diff options
author | Mercedes Bernard <mercedesrbernard@gmail.com> | 2023-02-10 13:34:30 -0600 |
---|---|---|
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2023-10-23 13:59:01 +0900 |
commit | 69d7e9a12eb6e3dbfa1b1021b73c2afcbf7d4a46 (patch) | |
tree | 10e56a9112f606e866624095ec8acacce0500288 /lib/bundler/checksum.rb | |
parent | ad08674d8dc17c4ca031ce20760c4a4779c83e27 (diff) |
[rubygems/rubygems] Use the server checksum, then calculate from gem on disk if possible
1. Use the checksum provided by the server if provided: provides security
knowing if the gem you downloaded matches the gem on the server
2. Calculate the checksum from the gem on disk: provides security knowing
if the gem has changed between installs
3. In some cases, neither is possible in which case we don't put anything
in the checksum and we maintain functionality as it is today
Add the checksums to specs in the index if we already have them
Prior to checksums, we didn't lose any information when overwriting specs
in the index with stubs. But now when we overwrite EndpointSpecifications
or RemoteSpecifications with more generic specs, we could lose checksum
info. This manually sets checksum info so we keep it in the index.
https://github.com/rubygems/rubygems/commit/de00a4f153
Diffstat (limited to 'lib/bundler/checksum.rb')
-rw-r--r-- | lib/bundler/checksum.rb | 45 |
1 files changed, 30 insertions, 15 deletions
diff --git a/lib/bundler/checksum.rb b/lib/bundler/checksum.rb index 2e0a80cac2..0b618d5033 100644 --- a/lib/bundler/checksum.rb +++ b/lib/bundler/checksum.rb @@ -2,22 +2,37 @@ module Bundler class Checksum - attr_reader :name, :version, :platform - attr_accessor :checksum + attr_reader :name, :version, :platform, :checksums - SHA256 = /\Asha256-([a-z0-9]{64}|[A-Za-z0-9+\/=]{44})\z/.freeze + SHA256 = %r{\Asha256-([a-z0-9]{64}|[A-Za-z0-9+\/=]{44})\z}.freeze - def initialize(name, version, platform, checksum = nil) + def initialize(name, version, platform, checksums = []) @name = name @version = version @platform = platform || Gem::Platform::RUBY - @checksum = checksum + @checksums = checksums - if @checksum && @checksum !~ SHA256 - raise ArgumentError, "invalid checksum (#{@checksum})" + # can expand this validation when we support more hashing algos later + if @checksums.any? && @checksums.all? {|c| c !~ SHA256 } + raise ArgumentError, "invalid checksums (#{@checksums})" end end + def self.digest_from_file_source(file_source) + raise ArgumentError, "not a valid file source: #{file_source}" unless file_source.respond_to?(:with_read_io) + + file_source.with_read_io do |io| + digest = Bundler::SharedHelpers.digest(:SHA256).new + digest << io.read(16_384) until io.eof? + io.rewind + digest + end + end + + def full_name + GemHelpers.spec_full_name(@name, @version, @platform) + end + def match_spec?(spec) name == spec.name && version == spec.version && @@ -26,17 +41,17 @@ module Bundler def to_lock out = String.new - - if platform == Gem::Platform::RUBY - out << " #{name} (#{version})" - else - out << " #{name} (#{version}-#{platform})" - end - - out << " #{checksum}" if checksum + out << " #{GemHelpers.lock_name(name, version, platform)}" + out << " #{sha256}" if sha256 out << "\n" out end + + private + + def sha256 + @checksums.find {|c| c =~ SHA256 } + end end end |