From 5f0ea3f590f8983669fe478bc9eace6880353b84 Mon Sep 17 00:00:00 2001
From: Martin Emde <martin.emde@gmail.com>
Date: Fri, 1 Dec 2023 14:20:51 -0800
Subject: [rubygems/rubygems] Converts Bundler lockfile checksum validation to
 opt-in only

Looks for the CHECKSUMS section in the lockfile, activating the feature
only if the section exists. Without a CHECKSUMS section, Bundler will
continue as normal, validating checksums when gems are installed while
checksums from the compact index are present.

https://github.com/rubygems/rubygems/commit/2353cc93a4
---
 spec/bundler/install/gems/compact_index_spec.rb | 26 ++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

(limited to 'spec/bundler/install/gems/compact_index_spec.rb')

diff --git a/spec/bundler/install/gems/compact_index_spec.rb b/spec/bundler/install/gems/compact_index_spec.rb
index b383614410..ea21e66987 100644
--- a/spec/bundler/install/gems/compact_index_spec.rb
+++ b/spec/bundler/install/gems/compact_index_spec.rb
@@ -961,8 +961,25 @@ RSpec.describe "compact index api" do
   end
 
   describe "checksum validation" do
+    before do
+      lockfile <<-L
+        GEM
+          remote: #{source_uri}
+          specs:
+            rack (1.0.0)
+
+        PLATFORMS
+          ruby
+
+        DEPENDENCIES
+        #{checksums_section}
+        BUNDLED WITH
+            #{Bundler::VERSION}
+      L
+    end
+
     it "handles checksums from the server in base64" do
-      api_checksum = checksum_for_repo_gem(gem_repo1, "rack", "1.0.0").split("sha256=").last
+      api_checksum = checksum_digest(gem_repo1, "rack", "1.0.0")
       rack_checksum = [[api_checksum].pack("H*")].pack("m0")
       install_gemfile <<-G, :artifice => "compact_index", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => rack_checksum }
         source "#{source_uri}"
@@ -979,8 +996,6 @@ RSpec.describe "compact index api" do
         gem "rack"
       G
 
-      api_checksum = checksum_for_repo_gem(gem_repo1, "rack", "1.0.0").split("sha256=").last
-
       gem_path = if Bundler.feature_flag.global_gem_cache?
         default_cache_path.dirname.join("cache", "gems", "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "rack-1.0.0.gem")
       else
@@ -992,7 +1007,7 @@ RSpec.describe "compact index api" do
         Bundler found mismatched checksums. This is a potential security risk.
           rack (1.0.0) sha256=2222222222222222222222222222222222222222222222222222222222222222
             from the API at http://localgemserver.test/
-          rack (1.0.0) sha256=#{api_checksum}
+          #{checksum_to_lock(gem_repo1, "rack", "1.0.0")}
             from the gem at #{gem_path}
 
         If you trust the API at http://localgemserver.test/, to resolve this issue you can:
@@ -1057,6 +1072,7 @@ Running `bundle update rails` should fix the problem.
     G
     gem_command "uninstall activemerchant"
     bundle "update rails", :artifice => "compact_index"
-    expect(lockfile.scan(/activemerchant \(/).size).to eq(2) # Once in the specs, and once in CHECKSUMS
+    count = lockfile.match?("CHECKSUMS") ? 2 : 1 # Once in the specs, and once in CHECKSUMS
+    expect(lockfile.scan(/activemerchant \(/).size).to eq(count)
   end
 end
-- 
cgit v1.2.3