rubygems-update 3.5.6 → 3.5.8

data/lib/rubygems/commands/rebuild_command.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+require "date"
+require "digest"
+require "fileutils"
+require "tmpdir"
+require_relative "../gemspec_helpers"
+require_relative "../package"
+
+class Gem::Commands::RebuildCommand < Gem::Command
+  include Gem::GemspecHelpers
+
+  DATE_FORMAT = "%Y-%m-%d %H:%M:%S.%N Z"
+
+  def initialize
+    super "rebuild", "Attempt to reproduce a build of a gem."
+
+    add_option "--diff", "If the files don't match, compare them using diffoscope." do |_value, options|
+      options[:diff] = true
+    end
+
+    add_option "--force", "Skip validation of the spec." do |_value, options|
+      options[:force] = true
+    end
+
+    add_option "--strict", "Consider warnings as errors when validating the spec." do |_value, options|
+      options[:strict] = true
+    end
+
+    add_option "--source GEM_SOURCE", "Specify the source to download the gem from." do |value, options|
+      options[:source] = value
+    end
+
+    add_option "--original GEM_FILE", "Specify a local file to compare against (instead of downloading it)." do |value, options|
+      options[:original_gem_file] = value
+    end
+
+    add_option "--gemspec GEMSPEC_FILE", "Specify the name of the gemspec file." do |value, options|
+      options[:gemspec_file] = value
+    end
+
+    add_option "-C PATH", "Run as if gem build was started in <PATH> instead of the current working directory." do |value, options|
+      options[:build_path] = value
+    end
+  end
+
+  def arguments # :nodoc:
+    "GEM_NAME      gem name on gem server\n" \
+    "GEM_VERSION   gem version you are attempting to rebuild"
+  end
+
+  def description # :nodoc:
+    <<-EOF
+The rebuild command allows you to (attempt to) reproduce a build of a gem
+from a ruby gemspec.
+
+This command assumes the gemspec can be built with the `gem build` command.
+If you use any of `gem build`, `rake build`, or`rake release` in the
+build/release process for a gem, it is a potential candidate.
+
+You will need to match the RubyGems version used, since this is included in
+the Gem metadata.
+
+If the gem includes lockfiles (e.g. Gemfile.lock) and similar, it will
+require more effort to reproduce a build. For example, it might require
+more precisely matched versions of Ruby and/or Bundler to be used.
+    EOF
+  end
+
+  def usage # :nodoc:
+    "#{program_name} GEM_NAME GEM_VERSION"
+  end
+
+  def execute
+    gem_name, gem_version = get_gem_name_and_version
+
+    old_dir, new_dir = prep_dirs
+
+    gem_filename = "#{gem_name}-#{gem_version}.gem"
+    old_file = File.join(old_dir, gem_filename)
+    new_file = File.join(new_dir, gem_filename)
+
+    if options[:original_gem_file]
+      FileUtils.copy_file(options[:original_gem_file], old_file)
+    else
+      download_gem(gem_name, gem_version, old_file)
+    end
+
+    rg_version = rubygems_version(old_file)
+    unless rg_version == Gem::VERSION
+      alert_error <<-EOF
+You need to use the same RubyGems version #{gem_name} v#{gem_version} was built with.
+
+#{gem_name} v#{gem_version} was built using RubyGems v#{rg_version}.
+Gem files include the version of RubyGems used to build them.
+This means in order to reproduce #{gem_filename}, you must also use RubyGems v#{rg_version}.
+
+You're using RubyGems v#{Gem::VERSION}.
+
+Please install RubyGems v#{rg_version} and try again.
+      EOF
+      terminate_interaction 1
+    end
+
+    source_date_epoch = get_timestamp(old_file).to_s
+
+    if build_path = options[:build_path]
+      Dir.chdir(build_path) { build_gem(gem_name, source_date_epoch, new_file) }
+    else
+      build_gem(gem_name, source_date_epoch, new_file)
+    end
+
+    compare(source_date_epoch, old_file, new_file)
+  end
+
+  private
+
+  def sha256(file)
+    Digest::SHA256.hexdigest(Gem.read_binary(file))
+  end
+
+  def get_timestamp(file)
+    mtime = nil
+    File.open(file, Gem.binary_mode) do |f|
+      Gem::Package::TarReader.new(f) do |tar|
+        mtime = tar.seek("metadata.gz") {|tf| tf.header.mtime }
+      end
+    end
+
+    mtime
+  end
+
+  def compare(source_date_epoch, old_file, new_file)
+    date = Time.at(source_date_epoch.to_i).strftime("%F %T %Z")
+
+    old_hash = sha256(old_file)
+    new_hash = sha256(new_file)
+
+    say
+    say "Built at: #{date} (#{source_date_epoch})"
+    say "Original build saved to:   #{old_file}"
+    say "Reproduced build saved to: #{new_file}"
+    say "Working directory: #{options[:build_path] || Dir.pwd}"
+    say
+    say "Hash comparison:"
+    say "  #{old_hash}\t#{old_file}"
+    say "  #{new_hash}\t#{new_file}"
+    say
+
+    if old_hash == new_hash
+      say "SUCCESS - original and rebuild hashes matched"
+    else
+      say "FAILURE - original and rebuild hashes did not match"
+      say
+
+      if options[:diff]
+        if system("diffoscope", old_file, new_file).nil?
+          alert_error "error: could not find `diffoscope` executable"
+        end
+      else
+        say "Pass --diff for more details (requires diffoscope to be installed)."
+      end
+
+      terminate_interaction 1
+    end
+  end
+
+  def prep_dirs
+    rebuild_dir = Dir.mktmpdir("gem_rebuild")
+    old_dir = File.join(rebuild_dir, "old")
+    new_dir = File.join(rebuild_dir, "new")
+
+    FileUtils.mkdir_p(old_dir)
+    FileUtils.mkdir_p(new_dir)
+
+    [old_dir, new_dir]
+  end
+
+  def get_gem_name_and_version
+    args = options[:args] || []
+    if args.length == 2
+      gem_name, gem_version = args
+    elsif args.length > 2
+      raise Gem::CommandLineError, "Too many arguments"
+    else
+      raise Gem::CommandLineError, "Expected GEM_NAME and GEM_VERSION arguments (gem rebuild GEM_NAME GEM_VERSION)"
+    end
+
+    [gem_name, gem_version]
+  end
+
+  def build_gem(gem_name, source_date_epoch, output_file)
+    gemspec = options[:gemspec_file] || find_gemspec("#{gem_name}.gemspec")
+
+    if gemspec
+      build_package(gemspec, source_date_epoch, output_file)
+    else
+      alert_error error_message(gem_name)
+      terminate_interaction(1)
+    end
+  end
+
+  def build_package(gemspec, source_date_epoch, output_file)
+    with_source_date_epoch(source_date_epoch) do
+      spec = Gem::Specification.load(gemspec)
+      if spec
+        Gem::Package.build(
+          spec,
+          options[:force],
+          options[:strict],
+          output_file
+        )
+      else
+        alert_error "Error loading gemspec. Aborting."
+        terminate_interaction 1
+      end
+    end
+  end
+
+  def with_source_date_epoch(source_date_epoch)
+    old_sde = ENV["SOURCE_DATE_EPOCH"]
+    ENV["SOURCE_DATE_EPOCH"] = source_date_epoch.to_s
+
+    yield
+  ensure
+    ENV["SOURCE_DATE_EPOCH"] = old_sde
+  end
+
+  def error_message(gem_name)
+    if gem_name
+      "Couldn't find a gemspec file matching '#{gem_name}' in #{Dir.pwd}"
+    else
+      "Couldn't find a gemspec file in #{Dir.pwd}"
+    end
+  end
+
+  def download_gem(gem_name, gem_version, old_file)
+    # This code was based loosely off the `gem fetch` command.
+    version = "= #{gem_version}"
+    dep = Gem::Dependency.new gem_name, version
+
+    specs_and_sources, errors =
+      Gem::SpecFetcher.fetcher.spec_for_dependency dep
+
+    # There should never be more than one item in specs_and_sources,
+    # since we search for an exact version.
+    spec, source = specs_and_sources[0]
+
+    if spec.nil?
+      show_lookup_failure gem_name, version, errors, options[:domain]
+      terminate_interaction 1
+    end
+
+    download_path = source.download spec
+
+    FileUtils.move(download_path, old_file)
+
+    say "Downloaded #{gem_name} version #{gem_version} as #{old_file}."
+  end
+
+  def rubygems_version(gem_file)
+    Gem::Package.new(gem_file).spec.rubygems_version
+  end
+end

data/lib/rubygems/config_file.rb

@@ -202,21 +202,33 @@ class Gem::ConfigFile
       @hash = @hash.merge environment_config
     end
 
+    @hash.transform_keys! do |k|
+      # gemhome and gempath are not working with symbol keys
+      if %w[backtrace bulk_threshold verbose update_sources cert_expiration_length_days
+            install_extension_in_lib ipv4_fallback_enabled sources disable_default_gem_server
+            ssl_verify_mode ssl_ca_cert ssl_client_cert].include?(k)
+        k.to_sym
+      else
+        k
+      end
+    end
+
     # HACK: these override command-line args, which is bad
     @backtrace                   = @hash[:backtrace]                   if @hash.key? :backtrace
     @bulk_threshold              = @hash[:bulk_threshold]              if @hash.key? :bulk_threshold
-    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
-    @path                        = @hash[:gempath]                     if @hash.key? :gempath
-    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
     @verbose                     = @hash[:verbose]                     if @hash.key? :verbose
-    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
-    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @update_sources              = @hash[:update_sources]              if @hash.key? :update_sources
+    # TODO: We should handle concurrent_downloads same as other options
     @cert_expiration_length_days = @hash[:cert_expiration_length_days] if @hash.key? :cert_expiration_length_days
     @ipv4_fallback_enabled       = @hash[:ipv4_fallback_enabled]       if @hash.key? :ipv4_fallback_enabled
 
-    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
-    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
-    @ssl_client_cert  = @hash[:ssl_client_cert]  if @hash.key? :ssl_client_cert
+    @home                        = @hash[:gemhome]                     if @hash.key? :gemhome
+    @path                        = @hash[:gempath]                     if @hash.key? :gempath
+    @sources                     = @hash[:sources]                     if @hash.key? :sources
+    @disable_default_gem_server  = @hash[:disable_default_gem_server]  if @hash.key? :disable_default_gem_server
+    @ssl_verify_mode             = @hash[:ssl_verify_mode]             if @hash.key? :ssl_verify_mode
+    @ssl_ca_cert                 = @hash[:ssl_ca_cert]                 if @hash.key? :ssl_ca_cert
+    @ssl_client_cert             = @hash[:ssl_client_cert]             if @hash.key? :ssl_client_cert
 
     @api_keys         = nil
     @rubygems_api_key = nil

data/lib/rubygems/defaults.rb

@@ -112,7 +112,7 @@ module Gem
   # The path to standard location of the user's configuration directory.
 
   def self.config_home
-    @config_home ||= (ENV["XDG_CONFIG_HOME"] || File.join(Gem.user_home, ".config"))
+    @config_home ||= ENV["XDG_CONFIG_HOME"] || File.join(Gem.user_home, ".config")
   end
 
   ##
@@ -145,21 +145,21 @@ module Gem
   # The path to standard location of the user's cache directory.
 
   def self.cache_home
-    @cache_home ||= (ENV["XDG_CACHE_HOME"] || File.join(Gem.user_home, ".cache"))
+    @cache_home ||= ENV["XDG_CACHE_HOME"] || File.join(Gem.user_home, ".cache")
   end
 
   ##
   # The path to standard location of the user's data directory.
 
   def self.data_home
-    @data_home ||= (ENV["XDG_DATA_HOME"] || File.join(Gem.user_home, ".local", "share"))
+    @data_home ||= ENV["XDG_DATA_HOME"] || File.join(Gem.user_home, ".local", "share")
   end
 
   ##
   # The path to standard location of the user's state directory.
 
   def self.state_home
-    @state_home ||= (ENV["XDG_STATE_HOME"] || File.join(Gem.user_home, ".local", "state"))
+    @state_home ||= ENV["XDG_STATE_HOME"] || File.join(Gem.user_home, ".local", "state")
   end
 
   ##

data/lib/rubygems/dependency.rb

@@ -328,9 +328,9 @@ class Gem::Dependency
     return active if active
 
     unless prerelease?
-      # Move prereleases to the end of the list for >= 0 requirements
+      # Consider prereleases only as a fallback
       pre, matches = matches.partition {|spec| spec.version.prerelease? }
-      matches += pre if requirement == Gem::Requirement.default
+      matches = pre if matches.empty?
     end
 
     matches.first

data/lib/rubygems/dependency_list.rb

@@ -6,7 +6,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require_relative "tsort"
+require_relative "vendored_tsort"
 require_relative "deprecate"
 
 ##

data/lib/rubygems/ext/cargo_builder.rb

@@ -293,7 +293,7 @@ EOF
 
     case var_name
     # On windows, it is assumed that mkmf has setup an exports file for the
-    # extension, so we have to to create one ourselves.
+    # extension, so we have to create one ourselves.
     when "DEFFILE"
       write_deffile(dest_dir, crate_name)
     else

data/lib/rubygems/gemcutter_utilities.rb

@@ -85,7 +85,7 @@ module Gem::GemcutterUtilities
   # If +allowed_push_host+ metadata is present, then it will only allow that host.
 
   def rubygems_api_request(method, path, host = nil, allowed_push_host = nil, scope: nil, credentials: {}, &block)
-    require_relative "net/http"
+    require_relative "vendored_net_http"
 
     self.host = host if host
     unless self.host

data/lib/rubygems/gemspec_helpers.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "../rubygems"
+
+##
+# Mixin methods for commands that work with gemspecs.
+
+module Gem::GemspecHelpers
+  def find_gemspec(glob = "*.gemspec")
+    gemspecs = Dir.glob(glob).sort
+
+    if gemspecs.size > 1
+      alert_error "Multiple gemspecs found: #{gemspecs}, please specify one"
+      terminate_interaction(1)
+    end
+
+    gemspecs.first
+  end
+end

data/lib/rubygems/package.rb

@@ -59,7 +59,7 @@ class Gem::Package
 
     def initialize(message, source = nil)
       if source
-        @path = source.path
+        @path = source.is_a?(String) ? source : source.path
 
         message += " in #{path}" if path
       end
@@ -454,7 +454,7 @@ EOM
 
         if entry.file?
           File.open(destination, "wb") {|out| copy_stream(entry, out) }
-          FileUtils.chmod file_mode(entry.header.mode), destination
+          FileUtils.chmod file_mode(entry.header.mode) & ~File.umask, destination
         end
 
         verbose destination

data/lib/rubygems/remote_fetcher.rb

@@ -74,7 +74,7 @@ class Gem::RemoteFetcher
 
   def initialize(proxy=nil, dns=nil, headers={})
     require_relative "core_ext/tcpsocket_init" if Gem.configuration.ipv4_fallback_enabled
-    require_relative "net/http"
+    require_relative "vendored_net_http"
     require "stringio"
     require_relative "vendor/uri/lib/uri"
 

data/lib/rubygems/request.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "net/http"
+require_relative "vendored_net_http"
 require_relative "user_interaction"
 
 class Gem::Request

data/lib/rubygems/request_set.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative "tsort"
+require_relative "vendored_tsort"
 
 ##
 # A RequestSet groups a request to activate a set of dependencies.

data/lib/rubygems/resolver/spec_specification.rb

@@ -66,4 +66,11 @@ class Gem::Resolver::SpecSpecification < Gem::Resolver::Specification
   def version
     spec.version
   end
+
+  ##
+  # The hash value for this specification.
+
+  def hash
+    spec.hash
+  end
 end

data/lib/rubygems/s3_uri_signer.rb

@@ -140,7 +140,7 @@ class Gem::S3URISigner
   end
 
   def ec2_metadata_credentials_json
-    require_relative "net/http"
+    require_relative "vendored_net_http"
     require_relative "request"
     require_relative "request/connection_pools"
     require "json"

data/lib/rubygems/safe_yaml.rb

@@ -25,8 +25,17 @@ module Gem
       runtime
     ].freeze
 
+    @aliases_enabled = true
+    def self.aliases_enabled=(value) # :nodoc:
+      @aliases_enabled = !!value
+    end
+
+    def self.aliases_enabled? # :nodoc:
+      @aliases_enabled
+    end
+
     def self.safe_load(input)
-      ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: true)
+      ::Psych.safe_load(input, permitted_classes: PERMITTED_CLASSES, permitted_symbols: PERMITTED_SYMBOLS, aliases: @aliases_enabled)
     end
 
     def self.load(input)

data/lib/rubygems/security.rb

@@ -323,7 +323,7 @@ require_relative "openssl"
 # == Original author
 #
 # Paul Duncan <pabs@pablotron.org>
-# http://pablotron.org/
+# https://pablotron.org/
 
 module Gem::Security
   ##

data/lib/rubygems/specification.rb

@@ -341,7 +341,7 @@ class Gem::Specification < Gem::BasicSpecification
   # https://opensource.org/licenses/ approved.
   #
   # The most commonly used OSI-approved licenses are MIT and Apache-2.0.
-  # GitHub also provides a license picker at http://choosealicense.com/.
+  # GitHub also provides a license picker at https://choosealicense.com/.
   #
   # You can also use a custom license file along with your gemspec and specify
   # a LicenseRef-<idstring>, where idstring is the name of the file containing

data/lib/rubygems/specification_policy.rb

@@ -7,7 +7,7 @@ class Gem::SpecificationPolicy
 
   VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
 
-  SPECIAL_CHARACTERS = /\A[#{Regexp.escape('.-_')}]+/ # :nodoc:
+  SPECIAL_CHARACTERS = /\A[#{Regexp.escape(".-_")}]+/ # :nodoc:
 
   VALID_URI_PATTERN = %r{\Ahttps?:\/\/([^\s:@]+:[^\s:@]*@)?[A-Za-z\d\-]+(\.[A-Za-z\d\-]+)+\.?(:\d{1,5})?([\/?]\S*)?\z} # :nodoc:
 
@@ -103,6 +103,8 @@ class Gem::SpecificationPolicy
 
     validate_dependencies
 
+    validate_required_ruby_version
+
     validate_extensions
 
     validate_removed_attributes
@@ -227,6 +229,12 @@ duplicate dependency on #{dep}, (#{prev.requirement}) use:
     end
   end
 
+  def validate_required_ruby_version
+    if @specification.required_ruby_version.requirements == [Gem::Requirement::DefaultRequirement]
+      warning "make sure you specify the oldest ruby version constraint (like \">= 3.0\") that you want your gem to support by setting the `required_ruby_version` gemspec attribute"
+    end
+  end
+
   ##
   # Issues a warning for each file to be packaged which is world-readable.
   #