| author | Martin Emde <martin.emde@gmail.com> | 2023-09-01 15:15:49 -0700 |
|---|---|---|
| committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2023-10-23 13:59:01 +0900 |
| commit | c667de72ff9de195e1cab4b1937973e841ff89ae (patch) | |
| tree | 6dc6a88dbf8c44109593352055c8e798d562a83f /spec/bundler/install/gems/compact_index_spec.rb | |
| parent | 6362bfdc337c1929a381734ded417b796f9767bf (diff) | |
[rubygems/rubygems] Improve errors and register checksums reliably
Improve error reporting for checksums, raises a new error class.
Solve for multi-source checksum errors.
Add CHECKSUMS to tool/bundler/(dev|standard|rubocop)26_gems.rb
https://github.com/rubygems/rubygems/commit/26ceee0e76
Co-authored-by: Samuel Giddins <segiddins@segiddins.me>
Diffstat (limited to 'spec/bundler/install/gems/compact_index_spec.rb')
-rw-r--r-- | spec/bundler/install/gems/compact_index_spec.rb | 32 |
1 files changed, 14 insertions, 18 deletions
diff --git a/spec/bundler/install/gems/compact_index_spec.rb b/spec/bundler/install/gems/compact_index_spec.rb index 4a345824ce..03c25d53bf 100644 --- a/spec/bundler/install/gems/compact_index_spec.rb +++ b/spec/bundler/install/gems/compact_index_spec.rb 
@@ -890,25 +890,21 @@ The checksum of /versions does not match the checksum provided by the server! So default_cache_path.dirname.join("rack-1.0.0.gem") end - expect(exitstatus).to eq(19) - expect(err). - to eq <<~E.strip - Bundler cannot continue installing rack (1.0.0). - The checksum for the downloaded `rack-1.0.0.gem` does not match the known checksum for the gem. - This means the contents of the downloaded gem is different from what was uploaded to the server or first used by your teammates, and could be a potential security issue. - - To resolve this issue: - 1. delete the downloaded gem located at: `#{gem_path}` + expect(exitstatus).to eq(37) + expect(err).to eq <<~E.strip + Bundler found mismatched checksums. This is a potential security risk. + rack (1.0.0) sha256-2222222222222222222222222222222222222222222222222222222222222222 + from the API at http://localgemserver.test/ + rack (1.0.0) sha256-#{api_checksum} + from the gem at #{gem_path} + + If you trust the API at http://localgemserver.test/, to resolve this issue you can: + 1. remove the gem at #{gem_path} 2. run `bundle install` - If you are sure that the new checksum is correct, you can remove the `rack (1.0.0)` entry under the lockfile `CHECKSUMS` section and rerun `bundle install`. - - If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following: - 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification - 2. run `bundle install` - - (More info: The expected SHA256 checksum was "69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b", but the checksum for the downloaded gem was "#{api_checksum}". 
The expected checksum came from: API response from http://localgemserver.test/) - E + To ignore checksum security warnings, disable checksum validation with + `bundle config set --local disable_checksum_validation true` + E end it "raises when the checksum is the wrong length" do @@ -917,7 +913,7 @@ The checksum of /versions does not match the checksum provided by the server! So gem "rack" G expect(exitstatus).to eq(14) - expect(err).to include("The given checksum for rack-0.9.1 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest") + expect(err).to include("Invalid checksum for rack-0.9.1: \"checksum!\" is not a valid SHA256 hexdigest nor base64digest") end it "does not raise when disable_checksum_validation is set" do |
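Review bot: in the first hunk (the `-890,25 +890,21` mismatch message) the interpolated `#{api_checksum}` is now printed on the line "from the gem at #{gem_path}" while the literal `sha256-2222…` is printed as the value "from the API at http://localgemserver.test/"; the variable name no longer matches what it labels, so rename it (for example to the checksum of the downloaded gem) before this assertion hardens the naming. Two further points on the same message: the old text told the user that disabling validation was only for the case where they "are certain it does not pose a security issue", whereas the new closing sentence "To ignore checksum security warnings, disable checksum validation with `bundle config set --local disable_checksum_validation true`" presents the global off switch without that qualification, and the old resolution path of removing the `rack (1.0.0)` entry from the lockfile `CHECKSUMS` section (for the case where the lockfile, not the API, is stale) has been dropped; consider keeping a one-line caveat that disabling validation skips integrity checking for every gem, and a resolution for the case where the lockfile entry is the wrong side.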
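Review bot: in the second hunk (`-917,7 +913,7`) the wrong-length case keeps `expect(exitstatus).to eq(14)` while the mismatch case in the hunk above moved from 19 to 37; since the commit message says checksum errors now raise a new error class, confirm that invalid-format checksums are intentionally outside that class and still exit with 14, and document which exit status maps to which error so callers scripting against `bundle install` are not surprised by the partial change. The assertion itself only uses `include` on the new "Invalid checksum for rack-0.9.1: …" prefix, so it is robust to further wording changes in the suffix.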