexp.last_match.to_s
+        end
+
+        source_url = github_urls.find do |url|
+          repo = Source.from_url(url).repo
+          repo.downcase.end_with?(dependency.name)
+        end
+        return unless source_url
+
+        Source.from_url(source_url)
+      end
+
+      # Note: This response MUST NOT be unmarshalled
+      # (as calling Marshal.load is unsafe)
+      def rubygems_marshalled_gemspec_response
+        if defined?(@rubygems_marshalled_gemspec_response)
+          return @rubygems_marshalled_gemspec_response
+        end
+
+        gemspec_uri =
+          "#{registry_url}quick/Marshal.4.8/"\
+          "#{dependency.name}-#{dependency.version}.gemspec.rz"
+
+        response =
+          Excon.get(
+            gemspec_uri,
+            headers: registry_auth_headers,
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+
+        if response.status >= 400
+          return @rubygems_marshalled_gemspec_response = nil
+        end
+
+        @rubygems_marshalled_gemspec_response =
+          Zlib::Inflate.inflate(response.body)
+      rescue Zlib::DataError
+        @rubygems_marshalled_gemspec_response = nil
+      end
+
+      def rubygems_api_response
+        return @rubygems_api_response if defined?(@rubygems_api_response)
+
+        response =
+          Excon.get(
+            "#{registry_url}api/v1/gems/#{dependency.name}.json",
+            headers: registry_auth_headers,
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+        return @rubygems_api_response = {} if response.status >= 400
+
+        response_body = response.body
+        response_body = augment_private_response_if_appropriate(response_body)
+
+        @rubygems_api_response = JSON.parse(response_body)
+        append_slash_to_source_code_uri(@rubygems_api_response)
+      rescue JSON::ParserError, Excon::Error::Timeout
+        @rubygems_api_response = {}
+      end
+
+      def append_slash_to_source_code_uri(listing)
+        # We have to do this so that `Source.from_url(...)` doesn't prune the
+        # last line off of the directory.
+        return listing unless listing&.fetch("source_code_uri", nil)
+        return listing if listing.fetch("source_code_uri").end_with?("/")
+
+        listing["source_code_uri"] = listing["source_code_uri"] + "/"
+        listing
+      end
+
+      def augment_private_response_if_appropriate(response_body)
+        return response_body if new_source_type == "default"
+
+        parsed_body = JSON.parse(response_body)
+        return response_body if (SOURCE_KEYS - parsed_body.keys).none?
+
+        digest = parsed_body.values_at("version", "authors", "info").hash
+
+        source_url = parsed_body.
+                     values_at(*SOURCE_KEYS).
+                     compact.
+                     find { |url| Source.from_url(url) }
+        return response_body if source_url
+
+        rubygems_response =
+          Excon.get(
+            "https://rubygems.org/api/v1/gems/#{dependency.name}.json",
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+        parsed_rubygems_body = JSON.parse(rubygems_response.body)
+        rubygems_digest =
+          parsed_rubygems_body.values_at("version", "authors", "info").hash
+
+        digest == rubygems_digest ? rubygems_response.body : response_body
+      rescue JSON::ParserError, Excon::Error::Socket, Excon::Error::Timeout
+        response_body
+      end
+
+      def registry_url
+        return "https://rubygems.org/" if new_source_type == "default"
+
+        info = dependency.requirements.map { |r| r[:source] }.compact.first
+        info[:url] || info.fetch("url")
+      end
+
+      def registry_auth_headers
+        return {} unless new_source_type == "rubygems"
+
+        token =
+          credentials.
+          select { |cred| cred["type"] == "rubygems_server" }.
+          find { |cred| registry_url.include?(cred["host"]) }&.
+          fetch("token")
+
+        return {} unless token
+
+        token += ":" unless token.include?(":")
+        encoded_token = Base64.encode64(token).delete("\n")
+        { "Authorization" => "Basic #{encoded_token}" }
+      end
+    end
+  end
+end
+
+Dependabot::MetadataFinders.
+  register("bundler", Dependabot::Bundler::MetadataFinder)

data/lib/dependabot/bundler/requirement.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "dependabot/utils"
+
+module Dependabot
+  module Bundler
+    class Requirement < Gem::Requirement
+      # For consistency with other langauges, we define a requirements array.
+      # Ruby doesn't have an `OR` separator for requirements, so it always
+      # contains a single element.
+      def self.requirements_array(requirement_string)
+        [new(requirement_string)]
+      end
+
+      # Patches Gem::Requirement to make it accept requirement strings like
+      # "~> 4.2.5, >= 4.2.5.1" without first needing to split them.
+      def initialize(*requirements)
+        requirements = requirements.flatten.flat_map do |req_string|
+          req_string.split(",")
+        end
+
+        super(requirements)
+      end
+    end
+  end
+end
+
+Dependabot::Utils.
+  register_requirement_class("bundler", Dependabot::Bundler::Requirement)

data/lib/dependabot/bundler/update_checker/file_preparer.rb

@@ -0,0 +1,279 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/bundler/update_checker"
+require "dependabot/bundler/file_updater/gemspec_sanitizer"
+require "dependabot/bundler/file_updater/git_pin_replacer"
+require "dependabot/bundler/file_updater/git_source_remover"
+require "dependabot/bundler/file_updater/requirement_replacer"
+require "dependabot/bundler/file_updater/gemspec_dependency_name_finder"
+require "dependabot/bundler/file_updater/lockfile_updater"
+require "dependabot/bundler/update_checker/ruby_requirement_setter"
+
+module Dependabot
+  module Bundler
+    class UpdateChecker
+      # This class takes a set of dependency files and sanitizes them for use
+      # in UpdateCheckers::Ruby::Bundler. In particular, it:
+      # - Removes any version requirement on the dependency being updated
+      #   (in the Gemfile)
+      # - Sanitizes any provided gemspecs to remove file imports etc. (since
+      #   Dependabot doesn't pull down the entire repo). This process is
+      #   imperfect - an alternative would be to clone the repo
+      # - Sets the ruby version in the Gemfile to be the lowest possible
+      #   version allowed by the gemspec, if the gemspec has a required ruby
+      #   version range
+      class FilePreparer
+        VERSION_REGEX = /[0-9]+(?:\.[A-Za-z0-9\-_]+)*/.freeze
+
+        # Can't be a constant because some of these don't exist in bundler
+        # 1.15, which Heroku uses, which causes an exception on boot.
+        def gemspec_sources
+          [
+            ::Bundler::Source::Path,
+            ::Bundler::Source::Gemspec
+          ]
+        end
+
+        def initialize(dependency_files:, dependency:,
+                       remove_git_source: false,
+                       unlock_requirement: true,
+                       replacement_git_pin: nil,
+                       latest_allowable_version: nil,
+                       lock_ruby_version: true)
+          @dependency_files         = dependency_files
+          @dependency               = dependency
+          @remove_git_source        = remove_git_source
+          @unlock_requirement       = unlock_requirement
+          @replacement_git_pin      = replacement_git_pin
+          @latest_allowable_version = latest_allowable_version
+          @lock_ruby_version        = lock_ruby_version
+        end
+
+        # rubocop:disable Metrics/AbcSize
+        # rubocop:disable Metrics/MethodLength
+        def prepared_dependency_files
+          files = []
+
+          if gemfile
+            files << DependencyFile.new(
+              name: gemfile.name,
+              content: gemfile_content_for_update_check(gemfile),
+              directory: gemfile.directory
+            )
+          end
+
+          top_level_gemspecs.each do |gemspec|
+            files << DependencyFile.new(
+              name: gemspec.name,
+              content: gemspec_content_for_update_check(gemspec),
+              directory: gemspec.directory
+            )
+          end
+
+          path_gemspecs.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: sanitize_gemspec_content(file.content),
+              directory: file.directory,
+              support_file: file.support_file?
+            )
+          end
+
+          evaled_gemfiles.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: gemfile_content_for_update_check(file),
+              directory: file.directory
+            )
+          end
+
+          # No editing required for lockfile or Ruby version file
+          files += [lockfile, ruby_version_file, *imported_ruby_files].compact
+        end
+        # rubocop:enable Metrics/AbcSize
+        # rubocop:enable Metrics/MethodLength
+
+        private
+
+        attr_reader :dependency_files, :dependency, :replacement_git_pin,
+                    :latest_allowable_version
+
+        def remove_git_source?
+          @remove_git_source
+        end
+
+        def unlock_requirement?
+          @unlock_requirement
+        end
+
+        def replace_git_pin?
+          !replacement_git_pin.nil?
+        end
+
+        def gemfile
+          dependency_files.find { |f| f.name == "Gemfile" } ||
+            dependency_files.find { |f| f.name == "gems.rb" }
+        end
+
+        def evaled_gemfiles
+          dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+
+        def lockfile
+          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+            dependency_files.find { |f| f.name == "gems.locked" }
+        end
+
+        def top_level_gemspecs
+          dependency_files.
+            select { |f| f.name.end_with?(".gemspec") }.
+            reject(&:support_file?)
+        end
+
+        def ruby_version_file
+          dependency_files.find { |f| f.name == ".ruby-version" }
+        end
+
+        def path_gemspecs
+          all = dependency_files.select { |f| f.name.end_with?(".gemspec") }
+          all - top_level_gemspecs
+        end
+
+        def imported_ruby_files
+          dependency_files.
+            select { |f| f.name.end_with?(".rb") }.
+            reject { |f| f.name == "gems.rb" }
+        end
+
+        def gemfile_content_for_update_check(file)
+          content = file.content
+          content = replace_gemfile_constraint(content, file.name)
+          content = remove_git_source(content) if remove_git_source?
+          content = replace_git_pin(content) if replace_git_pin?
+          content = lock_ruby_version(content) if lock_ruby_version?(file)
+          content
+        end
+
+        def gemspec_content_for_update_check(gemspec)
+          content = gemspec.content
+          content = replace_gemspec_constraint(content, gemspec.name)
+          sanitize_gemspec_content(content)
+        end
+
+        def replace_gemfile_constraint(content, filename)
+          FileUpdater::RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemfile,
+            updated_requirement: updated_version_requirement_string(filename),
+            insert_if_bare: true
+          ).rewrite(content)
+        end
+
+        def replace_gemspec_constraint(content, filename)
+          FileUpdater::RequirementReplacer.new(
+            dependency: dependency,
+            file_type: :gemspec,
+            updated_requirement: updated_version_requirement_string(filename),
+            insert_if_bare: true
+          ).rewrite(content)
+        end
+
+        def sanitize_gemspec_content(gemspec_content)
+          new_version = replacement_version_for_gemspec(gemspec_content)
+
+          FileUpdater::GemspecSanitizer.
+            new(replacement_version: new_version).
+            rewrite(gemspec_content)
+        end
+
+        def updated_version_requirement_string(filename)
+          lower_bound_req = updated_version_req_lower_bound(filename)
+
+          return lower_bound_req if latest_allowable_version.nil?
+          unless Gem::Version.correct?(latest_allowable_version)
+            return lower_bound_req
+          end
+
+          lower_bound_req + ", <= #{latest_allowable_version}"
+        end
+
+        def updated_version_req_lower_bound(filename)
+          original_req = dependency.requirements.
+                         find { |r| r.fetch(:file) == filename }&.
+                         fetch(:requirement)
+
+          if original_req && !unlock_requirement? then original_req
+          elsif dependency.version&.match?(/^[0-9a-f]{40}$/) then ">= 0"
+          elsif dependency.version then ">= #{dependency.version}"
+          else
+            version_for_requirement =
+              dependency.requirements.map { |r| r[:requirement] }.
+              reject { |req_string| req_string.start_with?("<") }.
+              select { |req_string| req_string.match?(VERSION_REGEX) }.
+              map { |req_string| req_string.match(VERSION_REGEX) }.
+              select { |version| Gem::Version.correct?(version) }.
+              max_by { |version| Gem::Version.new(version) }
+
+            ">= #{version_for_requirement || 0}"
+          end
+        end
+
+        def remove_git_source(content)
+          FileUpdater::GitSourceRemover.new(
+            dependency: dependency
+          ).rewrite(content)
+        end
+
+        def replace_git_pin(content)
+          FileUpdater::GitPinReplacer.new(
+            dependency: dependency,
+            new_pin: replacement_git_pin
+          ).rewrite(content)
+        end
+
+        def lock_ruby_version(gemfile_content)
+          top_level_gemspecs.each do |gs|
+            gemfile_content =
+              RubyRequirementSetter.new(gemspec: gs).rewrite(gemfile_content)
+          end
+
+          gemfile_content
+        end
+
+        def lock_ruby_version?(file)
+          @lock_ruby_version && file == gemfile
+        end
+
+        def replacement_version_for_gemspec(gemspec_content)
+          return "0.0.1" unless lockfile
+
+          gemspec_specs =
+            ::Bundler::LockfileParser.new(sanitized_lockfile_content).specs.
+            select { |s| gemspec_sources.include?(s.source.class) }
+
+          gem_name =
+            FileUpdater::GemspecDependencyNameFinder.
+            new(gemspec_content: gemspec_content).
+            dependency_name
+
+          return gemspec_specs.first&.version || "0.0.1" unless gem_name
+
+          spec = gemspec_specs.find { |s| s.name == gem_name }
+          spec&.version || gemspec_specs.first&.version || "0.0.1"
+        end
+
+        def sanitized_lockfile_content
+          re = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
+          lockfile.content.gsub(re, "")
+        end
+      end
+    end
+  end
+end