rubygems-update 2.7.5 → 2.7.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95086df533cd20a4f5f170842e369a7a883a80653b84ff3398adffc7514299c5
-  data.tar.gz: c21e484af79d93bb72757b37903e990081436482f00cd63bd4b941699ba5eb88
+  metadata.gz: 0fa366bda5b1ed46730b8c276ce161ef32966ec9dde14f974663508163df41da
+  data.tar.gz: 76d8c2583652ec7266303e5af81014b7b6c440ff207e1d4cbe483959226db55d
 SHA512:
-  metadata.gz: 1a5b15531e1362e6f141956de530d446fc9c013b59e67573a6d3ada5630e67f90c8d6b732d1895ec0bc4233a292fc1316028049dee4dc1fe947034fe531ebf9b
-  data.tar.gz: 82ee7c7338628277e6127faeac9043b19bae6b57dee39dd48c8137f1c954866a6a6e43f6e44fbfa2428f86efe1d0d24ba724fa4f188ae4383117a3388beae171
+  metadata.gz: cd712f404f5e736191c312af58dafdfe897e155b9cdec68a634547606846bb31bae7cdefc46ace35eb143db7f8281c20092a534a7ccb94760ad5701d8c0ca06f
+  data.tar.gz: 1d80df8990549a07c91d94c5e848141f72045a71046ef0a3be5b871e8af9f0909187b196d117b6c508ec9fd0c9238a0ed96e4f9a8c7f6a9f6b59feac8a7df25b

data/History.txt

@@ -1,5 +1,24 @@
 # coding: UTF-8
 
+=== 2.7.6 / 2018-02-16
+
+Security fixes:
+
+* Prevent path traversal when writing to a symlinked basedir outside of the root.
+  Discovered by nmalkin, fixed by Jonathan Claudius and Samuel Giddins.
+* Fix possible Unsafe Object Deserialization Vulnerability in gem owner.
+  Fixed by Jonathan Claudius.
+* Strictly interpret octal fields in tar headers.
+  Discoved by plover, fixed by Samuel Giddins.
+* Raise a security error when there are duplicate files in a package.
+  Discovered by plover, fixed by Samuel Giddins.
+* Enforce URL validation on spec homepage attribute.
+  Discovered by Yasin Soliman, fixed by Jonathan Claudius.
+* Mitigate XSS vulnerability in homepage attribute when displayed via `gem server`.
+  Discovered by Yasin Soliman, fixed by Jonathan Claudius.
+* Prevent Path Traversal issue during gem installation.
+  Discovered by nmalkin.
+
 === 2.7.4
 
 Bug fixes:

data/lib/rubygems.rb

@@ -10,7 +10,7 @@ require 'rbconfig'
 require 'thread'
 
 module Gem
-  VERSION = "2.7.5"
+  VERSION = "2.7.6"
 end
 
 # Must be first since it unloads the prelude from 1.9.2

data/lib/rubygems/commands/owner_command.rb

@@ -64,7 +64,7 @@ permission to.
     end
 
     with_response response do |resp|
-      owners = YAML.load resp.body
+      owners = Gem::SafeYAML.load resp.body
 
       say "Owners for gem: #{name}"
       owners.each do |owner|

data/lib/rubygems/package.rb

@@ -378,7 +378,7 @@ EOM
             File.dirname destination
           end
 
-        FileUtils.mkdir_p mkdir, mkdir_options
+        mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name
 
         File.open destination, 'wb' do |out|
           out.write entry.read
@@ -416,20 +416,35 @@ EOM
     raise Gem::Package::PathError.new(filename, destination_dir) if
       filename.start_with? '/'
 
-    destination_dir = File.realpath destination_dir if
-      File.respond_to? :realpath
+    destination_dir = realpath destination_dir
     destination_dir = File.expand_path destination_dir
 
     destination = File.join destination_dir, filename
     destination = File.expand_path destination
 
     raise Gem::Package::PathError.new(destination, destination_dir) unless
-      destination.start_with? destination_dir
+      destination.start_with? destination_dir + '/'
 
     destination.untaint
     destination
   end
 
+  def mkdir_p_safe mkdir, mkdir_options, destination_dir, file_name
+    destination_dir = realpath File.expand_path(destination_dir)
+    parts = mkdir.split(File::SEPARATOR)
+    parts.reduce do |path, basename|
+      path = realpath path  unless path == ""
+      path = File.expand_path(path + File::SEPARATOR + basename)
+      lstat = File.lstat path rescue nil
+      if !lstat || !lstat.directory?
+        unless path.start_with? destination_dir and (FileUtils.mkdir path, mkdir_options rescue false)
+          raise Gem::Package::PathError.new(file_name, destination_dir)
+        end
+      end
+      path
+    end
+  end
+
   ##
   # Loads a Gem::Specification from the TarEntry +entry+
 
@@ -603,6 +618,10 @@ EOM
       raise Gem::Package::FormatError.new \
               'package content (data.tar.gz) is missing', @gem
     end
+
+    if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
+      raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
+    end
   end
 
   ##
@@ -616,6 +635,16 @@ EOM
     raise Gem::Package::FormatError.new(e.message, entry.full_name)
   end
 
+  if File.respond_to? :realpath
+    def realpath file
+      File.realpath file
+    end
+  else
+    def realpath file
+      file
+    end
+  end
+
 end
 
 require 'rubygems/package/digest_io'

data/lib/rubygems/package/tar_header.rb

@@ -104,25 +104,30 @@ class Gem::Package::TarHeader
     fields = header.unpack UNPACK_FORMAT
 
     new :name     => fields.shift,
-        :mode     => fields.shift.oct,
-        :uid      => fields.shift.oct,
-        :gid      => fields.shift.oct,
-        :size     => fields.shift.oct,
-        :mtime    => fields.shift.oct,
-        :checksum => fields.shift.oct,
+        :mode     => strict_oct(fields.shift),
+        :uid      => strict_oct(fields.shift),
+        :gid      => strict_oct(fields.shift),
+        :size     => strict_oct(fields.shift),
+        :mtime    => strict_oct(fields.shift),
+        :checksum => strict_oct(fields.shift),
         :typeflag => fields.shift,
         :linkname => fields.shift,
         :magic    => fields.shift,
-        :version  => fields.shift.oct,
+        :version  => strict_oct(fields.shift),
         :uname    => fields.shift,
         :gname    => fields.shift,
-        :devmajor => fields.shift.oct,
-        :devminor => fields.shift.oct,
+        :devmajor => strict_oct(fields.shift),
+        :devminor => strict_oct(fields.shift),
         :prefix   => fields.shift,
 
         :empty => empty
   end
 
+  def self.strict_oct(str)
+    return str.oct if str =~ /\A[0-7]*\z/
+    raise ArgumentError, "#{str.inspect} is not an octal string"
+  end
+
   ##
   # Creates a new TarHeader using +vals+
 

data/lib/rubygems/package/tar_writer.rb

@@ -196,6 +196,8 @@ class Gem::Package::TarWriter
       digest_name == signer.digest_name
     end
 
+    raise "no #{signer.digest_name} in #{digests.values.compact}" unless signature_digest
+
     if signer.key then
       signature = signer.sign signature_digest.digest
 

data/lib/rubygems/server.rb

@@ -623,6 +623,18 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
       executables = nil if executables.empty?
       executables.last["is_last"] = true if executables
 
+      # Pre-process spec homepage for safety reasons
+      begin
+        homepage_uri = URI.parse(spec.homepage)
+        if [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+          homepage_uri = spec.homepage
+        else
+          homepage_uri = "."
+        end
+      rescue URI::InvalidURIError
+        homepage_uri = "."
+      end
+
       specs << {
         "authors"             => spec.authors.sort.join(", "),
         "date"                => spec.date.to_s,
@@ -632,7 +644,7 @@ div.method-source-code pre { color: #ffdead; overflow: hidden; }
         "only_one_executable" => (executables && executables.size == 1),
         "full_name"           => spec.full_name,
         "has_deps"            => !deps.empty?,
-        "homepage"            => spec.homepage,
+        "homepage"            => homepage_uri,
         "name"                => spec.name,
         "rdoc_installed"      => Gem::RDoc.new(spec).rdoc_installed?,
         "ri_installed"        => Gem::RDoc.new(spec).ri_installed?,

data/lib/rubygems/specification.rb

@@ -15,6 +15,7 @@ require 'rubygems/basic_specification'
 require 'rubygems/stub_specification'
 require 'rubygems/util/list'
 require 'stringio'
+require 'uri'
 
 ##
 # The Specification class contains the information for a Gem.  Typically
@@ -2822,10 +2823,16 @@ http://spdx.org/licenses or '#{Gem::Licenses::NONSTANDARD}' for a nonstandard li
       raise Gem::InvalidSpecificationException, "#{lazy} is not a summary"
     end
 
-    if homepage and not homepage.empty? and
-       homepage !~ /\A[a-z][a-z\d+.-]*:/i then
-      raise Gem::InvalidSpecificationException,
-            "\"#{homepage}\" is not a URI"
+    # Make sure a homepage is valid HTTP/HTTPS URI
+    if homepage and not homepage.empty?
+      begin
+        homepage_uri = URI.parse(homepage)
+        unless [URI::HTTP, URI::HTTPS].member? homepage_uri.class
+          raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+        end
+      rescue URI::InvalidURIError
+        raise Gem::InvalidSpecificationException, "\"#{homepage}\" is not a valid HTTP URI"
+      end
     end
 
     # Warnings

data/test/rubygems/test_gem_commands_owner_command.rb

@@ -43,6 +43,31 @@ EOF
     assert_match %r{- 4}, @ui.output
   end
 
+  def test_show_owners_dont_load_objects
+    skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+    response = <<EOF
+---
+- email: !ruby/object:Object {}
+  id: 1
+  handle: user1
+- email: user2@example.com
+- id: 3
+  handle: user3
+- id: 4
+EOF
+
+    @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+    assert_raises Psych::DisallowedClass do
+      use_ui @ui do
+        @cmd.show_owners("freewill")
+      end
+    end
+
+  end
+
+
   def test_show_owners_setting_up_host_through_env_var
     response = "- email: user1@example.com\n"
     host = "http://rubygems.example"

data/test/rubygems/test_gem_package.rb

@@ -455,6 +455,31 @@ class TestGemPackage < Gem::Package::TarTestCase
                  File.read(extracted)
   end
 
+  def test_extract_symlink_parent
+   skip 'symlink not supported' if Gem.win_platform?
+
+   package = Gem::Package.new @gem
+
+   tgz_io = util_tar_gz do |tar|
+     tar.mkdir       'lib',               0755
+     tar.add_symlink 'lib/link', '../..', 0644
+     tar.add_file    'lib/link/outside.txt', 0644 do |io| io.write 'hi' end
+   end
+
+   # Extract into a subdirectory of @destination; if this test fails it writes
+   # a file outside destination_subdir, but we want the file to remain inside
+   # @destination so it will be cleaned up.
+   destination_subdir = File.join @destination, 'subdir'
+   FileUtils.mkdir_p destination_subdir
+
+   e = assert_raises Gem::Package::PathError do
+     package.extract_tar_gz tgz_io, destination_subdir
+   end
+
+   assert_equal("installing into parent path lib/link/outside.txt of " +
+                 "#{destination_subdir} is not allowed", e.message)
+  end
+
   def test_extract_tar_gz_directory
     package = Gem::Package.new @gem
 
@@ -566,6 +591,21 @@ class TestGemPackage < Gem::Package::TarTestCase
                  "#{@destination} is not allowed", e.message)
   end
 
+  def test_install_location_suffix
+    package = Gem::Package.new @gem
+
+    filename = "../#{File.basename(@destination)}suffix.rb"
+
+    e = assert_raises Gem::Package::PathError do
+      package.install_location filename, @destination
+    end
+
+    parent = File.expand_path File.join @destination, filename
+
+    assert_equal("installing into parent path #{parent} of " +
+                 "#{@destination} is not allowed", e.message)
+  end
+
   def test_load_spec
     entry = StringIO.new Gem.gzip @spec.to_yaml
     def entry.full_name() 'metadata.gz' end
@@ -723,6 +763,32 @@ class TestGemPackage < Gem::Package::TarTestCase
     assert_match %r%nonexistent.gem$%,           e.message
   end
 
+  def test_verify_duplicate_file
+    FileUtils.mkdir_p 'lib'
+    FileUtils.touch 'lib/code.rb'
+
+    build = Gem::Package.new @gem
+    build.spec = @spec
+    build.setup_signer
+    open @gem, 'wb' do |gem_io|
+      Gem::Package::TarWriter.new gem_io do |gem|
+        build.add_metadata gem
+        build.add_contents gem
+
+        gem.add_file_simple 'a.sig', 0444, 0
+        gem.add_file_simple 'a.sig', 0444, 0
+      end
+    end
+
+    package = Gem::Package.new @gem
+
+    e = assert_raises Gem::Security::Exception do
+      package.verify
+    end
+
+    assert_equal 'duplicate files in the package: ("a.sig")', e.message
+  end
+
   def test_verify_security_policy
     skip 'openssl is missing' unless defined?(OpenSSL::SSL)
 
@@ -780,7 +846,13 @@ class TestGemPackage < Gem::Package::TarTestCase
 
         # write bogus data.tar.gz to foil signature
         bogus_data = Gem.gzip 'hello'
-        gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io|
+        fake_signer = Class.new do
+          def digest_name; 'SHA512'; end
+          def digest_algorithm; Digest(:SHA512); end
+          def key; 'key'; end
+          def sign(*); 'fake_sig'; end
+        end
+        gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io|
           io.write bogus_data
         end
 

data/test/rubygems/test_gem_package_tar_header.rb

@@ -143,5 +143,25 @@ group\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
     assert_equal '012467', @tar_header.checksum
   end
 
+  def test_from_bad_octal
+    test_cases = [
+      "00000006,44\000", # bogus character
+      "00000006789\000", # non-octal digit
+      "+0000001234\000", # positive sign
+      "-0000001000\000", # negative sign
+      "0x000123abc\000", # radix prefix
+    ]
+
+    test_cases.each do |val|
+      header_s = @tar_header.to_s
+      # overwrite the size field
+      header_s[124, 12] = val
+      io = TempIO.new header_s
+      assert_raises ArgumentError do
+        new_header = Gem::Package::TarHeader.from io
+      end
+    end
+  end
+
 end
 

data/test/rubygems/test_gem_server.rb

@@ -353,6 +353,171 @@ class TestGemServer < Gem::TestCase
     assert_match 'z 9', @res.body
   end
 
+
+  def test_xss_homepage_fix_289313
+    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+    dir = "#{@gemhome}2"
+
+    spec = util_spec 'xsshomepagegem', 1
+    spec.homepage = "javascript:confirm(document.domain)"
+
+    specs_dir = File.join dir, 'specifications'
+    FileUtils.mkdir_p specs_dir
+
+    open File.join(specs_dir, spec.spec_name), 'w' do |io|
+      io.write spec.to_ruby
+    end
+
+    server = Gem::Server.new dir, process_based_port, false
+
+    @req.parse data
+
+    server.root @req, @res
+
+    assert_equal 200, @res.status
+    assert_match 'xsshomepagegem 1', @res.body
+
+    # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a 
+    # valid HTTP/HTTPS URL and could be unsafe in an HTML context.  We would prefer to throw an exception here,
+    # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be 
+    # validated in future versions of Gem::Specification.
+    #
+    # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+    #
+    # Variant #1 - rdoc not installed
+    #
+    #   <b>xsshomepagegem 1</b>
+    #
+    #
+    #  <span title="rdoc not installed">[rdoc]</span>
+    #
+    #
+    #
+    #  <a href="." title=".">[www]</a>
+    #
+    # Variant #2 - rdoc installed
+    #
+    #   <b>xsshomepagegem 1</b>
+    #
+    #
+    #  <a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>
+    #
+    #
+    #
+    #  <a href="." title=".">[www]</a>
+    regex_match = /xsshomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/xsshomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+    assert_match regex_match, @res.body
+  end
+
+  def test_invalid_homepage
+    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+    dir = "#{@gemhome}2"
+
+    spec = util_spec 'invalidhomepagegem', 1
+    spec.homepage = "notavalidhomepageurl"
+
+    specs_dir = File.join dir, 'specifications'
+    FileUtils.mkdir_p specs_dir
+
+    open File.join(specs_dir, spec.spec_name), 'w' do |io|
+      io.write spec.to_ruby
+    end
+
+    server = Gem::Server.new dir, process_based_port, false
+
+    @req.parse data
+
+    server.root @req, @res
+
+    assert_equal 200, @res.status
+    assert_match 'invalidhomepagegem 1', @res.body
+
+    # This verifies that the homepage for this spec is not displayed and is set to ".", because it's not a 
+    # valid HTTP/HTTPS URL and could be unsafe in an HTML context.  We would prefer to throw an exception here,
+    # but spec.homepage is currently free form and not currently required to be a URL, this behavior may be 
+    # validated in future versions of Gem::Specification.
+    #
+    # There are two variant we're checking here, one where rdoc is not present, and one where rdoc is present in the same regex:
+    #
+    # Variant #1 - rdoc not installed
+    #
+    #   <b>invalidhomepagegem 1</b>
+    #
+    #
+    #  <span title="rdoc not installed">[rdoc]</span>
+    #
+    #
+    #
+    #  <a href="." title=".">[www]</a>
+    #
+    # Variant #2 - rdoc installed
+    #
+    #   <b>invalidhomepagegem 1</b>
+    #
+    #
+    #  <a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>
+    #
+    #
+    #
+    #  <a href="." title=".">[www]</a>
+    regex_match = /invalidhomepagegem 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/invalidhomepagegem-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="\." title="\.">\[www\]<\/a>/
+    assert_match regex_match, @res.body
+  end
+
+  def test_valid_homepage_http
+    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+    dir = "#{@gemhome}2"
+
+    spec = util_spec 'validhomepagegemhttp', 1
+    spec.homepage = "http://rubygems.org"
+
+    specs_dir = File.join dir, 'specifications'
+    FileUtils.mkdir_p specs_dir
+
+    open File.join(specs_dir, spec.spec_name), 'w' do |io|
+      io.write spec.to_ruby
+    end
+
+    server = Gem::Server.new dir, process_based_port, false
+
+    @req.parse data
+
+    server.root @req, @res
+
+    assert_equal 200, @res.status
+    assert_match 'validhomepagegemhttp 1', @res.body
+
+    regex_match = /validhomepagegemhttp 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttp-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="http:\/\/rubygems\.org" title="http:\/\/rubygems\.org">\[www\]<\/a>/
+    assert_match regex_match, @res.body
+  end
+
+  def test_valid_homepage_https
+    data = StringIO.new "GET / HTTP/1.0\r\n\r\n"
+    dir = "#{@gemhome}2"
+
+    spec = util_spec 'validhomepagegemhttps', 1
+    spec.homepage = "https://rubygems.org"
+
+    specs_dir = File.join dir, 'specifications'
+    FileUtils.mkdir_p specs_dir
+
+    open File.join(specs_dir, spec.spec_name), 'w' do |io|
+      io.write spec.to_ruby
+    end
+
+    server = Gem::Server.new dir, process_based_port, false
+
+    @req.parse data
+
+    server.root @req, @res
+
+    assert_equal 200, @res.status
+    assert_match 'validhomepagegemhttps 1', @res.body
+
+    regex_match = /validhomepagegemhttps 1<\/b>[\n\s]+(<span title="rdoc not installed">\[rdoc\]<\/span>|<a href="\/doc_root\/validhomepagegemhttps-1\/">\[rdoc\]<\/a>)[\n\s]+<a href="https:\/\/rubygems\.org" title="https:\/\/rubygems\.org">\[www\]<\/a>/
+    assert_match regex_match, @res.body
+  end
+
   def test_specs
     data = StringIO.new "GET /specs.#{Gem.marshal_version} HTTP/1.0\r\n\r\n"
     @req.parse data

data/test/rubygems/test_gem_specification.rb

@@ -2886,7 +2886,22 @@ duplicate dependency on c (>= 1.2.3, development), (~> 1.2) use:
         @a1.validate
       end
 
-      assert_equal '"over at my cool site" is not a URI', e.message
+      assert_equal '"over at my cool site" is not a valid HTTP URI', e.message
+
+      @a1.homepage = 'ftp://rubygems.org'
+
+      e = assert_raises Gem::InvalidSpecificationException do
+        @a1.validate
+      end
+
+      assert_equal '"ftp://rubygems.org" is not a valid HTTP URI', e.message
+
+      @a1.homepage = 'http://rubygems.org'
+      assert_equal true, @a1.validate
+
+      @a1.homepage = 'https://rubygems.org'
+      assert_equal true, @a1.validate
+
     end
   end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 2.7.5
+  version: 2.7.6
 platform: ruby
 authors:
 - Jim Weirich
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-06 00:00:00.000000000 Z
+date: 2018-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: builder
@@ -804,7 +804,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.4
 signing_key: 
 specification_version: 4
 summary: ''