rubygems-update 2.6.12 → 2.6.13
- checksums.yaml +4 -4
- data/History.txt +14 -0
- data/lib/rubygems.rb +1 -1
- data/lib/rubygems/commands/query_command.rb +3 -2
- data/lib/rubygems/installer.rb +7 -0
- data/lib/rubygems/remote_fetcher.rb +1 -1
- data/lib/rubygems/specification.rb +10 -2
- data/lib/rubygems/text.rb +14 -1
- data/test/rubygems/test_gem_commands_query_command.rb +80 -0
- data/test/rubygems/test_gem_installer.rb +20 -0
- data/test/rubygems/test_gem_remote_fetcher.rb +15 -0
- data/test/rubygems/test_gem_specification.rb +31 -1
- data/test/rubygems/test_gem_text.rb +11 -0
- metadata +3 -3
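--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c355e9814c4bd683190f6d71b5451fc9c7299aa4
+data.tar.gz: 5086e33f6dbf1c20876379c2d31feed694c7f2ba
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6fc702c906ba6bca4b5495934b856487c35aed3eb45037be622019074aa1b415dced89750e0329b63471d6428088162ff96341367c999fdd6274b2617ffe8c38
+data.tar.gz: ad369475ea2d97b69940858dbd0e864fc57220c0472b0c7e4b68bc2c703debcb559efbd5c37af9b562607b180233fd97af6a36c076d4722254d26d9106227693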
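--- a/data/History.txt
+++ b/data/History.txt
@@ -1,5 +1,19 @@
 # coding: UTF-8
 
+=== 2.6.13 / 2017-08-27
+
+Security fixes:
+
+* Fix a DNS request hijacking vulnerability.
+Fix by Samuel Giddins.
+* Fix an ANSI escape sequence vulnerability.
+Fix by Evan Phoenix.
+* Fix a DOS vulernerability in the `query` command.
+Fix by Samuel Giddins.
+* Fix a vulnerability in the gem installer that allowed
+a malicious gem to overwrite arbitrary files.
+Fix by Samuel Giddins.
+
 === 2.6.12 / 2017-04-30
 
 Bug fixes: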
data/lib/rubygems.rb
CHANGED
@@ -226,7 +226,7 @@ is too hard to use.
|
|
226
226
|
end
|
227
227
|
end
|
228
228
|
|
229
|
-
output << make_entry(matching_tuples, platforms)
|
229
|
+
output << clean_text(make_entry(matching_tuples, platforms))
|
230
230
|
end
|
231
231
|
end
|
232
232
|
|
@@ -353,7 +353,8 @@ is too hard to use.
|
|
353
353
|
end
|
354
354
|
|
355
355
|
def spec_summary entry, spec
|
356
|
-
|
356
|
+
summary = truncate_text(spec.summary, "the summary for #{spec.full_name}")
|
357
|
+
entry << "\n\n" << format_text(summary, 68, 4)
|
357
358
|
end
|
358
359
|
|
359
360
|
end
|
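Review bot: `truncate_text(spec.summary, "the summary for #{spec.full_name}")` at new line 356 reaches `text.size` inside truncate_text, so a spec whose summary is nil raises NoMethodError, exactly as the old `format_text(spec.summary, 68, 4)` would have failed on `work.length` — not a regression, but `spec.summary.to_s` would close it unless Specification already guarantees a String, which this page does not show. The 100,000-character bound that is the substance of the DoS fix is inherited from truncate_text's default parameter rather than stated at the call site; a named constant or an explicit argument here would make the limit visible where the query output is assembled. This page labels the section `data/lib/rubygems.rb`, but the diffstat (+3 −2) and the `make_entry`/`spec_summary` bodies correspond to `data/lib/rubygems/commands/query_command.rb`. The method containing the `output << clean_text(...)` change in the first hunk starts and ends outside the hunk; `spec_summary` is shown in full.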
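--- a/data/lib/rubygems/installer.rb
+++ b/data/lib/rubygems/installer.rb
@@ -697,6 +697,11 @@ class Gem::Installer
 unpack or File.writable?(gem_home)
 end
 
+def verify_spec_name
+return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+raise Gem::InstallError, "#{spec} has an invalid name"
+end
+
 ##
 # Return the text for an application file.
 
@@ -823,6 +828,8 @@ TEXT
 
 ensure_loadable_spec
 
+verify_spec_name
+
 if options[:install_as_default]
 Gem.ensure_default_gem_subdirectories gem_home
 else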
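Review bot: `raise Gem::InstallError, "#{spec} has an invalid name"` at new line 702 echoes the rejected name verbatim into a message shown on the installing user's terminal (Specification#to_s embeds it, as the test's expected `#<Gem::Specification name=../malicious version=1>` shows), so a name rejected precisely because it carries control or escape bytes is printed unescaped; the parallel check in Specification#validate uses `name.dump` for this reason. `raise Gem::InstallError, "#{spec.name.inspect} is not a valid gem name"` neutralizes those bytes and also survives a non-String name; test_pre_install_checks_malicious_name pins the current wording and would need to follow. `verify_spec_name` tests only `VALID_NAME_PATTERN`, whereas `validate` additionally requires `name =~ /[a-zA-Z]/`, so a name made solely of `.`, `-`, `_` and digits passes this gate yet is invalid there; mirroring the letter requirement keeps the two gates consistent. The `verify_spec_name` call in the second hunk lies inside a method (pre_install_checks, going by the test) whose start and end are outside the hunk.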
@@ -108,6 +108,8 @@ class Gem::Specification < Gem::BasicSpecification
|
|
108
108
|
|
109
109
|
private_constant :LOAD_CACHE if defined? private_constant
|
110
110
|
|
111
|
+
VALID_NAME_PATTERN = /\A[a-zA-Z0-9\.\-\_]+\z/ # :nodoc:
|
112
|
+
|
111
113
|
# :startdoc:
|
112
114
|
|
113
115
|
##
|
@@ -2668,9 +2670,15 @@ class Gem::Specification < Gem::BasicSpecification
|
|
2668
2670
|
end
|
2669
2671
|
end
|
2670
2672
|
|
2671
|
-
|
2673
|
+
if !name.is_a?(String) then
|
2674
|
+
raise Gem::InvalidSpecificationException,
|
2675
|
+
"invalid value for attribute name: \"#{name.inspect}\" must be a string"
|
2676
|
+
elsif name !~ /[a-zA-Z]/ then
|
2677
|
+
raise Gem::InvalidSpecificationException,
|
2678
|
+
"invalid value for attribute name: #{name.dump} must include at least one letter"
|
2679
|
+
elsif name !~ VALID_NAME_PATTERN then
|
2672
2680
|
raise Gem::InvalidSpecificationException,
|
2673
|
-
"invalid value for attribute name:
|
2681
|
+
"invalid value for attribute name: #{name.dump} can only include letters, numbers, dashes, and underscores"
|
2674
2682
|
end
|
2675
2683
|
|
2676
2684
|
if raw_require_paths.empty? then
|
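Review bot: `VALID_NAME_PATTERN` at new line 111 is marked `# :nodoc:` yet is now referenced from outside the class (Gem::Installer#verify_spec_name in this same release), so a comment stating what it guards is due; from the `../malicious` cases in the tests the intent is evidently to keep names safe for use in file paths, e.g. `# Conservative character set for gem names: names feed file system paths (see spec.file_name), so separators and control bytes are rejected.` The escapes in `[a-zA-Z0-9\.\-\_]` are unnecessary inside a character class — `[a-zA-Z0-9._-]` is equivalent and easier to read. In the second hunk the first branch wraps `name.inspect` in literal quotes (`\"#{name.inspect}\"`) while the other two use `name.dump`, so a Symbol renders as `":json"` with a doubled quote layer; the tests pin these exact messages, so harmonizing them means updating test_gem_specification.rb too. The `if`/`elsif` chain sits inside a method (validate, going by the tests) whose start and end lie outside the hunk.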
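--- a/data/lib/rubygems/text.rb
+++ b/data/lib/rubygems/text.rb
@@ -6,13 +6,26 @@ require 'rubygems'
 
 module Gem::Text
 
+##
+# Remove any non-printable characters and make the text suitable for
+# printing.
+def clean_text(text)
+text.gsub(/[\000-\b\v-\f\016-\037\177]/, ".".freeze)
+end
+
+def truncate_text(text, description, max_length = 100_000)
+raise ArgumentError, "max_length must be positive" unless max_length > 0
+return text if text.size <= max_length
+"Truncating #{description} to #{max_length.to_s.reverse.gsub(/...(?=.)/,'\&,').reverse} characters:\n" + text[0, max_length]
+end
+
 ##
 # Wraps +text+ to +wrap+ characters and optionally indents by +indent+
 # characters
 
 def format_text(text, wrap, indent=0)
 result = []
-work = text
+work = clean_text(text)
 
 while work.length > wrap do
 if work =~ /^(.{0,#{wrap}})[ \n]/ then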
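Review bot: The character class in `clean_text` at new line 13 leaves `\r` (0x0D) and everything from 0x80 upward untouched, so a carriage return in remote metadata still moves the cursor back to the start of the current terminal line, and the C1 control range U+0080–U+009F, which terminals in 8-bit mode treat like ESC-introduced sequences, is not neutralized; if only tab and newline are meant to survive, add `\r` to the class, and add `\u0080-\u009f` where the text is known to be UTF-8 (matching it against a binary-encoded string would raise). `text.gsub` raises ArgumentError on an invalid byte sequence, so malformed remote metadata now aborts the `query` command instead of printing; `text.to_s.scrub` ahead of the gsub (Ruby ≥ 2.1) would keep the output path alive — whether this branch still supports older Rubies is not visible here. `truncate_text` has no header comment while its neighbours do; `# Caps +text+ at +max_length+ characters, prefixing a notice that names +description+, so unbounded remote metadata cannot flood the output` would fit the file's style. The thousands-separator expression at new line 19 is hard to read; `max_length.to_s.gsub(/(\d)(?=(\d{3})+\z)/, '\1,')` is the conventional form. format_text's body continues past the end of the hunk.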
@@ -116,6 +116,86 @@ a (2)
|
|
116
116
|
This is a lot of text. This is a lot of text. This is a lot of text.
|
117
117
|
This is a lot of text.
|
118
118
|
|
119
|
+
pl (1)
|
120
|
+
Platform: i386-linux
|
121
|
+
Author: A User
|
122
|
+
Homepage: http://example.com
|
123
|
+
|
124
|
+
this is a summary
|
125
|
+
EOF
|
126
|
+
|
127
|
+
assert_equal expected, @ui.output
|
128
|
+
assert_equal '', @ui.error
|
129
|
+
end
|
130
|
+
|
131
|
+
def test_execute_details_cleans_text
|
132
|
+
spec_fetcher do |fetcher|
|
133
|
+
fetcher.spec 'a', 2 do |s|
|
134
|
+
s.summary = 'This is a lot of text. ' * 4
|
135
|
+
s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
|
136
|
+
s.homepage = "http://a.example.com/\x03"
|
137
|
+
end
|
138
|
+
|
139
|
+
fetcher.legacy_platform
|
140
|
+
end
|
141
|
+
|
142
|
+
@cmd.handle_options %w[-r -d]
|
143
|
+
|
144
|
+
use_ui @ui do
|
145
|
+
@cmd.execute
|
146
|
+
end
|
147
|
+
|
148
|
+
expected = <<-EOF
|
149
|
+
|
150
|
+
*** REMOTE GEMS ***
|
151
|
+
|
152
|
+
a (2)
|
153
|
+
Authors: Abraham Lincoln ., . Hirohito
|
154
|
+
Homepage: http://a.example.com/.
|
155
|
+
|
156
|
+
This is a lot of text. This is a lot of text. This is a lot of text.
|
157
|
+
This is a lot of text.
|
158
|
+
|
159
|
+
pl (1)
|
160
|
+
Platform: i386-linux
|
161
|
+
Author: A User
|
162
|
+
Homepage: http://example.com
|
163
|
+
|
164
|
+
this is a summary
|
165
|
+
EOF
|
166
|
+
|
167
|
+
assert_equal expected, @ui.output
|
168
|
+
assert_equal '', @ui.error
|
169
|
+
end
|
170
|
+
|
171
|
+
def test_execute_details_truncates_summary
|
172
|
+
spec_fetcher do |fetcher|
|
173
|
+
fetcher.spec 'a', 2 do |s|
|
174
|
+
s.summary = 'This is a lot of text. ' * 10_000
|
175
|
+
s.authors = ["Abraham Lincoln \x01", "\x02 Hirohito"]
|
176
|
+
s.homepage = "http://a.example.com/\x03"
|
177
|
+
end
|
178
|
+
|
179
|
+
fetcher.legacy_platform
|
180
|
+
end
|
181
|
+
|
182
|
+
@cmd.handle_options %w[-r -d]
|
183
|
+
|
184
|
+
use_ui @ui do
|
185
|
+
@cmd.execute
|
186
|
+
end
|
187
|
+
|
188
|
+
expected = <<-EOF
|
189
|
+
|
190
|
+
*** REMOTE GEMS ***
|
191
|
+
|
192
|
+
a (2)
|
193
|
+
Authors: Abraham Lincoln ., . Hirohito
|
194
|
+
Homepage: http://a.example.com/.
|
195
|
+
|
196
|
+
Truncating the summary for a-2 to 100,000 characters:
|
197
|
+
#{" This is a lot of text. This is a lot of text. This is a lot of text.\n" * 1449} This is a lot of te
|
198
|
+
|
119
199
|
pl (1)
|
120
200
|
Platform: i386-linux
|
121
201
|
Author: A User
|
@@ -1448,6 +1448,26 @@ gem 'other', version
|
|
1448
1448
|
end
|
1449
1449
|
end
|
1450
1450
|
|
1451
|
+
def test_pre_install_checks_malicious_name
|
1452
|
+
spec = util_spec '../malicious', '1'
|
1453
|
+
def spec.full_name # so the spec is buildable
|
1454
|
+
"malicious-1"
|
1455
|
+
end
|
1456
|
+
def spec.validate; end
|
1457
|
+
|
1458
|
+
util_build_gem spec
|
1459
|
+
|
1460
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1461
|
+
|
1462
|
+
use_ui @ui do
|
1463
|
+
@installer = Gem::Installer.at gem
|
1464
|
+
e = assert_raises Gem::InstallError do
|
1465
|
+
@installer.pre_install_checks
|
1466
|
+
end
|
1467
|
+
assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
|
1468
|
+
end
|
1469
|
+
end
|
1470
|
+
|
1451
1471
|
def test_shebang
|
1452
1472
|
util_make_exec @spec, "#!/usr/bin/ruby"
|
1453
1473
|
|
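Review bot: `def spec.validate; end` at new line 1456 and the `full_name` override above it disable the specification's own checks so that the `../malicious` name reaches the installer, but only the first override carries a comment; `def spec.validate; end # skip Specification#validate so the name is caught by verify_spec_name, not here` states why the test stubs it. The expected message on line 1467 embeds Specification#to_s verbatim, so any change to that format or to the installer's wording breaks this test; `assert_match(/has an invalid name\z/, e.message)` would keep the assertion on the behaviour under test. The added test is a complete method, so nothing here is cut by the hunk.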
@@ -241,6 +241,21 @@ PeIQQkFng2VVot/WAQbv3ePqWq07g1BBcwIBAg==
|
|
241
241
|
dns.verify
|
242
242
|
end
|
243
243
|
|
244
|
+
def test_api_endpoint_ignores_trans_domain_values_that_end_with_original_in_path
|
245
|
+
uri = URI.parse "http://example.com/foo"
|
246
|
+
target = MiniTest::Mock.new
|
247
|
+
target.expect :target, "evil.com/a.example.com"
|
248
|
+
|
249
|
+
dns = MiniTest::Mock.new
|
250
|
+
dns.expect :getresource, target, [String, Object]
|
251
|
+
|
252
|
+
fetch = Gem::RemoteFetcher.new nil, dns
|
253
|
+
assert_equal URI.parse("http://example.com/foo"), fetch.api_endpoint(uri)
|
254
|
+
|
255
|
+
target.verify
|
256
|
+
dns.verify
|
257
|
+
end
|
258
|
+
|
244
259
|
def test_api_endpoint_timeout_warning
|
245
260
|
uri = URI.parse "http://gems.example.com/foo"
|
246
261
|
|
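Review bot: The new test exercises one rejected shape only — a returned target whose path ends with the original host (`evil.com/a.example.com`) — and the `api_endpoint` change it covers (remote_fetcher.rb, +1 −1 in the diffstat) is not reproduced on this page, so the tightened condition can only be inferred from the test name. A companion case where the target ends with the original host string but without a separating dot, and, if not already present elsewhere in the file, one where it is a genuine subdomain that should be accepted, would pin the boundary of the suffix check rather than a single example. The mock's `dns.expect :getresource, target, [String, Object]` constrains only argument types, so a regression in the queried name would go unnoticed; asserting the exact lookup name would document the query the fetcher performs. The added test is a complete method.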
@@ -2985,7 +2985,37 @@ Did you mean 'Ruby'?
|
|
2985
2985
|
@a1.validate
|
2986
2986
|
end
|
2987
2987
|
|
2988
|
-
assert_equal 'invalid value for attribute name: ":json"', e.message
|
2988
|
+
assert_equal 'invalid value for attribute name: ":json" must be a string', e.message
|
2989
|
+
|
2990
|
+
@a1.name = []
|
2991
|
+
e = assert_raises Gem::InvalidSpecificationException do
|
2992
|
+
@a1.validate
|
2993
|
+
end
|
2994
|
+
assert_equal "invalid value for attribute name: \"[]\" must be a string", e.message
|
2995
|
+
|
2996
|
+
@a1.name = ""
|
2997
|
+
e = assert_raises Gem::InvalidSpecificationException do
|
2998
|
+
@a1.validate
|
2999
|
+
end
|
3000
|
+
assert_equal "invalid value for attribute name: \"\" must include at least one letter", e.message
|
3001
|
+
|
3002
|
+
@a1.name = "12345"
|
3003
|
+
e = assert_raises Gem::InvalidSpecificationException do
|
3004
|
+
@a1.validate
|
3005
|
+
end
|
3006
|
+
assert_equal "invalid value for attribute name: \"12345\" must include at least one letter", e.message
|
3007
|
+
|
3008
|
+
@a1.name = "../malicious"
|
3009
|
+
e = assert_raises Gem::InvalidSpecificationException do
|
3010
|
+
@a1.validate
|
3011
|
+
end
|
3012
|
+
assert_equal "invalid value for attribute name: \"../malicious\" can only include letters, numbers, dashes, and underscores", e.message
|
3013
|
+
|
3014
|
+
@a1.name = "\ba\t"
|
3015
|
+
e = assert_raises Gem::InvalidSpecificationException do
|
3016
|
+
@a1.validate
|
3017
|
+
end
|
3018
|
+
assert_equal "invalid value for attribute name: \"\\ba\\t\" can only include letters, numbers, dashes, and underscores", e.message
|
2989
3019
|
end
|
2990
3020
|
|
2991
3021
|
def test_validate_non_nil
|
@@ -36,6 +36,10 @@ Without the wrapping, the text might not look good in the RSS feed.
|
|
36
36
|
assert_equal expected, format_text(text, 78)
|
37
37
|
end
|
38
38
|
|
39
|
+
def test_format_removes_nonprintable_characters
|
40
|
+
assert_equal "text with weird .. stuff .", format_text("text with weird \x1b\x02 stuff \x7f", 40)
|
41
|
+
end
|
42
|
+
|
39
43
|
def test_min3
|
40
44
|
assert_equal 1, min3(1, 1, 1)
|
41
45
|
assert_equal 1, min3(1, 1, 2)
|
@@ -74,4 +78,11 @@ Without the wrapping, the text might not look good in the RSS feed.
|
|
74
78
|
assert_equal 7, levenshtein_distance("xxxxxxx", "ZenTest")
|
75
79
|
assert_equal 7, levenshtein_distance("zentest", "xxxxxxx")
|
76
80
|
end
|
81
|
+
|
82
|
+
def test_truncate_text
|
83
|
+
assert_equal "abc", truncate_text("abc", "desc")
|
84
|
+
assert_equal "Truncating desc to 2 characters:\nab", truncate_text("abc", "desc", 2)
|
85
|
+
s = "ab" * 500_001
|
86
|
+
assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
|
87
|
+
end
|
77
88
|
end
|
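Review bot: `test_format_removes_nonprintable_characters` at new lines 39–41 pins that ESC, 0x02 and DEL become `.` but says nothing about which control bytes are meant to survive, so the whitelist in `clean_text` (tab, newline and carriage return pass) is undocumented by tests; a direct assertion such as `assert_equal "a\tb\r\n", clean_text("a\tb\r\n")` would record that intent and flag an accidental change to the class in either direction. `test_truncate_text` checks the separator formatting only through a full 1,000,002-character string; that is cheap, but a short comment on line 85 saying why the input must exceed `max_length` (the prefix is only produced when `text.size > max_length`) would save the next reader a look at the implementation. Both added tests are complete methods.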
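--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-version: 2.6.
+version: 2.6.13
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-08-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: builder
@@ -800,7 +800,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.
+rubygems_version: 2.6.12
 signing_key:
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby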