rubygems-update 3.2.19 → 3.2.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba52b4a462e0da9cf903bc69e61096bd08a3281bd6d174cc35abf975099eb737
-  data.tar.gz: 791cfa5488c4d56d48b60bc372c16be5d426d53bbb603c8b95fbaf20bbc4b0c8
+  metadata.gz: beb9904852db18bc2cb58e157631c112d2951ea7df0bac7f63a1838ffba5ddbc
+  data.tar.gz: a987e2d21ffd319e2dc0c0ae4d913b5f1d3ad6480783addbc4faaee5ad540b86
 SHA512:
-  metadata.gz: 89c0efcd3e1f639edfac4af460a7bbb891f13cae5b1dc5c58829e10f0a64d9fe04c0d0e58c108b6dbff8b7f7e7f77d96edbe993dfbb6086ae998fb68b9b05793
-  data.tar.gz: a01059a530f414a334a8d16af04d8507ca6ca10891e869b395795bacb5748822b44e98eb4491f3f98dc781d72b9c4a228700eb1ee8ff18fdeb1a50aa14482114
+  metadata.gz: cc88c86f3691d8b07ce12056d0f1e762de188fe3775d3f80a83c2912020ed039b34ce50e95e118bfe8f6077cdb6ced949cb9c6147699292c6f45e3703b5e0087
+  data.tar.gz: a91aa086be326926df974bbf2734c94e9ee1dfebc1e1b0a23474d64156c46249448e398baaf38fa4fedbdb2e006fd40ef94949112271842a89a1adc2a1b952a9

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+# 3.2.20 / 2021-06-11
+
+## Security fixes:
+
+* Verify plaform before installing to avoid potential remote code
+  execution. Pull request #4667 by sonalkr132
+
+## Enhancements:
+
+* Add better specification policy error description. Pull request #4658 by
+  ceritium
+
 # 3.2.19 / 2021-05-31
 
 ## Enhancements:

data/Manifest.txt

@@ -538,6 +538,7 @@ test/rubygems/invalidchild_cert.pem
 test/rubygems/invalidchild_cert_32.pem
 test/rubygems/invalidchild_key.pem
 test/rubygems/packages/ascii_binder-0.1.10.1.gem
+test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem
 test/rubygems/plugin/exception/rubygems_plugin.rb
 test/rubygems/plugin/load/rubygems_plugin.rb
 test/rubygems/plugin/standarderror/rubygems_plugin.rb

data/bundler/CHANGELOG.md

@@ -1,3 +1,19 @@
+# 2.2.20 (June 11, 2021)
+
+## Enhancements:
+
+  - Don't print bug report template on server side errors [#4663](https://github.com/rubygems/rubygems/pull/4663)
+  - Don't load `resolv` unnecessarily [#4640](https://github.com/rubygems/rubygems/pull/4640)
+
+## Bug fixes:
+
+  - Fix `bundle outdated` edge case [#4648](https://github.com/rubygems/rubygems/pull/4648)
+  - Fix `bundle check` with scoped rubygems sources [#4639](https://github.com/rubygems/rubygems/pull/4639)
+
+## Performance:
+
+  - Don't use `extra_rdoc_files` with md files in gemspec to make installing bundler with docs faster [#4628](https://github.com/rubygems/rubygems/pull/4628)
+
 # 2.2.19 (May 31, 2021)
 
 ## Bug fixes:

data/bundler/bundler.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
   # include the gemspec itself because warbler breaks w/o it
   s.files += %w[bundler.gemspec]
 
-  s.extra_rdoc_files = %w[CHANGELOG.md LICENSE.md README.md]
+  s.files += %w[CHANGELOG.md LICENSE.md README.md]
   s.bindir        = "exe"
   s.executables   = %w[bundle bundler]
   s.require_paths = ["lib"]

data/bundler/lib/bundler/build_metadata.rb

@@ -4,8 +4,8 @@ module Bundler
   # Represents metadata from when the Bundler gem was built.
   module BuildMetadata
     # begin ivars
-    @built_at = "2021-05-31".freeze
-    @git_commit_sha = "43f80b12c0".freeze
+    @built_at = "2021-06-11".freeze
+    @git_commit_sha = "4c510a34a4".freeze
     @release = true
     # end ivars
 

data/bundler/lib/bundler/cli/check.rb

@@ -11,9 +11,11 @@ module Bundler
     def run
       Bundler.settings.set_command_option_if_given :path, options[:path]
 
+      definition = Bundler.definition
+      definition.validate_runtime!
+
       begin
-        definition = Bundler.definition
-        definition.validate_runtime!
+        definition.resolve_only_locally!
         not_installed = definition.missing_specs
       rescue GemNotFound, VersionConflict
         Bundler.ui.error "Bundler can't satisfy your Gemfile's dependencies."

data/bundler/lib/bundler/cli/outdated.rb

@@ -147,6 +147,8 @@ module Bundler
 
     def retrieve_active_spec(definition, current_spec)
       active_spec = definition.resolve.find_by_name_and_platform(current_spec.name, current_spec.platform)
+      return unless active_spec
+
       return active_spec if strict
 
       active_specs = active_spec.source.specs.search(current_spec.name).select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)

data/bundler/lib/bundler/definition.rb

@@ -160,6 +160,12 @@ module Bundler
       @disable_multisource
     end
 
+    def resolve_only_locally!
+      @remote = false
+      sources.local_only!
+      resolve
+    end
+
     def resolve_with_cache!
       sources.cached!
       resolve

data/bundler/lib/bundler/fetcher/index.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require_relative "base"
-require "rubygems/remote_fetcher"
 
 module Bundler
   class Fetcher

data/bundler/lib/bundler/friendly_errors.rb

@@ -49,8 +49,6 @@ module Bundler
           "Alternatively, you can increase the amount of memory the JVM is able to use by running Bundler with jruby -J-Xmx1024m -S bundle (JRuby defaults to 500MB)."
       else request_issue_report_for(error)
       end
-    rescue StandardError
-      raise error
     end
 
     def exit_status(error)
@@ -111,7 +109,7 @@ module Bundler
         First, try this link to see if there are any existing issue reports for this error:
         #{issues_url(e)}
 
-        If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
+        If there aren't any reports for this error yet, please copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
         https://github.com/rubygems/rubygems/issues/new?labels=Bundler&template=bundler-related-issue.md
       EOS
     end

data/bundler/lib/bundler/rubygems_integration.rb

@@ -526,13 +526,14 @@ module Bundler
       Bundler::Retry.new("download gem from #{uri}").attempts do
         fetcher.download(spec, uri, path)
       end
+    rescue Gem::RemoteFetcher::FetchError => e
+      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
     end
 
     def gem_remote_fetcher
-      require "resolv"
+      require "rubygems/remote_fetcher"
       proxy = configuration[:http_proxy]
-      dns = Resolv::DNS.new
-      Gem::RemoteFetcher.new(proxy, dns)
+      Gem::RemoteFetcher.new(proxy)
     end
 
     def gem_from_path(path, policy = nil)

data/bundler/lib/bundler/source.rb

@@ -36,6 +36,8 @@ module Bundler
 
     def local!; end
 
+    def local_only!; end
+
     def cached!; end
 
     def remote!; end

data/bundler/lib/bundler/source/rubygems.rb

@@ -26,6 +26,12 @@ module Bundler
         Array(options["remotes"]).reverse_each {|r| add_remote(r) }
       end
 
+      def local_only!
+        @specs = nil
+        @allow_local = true
+        @allow_remote = false
+      end
+
       def local!
         return if @allow_local
 

data/bundler/lib/bundler/source_list.rb

@@ -132,6 +132,10 @@ module Bundler
       false
     end
 
+    def local_only!
+      all_sources.each(&:local_only!)
+    end
+
     def cached!
       all_sources.each(&:cached!)
     end

data/bundler/lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.19".freeze
+  VERSION = "2.2.20".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

data/lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.2.19".freeze
+  VERSION = "3.2.20".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/installer.rb

@@ -728,6 +728,10 @@ class Gem::Installer
       raise Gem::InstallError, "#{spec} has an invalid extensions"
     end
 
+    if spec.platform.to_s =~ /\R/
+      raise Gem::InstallError, "#{spec.platform} is an invalid platform"
+    end
+
     unless spec.specification_version.to_s =~ /\A\d+\z/
       raise Gem::InstallError, "#{spec} has an invalid specification_version"
     end

data/lib/rubygems/specification_policy.rb

@@ -124,25 +124,26 @@ class Gem::SpecificationPolicy
     end
 
     metadata.each do |key, value|
+      entry = "metadata['#{key}']"
       if !key.kind_of?(String)
         error "metadata keys must be a String"
       end
 
       if key.size > 128
-        error "metadata key too large (#{key.size} > 128)"
+        error "metadata key is too large (#{key.size} > 128)"
       end
 
       if !value.kind_of?(String)
-        error "metadata values must be a String"
+        error "#{entry} value must be a String"
       end
 
       if value.size > 1024
-        error "metadata value too large (#{value.size} > 1024)"
+        error "#{entry} value is too large (#{value.size} > 1024)"
       end
 
       if METADATA_LINK_KEYS.include? key
         if value !~ VALID_URI_PATTERN
-          error "metadata['#{key}'] has invalid link: #{value.inspect}"
+          error "#{entry} has invalid link: #{value.inspect}"
         end
       end
     end

data/lib/rubygems/test_case.rb

@@ -553,6 +553,10 @@ class Gem::TestCase < Test::Unit::TestCase
     Gem.pre_uninstall_hooks.clear
   end
 
+  def without_any_upwards_gemfiles
+    ENV["BUNDLE_GEMFILE"] = File.join(@tempdir, "Gemfile")
+  end
+
   ##
   # A git_gem is used with a gem dependencies file.  The gem created here
   # has no files, just a gem specification for the given +name+ and +version+.

data/rubygems-update.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.2.19"
+  s.version = "3.2.20"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]
 

data/test/rubygems/test_gem_bundler_version_finder.rb

@@ -6,14 +6,12 @@ class TestGemBundlerVersionFinder < Gem::TestCase
     super
 
     @argv = ARGV.dup
-    @env = ENV.to_hash.clone
-    ENV.delete("BUNDLER_VERSION")
     @dollar_0 = $0
+    without_any_upwards_gemfiles
   end
 
   def teardown
     ARGV.replace @argv
-    ENV.replace @env
     $0 = @dollar_0
 
     super

data/test/rubygems/test_gem_dependency.rb

@@ -3,6 +3,12 @@ require 'rubygems/test_case'
 require 'rubygems/dependency'
 
 class TestGemDependency < Gem::TestCase
+  def setup
+    super
+
+    without_any_upwards_gemfiles
+  end
+
   def test_initialize
     d = dep "pkg", "> 1.0"
 

data/test/rubygems/test_gem_installer.rb

@@ -1776,6 +1776,26 @@ gem 'other', version
     end
   end
 
+  def test_pre_install_checks_malicious_platform_before_eval
+    gem_with_ill_formated_platform = File.expand_path("packages/ill-formatted-platform-1.0.0.10.gem", __dir__)
+
+    installer = Gem::Installer.at(
+      gem_with_ill_formated_platform,
+      :install_dir => @gem_home,
+      :user_install => false,
+      :force => true
+    )
+
+    use_ui @ui do
+      e = assert_raise Gem::InstallError do
+        installer.pre_install_checks
+      end
+
+      assert_equal "x86-mswin32\n system('id > /tmp/nyangawa')# is an invalid platform", e.message
+      assert_empty @ui.output
+    end
+  end
+
   def test_shebang
     installer = setup_base_installer
 

data/test/rubygems/test_gem_specification.rb

@@ -3612,7 +3612,7 @@ Did you mean 'Ruby'?
         @m2.validate
       end
 
-      assert_equal "metadata key too large (129 > 128)", e.message
+      assert_equal "metadata key is too large (129 > 128)", e.message
     end
   end
 
@@ -3629,7 +3629,7 @@ Did you mean 'Ruby'?
         @m2.validate
       end
 
-      assert_equal "metadata values must be a String", e.message
+      assert_equal "metadata['fail'] value must be a String", e.message
     end
   end
 
@@ -3646,7 +3646,7 @@ Did you mean 'Ruby'?
         @m2.validate
       end
 
-      assert_equal "metadata value too large (1025 > 1024)", e.message
+      assert_equal "metadata['fail'] value is too large (1025 > 1024)", e.message
     end
   end
 

data/test/rubygems/test_kernel.rb

@@ -8,6 +8,8 @@ class TestKernel < Gem::TestCase
     @old_path = $:.dup
 
     util_make_gems
+
+    without_any_upwards_gemfiles
   end
 
   def teardown

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.2.19
+  version: 3.2.20
 platform: ruby
 authors:
 - Jim Weirich
@@ -16,7 +16,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-31 00:00:00.000000000 Z
+date: 2021-06-11 00:00:00.000000000 Z
 dependencies: []
 description: |-
   A package (also known as a library) contains a set of functionality
@@ -594,6 +594,7 @@ files:
 - test/rubygems/invalidchild_cert_32.pem
 - test/rubygems/invalidchild_key.pem
 - test/rubygems/packages/ascii_binder-0.1.10.1.gem
+- test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem
 - test/rubygems/plugin/exception/rubygems_plugin.rb
 - test/rubygems/plugin/load/rubygems_plugin.rb
 - test/rubygems/plugin/standarderror/rubygems_plugin.rb
@@ -771,7 +772,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.19
+rubygems_version: 3.2.20
 signing_key: 
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby.