rubygems-update 3.4.10 → 3.4.14

data/bundler/lib/bundler.rb

@@ -39,16 +39,6 @@ module Bundler
   environment_preserver.replace_with_backup
   SUDO_MUTEX = Thread::Mutex.new
 
-  SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
-  SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
-  SAFE_MARSHAL_PROC = proc do |object|
-    object.tap do
-      unless SAFE_MARSHAL_CLASSES.include?(object.class)
-        raise TypeError, format(SAFE_MARSHAL_ERROR, object.class, SAFE_MARSHAL_CLASSES.join(", "))
-      end
-    end
-  end
-
   autoload :Definition,             File.expand_path("bundler/definition", __dir__)
   autoload :Dependency,             File.expand_path("bundler/dependency", __dir__)
   autoload :Deprecate,              File.expand_path("bundler/deprecate", __dir__)
@@ -86,10 +76,11 @@ module Bundler
   autoload :UI,                     File.expand_path("bundler/ui", __dir__)
   autoload :URICredentialsFilter,   File.expand_path("bundler/uri_credentials_filter", __dir__)
   autoload :URINormalizer,          File.expand_path("bundler/uri_normalizer", __dir__)
+  autoload :SafeMarshal,            File.expand_path("bundler/safe_marshal", __dir__)
 
   class << self
     def configure
-      @configured ||= configure_gem_home_and_path
+      @configure ||= configure_gem_home_and_path
     end
 
     def ui
@@ -219,9 +210,10 @@ module Bundler
     end
 
     def frozen_bundle?
-      frozen = settings[:deployment]
-      frozen ||= settings[:frozen]
-      frozen
+      frozen = settings[:frozen]
+      return frozen unless frozen.nil?
+
+      settings[:deployment]
     end
 
     def locked_gems
@@ -523,7 +515,7 @@ EOF
     end
 
     def safe_load_marshal(data)
-      load_marshal(data, :marshal_proc => SAFE_MARSHAL_PROC)
+      load_marshal(data, :marshal_proc => SafeMarshal.proc)
     end
 
     def load_gemspec(file, validate = false)
@@ -581,7 +573,7 @@ EOF
       @bin_path = nil
       @bundler_major_version = nil
       @bundle_path = nil
-      @configured = nil
+      @configure = nil
       @configured_bundle_path = nil
       @definition = nil
       @load = nil

data/lib/rubygems/command_manager.rb

@@ -83,7 +83,7 @@ class Gem::CommandManager
   # Return the authoritative instance of the command manager.
 
   def self.instance
-    @command_manager ||= new
+    @instance ||= new
   end
 
   ##
@@ -98,7 +98,7 @@ class Gem::CommandManager
   # Reset the authoritative instance of the command manager.
 
   def self.reset
-    @command_manager = nil
+    @instance = nil
   end
 
   ##

data/lib/rubygems/commands/owner_command.rb

@@ -98,8 +98,10 @@ permission to.
         action = method == :delete ? "Removing" : "Adding"
 
         with_response response, "#{action} #{owner}"
-      rescue
-        # ignore
+      rescue Gem::WebauthnVerificationError => e
+        raise e
+      rescue StandardError
+        # ignore early exits to allow for completing the iteration of all owners
       end
     end
   end

data/lib/rubygems/exceptions.rb

@@ -213,6 +213,16 @@ class Gem::RubyVersionMismatch < Gem::Exception; end
 
 class Gem::VerificationError < Gem::Exception; end
 
+##
+# Raised by Gem::WebauthnListener when an error occurs during security
+# device verification.
+
+class Gem::WebauthnVerificationError < Gem::Exception
+  def initialize(message)
+    super "Security device verification failed: #{message}"
+  end
+end
+
 ##
 # Raised to indicate that a system exit should occur with the specified
 # exit_code

data/lib/rubygems/gemcutter_utilities.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require_relative "remote_fetcher"
 require_relative "text"
+require_relative "webauthn_listener"
 
 ##
 # Utility methods for using the RubyGems API.
@@ -82,7 +83,7 @@ module Gem::GemcutterUtilities
   #
   # If +allowed_push_host+ metadata is present, then it will only allow that host.
 
-  def rubygems_api_request(method, path, host = nil, allowed_push_host = nil, scope: nil, &block)
+  def rubygems_api_request(method, path, host = nil, allowed_push_host = nil, scope: nil, credentials: {}, &block)
     require "net/http"
 
     self.host = host if host
@@ -105,7 +106,7 @@ module Gem::GemcutterUtilities
     response = request_with_otp(method, uri, &block)
 
     if mfa_unauthorized?(response)
-      ask_otp
+      fetch_otp(credentials)
       response = request_with_otp(method, uri, &block)
     end
 
@@ -167,11 +168,12 @@ module Gem::GemcutterUtilities
     mfa_params   = get_mfa_params(profile)
     all_params   = scope_params.merge(mfa_params)
     warning      = profile["warning"]
+    credentials  = { email: email, password: password }
 
     say "#{warning}\n" if warning
 
     response = rubygems_api_request(:post, "api/v1/api_key",
-                                    sign_in_host, scope: scope) do |request|
+                                    sign_in_host, credentials: credentials, scope: scope) do |request|
       request.basic_auth email, password
       request["OTP"] = otp if otp
       request.body = URI.encode_www_form({ name: key_name }.merge(all_params))
@@ -250,9 +252,49 @@ module Gem::GemcutterUtilities
     end
   end
 
-  def ask_otp
-    say "You have enabled multi-factor authentication. Please enter OTP code."
-    options[:otp] = ask "Code: "
+  def fetch_otp(credentials)
+    options[:otp] = if webauthn_url = webauthn_verification_url(credentials)
+      wait_for_otp(webauthn_url)
+    else
+      say "You have enabled multi-factor authentication. Please enter OTP code."
+      ask "Code: "
+    end
+  end
+
+  def wait_for_otp(webauthn_url)
+    server = TCPServer.new 0
+    port = server.addr[1].to_s
+
+    thread = Thread.new do
+      Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(host, server)
+    rescue Gem::WebauthnVerificationError => e
+      Thread.current[:error] = e
+    end
+    thread.abort_on_exception = true
+    thread.report_on_exception = false
+
+    url_with_port = "#{webauthn_url}?port=#{port}"
+    say "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option."
+
+    thread.join
+    if error = thread[:error]
+      alert_error error.message
+      terminate_interaction(1)
+    end
+
+    say "You are verified with a security device. You may close the browser window."
+    thread[:otp]
+  end
+
+  def webauthn_verification_url(credentials)
+    response = rubygems_api_request(:post, "api/v1/webauthn_verification") do |request|
+      if credentials.empty?
+        request.add_field "Authorization", api_key
+      else
+        request.basic_auth credentials[:email], credentials[:password]
+      end
+    end
+    response.is_a?(Net::HTTPSuccess) ? response.body : nil
   end
 
   def pretty_host(host)

data/lib/rubygems/installer.rb

@@ -342,6 +342,8 @@ class Gem::Installer
 
     Gem::Specification.add_spec(spec)
 
+    load_plugin
+
     run_post_install_hooks
 
     spec
@@ -388,7 +390,7 @@ class Gem::Installer
   # we'll be installing into.
 
   def installed_specs
-    @specs ||= begin
+    @installed_specs ||= begin
       specs = []
 
       Gem::Util.glob_files_in_dir("*.gemspec", File.join(gem_home, "specifications")).each do |path|
@@ -1002,4 +1004,17 @@ TEXT
       ""
     end
   end
+
+  def load_plugin
+    specs = Gem::Specification.find_all_by_name(spec.name)
+    # If old version already exists, this plugin isn't loaded
+    # immediately. It's for avoiding a case that multiple versions
+    # are loaded at the same time.
+    return unless specs.size == 1
+
+    plugin_files = spec.plugins.map do |plugin|
+      File.join(@plugins_dir, "#{spec.name}_plugin#{File.extname(plugin)}")
+    end
+    Gem.load_plugin_files(plugin_files)
+  end
 end

data/lib/rubygems/request_set.rb

@@ -107,7 +107,7 @@ class Gem::RequestSet
     @requests            = []
     @sets                = []
     @soft_missing        = false
-    @sorted              = nil
+    @sorted_requests     = nil
     @specs               = nil
     @vendor_set          = nil
     @source_set          = nil
@@ -424,7 +424,7 @@ class Gem::RequestSet
   end
 
   def sorted_requests
-    @sorted ||= strongly_connected_components.flatten
+    @sorted_requests ||= strongly_connected_components.flatten
   end
 
   def specs

data/lib/rubygems/specification.rb

@@ -2233,7 +2233,7 @@ class Gem::Specification < Gem::BasicSpecification
   # The platform this gem runs on.  See Gem::Platform for details.
 
   def platform
-    @new_platform ||= Gem::Platform::RUBY
+    @new_platform ||= Gem::Platform::RUBY # rubocop:disable Naming/MemoizedInstanceVariableName
   end
 
   def pretty_print(q) # :nodoc:
@@ -2712,6 +2712,8 @@ class Gem::Specification < Gem::BasicSpecification
     end
 
     @installed_by_version ||= nil
+
+    nil
   end
 
   def flatten_require_paths # :nodoc:

data/lib/rubygems/stub_specification.rb

@@ -183,7 +183,7 @@ class Gem::StubSpecification < Gem::BasicSpecification
   ##
   # The full Gem::Specification for this gem, loaded from evalling its gemspec
 
-  def to_spec
+  def spec
     @spec ||= if @data
       loaded = Gem.loaded_specs[name]
       loaded if loaded && loaded.version == version
@@ -191,6 +191,7 @@ class Gem::StubSpecification < Gem::BasicSpecification
 
     @spec ||= Gem::Specification.load(loaded_from)
   end
+  alias_method :to_spec, :spec
 
   ##
   # Is this StubSpecification valid? i.e. have we found a stub line, OR does

data/lib/rubygems/webauthn_listener/response.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+##
+# The WebauthnListener Response class is used by the WebauthnListener to create
+# responses to be sent to the Gem host. It creates a Net::HTTPResponse instance
+# when initialized and can be converted to the appropriate format to be sent by a socket using `to_s`.
+# Net::HTTPResponse instances cannot be directly sent over a socket.
+#
+# Types of response classes:
+#   - OkResponse
+#   - NoContentResponse
+#   - BadRequestResponse
+#   - NotFoundResponse
+#   - MethodNotAllowedResponse
+#
+# Example usage:
+#
+#   server = TCPServer.new(0)
+#   socket = server.accept
+#
+#   response = OkResponse.for("https://rubygems.example")
+#   socket.print response.to_s
+#   socket.close
+#
+
+class Gem::WebauthnListener
+  class Response
+    attr_reader :http_response
+
+    def self.for(host)
+      new(host)
+    end
+
+    def initialize(host)
+      @host = host
+
+      build_http_response
+    end
+
+    def to_s
+      status_line = "HTTP/#{@http_response.http_version} #{@http_response.code} #{@http_response.message}\r\n"
+      headers = @http_response.to_hash.map {|header, value| "#{header}: #{value.join(", ")}\r\n" }.join + "\r\n"
+      body = @http_response.body ? "#{@http_response.body}\n" : ""
+
+      status_line + headers + body
+    end
+
+    private
+
+    # Must be implemented in subclasses
+    def code
+      raise NotImplementedError
+    end
+
+    def reason_phrase
+      raise NotImplementedError
+    end
+
+    def body; end
+
+    def build_http_response
+      response_class = Net::HTTPResponse::CODE_TO_OBJ[code.to_s]
+      @http_response = response_class.new("1.1", code, reason_phrase)
+      @http_response.instance_variable_set(:@read, true)
+
+      add_connection_header
+      add_access_control_headers
+      add_body
+    end
+
+    def add_connection_header
+      @http_response["connection"] = "close"
+    end
+
+    def add_access_control_headers
+      @http_response["access-control-allow-origin"] = @host
+      @http_response["access-control-allow-methods"] = "POST"
+      @http_response["access-control-allow-headers"] = %w[Content-Type Authorization x-csrf-token]
+    end
+
+    def add_body
+      return unless body
+      @http_response["content-type"] = "text/plain"
+      @http_response["content-length"] = body.bytesize
+      @http_response.instance_variable_set(:@body, body)
+    end
+  end
+
+  class OkResponse < Response
+    private
+
+    def code
+      200
+    end
+
+    def reason_phrase
+      "OK"
+    end
+
+    def body
+      "success"
+    end
+  end
+
+  class NoContentResponse < Response
+    private
+
+    def code
+      204
+    end
+
+    def reason_phrase
+      "No Content"
+    end
+  end
+
+  class BadRequestResponse < Response
+    private
+
+    def code
+      400
+    end
+
+    def reason_phrase
+      "Bad Request"
+    end
+
+    def body
+      "missing code parameter"
+    end
+  end
+
+  class NotFoundResponse < Response
+    private
+
+    def code
+      404
+    end
+
+    def reason_phrase
+      "Not Found"
+    end
+  end
+
+  class MethodNotAllowedResponse < Response
+    private
+
+    def code
+      405
+    end
+
+    def reason_phrase
+      "Method Not Allowed"
+    end
+
+    def add_access_control_headers
+      super
+      @http_response["allow"] = %w[GET OPTIONS]
+    end
+  end
+end

data/lib/rubygems/webauthn_listener.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require_relative "webauthn_listener/response"
+
+##
+# The WebauthnListener class retrieves an OTP after a user successfully WebAuthns with the Gem host.
+# An instance opens a socket using the TCPServer instance given and listens for a request from the Gem host.
+# The request should be a GET request to the root path and contains the OTP code in the form
+# of a query parameter `code`. The listener will return the code which will be used as the OTP for
+# API requests.
+#
+# Types of responses sent by the listener after receiving a request:
+#   - 200 OK: OTP code was successfully retrieved
+#   - 204 No Content: If the request was an OPTIONS request
+#   - 400 Bad Request: If the request did not contain a query parameter `code`
+#   - 404 Not Found: The request was not to the root path
+#   - 405 Method Not Allowed: OTP code was not retrieved because the request was not a GET/OPTIONS request
+#
+# Example usage:
+#
+#   server = TCPServer.new(0)
+#   otp = Gem::WebauthnListener.wait_for_otp_code("https://rubygems.example", server)
+#
+
+class Gem::WebauthnListener
+  attr_reader :host
+
+  def initialize(host)
+    @host = host
+  end
+
+  def self.wait_for_otp_code(host, server)
+    new(host).fetch_otp_from_connection(server)
+  end
+
+  def fetch_otp_from_connection(server)
+    loop do
+      socket = server.accept
+      request_line = socket.gets
+
+      method, req_uri, _protocol = request_line.split(" ")
+      req_uri = URI.parse(req_uri)
+
+      responder = SocketResponder.new(socket)
+
+      unless root_path?(req_uri)
+        responder.send(NotFoundResponse.for(host))
+        raise Gem::WebauthnVerificationError, "Page at #{req_uri.path} not found."
+      end
+
+      case method.upcase
+      when "OPTIONS"
+        responder.send(NoContentResponse.for(host))
+        next # will be GET
+      when "GET"
+        if otp = parse_otp_from_uri(req_uri)
+          responder.send(OkResponse.for(host))
+          return otp
+        end
+        responder.send(BadRequestResponse.for(host))
+        raise Gem::WebauthnVerificationError, "Did not receive OTP from #{host}."
+      else
+        responder.send(MethodNotAllowedResponse.for(host))
+        raise Gem::WebauthnVerificationError, "Invalid HTTP method #{method.upcase} received."
+      end
+    end
+  end
+
+  private
+
+  def root_path?(uri)
+    uri.path == "/"
+  end
+
+  def parse_otp_from_uri(uri)
+    require "cgi"
+
+    return if uri.query.nil?
+    CGI.parse(uri.query).dig("code", 0)
+  end
+
+  class SocketResponder
+    def initialize(socket)
+      @socket = socket
+    end
+
+    def send(response)
+      @socket.print response.to_s
+      @socket.close
+    end
+  end
+end

data/lib/rubygems.rb

@@ -8,7 +8,7 @@
 require "rbconfig"
 
 module Gem
-  VERSION = "3.4.10"
+  VERSION = "3.4.14"
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/rubygems-update.gemspec

@@ -2,18 +2,19 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.4.10"
+  s.version = "3.4.14"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]
 
-  s.summary = "RubyGems is a package management framework for Ruby."
+  s.summary = "RubyGems is a package management framework for Ruby. This gem is downloaded and installed by `gem update --system`, so that the `gem` CLI can update itself."
   s.description = "A package (also known as a library) contains a set of functionality
   that can be invoked by a Ruby program, such as reading and parsing an XML file. We call
   these packages 'gems' and RubyGems is a tool to install, create, manage and load these
   packages in your Ruby environment. RubyGems is also a client for RubyGems.org, a public
   repository of Gems that allows you to publish a Gem that can be shared and used by other
   developers. See our guide on publishing a Gem at guides.rubygems.org"
-  s.homepage = "https://rubygems.org"
+  s.homepage = "https://guides.rubygems.org"
+  s.metadata = { "source_code_uri" => "https://github.com/rubygems/rubygems" }
   s.licenses = ["Ruby", "MIT"]
 
   s.files = File.read("Manifest.txt").split

data/test/rubygems/helper.rb

@@ -1179,6 +1179,20 @@ Also, a list:
     RUBY_PLATFORM.match("mswin")
   end
 
+  ##
+  # Is this test being run on a version of Ruby built with mingw?
+
+  def self.mingw_windows?
+    RUBY_PLATFORM.match("mingw")
+  end
+
+  ##
+  # Is this test being run on a version of Ruby built with mingw?
+
+  def mingw_windows?
+    RUBY_PLATFORM.match("mingw")
+  end
+
   ##
   # Is this test being run on a ruby/ruby repository?
   #

data/test/rubygems/test_bundled_ca.rb

@@ -14,7 +14,7 @@ require "rubygems/request"
 # The tested hosts are explained in detail here: https://github.com/rubygems/rubygems/commit/5e16a5428f973667cabfa07e94ff939e7a83ebd9
 #
 
-class TestBundledCA < Gem::TestCase
+class TestGemBundledCA < Gem::TestCase
   def bundled_certificate_store
     store = OpenSSL::X509::Store.new
 

data/test/rubygems/test_config.rb

@@ -3,7 +3,7 @@ require_relative "helper"
 require "rubygems"
 require "shellwords"
 
-class TestConfig < Gem::TestCase
+class TestGemConfig < Gem::TestCase
   def test_datadir
     util_make_gems
     spec = Gem::Specification.find_by_name("a")

data/test/rubygems/test_deprecate.rb

@@ -2,7 +2,7 @@
 require_relative "helper"
 require "rubygems/deprecate"
 
-class TestDeprecate < Gem::TestCase
+class TestGemDeprecate < Gem::TestCase
   def setup
     super
 

data/test/rubygems/test_exit.rb

@@ -3,7 +3,7 @@
 require_relative "helper"
 require "rubygems"
 
-class TestExit < Gem::TestCase
+class TestGemExit < Gem::TestCase
   def test_exit
     system(*ruby_with_rubygems_in_load_path, "-e", "raise Gem::SystemExitException.new(2)")
     assert_equal 2, $?.exitstatus

data/test/rubygems/test_gem.rb

@@ -1435,6 +1435,8 @@ class TestGem < Gem::TestCase
   def test_load_plugins
     plugin_path = File.join "lib", "rubygems_plugin.rb"
 
+    foo1_plugin_path = nil
+    foo2_plugin_path = nil
     Dir.chdir @tempdir do
       FileUtils.mkdir_p "lib"
       File.open plugin_path, "w" do |fp|
@@ -1444,17 +1446,22 @@ class TestGem < Gem::TestCase
       foo1 = util_spec "foo", "1" do |s|
         s.files << plugin_path
       end
+      foo1_plugin_path = File.join(foo1.gem_dir, plugin_path)
 
       install_gem foo1
 
       foo2 = util_spec "foo", "2" do |s|
         s.files << plugin_path
       end
+      foo2_plugin_path = File.join(foo2.gem_dir, plugin_path)
 
       install_gem foo2
     end
 
     Gem::Specification.reset
+    PLUGINS_LOADED.clear
+    $LOADED_FEATURES.delete(foo1_plugin_path)
+    $LOADED_FEATURES.delete(foo2_plugin_path)
 
     gem "foo"