diff options
Diffstat (limited to 'lib/bundler/rubygems_gem_installer.rb')
-rw-r--r-- | lib/bundler/rubygems_gem_installer.rb | 121 |
1 files changed, 49 insertions, 72 deletions
diff --git a/lib/bundler/rubygems_gem_installer.rb b/lib/bundler/rubygems_gem_installer.rb index bb9f1cb3f5..d563868cd2 100644 --- a/lib/bundler/rubygems_gem_installer.rb +++ b/lib/bundler/rubygems_gem_installer.rb @@ -20,12 +20,12 @@ module Bundler strict_rm_rf spec.extension_dir SharedHelpers.filesystem_access(gem_dir, :create) do - FileUtils.mkdir_p gem_dir, :mode => 0o755 + FileUtils.mkdir_p gem_dir, mode: 0o755 end extract_files - build_extensions + build_extensions if spec.extensions.any? write_build_info_file run_post_build_hooks @@ -45,6 +45,14 @@ module Bundler spec end + def pre_install_checks + super + rescue Gem::FilePermissionError + # Ignore permission checks in RubyGems. Instead, go on, and try to write + # for real. We properly handle permission errors when they happen. + nil + end + def generate_plugins return unless Gem::Installer.instance_methods(false).include?(:generate_plugins) @@ -60,100 +68,69 @@ module Bundler end end - def pre_install_checks - super && validate_bundler_checksum(options[:bundler_expected_checksum]) - end - def build_extensions extension_cache_path = options[:bundler_extension_cache_path] - unless extension_cache_path && extension_dir = spec.extension_dir - require "shellwords" # compensate missing require in rubygems before version 3.2.25 + extension_dir = spec.extension_dir + unless extension_cache_path && extension_dir + prepare_extension_build(extension_dir) return super end - extension_dir = Pathname.new(extension_dir) build_complete = SharedHelpers.filesystem_access(extension_cache_path.join("gem.build_complete"), :read, &:file?) if build_complete && !options[:force] - SharedHelpers.filesystem_access(extension_dir.parent, &:mkpath) + SharedHelpers.filesystem_access(File.dirname(extension_dir)) do |p| + FileUtils.mkpath p + end SharedHelpers.filesystem_access(extension_cache_path) do - FileUtils.cp_r extension_cache_path, spec.extension_dir + FileUtils.cp_r extension_cache_path, extension_dir end else - require "shellwords" # compensate missing require in rubygems before version 3.2.25 + prepare_extension_build(extension_dir) super - if extension_dir.directory? # not made for gems without extensions - SharedHelpers.filesystem_access(extension_cache_path.parent, &:mkpath) - SharedHelpers.filesystem_access(extension_cache_path) do - FileUtils.cp_r extension_dir, extension_cache_path - end + SharedHelpers.filesystem_access(extension_cache_path.parent, &:mkpath) + SharedHelpers.filesystem_access(extension_cache_path) do + FileUtils.cp_r extension_dir, extension_cache_path end end end - private + def spec + if Bundler.rubygems.provides?("< 3.3.12") # RubyGems implementation rescues and re-raises errors before 3.3.12 and we don't want that + @package.spec + else + super + end + end - def strict_rm_rf(dir) - # FileUtils.rm_rf should probably rise in case of permission issues like - # `rm -rf` does. However, it fails to delete the folder silently due to - # https://github.com/ruby/fileutils/issues/57. It should probably be fixed - # inside `fileutils` but for now I`m checking whether the folder was - # removed after it completes, and raising otherwise. - FileUtils.rm_rf dir - - raise PermissionError.new(dir, :delete) if File.directory?(dir) + def gem_checksum + Checksum.from_gem_package(@package) end - def validate_bundler_checksum(checksum) - return true if Bundler.settings[:disable_checksum_validation] - return true unless checksum - return true unless source = @package.instance_variable_get(:@gem) - return true unless source.respond_to?(:with_read_io) - digest = source.with_read_io do |io| - digest = SharedHelpers.digest(:SHA256).new - digest << io.read(16_384) until io.eof? - io.rewind - send(checksum_type(checksum), digest) - end - unless digest == checksum - raise SecurityError, <<-MESSAGE - Bundler cannot continue installing #{spec.name} (#{spec.version}). - The checksum for the downloaded `#{spec.full_name}.gem` does not match \ - the checksum given by the server. This means the contents of the downloaded \ - gem is different from what was uploaded to the server, and could be a potential security issue. - - To resolve this issue: - 1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem` - 2. run `bundle install` - - If you wish to continue installing the downloaded gem, and are certain it does not pose a \ - security issue despite the mismatching checksum, do the following: - 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification - 2. run `bundle install` - - (More info: The expected SHA256 checksum was #{checksum.inspect}, but the \ - checksum for the downloaded gem was #{digest.inspect}.) - MESSAGE + private + + def prepare_extension_build(extension_dir) + SharedHelpers.filesystem_access(extension_dir, :create) do + FileUtils.mkdir_p extension_dir end - true + require "shellwords" unless Bundler.rubygems.provides?(">= 3.2.25") end - def checksum_type(checksum) - case checksum.length - when 64 then :hexdigest! - when 44 then :base64digest! - else raise InstallError, "The given checksum for #{spec.full_name} (#{checksum.inspect}) is not a valid SHA256 hexdigest nor base64digest" + def strict_rm_rf(dir) + return unless File.exist?(dir) + + parent = File.dirname(dir) + parent_st = File.stat(parent) + + if parent_st.world_writable? && !parent_st.sticky? + raise InsecureInstallPathError.new(parent) end - end - def hexdigest!(digest) - digest.hexdigest! - end + begin + FileUtils.remove_entry_secure(dir) + rescue StandardError => e + raise unless File.exist?(dir) - def base64digest!(digest) - if digest.respond_to?(:base64digest!) - digest.base64digest! - else - [digest.digest!].pack("m0") + raise DirectoryRemovalError.new(e, "Could not delete previous installation of `#{dir}`") end end end |