rubygems-update 3.4.22 → 3.5.0

data/lib/rubygems/safe_marshal/visitors/visitor.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Gem::SafeMarshal::Visitors
+  class Visitor
+    def visit(target)
+      send DISPATCH.fetch(target.class), target
+    end
+
+    private
+
+    DISPATCH = Gem::SafeMarshal::Elements.constants.each_with_object({}) do |c, h|
+      next if c == :Element
+
+      klass = Gem::SafeMarshal::Elements.const_get(c)
+      h[klass] = :"visit_#{klass.name.gsub("::", "_")}"
+      h.default = :visit_unknown_element
+    end.compare_by_identity.freeze
+    private_constant :DISPATCH
+
+    def visit_unknown_element(e)
+      raise ArgumentError, "Attempting to visit unknown element #{e.inspect}"
+    end
+
+    def visit_Gem_SafeMarshal_Elements_Array(target)
+      target.elements.each {|e| visit(e) }
+    end
+
+    def visit_Gem_SafeMarshal_Elements_Bignum(target); end
+    def visit_Gem_SafeMarshal_Elements_False(target); end
+    def visit_Gem_SafeMarshal_Elements_Float(target); end
+
+    def visit_Gem_SafeMarshal_Elements_Hash(target)
+      target.pairs.each do |k, v|
+        visit(k)
+        visit(v)
+      end
+    end
+
+    def visit_Gem_SafeMarshal_Elements_HashWithDefaultValue(target)
+      visit_Gem_SafeMarshal_Elements_Hash(target)
+      visit(target.default)
+    end
+
+    def visit_Gem_SafeMarshal_Elements_Integer(target); end
+    def visit_Gem_SafeMarshal_Elements_Nil(target); end
+
+    def visit_Gem_SafeMarshal_Elements_Object(target)
+      visit(target.name)
+    end
+
+    def visit_Gem_SafeMarshal_Elements_ObjectLink(target); end
+    def visit_Gem_SafeMarshal_Elements_String(target); end
+    def visit_Gem_SafeMarshal_Elements_Symbol(target); end
+    def visit_Gem_SafeMarshal_Elements_SymbolLink(target); end
+    def visit_Gem_SafeMarshal_Elements_True(target); end
+
+    def visit_Gem_SafeMarshal_Elements_UserDefined(target)
+      visit(target.name)
+    end
+
+    def visit_Gem_SafeMarshal_Elements_UserMarshal(target)
+      visit(target.name)
+      visit(target.data)
+    end
+
+    def visit_Gem_SafeMarshal_Elements_WithIvars(target)
+      visit(target.object)
+      target.ivars.each do |k, v|
+        visit(k)
+        visit(v)
+      end
+    end
+  end
+end

data/lib/rubygems/safe_marshal.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "stringio"
+
+require_relative "safe_marshal/reader"
+require_relative "safe_marshal/visitors/to_ruby"
+
+module Gem
+  ###
+  # This module is used for safely loading Marshal specs from a gem.  The
+  # `safe_load` method defined on this module is specifically designed for
+  # loading Gem specifications.
+
+  module SafeMarshal
+    PERMITTED_CLASSES = %w[
+      Date
+      Time
+      Rational
+
+      Gem::Dependency
+      Gem::NameTuple
+      Gem::Platform
+      Gem::Requirement
+      Gem::Specification
+      Gem::Version
+      Gem::Version::Requirement
+
+      YAML::Syck::DefaultKey
+      YAML::PrivateType
+    ].freeze
+    private_constant :PERMITTED_CLASSES
+
+    PERMITTED_SYMBOLS = %w[
+      development
+      runtime
+
+      name
+      number
+      platform
+      dependencies
+    ].freeze
+    private_constant :PERMITTED_SYMBOLS
+
+    PERMITTED_IVARS = {
+      "String" => %w[E encoding @taguri @debug_created_info],
+      "Time" => %w[
+        offset zone nano_num nano_den submicro
+        @_zone @marshal_with_utc_coercion
+      ],
+      "Gem::Dependency" => %w[
+        @name @requirement @prerelease @version_requirement @version_requirements @type
+        @force_ruby_platform
+      ],
+      "Gem::NameTuple" => %w[@name @version @platform],
+      "Gem::Platform" => %w[@os @cpu @version],
+      "Psych::PrivateType" => %w[@value @type_id],
+    }.freeze
+    private_constant :PERMITTED_IVARS
+
+    def self.safe_load(input)
+      load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, permitted_ivars: PERMITTED_IVARS)
+    end
+
+    def self.load(input, permitted_classes: [::Symbol], permitted_symbols: [], permitted_ivars: {})
+      root = Reader.new(StringIO.new(input, "r").binmode).read!
+
+      Visitors::ToRuby.new(
+        permitted_classes: permitted_classes,
+        permitted_symbols: permitted_symbols,
+        permitted_ivars: permitted_ivars,
+      ).visit(root)
+    end
+  end
+end

data/lib/rubygems/safe_yaml.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 module Gem
-
   ###
   # This module is used for safely loading YAML specs from a gem.  The
   # `safe_load` method defined on this module is specifically designed for
@@ -26,34 +25,12 @@ module Gem
       runtime
     ].freeze
 
-    if ::Psych.respond_to? :safe_load
-      def self.safe_load(input)
-        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
-          ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
-        else
-          ::Psych.safe_load(input, PERMITTED_CLASSES, PERMITTED_SYMBOLS, true)
-        end
-      end
-
-      def self.load(input)
-        if Gem::Version.new(Psych::VERSION) >= Gem::Version.new("3.1.0.pre1")
-          ::Psych.safe_load(input, permitted_classes: [::Symbol])
-        else
-          ::Psych.safe_load(input, [::Symbol])
-        end
-      end
-    else
-      unless Gem::Deprecate.skip
-        warn "Psych safe loading is not available. Please upgrade psych to a version that supports safe loading (>= 2.0)."
-      end
-
-      def self.safe_load(input, *args)
-        ::Psych.load input
-      end
+    def self.safe_load(input)
+      ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+    end
 
-      def self.load(input)
-        ::Psych.load input
-      end
+    def self.load(input)
+      ::Psych.safe_load(input, permitted_classes: [::Symbol])
     end
   end
 end

data/lib/rubygems/security/policies.rb

@@ -1,18 +1,17 @@
 # frozen_string_literal: true
 
 module Gem::Security
-
   ##
   # No security policy: all package signature checks are disabled.
 
   NoSecurity = Policy.new(
     "No Security",
-    :verify_data => false,
-    :verify_signer => false,
-    :verify_chain => false,
-    :verify_root => false,
-    :only_trusted => false,
-    :only_signed => false
+    verify_data: false,
+    verify_signer: false,
+    verify_chain: false,
+    verify_root: false,
+    only_trusted: false,
+    only_signed: false
   )
 
   ##
@@ -25,12 +24,12 @@ module Gem::Security
 
   AlmostNoSecurity = Policy.new(
     "Almost No Security",
-    :verify_data => true,
-    :verify_signer => false,
-    :verify_chain => false,
-    :verify_root => false,
-    :only_trusted => false,
-    :only_signed => false
+    verify_data: true,
+    verify_signer: false,
+    verify_chain: false,
+    verify_root: false,
+    only_trusted: false,
+    only_signed: false
   )
 
   ##
@@ -42,12 +41,12 @@ module Gem::Security
 
   LowSecurity = Policy.new(
     "Low Security",
-    :verify_data => true,
-    :verify_signer => true,
-    :verify_chain => false,
-    :verify_root => false,
-    :only_trusted => false,
-    :only_signed => false
+    verify_data: true,
+    verify_signer: true,
+    verify_chain: false,
+    verify_root: false,
+    only_trusted: false,
+    only_signed: false
   )
 
   ##
@@ -61,12 +60,12 @@ module Gem::Security
 
   MediumSecurity = Policy.new(
     "Medium Security",
-    :verify_data => true,
-    :verify_signer => true,
-    :verify_chain => true,
-    :verify_root => true,
-    :only_trusted => true,
-    :only_signed => false
+    verify_data: true,
+    verify_signer: true,
+    verify_chain: true,
+    verify_root: true,
+    only_trusted: true,
+    only_signed: false
   )
 
   ##
@@ -80,12 +79,12 @@ module Gem::Security
 
   HighSecurity = Policy.new(
     "High Security",
-    :verify_data => true,
-    :verify_signer => true,
-    :verify_chain => true,
-    :verify_root => true,
-    :only_trusted => true,
-    :only_signed => true
+    verify_data: true,
+    verify_signer: true,
+    verify_chain: true,
+    verify_root: true,
+    only_trusted: true,
+    only_signed: true
   )
 
   ##
@@ -93,12 +92,12 @@ module Gem::Security
 
   SigningPolicy = Policy.new(
     "Signing Policy",
-    :verify_data => false,
-    :verify_signer => true,
-    :verify_chain => true,
-    :verify_root => true,
-    :only_trusted => false,
-    :only_signed => false
+    verify_data: false,
+    verify_signer: true,
+    verify_chain: true,
+    verify_root: true,
+    only_trusted: false,
+    only_signed: false
   )
 
   ##
@@ -112,5 +111,4 @@ module Gem::Security
     "HighSecurity" => HighSecurity,
     # SigningPolicy is not intended for use by `gem -P` so do not list it
   }.freeze
-
 end

data/lib/rubygems/security/policy.rb

@@ -135,7 +135,7 @@ class Gem::Security::Policy
     raise Gem::Security::Exception, "missing root certificate" unless root
 
     raise Gem::Security::Exception,
-          "root certificate #{root.subject} is not self-signed " +
+          "root certificate #{root.subject} is not self-signed " \
           "(issuer #{root.issuer})" if
       root.issuer != root.subject
 
@@ -171,7 +171,7 @@ class Gem::Security::Policy
     cert_dgst = digester.digest pkey_str
 
     raise Gem::Security::Exception,
-          "trusted root certificate #{root.subject} checksum " +
+          "trusted root certificate #{root.subject} checksum " \
           "does not match signing root certificate checksum" unless
       save_dgst == cert_dgst
 
@@ -192,11 +192,8 @@ class Gem::Security::Policy
   end
 
   def inspect # :nodoc:
-    ("[Policy: %s - data: %p signer: %p chain: %p root: %p " +
-     "signed-only: %p trusted-only: %p]") % [
-       @name, @verify_chain, @verify_data, @verify_root, @verify_signer,
-       @only_signed, @only_trusted
-     ]
+    format("[Policy: %s - data: %p signer: %p chain: %p root: %p " \
+     "signed-only: %p trusted-only: %p]", @name, @verify_chain, @verify_data, @verify_root, @verify_signer, @only_signed, @only_trusted)
   end
 
   ##
@@ -206,8 +203,7 @@ class Gem::Security::Policy
   #
   # If +key+ is given it is used to validate the signing certificate.
 
-  def verify(chain, key = nil, digests = {}, signatures = {},
-             full_name = "(unknown)")
+  def verify(chain, key = nil, digests = {}, signatures = {}, full_name = "(unknown)")
     if signatures.empty?
       if @only_signed
         raise Gem::Security::Exception,
@@ -226,7 +222,7 @@ class Gem::Security::Policy
     trust_dir = opt[:trust_dir]
     time      = Time.now
 
-    _, signer_digests = digests.find do |algorithm, file_digests|
+    _, signer_digests = digests.find do |_algorithm, file_digests|
       file_digests.values.first.name == Gem::Security::DIGEST_NAME
     end
 
@@ -288,5 +284,5 @@ class Gem::Security::Policy
     true
   end
 
-  alias to_s name # :nodoc:
+  alias_method :to_s, :name # :nodoc:
 end

data/lib/rubygems/security/signer.rb

@@ -106,7 +106,7 @@ class Gem::Security::Signer
   # this value is preferred, otherwise the subject is used.
 
   def extract_name(cert) # :nodoc:
-    subject_alt_name = cert.extensions.find {|e| "subjectAltName" == e.oid }
+    subject_alt_name = cert.extensions.find {|e| e.oid == "subjectAltName" }
 
     if subject_alt_name
       /\Aemail:/ =~ subject_alt_name.value # rubocop:disable Performance/StartWith

data/lib/rubygems/security/trust_dir.rb

@@ -9,8 +9,8 @@ class Gem::Security::TrustDir
   # Default permissions for the trust directory and its contents
 
   DEFAULT_PERMISSIONS = {
-    :trust_dir => 0o700,
-    :trusted_cert => 0o600,
+    trust_dir: 0o700,
+    trusted_cert: 0o600,
   }.freeze
 
   ##
@@ -111,7 +111,7 @@ class Gem::Security::TrustDir
 
       FileUtils.chmod 0o700, @dir
     else
-      FileUtils.mkdir_p @dir, :mode => @permissions[:trust_dir]
+      FileUtils.mkdir_p @dir, mode: @permissions[:trust_dir]
     end
   end
 end

data/lib/rubygems/security.rb

@@ -326,7 +326,6 @@ require_relative "openssl"
 # http://pablotron.org/
 
 module Gem::Security
-
   ##
   # Gem::Security default exception type
 
@@ -399,8 +398,7 @@ module Gem::Security
   #
   # The +extensions+ restrict the key to the indicated uses.
 
-  def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS,
-                       serial = 1)
+  def self.create_cert(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1)
     cert = OpenSSL::X509::Certificate.new
 
     cert.public_key = get_public_key(key)
@@ -451,8 +449,7 @@ module Gem::Security
   # Creates a self-signed certificate with an issuer and subject of +subject+
   # and the given +extensions+ for the +key+.
 
-  def self.create_cert_self_signed(subject, key, age = ONE_YEAR,
-                                   extensions = EXTENSIONS, serial = 1)
+  def self.create_cert_self_signed(subject, key, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1)
     certificate = create_cert subject, key, age, extensions
 
     sign certificate, key, certificate, age, extensions, serial
@@ -462,16 +459,8 @@ module Gem::Security
   # Creates a new digest instance using the specified +algorithm+. The default
   # is SHA256.
 
-  if defined?(OpenSSL::Digest)
-    def self.create_digest(algorithm = DIGEST_NAME)
-      OpenSSL::Digest.new(algorithm)
-    end
-  else
-    require "digest"
-
-    def self.create_digest(algorithm = DIGEST_NAME)
-      Digest.const_get(algorithm).new
-    end
+  def self.create_digest(algorithm = DIGEST_NAME)
+    OpenSSL::Digest.new(algorithm)
   end
 
   ##
@@ -516,11 +505,10 @@ module Gem::Security
   #--
   # TODO increment serial
 
-  def self.re_sign(expired_certificate, private_key, age = ONE_YEAR,
-                   extensions = EXTENSIONS)
+  def self.re_sign(expired_certificate, private_key, age = ONE_YEAR, extensions = EXTENSIONS)
     raise Gem::Security::Exception,
           "incorrect signing key for re-signing " +
-          "#{expired_certificate.subject}" unless
+          expired_certificate.subject.to_s unless
       expired_certificate.check_private_key(private_key)
 
     unless expired_certificate.subject.to_s ==
@@ -529,7 +517,7 @@ module Gem::Security
       issuer  = alt_name_or_x509_entry expired_certificate, :issuer
 
       raise Gem::Security::Exception,
-            "#{subject} is not self-signed, contact #{issuer} " +
+            "#{subject} is not self-signed, contact #{issuer} " \
             "to obtain a valid certificate"
     end
 
@@ -553,8 +541,7 @@ module Gem::Security
   #
   # Returns the newly signed certificate.
 
-  def self.sign(certificate, signing_key, signing_cert,
-                age = ONE_YEAR, extensions = EXTENSIONS, serial = 1)
+  def self.sign(certificate, signing_key, signing_cert, age = ONE_YEAR, extensions = EXTENSIONS, serial = 1)
     signee_subject = certificate.subject
     signee_key     = certificate.public_key
 
@@ -617,7 +604,6 @@ module Gem::Security
   end
 
   reset
-
 end
 
 if Gem::HAVE_OPENSSL

data/lib/rubygems/source/git.rb

@@ -70,8 +70,6 @@ class Gem::Source::Git < Gem::Source
       -1
     when Gem::Source then
       1
-    else
-      nil
     end
   end
 
@@ -229,7 +227,7 @@ class Gem::Source::Git < Gem::Source
     require_relative "../openssl"
 
     normalized =
-      if @repository =~ %r{^\w+://(\w+@)?}
+      if @repository.match?(%r{^\w+://(\w+@)?})
         uri = URI(@repository).normalize.to_s.sub %r{/$},""
         uri.sub(/\A(\w+)/) { $1.downcase }
       else

data/lib/rubygems/source/installed.rb

@@ -21,8 +21,6 @@ class Gem::Source::Installed < Gem::Source
       0
     when Gem::Source then
       1
-    else
-      nil
     end
   end
 

data/lib/rubygems/source/local.rb

@@ -24,14 +24,12 @@ class Gem::Source::Local < Gem::Source
       0
     when Gem::Source then
       1
-    else
-      nil
     end
   end
 
   def inspect # :nodoc:
     keys = @specs ? @specs.keys.sort : "NOT LOADED"
-    "#<%s specs: %p>" % [self.class, keys]
+    format("#<%s specs: %p>", self.class, keys)
   end
 
   def load_specs(type) # :nodoc:
@@ -44,7 +42,7 @@ class Gem::Source::Local < Gem::Source
         pkg = Gem::Package.new(file)
         spec = pkg.spec
       rescue SystemCallError, Gem::Package::FormatError
-      # ignore
+        # ignore
       else
         tup = spec.name_tuple
         @specs[tup] = [File.expand_path(file), pkg]
@@ -77,8 +75,7 @@ class Gem::Source::Local < Gem::Source
     end
   end
 
-  def find_gem(gem_name, version = Gem::Requirement.default, # :nodoc:
-               prerelease = false)
+  def find_gem(gem_name, version = Gem::Requirement.default, prerelease = false) # :nodoc:
     load_specs :complete
 
     found = []
@@ -96,7 +93,7 @@ class Gem::Source::Local < Gem::Source
       end
     end
 
-    found.max_by {|s| s.version }
+    found.max_by(&:version)
   end
 
   def fetch_spec(name) # :nodoc:
@@ -112,7 +109,7 @@ class Gem::Source::Local < Gem::Source
   def download(spec, cache_dir = nil) # :nodoc:
     load_specs :complete
 
-    @specs.each do |name, data|
+    @specs.each do |_name, data|
       return data[0] if data[1].spec == spec
     end
 

data/lib/rubygems/source/lock.rb

@@ -25,13 +25,11 @@ class Gem::Source::Lock < Gem::Source
       @wrapped <=> other.wrapped
     when Gem::Source then
       1
-    else
-      nil
     end
   end
 
   def ==(other) # :nodoc:
-    0 == (self <=> other)
+    (self <=> other) == 0
   end
 
   def hash # :nodoc:

data/lib/rubygems/source/specific_file.rb

@@ -34,7 +34,6 @@ class Gem::Source::SpecificFile < Gem::Source
   def fetch_spec(name) # :nodoc:
     return @spec if name == @name
     raise Gem::Exception, "Unable to find '#{name}'"
-    @spec
   end
 
   def download(spec, dir = nil) # :nodoc:

data/lib/rubygems/source/vendor.rb

@@ -19,8 +19,6 @@ class Gem::Source::Vendor < Gem::Source::Installed
       0
     when Gem::Source then
       1
-    else
-      nil
     end
   end
 end

data/lib/rubygems/source.rb

@@ -12,9 +12,9 @@ class Gem::Source
   include Gem::Text
 
   FILES = { # :nodoc:
-    :released => "specs",
-    :latest => "latest_specs",
-    :prerelease => "prerelease_specs",
+    released: "specs",
+    latest: "latest_specs",
+    prerelease: "prerelease_specs",
   }.freeze
 
   ##
@@ -56,8 +56,6 @@ class Gem::Source
       return 1 unless @uri.to_s == other.uri.to_s
 
       0
-    else
-      nil
     end
   end
 
@@ -71,7 +69,7 @@ class Gem::Source
   # Returns a Set that can fetch specifications from this source.
 
   def dependency_resolver_set # :nodoc:
-    return Gem::Resolver::IndexSet.new self if "file" == uri.scheme
+    return Gem::Resolver::IndexSet.new self if uri.scheme == "file"
 
     fetch_uri = if uri.host == "rubygems.org"
       index_uri = uri.dup
@@ -102,8 +100,7 @@ class Gem::Source
 
   def cache_dir(uri)
     # Correct for windows paths
-    escaped_path = uri.path.sub(/^\/([a-z]):\//i, '/\\1-/')
-    escaped_path.tap(&Gem::UNTAINT)
+    escaped_path = uri.path.sub(%r{^/([a-z]):/}i, '/\\1-/')
 
     File.join Gem.spec_cache_dir, "#{uri.host}%#{uri.port}", File.dirname(escaped_path)
   end
@@ -137,8 +134,9 @@ class Gem::Source
 
     if File.exist? local_spec
       spec = Gem.read_binary local_spec
+      Gem.load_safe_marshal
       spec = begin
-               Marshal.load(spec)
+               Gem::SafeMarshal.safe_load(spec)
              rescue StandardError
                nil
              end
@@ -159,8 +157,9 @@ class Gem::Source
       end
     end
 
+    Gem.load_safe_marshal
     # TODO: Investigate setting Gem::Specification#loaded_from to a URI
-    Marshal.load spec
+    Gem::SafeMarshal.safe_load spec
   end
 
   ##
@@ -190,8 +189,9 @@ class Gem::Source
 
     spec_dump = fetcher.cache_update_path spec_path, local_file, update_cache?
 
+    Gem.load_safe_marshal
     begin
-      Gem::NameTuple.from_list Marshal.load(spec_dump)
+      Gem::NameTuple.from_list Gem::SafeMarshal.safe_load(spec_dump)
     rescue ArgumentError
       if update_cache? && !retried
         FileUtils.rm local_file
@@ -233,7 +233,7 @@ class Gem::Source
   private
 
   def enforce_trailing_slash(uri)
-    uri.merge(uri.path.gsub(/\/+$/, "") + "/")
+    uri.merge(uri.path.gsub(%r{/+$}, "") + "/")
   end
 end