rubygems-update 2.7.8 → 2.7.9
- checksums.yaml +4 -4
- data/History.txt +13 -18
- data/bundler/lib/bundler/build_metadata.rb +1 -1
- data/lib/rubygems.rb +1 -1
- data/lib/rubygems/command_manager.rb +6 -4
- data/lib/rubygems/commands/owner_command.rb +4 -1
- data/lib/rubygems/gemcutter_utilities.rb +5 -2
- data/lib/rubygems/installer.rb +24 -5
- data/lib/rubygems/package.rb +10 -0
- data/lib/rubygems/user_interaction.rb +5 -2
- data/test/rubygems/test_gem_installer.rb +106 -0
- data/test/rubygems/test_gem_package.rb +36 -0
- data/test/rubygems/test_gem_text.rb +5 -0
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6736c355ae1a7a8a8818d475210864d02a45fa719d077fa0fbdb3364f66516a8
|
4
|
+
data.tar.gz: d1e05cf09f69a1138e938415d01efe56899cbd01566d7ec00e012d91435aa21e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: baefafb2d473d18a0261483e5210052a01a89be4332fd2329530d0f0340f6e9bf7c1c902d6e519d9212a33d3f942f6c905a685c61480cb06833df0773b4cfef5
|
7
|
+
data.tar.gz: 9f3c018f865fbe4cf5f11efba601c40cd5b6bc470f1e782cfa7b9fdfa2a2f3b9e2df3bf563a0f857906f9757691cd335224358fb67e2b037097f711f3da5023e
|
data/History.txt
CHANGED
@@ -1,11 +1,21 @@
|
|
1
1
|
# coding: UTF-8
|
2
2
|
|
3
|
+
=== 2.7.9 / 2019-03-05
|
4
|
+
|
5
|
+
Security fixes:
|
6
|
+
|
7
|
+
* Fixed following vulnerabilities:
|
8
|
+
* CVE-2019-8320: Delete directory using symlink when decompressing tar
|
9
|
+
* CVE-2019-8321: Escape sequence injection vulnerability in `verbose`
|
10
|
+
* CVE-2019-8322: Escape sequence injection vulnerability in `gem owner`
|
11
|
+
* CVE-2019-8323: Escape sequence injection vulnerability in API response handling
|
12
|
+
* CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
|
13
|
+
* CVE-2019-8325: Escape sequence injection vulnerability in errors
|
14
|
+
|
3
15
|
=== 2.7.8 / 2018-11-02
|
4
16
|
|
5
17
|
Minor enhancements:
|
6
18
|
|
7
|
-
* Improve invalid proxy error message. Pull request #2217 by Luis
|
8
|
-
Sagastume.
|
9
19
|
* [Requirement] Treat requirements with == versions as equal. Pull
|
10
20
|
request #2230 by Samuel Giddins.
|
11
21
|
* Fix exec_name documentation. Pull request #2239 by Luis Sagastume.
|
@@ -13,16 +23,9 @@ Minor enhancements:
|
|
13
23
|
by Samuel Giddins.
|
14
24
|
* Simplify the code that lets us call the original, non-monkeypatched
|
15
25
|
Kernel#require. Pull request #2267 by Leon Miller-Out.
|
16
|
-
* Support IO.copy_stream. Pull request #2303 by okkez.
|
17
|
-
* Add error message when trying to open a default gem. Pull request #2307
|
18
|
-
by Luis Sagastume.
|
19
26
|
* Add install alias documentation. Pull request #2320 by ota42y.
|
20
|
-
* Removed explicitly declaration of thread library. Pull request #2324 by
|
21
|
-
SHIBATA Hiroshi.
|
22
27
|
* [Rakefile] Set bundler build metadata when doing a release. Pull request
|
23
28
|
#2335 by Samuel Giddins.
|
24
|
-
* Speed up globbing relative to given directories. Pull request #2336 by
|
25
|
-
Samuel Giddins.
|
26
29
|
* Backport commits from ruby core . Pull request #2347 by SHIBATA Hiroshi.
|
27
30
|
* Sign in to the correct host before push. Pull request #2366 by Luis
|
28
31
|
Sagastume.
|
@@ -32,24 +35,16 @@ Minor enhancements:
|
|
32
35
|
|
33
36
|
Bug fixes:
|
34
37
|
|
35
|
-
* Frozen string fix - lib/rubygems/bundler_version_finder.rb. Pull request
|
36
|
-
#2115 by MSP-Greg.
|
37
|
-
* Fixed no assignment variables about default gems installation. Pull
|
38
|
-
request #2181 by SHIBATA Hiroshi.
|
39
38
|
* Fix #1470: generate documentation when --install-dir is present. Pull
|
40
39
|
request #2229 by Elias Hernandis.
|
40
|
+
* Fix no proxy checking. Pull request #2249 by Luis Sagastume.
|
41
41
|
* Validate SPDX license exceptions. Pull request #2257 by Mikit.
|
42
|
-
* Keep feature names loaded in the block. Pull request #2261 by Nobuyoshi
|
43
|
-
Nakada.
|
44
42
|
* Retry api specification spec with original platform. Pull request #2275
|
45
43
|
by Luis Sagastume.
|
46
44
|
* Fix approximate recommendation with prereleases. Pull request #2345 by
|
47
45
|
David Rodríguez.
|
48
|
-
* Expand symlinks in gem path. Pull request #2352 by Benoit Daloze.
|
49
46
|
* Gem::Version should handle nil like it used to before. Pull request
|
50
47
|
#2363 by Luis Sagastume.
|
51
|
-
* Fix auto resign expired certificate. Pull request #2380 by Luis
|
52
|
-
Sagastume.
|
53
48
|
|
54
49
|
=== 2.7.7 / 2018-05-08
|
55
50
|
|
data/lib/rubygems.rb
CHANGED
@@ -7,6 +7,7 @@
|
|
7
7
|
|
8
8
|
require 'rubygems/command'
|
9
9
|
require 'rubygems/user_interaction'
|
10
|
+
require 'rubygems/text'
|
10
11
|
|
11
12
|
##
|
12
13
|
# The command manager registers and installs all the individual sub-commands
|
@@ -32,6 +33,7 @@ require 'rubygems/user_interaction'
|
|
32
33
|
|
33
34
|
class Gem::CommandManager
|
34
35
|
|
36
|
+
include Gem::Text
|
35
37
|
include Gem::UserInteraction
|
36
38
|
|
37
39
|
BUILTIN_COMMANDS = [ # :nodoc:
|
@@ -140,12 +142,12 @@ class Gem::CommandManager
|
|
140
142
|
def run(args, build_args=nil)
|
141
143
|
process_args(args, build_args)
|
142
144
|
rescue StandardError, Timeout::Error => ex
|
143
|
-
alert_error "While executing gem ... (#{ex.class})\n #{ex}"
|
145
|
+
alert_error clean_text("While executing gem ... (#{ex.class})\n #{ex}")
|
144
146
|
ui.backtrace ex
|
145
147
|
|
146
148
|
terminate_interaction(1)
|
147
149
|
rescue Interrupt
|
148
|
-
alert_error "Interrupted"
|
150
|
+
alert_error clean_text("Interrupted")
|
149
151
|
terminate_interaction(1)
|
150
152
|
end
|
151
153
|
|
@@ -163,7 +165,7 @@ class Gem::CommandManager
|
|
163
165
|
say Gem::VERSION
|
164
166
|
terminate_interaction 0
|
165
167
|
when /^-/ then
|
166
|
-
alert_error "Invalid option: #{args.first}. See 'gem --help'."
|
168
|
+
alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
|
167
169
|
terminate_interaction 1
|
168
170
|
else
|
169
171
|
cmd_name = args.shift.downcase
|
@@ -212,7 +214,7 @@ class Gem::CommandManager
|
|
212
214
|
rescue Exception => e
|
213
215
|
e = load_error if load_error
|
214
216
|
|
215
|
-
alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
|
217
|
+
alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
|
216
218
|
ui.backtrace e
|
217
219
|
end
|
218
220
|
end
|
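Review bot: Sanitisation is bolted onto individual `alert_error` calls in `run` and the option handling rather than into the sink, so any `alert_error` or `say` path this hunk set does not touch still emits raw exception or option text; the owner_command, gemcutter_utilities and user_interaction hunks follow the same per-call pattern. Calling `clean_text` once inside the UI implementation of `alert_error`/`say` would make the fix hard to bypass; short of that, a comment above `include Gem::Text` such as `# clean_text strips terminal escape sequences (CVE-2019-8325); apply it to every message built from an exception, an option or a remote response` tells the next author the rule. `alert_error clean_text("Interrupted")` cleans a constant literal and can stay `alert_error "Interrupted"`. The `rescue Exception => e` line is pre-existing context, but it also swallows SystemExit and Interrupt and deserves a follow-up with a narrower list. The section header above reads data/lib/rubygems.rb although these hunks belong to command_manager.rb according to the diffstat.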
@@ -2,8 +2,11 @@
|
|
2
2
|
require 'rubygems/command'
|
3
3
|
require 'rubygems/local_remote_options'
|
4
4
|
require 'rubygems/gemcutter_utilities'
|
5
|
+
require 'rubygems/text'
|
5
6
|
|
6
7
|
class Gem::Commands::OwnerCommand < Gem::Command
|
8
|
+
|
9
|
+
include Gem::Text
|
7
10
|
include Gem::LocalRemoteOptions
|
8
11
|
include Gem::GemcutterUtilities
|
9
12
|
|
@@ -64,7 +67,7 @@ permission to.
|
|
64
67
|
end
|
65
68
|
|
66
69
|
with_response response do |resp|
|
67
|
-
owners = Gem::SafeYAML.load resp.body
|
70
|
+
owners = Gem::SafeYAML.load clean_text(resp.body)
|
68
71
|
|
69
72
|
say "Owners for gem: #{name}"
|
70
73
|
owners.each do |owner|
|
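Review bot: `clean_text` is applied to the whole YAML document before `Gem::SafeYAML.load` rather than to the owner fields printed in the `owners.each` loop, which continues below the hunk; that works because the sanitiser only rewrites single characters (the test in test_gem_text.rb shows ESC and BEL becoming `.`), but it ties output sanitisation to the parsing step and rewrites any such byte inside a value before it is even parsed. Either clean at the point of display in the loop, or keep the change and explain it on the line: `# sanitise before parsing so every field echoed below is escape-free (CVE-2019-8322)`. The blank line inserted between the class line and `include Gem::Text` does not match the surrounding layout, where the includes follow the class line directly.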
@@ -1,11 +1,14 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
require 'rubygems/remote_fetcher'
|
3
|
+
require 'rubygems/text'
|
3
4
|
|
4
5
|
##
|
5
6
|
# Utility methods for using the RubyGems API.
|
6
7
|
|
7
8
|
module Gem::GemcutterUtilities
|
8
9
|
|
10
|
+
include Gem::Text
|
11
|
+
|
9
12
|
# TODO: move to Gem::Command
|
10
13
|
OptionParser.accept Symbol do |value|
|
11
14
|
value.to_sym
|
@@ -145,13 +148,13 @@ module Gem::GemcutterUtilities
|
|
145
148
|
if block_given? then
|
146
149
|
yield response
|
147
150
|
else
|
148
|
-
say response.body
|
151
|
+
say clean_text(response.body)
|
149
152
|
end
|
150
153
|
else
|
151
154
|
message = response.body
|
152
155
|
message = "#{error_prefix}: #{message}" if error_prefix
|
153
156
|
|
154
|
-
say message
|
157
|
+
say clean_text(message)
|
155
158
|
terminate_interaction 1 # TODO: question this
|
156
159
|
end
|
157
160
|
end
|
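Review bot: In `with_response` the `yield response` branch still hands the raw body to the caller's block while only the no-block path and the error path are passed through `clean_text`, so every caller that prints part of a yielded response must remember to sanitise it itself (the owner command hunk does). Document that contract on the method, whose definition starts above the hunk, e.g. `# NOTE: only the no-block path sanitises response.body; a block receives the raw response and must clean_text whatever it prints`, or clean the body before yielding so the rule cannot be forgotten.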
data/lib/rubygems/installer.rb
CHANGED
@@ -710,9 +710,26 @@ class Gem::Installer
|
|
710
710
|
unpack or File.writable?(gem_home)
|
711
711
|
end
|
712
712
|
|
713
|
-
def
|
714
|
-
|
715
|
-
|
713
|
+
def verify_spec
|
714
|
+
unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
|
715
|
+
raise Gem::InstallError, "#{spec} has an invalid name"
|
716
|
+
end
|
717
|
+
|
718
|
+
if spec.raw_require_paths.any?{|path| path =~ /\r\n|\r|\n/ }
|
719
|
+
raise Gem::InstallError, "#{spec} has an invalid require_paths"
|
720
|
+
end
|
721
|
+
|
722
|
+
if spec.extensions.any?{|ext| ext =~ /\r\n|\r|\n/ }
|
723
|
+
raise Gem::InstallError, "#{spec} has an invalid extensions"
|
724
|
+
end
|
725
|
+
|
726
|
+
unless spec.specification_version.to_s =~ /\A\d+\z/
|
727
|
+
raise Gem::InstallError, "#{spec} has an invalid specification_version"
|
728
|
+
end
|
729
|
+
|
730
|
+
if spec.dependencies.any? {|dep| dep.type =~ /\r\n|\r|\n/ || dep.name =~ /\r\n|\r|\n/ }
|
731
|
+
raise Gem::InstallError, "#{spec} has an invalid dependencies"
|
732
|
+
end
|
716
733
|
end
|
717
734
|
|
718
735
|
##
|
@@ -840,9 +857,11 @@ TEXT
|
|
840
857
|
def pre_install_checks
|
841
858
|
verify_gem_home options[:unpack]
|
842
859
|
|
843
|
-
|
860
|
+
# The name and require_paths must be verified first, since it could contain
|
861
|
+
# ruby code that would be eval'ed in #ensure_loadable_spec
|
862
|
+
verify_spec
|
844
863
|
|
845
|
-
|
864
|
+
ensure_loadable_spec
|
846
865
|
|
847
866
|
if options[:install_as_default]
|
848
867
|
Gem.ensure_default_gem_subdirectories gem_home
|
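Review bot: `verify_spec` repeats the literal `/\r\n|\r|\n/` five times across the require_paths, extensions and dependency checks and, unlike neighbouring methods in this file, is introduced without a `##` rdoc block. Hoist the pattern into a frozen class-level constant (e.g. `NEWLINE = /\r\n|\r|\n/ # :nodoc:`) and document the method along the lines of `# Rejects spec fields that could be interpreted as Ruby code: raises Gem::InstallError when the name, a require path, an extension, the specification_version or a dependency name/type is malformed (CVE-2019-8324). Must run before #ensure_loadable_spec, where the spec is eval'ed`. The messages `has an invalid extensions` and `has an invalid dependencies` are ungrammatical, but the new tests in test_gem_installer.rb assert them verbatim, so change both together or leave both. Only `dep.type` and `dep.name` are inspected per dependency; whether other dependency attributes reach the same eval cannot be told from this hunk, so a one-line comment stating why those two fields suffice would help. Spacing is also inconsistent between `any?{|path|` and `any? {|dep|`.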
data/lib/rubygems/package.rb
CHANGED
@@ -425,6 +425,16 @@ EOM
|
|
425
425
|
raise Gem::Package::PathError.new(destination, destination_dir) unless
|
426
426
|
destination.start_with? destination_dir + '/'
|
427
427
|
|
428
|
+
begin
|
429
|
+
real_destination = File.expand_path(File.realpath(destination))
|
430
|
+
rescue
|
431
|
+
# it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
|
432
|
+
nil
|
433
|
+
else
|
434
|
+
raise Gem::Package::PathError.new(real_destination, destination_dir) unless
|
435
|
+
real_destination.start_with? destination_dir + '/'
|
436
|
+
end
|
437
|
+
|
428
438
|
destination.untaint
|
429
439
|
destination
|
430
440
|
end
|
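Review bot: The realpath comparison is skipped whenever `destination` does not exist yet, and the `rescue` comment justifies that only for the deletion case (`rm -rf`); a not-yet-existing entry whose parent directory is a symlink leading outside `destination_dir` passes this method unchecked, so protection for that case rests on the directory-creation checks elsewhere in extract_tar_gz, which are outside this hunk and not visible here. Resolving the parent, `File.realpath(File.dirname(destination))`, in addition to the leaf would make this method self-sufficient, and the new test in test_gem_package.rb only covers the existing-directory case. The bare `rescue` should name what it expects, `rescue SystemCallError`, so a programming error in the `begin` body is not silently treated as "does not exist". The comparison also assumes `destination_dir` is already canonical; the method's opening lines, where that would have to happen, are above the hunk.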
@@ -7,6 +7,7 @@
|
|
7
7
|
|
8
8
|
require 'rubygems/util'
|
9
9
|
require 'rubygems/deprecate'
|
10
|
+
require 'rubygems/text'
|
10
11
|
|
11
12
|
##
|
12
13
|
# Module that defines the default UserInteraction. Any class including this
|
@@ -14,6 +15,8 @@ require 'rubygems/deprecate'
|
|
14
15
|
|
15
16
|
module Gem::DefaultUserInteraction
|
16
17
|
|
18
|
+
include Gem::Text
|
19
|
+
|
17
20
|
##
|
18
21
|
# The default UI is a class variable of the singleton class for this
|
19
22
|
# module.
|
@@ -161,8 +164,8 @@ module Gem::UserInteraction
|
|
161
164
|
# Calls +say+ with +msg+ or the results of the block if really_verbose
|
162
165
|
# is true.
|
163
166
|
|
164
|
-
def verbose
|
165
|
-
say(msg || yield) if Gem.configuration.really_verbose
|
167
|
+
def verbose(msg = nil)
|
168
|
+
say(clean_text(msg || yield)) if Gem.configuration.really_verbose
|
166
169
|
end
|
167
170
|
end
|
168
171
|
|
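Review bot: The rdoc above `verbose` ("Calls +say+ with +msg+ or the results of the block if really_verbose is true") no longer describes the method, which now routes the text through `clean_text`; update it to `# Calls +say+ with +msg+ or the results of the block, with terminal escape sequences removed by +clean_text+, if really_verbose is true (CVE-2019-8321).` `include Gem::Text` is added to Gem::DefaultUserInteraction while `verbose` lives in Gem::UserInteraction according to the hunk header, so the call only resolves if the latter mixes in the former, which this diff does not show; including Gem::Text directly in Gem::UserInteraction would make the dependency explicit.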
@@ -1474,6 +1474,112 @@ gem 'other', version
|
|
1474
1474
|
end
|
1475
1475
|
end
|
1476
1476
|
|
1477
|
+
def test_pre_install_checks_malicious_name_before_eval
|
1478
|
+
spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
|
1479
|
+
def spec.full_name # so the spec is buildable
|
1480
|
+
"malicious-1"
|
1481
|
+
end
|
1482
|
+
def spec.validate(*args); end
|
1483
|
+
|
1484
|
+
util_build_gem spec
|
1485
|
+
|
1486
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1487
|
+
|
1488
|
+
use_ui @ui do
|
1489
|
+
@installer = Gem::Installer.at gem
|
1490
|
+
e = assert_raises Gem::InstallError do
|
1491
|
+
@installer.pre_install_checks
|
1492
|
+
end
|
1493
|
+
assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
|
1494
|
+
end
|
1495
|
+
refute defined?(::Object::FROM_EVAL)
|
1496
|
+
end
|
1497
|
+
|
1498
|
+
def test_pre_install_checks_malicious_require_paths_before_eval
|
1499
|
+
spec = util_spec "malicious", '1'
|
1500
|
+
def spec.full_name # so the spec is buildable
|
1501
|
+
"malicious-1"
|
1502
|
+
end
|
1503
|
+
def spec.validate(*args); end
|
1504
|
+
spec.require_paths = ["malicious\n``"]
|
1505
|
+
|
1506
|
+
util_build_gem spec
|
1507
|
+
|
1508
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1509
|
+
|
1510
|
+
use_ui @ui do
|
1511
|
+
@installer = Gem::Installer.at gem
|
1512
|
+
e = assert_raises Gem::InstallError do
|
1513
|
+
@installer.pre_install_checks
|
1514
|
+
end
|
1515
|
+
assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
|
1516
|
+
end
|
1517
|
+
end
|
1518
|
+
|
1519
|
+
def test_pre_install_checks_malicious_extensions_before_eval
|
1520
|
+
spec = util_spec "malicious", '1'
|
1521
|
+
def spec.full_name # so the spec is buildable
|
1522
|
+
"malicious-1"
|
1523
|
+
end
|
1524
|
+
def spec.validate(*args); end
|
1525
|
+
spec.extensions = ["malicious\n``"]
|
1526
|
+
|
1527
|
+
util_build_gem spec
|
1528
|
+
|
1529
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1530
|
+
|
1531
|
+
use_ui @ui do
|
1532
|
+
@installer = Gem::Installer.at gem
|
1533
|
+
e = assert_raises Gem::InstallError do
|
1534
|
+
@installer.pre_install_checks
|
1535
|
+
end
|
1536
|
+
assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
|
1537
|
+
end
|
1538
|
+
end
|
1539
|
+
|
1540
|
+
def test_pre_install_checks_malicious_specification_version_before_eval
|
1541
|
+
spec = util_spec "malicious", '1'
|
1542
|
+
def spec.full_name # so the spec is buildable
|
1543
|
+
"malicious-1"
|
1544
|
+
end
|
1545
|
+
def spec.validate(*args); end
|
1546
|
+
spec.specification_version = "malicious\n``"
|
1547
|
+
|
1548
|
+
util_build_gem spec
|
1549
|
+
|
1550
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1551
|
+
|
1552
|
+
use_ui @ui do
|
1553
|
+
@installer = Gem::Installer.at gem
|
1554
|
+
e = assert_raises Gem::InstallError do
|
1555
|
+
@installer.pre_install_checks
|
1556
|
+
end
|
1557
|
+
assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
|
1558
|
+
end
|
1559
|
+
end
|
1560
|
+
|
1561
|
+
def test_pre_install_checks_malicious_dependencies_before_eval
|
1562
|
+
spec = util_spec "malicious", '1'
|
1563
|
+
def spec.full_name # so the spec is buildable
|
1564
|
+
"malicious-1"
|
1565
|
+
end
|
1566
|
+
def spec.validate(*args); end
|
1567
|
+
spec.add_dependency "b\nfoo", '> 5'
|
1568
|
+
|
1569
|
+
util_build_gem spec
|
1570
|
+
|
1571
|
+
gem = File.join(@gemhome, 'cache', spec.file_name)
|
1572
|
+
|
1573
|
+
use_ui @ui do
|
1574
|
+
@installer = Gem::Installer.at gem
|
1575
|
+
@installer.ignore_dependencies = true
|
1576
|
+
e = assert_raises Gem::InstallError do
|
1577
|
+
@installer.pre_install_checks
|
1578
|
+
end
|
1579
|
+
assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
|
1580
|
+
end
|
1581
|
+
end
|
1582
|
+
|
1477
1583
|
def test_shebang
|
1478
1584
|
util_make_exec @spec, "#!/usr/bin/ruby"
|
1479
1585
|
|
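Review bot: The five `test_pre_install_checks_malicious_*` tests repeat the same fixture (util_spec, a singleton `full_name`, a no-op `validate`, `util_build_gem`, locating the cached file) and differ only in the field they poison and the expected message, so the one line that matters in each test is buried. A small helper that builds the gem and yields the spec for that single mutation would reduce each test to its assertion, as sketched below. `refute defined?(::Object::FROM_EVAL)` in the first test is only meaningful if no earlier test in the process defined the constant; a teardown `Object.send(:remove_const, :FROM_EVAL) if defined?(::Object::FROM_EVAL)` keeps the suite order-independent.
```ruby
  # Builds an installable gem named +name+, yielding the spec so a test can
  # poison one field before the gem is written; returns the cached .gem path.
  def util_malicious_gem(name = "malicious")
    spec = util_spec name, '1'
    def spec.full_name # so the spec is buildable
      "malicious-1"
    end
    def spec.validate(*args); end
    yield spec if block_given?
    util_build_gem spec
    File.join(@gemhome, 'cache', spec.file_name)
  end

  def test_pre_install_checks_malicious_require_paths_before_eval
    gem = util_malicious_gem { |spec| spec.require_paths = ["malicious\n``"] }
    # … unchanged: use_ui block with assert_raises / assert_equal …
  end
  # … unchanged: the extensions, specification_version and dependencies tests follow the same shape …
```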
@@ -480,6 +480,42 @@ class TestGemPackage < Gem::Package::TarTestCase
|
|
480
480
|
"#{destination_subdir} is not allowed", e.message)
|
481
481
|
end
|
482
482
|
|
483
|
+
def test_extract_symlink_parent_doesnt_delete_user_dir
|
484
|
+
skip if RUBY_VERSION <= "1.8.7"
|
485
|
+
|
486
|
+
package = Gem::Package.new @gem
|
487
|
+
|
488
|
+
# Extract into a subdirectory of @destination; if this test fails it writes
|
489
|
+
# a file outside destination_subdir, but we want the file to remain inside
|
490
|
+
# @destination so it will be cleaned up.
|
491
|
+
destination_subdir = File.join @destination, 'subdir'
|
492
|
+
FileUtils.mkdir_p destination_subdir
|
493
|
+
|
494
|
+
destination_user_dir = File.join @destination, 'user'
|
495
|
+
destination_user_subdir = File.join destination_user_dir, 'dir'
|
496
|
+
FileUtils.mkdir_p destination_user_subdir
|
497
|
+
|
498
|
+
tgz_io = util_tar_gz do |tar|
|
499
|
+
tar.add_symlink 'link', destination_user_dir, 16877
|
500
|
+
tar.add_symlink 'link/dir', '.', 16877
|
501
|
+
end
|
502
|
+
|
503
|
+
e = assert_raises(Gem::Package::PathError, Errno::EACCES) do
|
504
|
+
package.extract_tar_gz tgz_io, destination_subdir
|
505
|
+
end
|
506
|
+
|
507
|
+
assert_path_exists destination_user_subdir
|
508
|
+
|
509
|
+
if Gem::Package::PathError === e
|
510
|
+
assert_equal("installing into parent path #{destination_user_subdir} of " +
|
511
|
+
"#{destination_subdir} is not allowed", e.message)
|
512
|
+
elsif win_platform?
|
513
|
+
skip "symlink - must be admin with no UAC on Windows"
|
514
|
+
else
|
515
|
+
raise e
|
516
|
+
end
|
517
|
+
end
|
518
|
+
|
483
519
|
def test_extract_tar_gz_directory
|
484
520
|
package = Gem::Package.new @gem
|
485
521
|
|
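Review bot: `skip if RUBY_VERSION <= "1.8.7"` compares version strings lexicographically, so any two-digit component would mis-sort; `skip if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new("1.8.7")` states the intent with a class this suite already has. The mode `16877` passed to both `tar.add_symlink` calls is a magic number; writing it as `040755` makes the directory-type-plus-permissions meaning visible. `if Gem::Package::PathError === e` is a case/when in disguise; `if e.is_a?(Gem::Package::PathError)` or `case e when Gem::Package::PathError` is the idiomatic form. The three-way branch that re-raises on non-Windows and the comment explaining why extraction happens in a subdirectory are both good.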
@@ -85,4 +85,9 @@ Without the wrapping, the text might not look good in the RSS feed.
|
|
85
85
|
s = "ab" * 500_001
|
86
86
|
assert_equal "Truncating desc to 1,000,000 characters:\n#{s[0, 1_000_000]}", truncate_text(s, "desc", 1_000_000)
|
87
87
|
end
|
88
|
+
|
89
|
+
def test_clean_text
|
90
|
+
assert_equal ".]2;nyan.", clean_text("\e]2;nyan\a")
|
91
|
+
end
|
92
|
+
|
88
93
|
end
|
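Review bot: `test_clean_text` pins a single input, `"\e]2;nyan\a"` becoming `".]2;nyan."`, which shows ESC and BEL are replaced by dots but says nothing about text that must pass through unchanged or about other control characters; the implementation of `clean_text` is not among the files shown in this diff, so this test is the only specification of its behaviour visible here. Add at least an identity case, `assert_equal "plain text", clean_text("plain text")`, and, if the implementation also strips them, one CSI sequence such as `"\e[31mred\e[0m"` with its expected output, so a regression in either direction is caught.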
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rubygems-update
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.7.
|
4
|
+
version: 2.7.9
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jim Weirich
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date:
|
13
|
+
date: 2019-03-04 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: builder
|