author | Martin Emde <martin.emde@gmail.com> | 2023-09-01 15:15:49 -0700 |
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2023-10-23 13:59:01 +0900 |
commit | c667de72ff9de195e1cab4b1937973e841ff89ae (patch) | |
tree | 6dc6a88dbf8c44109593352055c8e798d562a83f /spec/bundler/bundler | |
parent | 6362bfdc337c1929a381734ded417b796f9767bf (diff) |
[rubygems/rubygems] Improve errors and register checksums reliably
Improve error reporting for checksums; raise a new error class.
Solve for multi-source checksum errors.
Add CHECKSUMS to tool/bundler/(dev|standard|rubocop)26_gems.rb
https://github.com/rubygems/rubygems/commit/26ceee0e76
Co-authored-by: Samuel Giddins <segiddins@segiddins.me>
Diffstat (limited to 'spec/bundler/bundler')
-rw-r--r-- | spec/bundler/bundler/lockfile_parser_spec.rb | 51 |
1 files changed, 27 insertions, 24 deletions
diff --git a/spec/bundler/bundler/lockfile_parser_spec.rb b/spec/bundler/bundler/lockfile_parser_spec.rb
index c05d5a01d1..a42bdad6e4 100644
--- a/spec/bundler/bundler/lockfile_parser_spec.rb
+++ b/spec/bundler/bundler/lockfile_parser_spec.rb
@@ -119,6 +119,12 @@ RSpec.describe Bundler::LockfileParser do
 let(:bundler_version) { Gem::Version.new("1.12.0.rc.2") }
 let(:ruby_version) { "ruby 2.1.3p242" }
 let(:lockfile_path) { Bundler.default_lockfile.relative_path_from(Dir.pwd) }
+ let(:rake_checksum) do
+ Bundler::Checksum.from_lock(
+ "sha256-814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8",
+ "#{lockfile_path}:??:1"
+ )
+ end
 shared_examples_for "parsing" do
 it "parses correctly" do
@@ -129,11 +135,9 @@ RSpec.describe Bundler::LockfileParser do
 expect(subject.platforms).to eq platforms
 expect(subject.bundler_version).to eq bundler_version
 expect(subject.ruby_version).to eq ruby_version
- checksums = subject.sources.last.checksum_store.checksums("rake-10.3.2")
- expect(checksums.size).to eq(1)
- expected_checksum = Bundler::Checksum.new("sha256", "814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8", "#{lockfile_path}:??:1")
- expect(checksums.first).to be_match(expected_checksum)
- expect(checksums.first.sources.first).to match(/#{Regexp.escape(lockfile_path.to_s)}:\d+:\d+/)
+ checksum = subject.sources.last.checksum_store.fetch(specs.last)
+ expect(checksum).to be_match(rake_checksum)
+ expect(checksum.sources.first.to_s).to match(/the lockfile CHECKSUMS at #{Regexp.escape(lockfile_path.to_s)}:\d+:\d+/)
 end
 end
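Review bot: The `"#{lockfile_path}:??:1"` position handed to `Bundler::Checksum.from_lock` in the new `rake_checksum` fixture is a placeholder that no real lockfile position will equal, so the fixture only works as a `be_match` operand, which presumably compares algorithm and digest rather than source; a reader seeing `??` will wonder whether the parser is expected to emit it. A one-line comment on the `let` would settle that: `# source position is a placeholder; be_match is expected to compare algorithm and digest only, the real position is asserted by regex in "parses correctly"`. The enclosing `RSpec.describe` block starts before this hunk.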
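Review bot: `subject.sources.last.checksum_store.fetch(specs.last)` silently assumes the last entry of `specs` (defined outside this hunk) is rake-10.3.2, where the removed line named the gem it was checking; if `specs` is reordered or extended, the example verifies some other gem's checksum against the rake fixture and `be_match` fails without saying why. Selecting the entry by name keeps the intent visible, e.g. `rake_spec = specs.find { |s| s.name == "rake" }` followed by `checksum = subject.sources.last.checksum_store.fetch(rake_spec)`, assuming the entries respond to `name`. The shared example group continues outside the hunk.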
@@ -159,29 +163,28 @@ RSpec.describe Bundler::LockfileParser do
 include_examples "parsing"
 end
- context "when CHECKSUMS has duplicate checksums that don't match" do
- let(:lockfile_contents) { super().split(/(?<=CHECKSUMS\n)/m).insert(1, " rake (10.3.2) sha256-69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b6\n").join }
+ context "when CHECKSUMS has duplicate checksums in the lockfile that don't match" do
+ let(:bad_checksum) { "sha256-c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11" }
+ let(:lockfile_contents) { super().split(/(?<=CHECKSUMS\n)/m).insert(1, " rake (10.3.2) #{bad_checksum}\n").join }
 it "raises a security error" do
 expect { subject }.to raise_error(Bundler::SecurityError) do |e|
 expect(e.message).to match <<~MESSAGE
- Bundler found multiple different checksums for rake-10.3.2.
- This means that there are multiple different `rake-10.3.2.gem` files.
- This is a potential security issue, since Bundler could be attempting to install a different gem than what you expect.
-
- sha256-814828c34f1315d7e7b7e8295184577cc4e969bad6156ac069d02d63f58d82e8 (from #{lockfile_path}:21:1 CHECKSUMS rake (10.3.2))
- sha256-69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b6 from:
- * #{lockfile_path}:20:1 CHECKSUMS rake (10.3.2)
-
- To resolve this issue:
- 1. delete any downloaded gems referenced above
- 2. run `bundle install`
-
- If you are sure that the new checksum is correct, you can remove the `rake-10.3.2` entry under the lockfile `CHECKSUMS` section and rerun `bundle install`.
-
- If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:
- 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification
- 2. run `bundle install`
+ Bundler found mismatched checksums. This is a potential security risk.
+ rake (10.3.2) #{bad_checksum}
+ from the lockfile CHECKSUMS at #{lockfile_path}:20:17
+ rake (10.3.2) #{rake_checksum.to_lock}
+ from the lockfile CHECKSUMS at #{lockfile_path}:21:17
+
+ To resolve this issue you can either:
+ 1. remove the matching checksum in #{lockfile_path}:21:17
+ 2. run `bundle install`
+ or if you are sure that the new checksum from the lockfile CHECKSUMS at #{lockfile_path}:21:17 is correct:
+ 1. remove the matching checksum in #{lockfile_path}:20:17
+ 2. run `bundle install`
+
+ To ignore checksum security warnings, disable checksum validation with
+ `bundle config set --local disable_checksum_validation true`
 MESSAGE
 end
 end
|
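Review bot: The example still asserts `raise_error(Bundler::SecurityError)` although the commit description says checksum errors now raise a new error class; if that class inherits from `Bundler::SecurityError` the expectation passes by inheritance and never proves the new class is reached, so asserting the specific class (its name is not visible in this diff) would pin the behaviour the commit introduces. The expectation also uses `match` with a String heredoc: RSpec's `match` first tries equality and, on any one-character drift, re-interprets the heredoc as a Regexp, where `(10.3.2)` becomes a capture group whose parentheses are no longer literal, producing a confusing failure; `expect(e.message).to eq <<~MESSAGE` reports a plain diff instead. Finally, this context only exercises two conflicting entries inside the lockfile CHECKSUMS block, so the multi-source mismatch named in the commit description is not covered by any example in this hunk.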