rubygems-update 3.1.0.pre3 → 3.1.4

data/lib/rubygems/commands/sources_command.rb

@@ -43,6 +43,8 @@ class Gem::Commands::SourcesCommand < Gem::Command
 
     source = Gem::Source.new source_uri
 
+    check_typo_squatting(source)
+
     begin
       if Gem.sources.include? source
         say "source #{source_uri} already present in the cache"
@@ -62,6 +64,18 @@ class Gem::Commands::SourcesCommand < Gem::Command
     end
   end
 
+  def check_typo_squatting(source)
+    if source.typo_squatting?("rubygems.org")
+      question = <<-QUESTION.chomp
+#{source.uri.to_s} is too similar to https://rubygems.org
+
+Do you want to add this source?
+      QUESTION
+
+      terminate_interaction 1 unless ask_yes_no question
+    end
+  end
+
   def check_rubygems_https(source_uri) # :nodoc:
     uri = URI source_uri
 
@@ -122,7 +136,7 @@ RubyGems has been configured to serve gems via the following URLs through
 its history:
 
 * http://gems.rubyforge.org (RubyGems 1.3.6 and earlier)
-* http://rubygems.org       (RubyGems 1.3.7 through 1.8.25)
+* https://rubygems.org/       (RubyGems 1.3.7 through 1.8.25)
 * https://rubygems.org      (RubyGems 2.0.1 and newer)
 
 Since all of these sources point to the same set of gems you only need one
@@ -139,8 +153,8 @@ before it is added.
 
 To remove a source use the --remove argument:
 
-    $ gem sources --remove http://rubygems.org
-    http://rubygems.org removed from sources
+    $ gem sources --remove https://rubygems.org/
+    https://rubygems.org/ removed from sources
 
     EOF
   end

data/lib/rubygems/commands/uninstall_command.rb

@@ -143,7 +143,7 @@ that is a dependency of an existing gem.  You can use the
       uninstall_gem spec.name
     end
 
-    alert "Uninstalled all gems in #{options[:install_dir]}"
+    alert "Uninstalled all gems in #{options[:install_dir] || Gem.dir}"
   end
 
   def uninstall_specific

data/lib/rubygems/core_ext/kernel_require.rb

@@ -46,7 +46,7 @@ module Kernel
       $LOAD_PATH[0...Gem.load_path_insert_index || -1].each do |lp|
         safe_lp = lp.dup.tap(&Gem::UNTAINT)
         begin
-          if File.symlink? safe_lp # for backword compatibility
+          if File.symlink? safe_lp # for backward compatibility
             next
           end
         rescue SecurityError

data/lib/rubygems/core_ext/kernel_warn.rb

@@ -6,12 +6,16 @@ if RUBY_VERSION >= "2.5"
   module Kernel
     path = "#{__dir__}/" # Frames to be skipped start with this path.
 
-    # Suppress "method redefined" warning
-    original_warn = instance_method(:warn)
-    Module.new {define_method(:warn, original_warn)}
-
     original_warn = method(:warn)
 
+    remove_method :warn
+
+    class << self
+
+      remove_method :warn
+
+    end
+
     module_function define_method(:warn) {|*messages, **kw|
       unless uplevel = kw[:uplevel]
         if Gem.java_platform?

data/lib/rubygems/ext/builder.rb

@@ -6,7 +6,6 @@
 #++
 
 require 'rubygems/user_interaction'
-require "open3"
 
 class Gem::Ext::Builder
 
@@ -68,7 +67,10 @@ class Gem::Ext::Builder
       results << "current directory: #{Dir.pwd}"
       results << (command.respond_to?(:shelljoin) ? command.shelljoin : command)
 
-      output, status = Open3.capture2e(*command)
+      require "open3"
+      # Set $SOURCE_DATE_EPOCH for the subprocess.
+      env = {'SOURCE_DATE_EPOCH' => Gem.source_date_epoch_string}
+      output, status = Open3.capture2e(env, *command)
       if verbose
         puts output
       else

data/lib/rubygems/remote_fetcher.rb

@@ -4,6 +4,7 @@ require 'rubygems/request'
 require 'rubygems/request/connection_pools'
 require 'rubygems/s3_uri_signer'
 require 'rubygems/uri_formatter'
+require 'rubygems/uri_parsing'
 require 'rubygems/user_interaction'
 require 'resolv'
 require 'rubygems/deprecate'
@@ -17,12 +18,16 @@ class Gem::RemoteFetcher
   include Gem::UserInteraction
   extend Gem::Deprecate
 
+  include Gem::UriParsing
+
   ##
   # A FetchError exception wraps up the various possible IO and HTTP failures
   # that could happen while downloading from the internet.
 
   class FetchError < Gem::Exception
 
+    include Gem::UriParsing
+
     ##
     # The URI which was being accessed when the exception happened.
 
@@ -30,13 +35,12 @@ class Gem::RemoteFetcher
 
     def initialize(message, uri)
       super message
-      begin
-        uri = URI(uri)
-        uri.password = 'REDACTED' if uri.password
-        @uri = uri.to_s
-      rescue URI::InvalidURIError, ArgumentError
-        @uri = uri
-      end
+
+      uri = parse_uri(uri)
+
+      uri.password = 'REDACTED' if uri.respond_to?(:password) && uri.password
+
+      @uri = uri.to_s
     end
 
     def to_s # :nodoc:
@@ -107,7 +111,7 @@ class Gem::RemoteFetcher
 
     spec, source = found.max_by { |(s,_)| s.version }
 
-    download spec, source.uri.to_s
+    download spec, source.uri
   end
 
   ##
@@ -130,18 +134,7 @@ class Gem::RemoteFetcher
 
     FileUtils.mkdir_p cache_dir rescue nil unless File.exist? cache_dir
 
-    # Always escape URI's to deal with potential spaces and such
-    # It should also be considered that source_uri may already be
-    # a valid URI with escaped characters. e.g. "{DESede}" is encoded
-    # as "%7BDESede%7D". If this is escaped again the percentage
-    # symbols will be escaped.
-    unless source_uri.is_a?(URI::Generic)
-      begin
-        source_uri = URI.parse(source_uri)
-      rescue
-        source_uri = URI.parse(URI::DEFAULT_PARSER.escape(source_uri.to_s))
-      end
-    end
+    source_uri = parse_uri(source_uri)
 
     scheme = source_uri.scheme
 
@@ -159,7 +152,7 @@ class Gem::RemoteFetcher
           remote_gem_path = source_uri + "gems/#{gem_file_name}"
 
           self.cache_update_path remote_gem_path, local_gem_path
-        rescue Gem::RemoteFetcher::FetchError
+        rescue FetchError
           raise if spec.original_platform == spec.platform
 
           alternate_name = "#{spec.original_name}.gem"
@@ -236,7 +229,7 @@ class Gem::RemoteFetcher
       unless location = response['Location']
         raise FetchError.new("redirecting but no redirect location was given", uri)
       end
-      location = URI.parse response['Location']
+      location = parse_uri location
 
       if https?(uri) && !https?(location)
         raise FetchError.new("redirecting to non-https resource: #{location}", uri)
@@ -254,9 +247,7 @@ class Gem::RemoteFetcher
   # Downloads +uri+ and returns it as a String.
 
   def fetch_path(uri, mtime = nil, head = false)
-    uri = URI.parse uri unless URI::Generic === uri
-
-    raise ArgumentError, "bad uri: #{uri}" unless uri
+    uri = parse_uri uri
 
     unless uri.scheme
       raise ArgumentError, "uri scheme is invalid: #{uri.scheme.inspect}"
@@ -268,21 +259,19 @@ class Gem::RemoteFetcher
       begin
         data = Gem::Util.gunzip data
       rescue Zlib::GzipFile::Error
-        raise FetchError.new("server did not return a valid file", uri.to_s)
+        raise FetchError.new("server did not return a valid file", uri)
       end
     end
 
     data
-  rescue FetchError
-    raise
   rescue Timeout::Error
-    raise UnknownHostError.new('timed out', uri.to_s)
+    raise UnknownHostError.new('timed out', uri)
   rescue IOError, SocketError, SystemCallError,
          *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
     if e.message =~ /getaddrinfo/
-      raise UnknownHostError.new('no such name', uri.to_s)
+      raise UnknownHostError.new('no such name', uri)
     else
-      raise FetchError.new("#{e.class}: #{e}", uri.to_s)
+      raise FetchError.new("#{e.class}: #{e}", uri)
     end
   end
 

data/lib/rubygems/request.rb

@@ -19,6 +19,7 @@ class Gem::Request
   end
 
   def self.proxy_uri(proxy) # :nodoc:
+    require "uri"
     case proxy
     when :no_proxy then nil
     when URI::HTTP then proxy
@@ -173,6 +174,7 @@ class Gem::Request
         :no_proxy : get_proxy_from_env('http')
     end
 
+    require "uri"
     uri = URI(Gem::UriFormatter.new(env_proxy).normalize)
 
     if uri and uri.user.nil? and uri.password.nil?

data/lib/rubygems/request_set/gem_dependency_api.rb

@@ -235,7 +235,7 @@ class Gem::RequestSet::GemDependencyAPI
     return unless (groups & @without_groups).empty?
 
     dependencies.each do |dep|
-      @set.gem dep.name, *dep.requirement
+      @set.gem dep.name, *dep.requirement.as_list
     end
   end
 

data/lib/rubygems/resolver/api_set.rb

@@ -23,7 +23,7 @@ class Gem::Resolver::APISet < Gem::Resolver::Set
   ##
   # Creates a new APISet that will retrieve gems from +uri+ using the RubyGems
   # API URL +dep_uri+ which is described at
-  # http://guides.rubygems.org/rubygems-org-api
+  # https://guides.rubygems.org/rubygems-org-api
 
   def initialize(dep_uri = 'https://rubygems.org/api/v1/dependencies')
     super()

data/lib/rubygems/resolver/api_specification.rb

@@ -11,7 +11,7 @@ class Gem::Resolver::APISpecification < Gem::Resolver::Specification
   # Creates an APISpecification for the given +set+ from the rubygems.org
   # +api_data+.
   #
-  # See http://guides.rubygems.org/rubygems-org-api/#misc_methods for the
+  # See https://guides.rubygems.org/rubygems-org-api/#misc_methods for the
   # format of the +api_data+.
 
   def initialize(set, api_data)

data/lib/rubygems/server.rb

@@ -661,7 +661,7 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
       "only_one_executable" => true,
       "full_name" => "rubygems-#{Gem::VERSION}",
       "has_deps" => false,
-      "homepage" => "http://guides.rubygems.org/",
+      "homepage" => "https://guides.rubygems.org/",
       "name" => 'rubygems',
       "ri_installed" => true,
       "summary" => "RubyGems itself",

data/lib/rubygems/source.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 autoload :FileUtils, 'fileutils'
-autoload :URI, 'uri'
 
+require "rubygems/text"
 ##
 # A Source knows how to list and fetch gems from a RubyGems marshal index.
 #
@@ -11,6 +11,7 @@ autoload :URI, 'uri'
 class Gem::Source
 
   include Comparable
+  include Gem::Text
 
   FILES = { # :nodoc:
     :released   => 'specs',
@@ -219,6 +220,11 @@ class Gem::Source
     end
   end
 
+  def typo_squatting?(host, distance_threshold=4)
+    return if @uri.host.nil?
+    levenshtein_distance(@uri.host, host) <= distance_threshold
+  end
+
 end
 
 require 'rubygems/source/git'

data/lib/rubygems/source_list.rb

@@ -50,6 +50,8 @@ class Gem::SourceList
   # String.
 
   def <<(obj)
+    require "uri"
+
     src = case obj
           when URI
             Gem::Source.new(obj)

data/lib/rubygems/specification.rb

@@ -193,6 +193,12 @@ class Gem::Specification < Gem::BasicSpecification
   @@spec_with_requirable_file = {}
   @@active_stub_with_requirable_file = {}
 
+  # Tracking removed method calls to warn users during build time.
+  REMOVED_METHODS = [:rubyforge_project=].freeze # :nodoc:
+  def removed_method_calls
+    @removed_method_calls ||= []
+  end
+
   ######################################################################
   # :section: Required gemspec attributes
 
@@ -726,14 +732,6 @@ class Gem::Specification < Gem::BasicSpecification
 
   attr_writer :original_platform # :nodoc:
 
-  ##
-  # Deprecated and ignored.
-  #
-  # Formerly used to set rubyforge project.
-
-  attr_writer :rubyforge_project
-  deprecate :rubyforge_project=, :none,       2019, 12
-
   ##
   # The Gem::Specification version of this gemspec.
   #
@@ -2107,9 +2105,15 @@ class Gem::Specification < Gem::BasicSpecification
   end
 
   ##
+  # Track removed method calls to warn about during build time.
   # Warn about unknown attributes while loading a spec.
 
   def method_missing(sym, *a, &b) # :nodoc:
+    if REMOVED_METHODS.include?(sym)
+      removed_method_calls << sym
+      return
+    end
+
     if @specification_version > CURRENT_SPECIFICATION_VERSION and
       sym.to_s =~ /=$/
       warn "ignoring #{sym} loading #{full_name}" if $DEBUG

data/lib/rubygems/specification_policy.rb

@@ -1,8 +1,6 @@
-require 'delegate'
-require 'uri'
 require 'rubygems/user_interaction'
 
-class Gem::SpecificationPolicy < SimpleDelegator
+class Gem::SpecificationPolicy
 
   include Gem::UserInteraction
 
@@ -25,7 +23,7 @@ class Gem::SpecificationPolicy < SimpleDelegator
   def initialize(specification)
     @warnings = 0
 
-    super(specification)
+    @specification = specification
   end
 
   ##
@@ -51,7 +49,7 @@ class Gem::SpecificationPolicy < SimpleDelegator
 
     validate_require_paths
 
-    keep_only_files_and_directories
+    @specification.keep_only_files_and_directories
 
     validate_non_files
 
@@ -77,6 +75,8 @@ class Gem::SpecificationPolicy < SimpleDelegator
 
     validate_dependencies
 
+    validate_removed_attributes
+
     if @warnings > 0
       if strict
         error "specification has warnings"
@@ -92,6 +92,8 @@ class Gem::SpecificationPolicy < SimpleDelegator
   # Implementation for Specification#validate_metadata
 
   def validate_metadata
+    metadata = @specification.metadata
+
     unless Hash === metadata
       error 'metadata must be a hash'
     end
@@ -130,7 +132,7 @@ class Gem::SpecificationPolicy < SimpleDelegator
 
     error_messages = []
     warning_messages = []
-    dependencies.each do |dep|
+    @specification.dependencies.each do |dep|
       if prev = seen[dep.type][dep.name]
         error_messages << <<-MESSAGE
 duplicate dependency on #{dep}, (#{prev.requirement}) use:
@@ -145,7 +147,7 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
       end
 
       warning_messages << "prerelease dependency on #{dep} is not recommended" if
-          prerelease_dep && !version.prerelease?
+          prerelease_dep && !@specification.version.prerelease?
 
       open_ended = dep.requirement.requirements.all? do |op, version|
         not version.prerelease? and (op == '>' or op == '>=')
@@ -190,14 +192,14 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
   def validate_permissions
     return if Gem.win_platform?
 
-    files.each do |file|
+    @specification.files.each do |file|
       next unless File.file?(file)
       next if File.stat(file).mode & 0444 == 0444
       warning "#{file} is not world-readable"
     end
 
-    executables.each do |name|
-      exec = File.join bindir, name
+    @specification.executables.each do |name|
+      exec = File.join @specification.bindir, name
       next unless File.file?(exec)
       next if File.stat(exec).executable?
       warning "#{exec} is not executable"
@@ -208,7 +210,7 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
 
   def validate_nil_attributes
     nil_attributes = Gem::Specification.non_nil_attributes.select do |attrname|
-      __getobj__.instance_variable_get("@#{attrname}").nil?
+      @specification.instance_variable_get("@#{attrname}").nil?
     end
     return if nil_attributes.empty?
     error "#{nil_attributes.join ', '} must not be nil"
@@ -216,6 +218,9 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
 
   def validate_rubygems_version
     return unless packaging
+
+    rubygems_version = @specification.rubygems_version
+
     return if rubygems_version == Gem::VERSION
 
     error "expected RubyGems version #{Gem::VERSION}, was #{rubygems_version}"
@@ -223,13 +228,15 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
 
   def validate_required_attributes
     Gem::Specification.required_attributes.each do |symbol|
-      unless send symbol
+      unless @specification.send symbol
         error "missing value for attribute #{symbol}"
       end
     end
   end
 
   def validate_name
+    name = @specification.name
+
     if !name.is_a?(String)
       error "invalid value for attribute name: \"#{name.inspect}\" must be a string"
     elsif name !~ /[a-zA-Z]/
@@ -242,14 +249,15 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
   end
 
   def validate_require_paths
-    return unless raw_require_paths.empty?
+    return unless @specification.raw_require_paths.empty?
 
     error 'specification must have at least one require_path'
   end
 
   def validate_non_files
     return unless packaging
-    non_files = files.reject {|x| File.file?(x) || File.symlink?(x)}
+
+    non_files = @specification.files.reject {|x| File.file?(x) || File.symlink?(x)}
 
     unless non_files.empty?
       error "[\"#{non_files.join "\", \""}\"] are not files"
@@ -257,18 +265,22 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
   end
 
   def validate_self_inclusion_in_files_list
-    return unless files.include?(file_name)
+    file_name = @specification.file_name
+
+    return unless @specification.files.include?(file_name)
 
-    error "#{full_name} contains itself (#{file_name}), check your files list"
+    error "#{@specification.full_name} contains itself (#{file_name}), check your files list"
   end
 
   def validate_specification_version
-    return if specification_version.is_a?(Integer)
+    return if @specification.specification_version.is_a?(Integer)
 
     error 'specification_version must be an Integer (did you mean version?)'
   end
 
   def validate_platform
+    platform = @specification.platform
+
     case platform
     when Gem::Platform, Gem::Platform::RUBY  # ok
     else
@@ -283,7 +295,7 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
   end
 
   def validate_array_attribute(field)
-    val = self.send(field)
+    val = @specification.send(field)
     klass = case field
             when :dependencies then
               Gem::Dependency
@@ -298,12 +310,14 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
   end
 
   def validate_authors_field
-    return unless authors.empty?
+    return unless @specification.authors.empty?
 
     error "authors may not be empty"
   end
 
   def validate_licenses
+    licenses = @specification.licenses
+
     licenses.each do |license|
       if license.length > 64
         error "each license must be 64 characters or less"
@@ -331,24 +345,27 @@ http://spdx.org/licenses or '#{Gem::Licenses::NONSTANDARD}' for a nonstandard li
   HOMEPAGE_URI_PATTERN = /\A[a-z][a-z\d+.-]*:/i.freeze
 
   def validate_lazy_metadata
-    unless authors.grep(LAZY_PATTERN).empty?
+    unless @specification.authors.grep(LAZY_PATTERN).empty?
       error "#{LAZY} is not an author"
     end
 
-    unless Array(email).grep(LAZY_PATTERN).empty?
+    unless Array(@specification.email).grep(LAZY_PATTERN).empty?
       error "#{LAZY} is not an email"
     end
 
-    if description =~ LAZY_PATTERN
+    if @specification.description =~ LAZY_PATTERN
       error "#{LAZY} is not a description"
     end
 
-    if summary =~ LAZY_PATTERN
+    if @specification.summary =~ LAZY_PATTERN
       error "#{LAZY} is not a summary"
     end
 
+    homepage = @specification.homepage
+
     # Make sure a homepage is valid HTTP/HTTPS URI
     if homepage and not homepage.empty?
+      require 'uri'
       begin
         homepage_uri = URI.parse(homepage)
         unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
@@ -365,34 +382,40 @@ http://spdx.org/licenses or '#{Gem::Licenses::NONSTANDARD}' for a nonstandard li
       validate_attribute_present(attribute)
     end
 
-    if description == summary
+    if @specification.description == @specification.summary
       warning "description and summary are identical"
     end
 
     # TODO: raise at some given date
-    warning "deprecated autorequire specified" if autorequire
+    warning "deprecated autorequire specified" if @specification.autorequire
 
-    executables.each do |executable|
+    @specification.executables.each do |executable|
       validate_shebang_line_in(executable)
     end
 
-    files.select { |f| File.symlink?(f) }.each do |file|
+    @specification.files.select { |f| File.symlink?(f) }.each do |file|
       warning "#{file} is a symlink, which is not supported on all platforms"
     end
   end
 
   def validate_attribute_present(attribute)
-    value = self.send attribute
+    value = @specification.send attribute
     warning("no #{attribute} specified") if value.nil? || value.empty?
   end
 
   def validate_shebang_line_in(executable)
-    executable_path = File.join(bindir, executable)
+    executable_path = File.join(@specification.bindir, executable)
     return if File.read(executable_path, 2) == '#!'
 
     warning "#{executable_path} is missing #! line"
   end
 
+  def validate_removed_attributes # :nodoc:
+    @specification.removed_method_calls.each do |attr|
+      warning("#{attr} is deprecated and ignored. Please remove this from your gemspec to ensure that your gem continues to build in the future.")
+    end
+  end
+
   def warning(statement) # :nodoc:
     @warnings += 1
 
@@ -406,7 +429,7 @@ http://spdx.org/licenses or '#{Gem::Licenses::NONSTANDARD}' for a nonstandard li
   end
 
   def help_text # :nodoc:
-    "See http://guides.rubygems.org/specification-reference/ for help"
+    "See https://guides.rubygems.org/specification-reference/ for help"
   end
 
 end