Merge pull request #6655 from rubygems/safeyaml-false

add FalseClass and Time to the SafeMarshal list

Author: indirect

Manifest.txt

@@ -180,6 +180,7 @@ bundler/lib/bundler/rubygems_ext.rb
 bundler/lib/bundler/rubygems_gem_installer.rb
 bundler/lib/bundler/rubygems_integration.rb
 bundler/lib/bundler/runtime.rb
+bundler/lib/bundler/safe_marshal.rb
 bundler/lib/bundler/self_manager.rb
 bundler/lib/bundler/settings.rb
 bundler/lib/bundler/settings/validator.rb

bundler/lib/bundler.rb

@@ -39,16 +39,6 @@ module Bundler
   environment_preserver.replace_with_backup
   SUDO_MUTEX = Thread::Mutex.new
 
-  SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
-  SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
-  SAFE_MARSHAL_PROC = proc do |object|
-    object.tap do
-      unless SAFE_MARSHAL_CLASSES.include?(object.class)
-        raise TypeError, format(SAFE_MARSHAL_ERROR, object.class, SAFE_MARSHAL_CLASSES.join(", "))
-      end
-    end
-  end
-
   autoload :Definition,             File.expand_path("bundler/definition", __dir__)
   autoload :Dependency,             File.expand_path("bundler/dependency", __dir__)
   autoload :Deprecate,              File.expand_path("bundler/deprecate", __dir__)
@@ -86,6 +76,7 @@ module Bundler
   autoload :UI,                     File.expand_path("bundler/ui", __dir__)
   autoload :URICredentialsFilter,   File.expand_path("bundler/uri_credentials_filter", __dir__)
   autoload :URINormalizer,          File.expand_path("bundler/uri_normalizer", __dir__)
+  autoload :SafeMarshal,            File.expand_path("bundler/safe_marshal", __dir__)
 
   class << self
     def configure
@@ -523,7 +514,7 @@ def read_file(file)
     end
 
     def safe_load_marshal(data)
-      load_marshal(data, :marshal_proc => SAFE_MARSHAL_PROC)
+      load_marshal(data, :marshal_proc => SafeMarshal.proc)
     end
 
     def load_gemspec(file, validate = false)

bundler/lib/bundler/safe_marshal.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Bundler
+  module SafeMarshal
+    ALLOWED_CLASSES = [
+      Array,
+      FalseClass,
+      Gem::Specification,
+      Gem::Version,
+      Hash,
+      String,
+      Symbol,
+      Time,
+      TrueClass,
+    ].freeze
+
+    ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
+
+    PROC = proc do |object|
+      object.tap do
+        unless ALLOWED_CLASSES.include?(object.class)
+          raise TypeError, format(ERROR, object.class, ALLOWED_CLASSES.join(", "))
+        end
+      end
+    end
+
+    def self.proc
+      PROC
+    end
+  end
+end

bundler/spec/bundler/bundler_spec.rb

@@ -28,14 +28,42 @@
       expect(Bundler.safe_load_marshal(data)).to eq(simple_structure)
     end
 
-    it "loads Gem::Version" do
-      gem_version = Gem::Version.new("3.7.2")
-      data = Marshal.dump(gem_version)
-      expect(Bundler.safe_load_marshal(data)).to eq(gem_version)
-    end
-
     it "loads Gem::Specification" do
-      gem_spec = Gem::Specification.new("name", "3.7.2")
+      gem_spec = Gem::Specification.new do |s|
+        s.name = "bundler"
+        s.version = Gem::Version.new("2.4.7")
+        s.installed_by_version = Gem::Version.new("0")
+        s.authors = ["André Arko",
+                     "Samuel Giddins",
+                     "Colby Swandale",
+                     "Hiroshi Shibata",
+                     "David Rodríguez",
+                     "Grey Baker",
+                     "Stephanie Morillo",
+                     "Chris Morris",
+                     "James Wen",
+                     "Tim Moore",
+                     "André Medeiros",
+                     "Jessica Lynn Suttles",
+                     "Terence Lee",
+                     "Carl Lerche",
+                     "Yehuda Katz"]
+        s.date = Time.utc(2023, 2, 15)
+        s.description = "Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably"
+        s.email = ["[email protected]"]
+        s.homepage = "https://bundler.io"
+        s.metadata = { "bug_tracker_uri" => "https://github.com/rubygems/rubygems/issues?q=is%3Aopen+is%3Aissue+label%3ABundler",
+                       "changelog_uri" => "https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md",
+                       "homepage_uri" => "https://bundler.io/",
+                       "source_code_uri" => "https://github.com/rubygems/rubygems/tree/master/bundler" }
+        s.require_paths = ["lib"]
+        s.required_ruby_version = Gem::Requirement.new([">= 2.6.0"])
+        s.required_rubygems_version = Gem::Requirement.new([">= 3.0.1"])
+        s.rubygems_version = "3.4.7"
+        s.specification_version = 4
+        s.summary = "The best way to manage your application's dependencies"
+        s.license = false
+      end
       data = Marshal.dump(gem_spec)
       expect(Bundler.safe_load_marshal(data)).to eq(gem_spec)
     end