dependabot-bundler 0.95.6 → 0.95.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6f9e379564416aff2841e1bccf1b420dd167eb77fb5647b3a1741d49a8d53a67
-  data.tar.gz: 3dbbaae582caf3e6380842c6b4f893002eb5062819cd249c3a24e22dc5749b51
+  metadata.gz: 7c6c9dbd8b8a661f9e5ea65669d1e7b62c500962eca6f678694aaf453097a129
+  data.tar.gz: 1232449ea7f3a20430eed31c086c4f682f269405f7f3ed04ed7f49f387e3393e
 SHA512:
-  metadata.gz: d5881f87654a931b002b2db3a1a128f43fd2f378acbaff69e77710cb81ed9133b5711bc98ee2bc27c2e56feb3eb71b3dc16e2b4fdd269c41c977734239522e95
-  data.tar.gz: eb4c477200b043f59e4de9c6e468d71be947468ac7cf980d62c3828c1a528e1f25f4559c1f6fdf153fdf04208fe0c855c0cad5ed664d388b7eef3dcdaba3a9b0
+  metadata.gz: 4711f733fd5af8bce8ed4ea4c437b891f4bafd16eec7b1d5d4402a50cad9710feb052ef9afe88edf747c505f65a52f95bb5cc017a96b4796e25c270bec98704a
+  data.tar.gz: 7f16f6ebb4fc3712b8dcc91969986016f7dac9ccea85e21aef7b95396dbe19077ab2f55d565f25a89da67f5a9439fc7e058e2a2951e2f36a0252a50bdf20682e

data/lib/dependabot/bundler/file_fetcher/child_gemfile_finder.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "parser/current"
+require "dependabot/bundler/file_fetcher"
+require "dependabot/errors"
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # Finds the paths of any Gemfiles declared using `eval_gemfile` in the
+      # passed Gemfile.
+      class ChildGemfileFinder
+        def initialize(gemfile:)
+          @gemfile = gemfile
+        end
+
+        def child_gemfile_paths
+          ast = Parser::CurrentRuby.parse(gemfile.content)
+          find_child_gemfile_paths(ast)
+        rescue Parser::SyntaxError
+          raise Dependabot::DependencyFileNotParseable, gemfile.path
+        end
+
+        private
+
+        attr_reader :gemfile
+
+        # rubocop:disable Security/Eval
+        def find_child_gemfile_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_eval_gemfile?(node)
+            # We use eval here, but we know what we're doing. The FileFetchers
+            # helper method should only ever be run in an isolated environment
+            source = node.children[2].loc.expression.source
+            begin
+              path = eval(source)
+            rescue StandardError
+              return []
+            end
+            if Pathname.new(path).absolute?
+              base_path = Pathname.new(File.expand_path(Dir.pwd))
+              path = Pathname.new(path).relative_path_from(base_path).to_s
+            end
+            path = File.join(current_dir, path) unless current_dir.nil?
+            return [Pathname.new(path).cleanpath.to_path]
+          end
+
+          node.children.flat_map do |child_node|
+            find_child_gemfile_paths(child_node)
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        def current_dir
+          @current_dir ||= gemfile.name.split("/")[0..-2].last
+        end
+
+        def declares_eval_gemfile?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :eval_gemfile
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_fetcher/gemspec_finder.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "parser/current"
+require "dependabot/bundler/file_fetcher"
+require "dependabot/errors"
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # Finds the directories of any gemspecs declared using `gemspec` in the
+      # passed Gemfile.
+      class GemspecFinder
+        def initialize(gemfile:)
+          @gemfile = gemfile
+        end
+
+        def gemspec_directories
+          ast = Parser::CurrentRuby.parse(gemfile.content)
+          find_gemspec_paths(ast)
+        rescue Parser::SyntaxError
+          raise Dependabot::DependencyFileNotParseable, gemfile.path
+        end
+
+        private
+
+        attr_reader :gemfile
+
+        # rubocop:disable Security/Eval
+        def find_gemspec_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_gemspec_dependency?(node)
+            path_node = path_node_for_gem_declaration(node)
+            return [clean_path(".")] unless path_node
+
+            begin
+              # We use eval here, but we know what we're doing. The
+              # FileFetchers helper method should only ever be run in an
+              # isolated environment
+              path = eval(path_node.loc.expression.source)
+            rescue StandardError
+              return []
+            end
+            return [clean_path(path)]
+          end
+
+          node.children.flat_map do |child_node|
+            find_gemspec_paths(child_node)
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        def current_dir
+          @current_dir ||= gemfile.name.rpartition("/").first
+          @current_dir = nil if @current_dir == ""
+          @current_dir
+        end
+
+        def declares_gemspec_dependency?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :gemspec
+        end
+
+        def clean_path(path)
+          if Pathname.new(path).absolute?
+            base_path = Pathname.new(File.expand_path(Dir.pwd))
+            path = Pathname.new(path).relative_path_from(base_path).to_s
+          end
+          path = File.join(current_dir, path) unless current_dir.nil?
+          Pathname.new(path).cleanpath
+        end
+
+        def path_node_for_gem_declaration(node)
+          return unless node.children.last.is_a?(Parser::AST::Node)
+          return unless node.children.last.type == :hash
+
+          kwargs_node = node.children.last
+
+          path_hash_pair =
+            kwargs_node.children.
+            find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
+
+          return unless path_hash_pair
+
+          path_hash_pair.children.last
+        end
+
+        def key_from_hash_pair(node)
+          node.children.first.children.first.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_fetcher/path_gemspec_finder.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "parser/current"
+require "dependabot/bundler/file_fetcher"
+require "dependabot/errors"
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # Finds the paths of any gemspecs declared using `path: ` in the
+      # passed Gemfile.
+      class PathGemspecFinder
+        def initialize(gemfile:)
+          @gemfile = gemfile
+        end
+
+        def path_gemspec_paths
+          ast = Parser::CurrentRuby.parse(gemfile.content)
+          find_path_gemspec_paths(ast)
+        rescue Parser::SyntaxError
+          raise Dependabot::DependencyFileNotParseable, gemfile.path
+        end
+
+        private
+
+        attr_reader :gemfile
+
+        # rubocop:disable Security/Eval
+        def find_path_gemspec_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_path_dependency?(node)
+            path_node = path_node_for_gem_declaration(node)
+
+            begin
+              # We use eval here, but we know what we're doing. The
+              # FileFetchers helper method should only ever be run in an
+              # isolated environment
+              path = eval(path_node.loc.expression.source)
+            rescue StandardError
+              return []
+            end
+            return [clean_path(path)]
+          end
+
+          relevant_child_nodes(node).flat_map do |child_node|
+            find_path_gemspec_paths(child_node)
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        def current_dir
+          @current_dir ||= gemfile.name.rpartition("/").first
+          @current_dir = nil if @current_dir == ""
+          @current_dir
+        end
+
+        def declares_path_dependency?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+          return false unless node.children[1] == :gem
+
+          !path_node_for_gem_declaration(node).nil?
+        end
+
+        def clean_path(path)
+          if Pathname.new(path).absolute?
+            base_path = Pathname.new(File.expand_path(Dir.pwd))
+            path = Pathname.new(path).relative_path_from(base_path).to_s
+          end
+          path = File.join(current_dir, path) unless current_dir.nil?
+          Pathname.new(path).cleanpath
+        end
+
+        # rubocop:disable Security/Eval
+        def relevant_child_nodes(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+          return node.children unless node.type == :if
+
+          begin
+            if eval(node.children.first.loc.expression.source)
+              [node.children[1]]
+            else
+              [node.children[2]]
+            end
+          rescue StandardError
+            return node.children
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        def path_node_for_gem_declaration(node)
+          return unless node.children.last.type == :hash
+
+          kwargs_node = node.children.last
+
+          path_hash_pair =
+            kwargs_node.children.
+            find { |hash_pair| key_from_hash_pair(hash_pair) == :path }
+
+          return unless path_hash_pair
+
+          path_hash_pair.children.last
+        end
+
+        def key_from_hash_pair(node)
+          node.children.first.children.first.to_sym
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_fetcher/require_relative_finder.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "parser/current"
+require "dependabot/bundler/file_fetcher"
+require "dependabot/errors"
+
+module Dependabot
+  module Bundler
+    class FileFetcher
+      # Finds the paths of any files included using `require_relative` in the
+      # passed file.
+      class RequireRelativeFinder
+        def initialize(file:)
+          @file = file
+        end
+
+        def require_relative_paths
+          ast = Parser::CurrentRuby.parse(file.content)
+          find_require_relative_paths(ast)
+        rescue Parser::SyntaxError
+          raise Dependabot::DependencyFileNotParseable, file.path
+        end
+
+        private
+
+        attr_reader :file
+
+        # rubocop:disable Security/Eval
+        def find_require_relative_paths(node)
+          return [] unless node.is_a?(Parser::AST::Node)
+
+          if declares_require_relative?(node)
+            # We use eval here, but we know what we're doing. The FileFetchers
+            # helper method should only ever be run in an isolated environment
+            source = node.children[2].loc.expression.source
+            begin
+              path = eval(source)
+            rescue StandardError
+              return []
+            end
+
+            path = File.join(current_dir, path) unless current_dir.nil?
+            return [Pathname.new(path + ".rb").cleanpath.to_path]
+          end
+
+          node.children.flat_map do |child_node|
+            find_require_relative_paths(child_node)
+          end
+        end
+        # rubocop:enable Security/Eval
+
+        def current_dir
+          @current_dir ||= file.name.split("/")[0..-2].last
+        end
+
+        def declares_require_relative?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children[1] == :require_relative
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_fetcher.rb

@@ -0,0 +1,216 @@
+# frozen_string_literal: true
+
+require "dependabot/file_fetchers"
+require "dependabot/file_fetchers/base"
+require "dependabot/bundler/file_updater/lockfile_updater"
+require "dependabot/errors"
+
+module Dependabot
+  module Bundler
+    class FileFetcher < Dependabot::FileFetchers::Base
+      require "dependabot/bundler/file_fetcher/gemspec_finder"
+      require "dependabot/bundler/file_fetcher/path_gemspec_finder"
+      require "dependabot/bundler/file_fetcher/child_gemfile_finder"
+      require "dependabot/bundler/file_fetcher/require_relative_finder"
+
+      def self.required_files_in?(filenames)
+        if filenames.any? { |name| name.match?(%r{^[^/]*\.gemspec$}) }
+          return true
+        end
+
+        filenames.include?("Gemfile") || filenames.include?("gems.rb")
+      end
+
+      def self.required_files_message
+        "Repo must contain either a Gemfile, a gemspec, or a gems.rb."
+      end
+
+      private
+
+      def fetch_files
+        fetched_files = []
+        fetched_files << gemfile if gemfile
+        fetched_files << lockfile if gemfile && lockfile
+        fetched_files += child_gemfiles
+        fetched_files += gemspecs
+        fetched_files << ruby_version_file if ruby_version_file
+        fetched_files += path_gemspecs
+        fetched_files += require_relative_files(fetched_files)
+
+        fetched_files = uniq_files(fetched_files)
+
+        check_required_files_present
+
+        unless self.class.required_files_in?(fetched_files.map(&:name))
+          raise "Invalid set of files: #{fetched_files.map(&:name)}"
+        end
+
+        fetched_files
+      end
+
+      def uniq_files(fetched_files)
+        uniq_files = fetched_files.reject(&:support_file?).uniq
+        uniq_files += fetched_files.
+                      reject { |f| uniq_files.map(&:name).include?(f.name) }
+      end
+
+      def check_required_files_present
+        return if gemfile || gemspecs.any?
+
+        path = Pathname.new(File.join(directory, "Gemfile")).
+               cleanpath.to_path
+        raise Dependabot::DependencyFileNotFound, path
+      end
+
+      def gemfile
+        @gemfile ||= fetch_file_if_present("gems.rb") ||
+                     fetch_file_if_present("Gemfile")
+      end
+
+      def lockfile
+        @lockfile ||= fetch_file_if_present("gems.locked") ||
+                      fetch_file_if_present("Gemfile.lock")
+      end
+
+      def gemspecs
+        return @gemspecs if defined?(@gemspecs)
+
+        gemspecs_paths =
+          gemspec_directories.
+          flat_map do |d|
+            repo_contents(dir: d).
+              select { |f| f.name.end_with?(".gemspec") }.
+              map { |f| File.join(d, f.name) }
+          end
+
+        @gemspecs = gemspecs_paths.map { |n| fetch_file_from_host(n) }
+      rescue Octokit::NotFound
+        []
+      end
+
+      def gemspec_directories
+        gemfiles = ([gemfile] + child_gemfiles).compact
+        directories =
+          gemfiles.flat_map do |file|
+            GemspecFinder.new(gemfile: file).gemspec_directories
+          end.uniq
+
+        directories.empty? ? ["."] : directories
+      end
+
+      def ruby_version_file
+        return unless gemfile
+        return unless gemfile.content.include?(".ruby-version")
+
+        @ruby_version_file ||=
+          fetch_file_if_present(".ruby-version")&.
+          tap { |f| f.support_file = true }
+      end
+
+      def path_gemspecs
+        gemspec_files = []
+        unfetchable_gems = []
+
+        path_gemspec_paths.each do |path|
+          # Get any gemspecs at the path itself
+          gemspecs_at_path = fetch_gemspecs_from_directory(path)
+
+          # Get any gemspecs nested one level deeper
+          nested_directories =
+            repo_contents(dir: path).
+            select { |f| f.type == "dir" }
+
+          nested_directories.each do |dir|
+            dir_path = File.join(path, dir.name)
+            gemspecs_at_path += fetch_gemspecs_from_directory(dir_path)
+          end
+
+          # Add the fetched gemspecs to the main array, and note an error if
+          # none were found for this path
+          gemspec_files += gemspecs_at_path
+          unfetchable_gems << path.basename.to_s if gemspecs_at_path.empty?
+        rescue Octokit::NotFound, Gitlab::Error::NotFound
+          unfetchable_gems << path.basename.to_s
+        end
+
+        if unfetchable_gems.any?
+          raise Dependabot::PathDependenciesNotReachable, unfetchable_gems
+        end
+
+        gemspec_files.tap { |ar| ar.each { |f| f.support_file = true } }
+      end
+
+      def path_gemspec_paths
+        fetch_path_gemspec_paths.map { |path| Pathname.new(path) }
+      end
+
+      def require_relative_files(files)
+        ruby_files =
+          files.select { |f| f.name.end_with?(".rb", "Gemfile", ".gemspec") }
+
+        paths = ruby_files.flat_map do |file|
+          RequireRelativeFinder.new(file: file).require_relative_paths
+        end
+
+        @require_relative_files ||=
+          paths.map { |path| fetch_file_from_host(path) }.
+          tap { |req_files| req_files.each { |f| f.support_file = true } }
+      end
+
+      def fetch_gemspecs_from_directory(dir_path)
+        repo_contents(dir: dir_path, fetch_submodules: true).
+          select { |f| f.name.end_with?(".gemspec") }.
+          map { |f| File.join(dir_path, f.name) }.
+          map { |fp| fetch_file_from_host(fp, fetch_submodules: true) }
+      end
+
+      def fetch_path_gemspec_paths
+        if lockfile
+          parsed_lockfile = ::Bundler::LockfileParser.new(
+            sanitized_lockfile_content
+          )
+          parsed_lockfile.specs.
+            select { |s| s.source.instance_of?(::Bundler::Source::Path) }.
+            map { |s| s.source.path }.uniq
+        else
+          gemfiles = ([gemfile] + child_gemfiles).compact
+          gemfiles.flat_map do |file|
+            PathGemspecFinder.new(gemfile: file).path_gemspec_paths
+          end.uniq
+        end
+      rescue ::Bundler::LockfileError
+        raise Dependabot::DependencyFileNotParseable, lockfile.path
+      end
+
+      def child_gemfiles
+        return [] unless gemfile
+
+        @child_gemfiles ||=
+          fetch_child_gemfiles(file: gemfile, previously_fetched_files: [])
+      end
+
+      def sanitized_lockfile_content
+        regex = FileUpdater::LockfileUpdater::LOCKFILE_ENDING
+        lockfile.content.gsub(regex, "")
+      end
+
+      def fetch_child_gemfiles(file:, previously_fetched_files:)
+        paths = ChildGemfileFinder.new(gemfile: file).child_gemfile_paths
+
+        paths.flat_map do |path|
+          next if previously_fetched_files.map(&:name).include?(path)
+          next if file.name == path
+
+          fetched_file = fetch_file_from_host(path)
+          grandchild_gemfiles = fetch_child_gemfiles(
+            file: fetched_file,
+            previously_fetched_files: previously_fetched_files + [file]
+          )
+          [fetched_file, *grandchild_gemfiles]
+        end.compact
+      end
+    end
+  end
+end
+
+Dependabot::FileFetchers.register("bundler", Dependabot::Bundler::FileFetcher)

data/lib/dependabot/bundler/file_parser/file_preparer.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "dependabot/dependency_file"
+require "dependabot/bundler/file_parser"
+require "dependabot/bundler/file_updater/gemspec_sanitizer"
+
+module Dependabot
+  module Bundler
+    class FileParser
+      class FilePreparer
+        def initialize(dependency_files:)
+          @dependency_files = dependency_files
+        end
+
+        def prepared_dependency_files
+          files = []
+
+          gemspecs.compact.each do |file|
+            files << DependencyFile.new(
+              name: file.name,
+              content: sanitize_gemspec_content(file.content),
+              directory: file.directory,
+              support_file: file.support_file?
+            )
+          end
+
+          files += [
+            gemfile,
+            *evaled_gemfiles,
+            lockfile,
+            ruby_version_file,
+            *imported_ruby_files
+          ].compact
+        end
+
+        private
+
+        attr_reader :dependency_files
+
+        def gemfile
+          dependency_files.find { |f| f.name == "Gemfile" } ||
+            dependency_files.find { |f| f.name == "gems.rb" }
+        end
+
+        def evaled_gemfiles
+          dependency_files.
+            reject { |f| f.name.end_with?(".gemspec") }.
+            reject { |f| f.name.end_with?(".lock") }.
+            reject { |f| f.name.end_with?(".ruby-version") }.
+            reject { |f| f.name == "Gemfile" }.
+            reject { |f| f.name == "gems.rb" }.
+            reject { |f| f.name == "gems.locked" }
+        end
+
+        def lockfile
+          dependency_files.find { |f| f.name == "Gemfile.lock" } ||
+            dependency_files.find { |f| f.name == "gems.locked" }
+        end
+
+        def gemspecs
+          dependency_files.select { |f| f.name.end_with?(".gemspec") }
+        end
+
+        def ruby_version_file
+          dependency_files.find { |f| f.name == ".ruby-version" }
+        end
+
+        def imported_ruby_files
+          dependency_files.
+            select { |f| f.name.end_with?(".rb") }.
+            reject { |f| f.name == "gems.rb" }
+        end
+
+        def sanitize_gemspec_content(gemspec_content)
+          # No need to set the version correctly - this is just an update
+          # check so we're not going to persist any changes to the lockfile.
+          FileUpdater::GemspecSanitizer.
+            new(replacement_version: "0.0.1").
+            rewrite(gemspec_content)
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/bundler/file_parser/gemfile_checker.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require "parser/current"
+require "dependabot/bundler/file_parser"
+
+module Dependabot
+  module Bundler
+    class FileParser
+      # Checks whether a dependency is declared in a Gemfile
+      class GemfileChecker
+        def initialize(dependency:, gemfile:)
+          @dependency = dependency
+          @gemfile = gemfile
+        end
+
+        def includes_dependency?
+          return false unless Parser::CurrentRuby.parse(gemfile.content)
+
+          Parser::CurrentRuby.parse(gemfile.content).children.any? do |node|
+            deep_check_for_gem(node)
+          end
+        end
+
+        private
+
+        attr_reader :dependency, :gemfile
+
+        def deep_check_for_gem(node)
+          return true if declares_targeted_gem?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+
+          node.children.any? do |child_node|
+            deep_check_for_gem(child_node)
+          end
+        end
+
+        def declares_targeted_gem?(node)
+          return false unless node.is_a?(Parser::AST::Node)
+          return false unless node.children[1] == :gem
+
+          node.children[2].children.first == dependency.name
+        end
+      end
+    end
+  end
+end