Merge pull request #4669 from rubygems/release/bundler_2.2.20_rubygems_3.2.20

deivid-rodriguez · web-flow · commit 4c510a34a444 · 2021-06-11T13:25:04.000+02:00
Prepare rubygems 3.2.20 and bundler 2.2.20
diff --git a/.github/workflows/ruby-core.yml b/.github/workflows/ruby-core.yml
@@ -6,7 +6,6 @@ on:
   push:
     branches:
       - master
-      - 3.2
 
 jobs:
   ruby_core:
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -86,6 +86,9 @@ Lint/DuplicateMethods:
 Lint/ParenthesesAsGroupedExpression:
   Enabled: true
 
+Layout/EndAlignment:
+  Enabled: true
+
 Naming/HeredocDelimiterCase:
   Enabled: true
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# 3.2.20 / 2021-06-11
+
+## Security fixes:
+
+* Verify plaform before installing to avoid potential remote code
+  execution. Pull request #4667 by sonalkr132
+
+## Enhancements:
+
+* Add better specification policy error description. Pull request #4658 by
+  ceritium
+
 # 3.2.19 / 2021-05-31
 
 ## Enhancements:
diff --git a/Manifest.txt b/Manifest.txt
@@ -538,6 +538,7 @@ test/rubygems/invalidchild_cert.pem
 test/rubygems/invalidchild_cert_32.pem
 test/rubygems/invalidchild_key.pem
 test/rubygems/packages/ascii_binder-0.1.10.1.gem
+test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem
 test/rubygems/plugin/exception/rubygems_plugin.rb
 test/rubygems/plugin/load/rubygems_plugin.rb
 test/rubygems/plugin/standarderror/rubygems_plugin.rb
diff --git a/bundler/CHANGELOG.md b/bundler/CHANGELOG.md
@@ -1,3 +1,19 @@
+# 2.2.20 (June 11, 2021)
+
+## Enhancements:
+
+  - Don't print bug report template on server side errors [#4663](https://github.com/rubygems/rubygems/pull/4663)
+  - Don't load `resolv` unnecessarily [#4640](https://github.com/rubygems/rubygems/pull/4640)
+
+## Bug fixes:
+
+  - Fix `bundle outdated` edge case [#4648](https://github.com/rubygems/rubygems/pull/4648)
+  - Fix `bundle check` with scoped rubygems sources [#4639](https://github.com/rubygems/rubygems/pull/4639)
+
+## Performance:
+
+  - Don't use `extra_rdoc_files` with md files in gemspec to make installing bundler with docs faster [#4628](https://github.com/rubygems/rubygems/pull/4628)
+
 # 2.2.19 (May 31, 2021)
 
 ## Bug fixes:
diff --git a/bundler/bundler.gemspec b/bundler/bundler.gemspec
@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
   # include the gemspec itself because warbler breaks w/o it
   s.files += %w[bundler.gemspec]
 
-  s.extra_rdoc_files = %w[CHANGELOG.md LICENSE.md README.md]
+  s.files += %w[CHANGELOG.md LICENSE.md README.md]
   s.bindir        = "exe"
   s.executables   = %w[bundle bundler]
   s.require_paths = ["lib"]
diff --git a/bundler/lib/bundler/cli/check.rb b/bundler/lib/bundler/cli/check.rb
@@ -11,9 +11,11 @@ def initialize(options)
     def run
       Bundler.settings.set_command_option_if_given :path, options[:path]
 
+      definition = Bundler.definition
+      definition.validate_runtime!
+
       begin
-        definition = Bundler.definition
-        definition.validate_runtime!
+        definition.resolve_only_locally!
         not_installed = definition.missing_specs
       rescue GemNotFound, VersionConflict
         Bundler.ui.error "Bundler can't satisfy your Gemfile's dependencies."
diff --git a/bundler/lib/bundler/cli/outdated.rb b/bundler/lib/bundler/cli/outdated.rb
@@ -147,6 +147,8 @@ def nothing_outdated_message
 
     def retrieve_active_spec(definition, current_spec)
       active_spec = definition.resolve.find_by_name_and_platform(current_spec.name, current_spec.platform)
+      return unless active_spec
+
       return active_spec if strict
 
       active_specs = active_spec.source.specs.search(current_spec.name).select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)
diff --git a/bundler/lib/bundler/definition.rb b/bundler/lib/bundler/definition.rb
@@ -160,6 +160,12 @@ def disable_multisource?
       @disable_multisource
     end
 
+    def resolve_only_locally!
+      @remote = false
+      sources.local_only!
+      resolve
+    end
+
     def resolve_with_cache!
       sources.cached!
       resolve
diff --git a/bundler/lib/bundler/fetcher/index.rb b/bundler/lib/bundler/fetcher/index.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require_relative "base"
-require "rubygems/remote_fetcher"
 
 module Bundler
   class Fetcher
diff --git a/bundler/lib/bundler/friendly_errors.rb b/bundler/lib/bundler/friendly_errors.rb
@@ -49,8 +49,6 @@ def log_error(error)
           "Alternatively, you can increase the amount of memory the JVM is able to use by running Bundler with jruby -J-Xmx1024m -S bundle (JRuby defaults to 500MB)."
       else request_issue_report_for(error)
       end
-    rescue StandardError
-      raise error
     end
 
     def exit_status(error)
@@ -111,7 +109,7 @@ def request_issue_report_for(e)
         First, try this link to see if there are any existing issue reports for this error:
         #{issues_url(e)}
 
-        If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
+        If there aren't any reports for this error yet, please copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
         https://github.com/rubygems/rubygems/issues/new?labels=Bundler&template=bundler-related-issue.md
       EOS
     end
diff --git a/bundler/lib/bundler/rubygems_integration.rb b/bundler/lib/bundler/rubygems_integration.rb
@@ -526,13 +526,14 @@ def download_gem(spec, uri, path)
       Bundler::Retry.new("download gem from #{uri}").attempts do
         fetcher.download(spec, uri, path)
       end
+    rescue Gem::RemoteFetcher::FetchError => e
+      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
     end
 
     def gem_remote_fetcher
-      require "resolv"
+      require "rubygems/remote_fetcher"
       proxy = configuration[:http_proxy]
-      dns = Resolv::DNS.new
-      Gem::RemoteFetcher.new(proxy, dns)
+      Gem::RemoteFetcher.new(proxy)
     end
 
     def gem_from_path(path, policy = nil)
diff --git a/bundler/lib/bundler/source.rb b/bundler/lib/bundler/source.rb
@@ -36,6 +36,8 @@ def can_lock?(spec)
 
     def local!; end
 
+    def local_only!; end
+
     def cached!; end
 
     def remote!; end
diff --git a/bundler/lib/bundler/source/rubygems.rb b/bundler/lib/bundler/source/rubygems.rb
@@ -26,6 +26,12 @@ def initialize(options = {})
         Array(options["remotes"]).reverse_each {|r| add_remote(r) }
       end
 
+      def local_only!
+        @specs = nil
+        @allow_local = true
+        @allow_remote = false
+      end
+
       def local!
         return if @allow_local
 
diff --git a/bundler/lib/bundler/source_list.rb b/bundler/lib/bundler/source_list.rb
@@ -132,6 +132,10 @@ def replace_sources!(replacement_sources)
       false
     end
 
+    def local_only!
+      all_sources.each(&:local_only!)
+    end
+
     def cached!
       all_sources.each(&:cached!)
     end
diff --git a/bundler/lib/bundler/version.rb b/bundler/lib/bundler/version.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.19".freeze
+  VERSION = "2.2.20".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i
diff --git a/bundler/spec/bundler/fetcher/index_spec.rb b/bundler/spec/bundler/fetcher/index_spec.rb
@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rubygems/remote_fetcher"
+
 RSpec.describe Bundler::Fetcher::Index do
   let(:downloader)  { nil }
   let(:remote)      { nil }
diff --git a/bundler/spec/commands/check_spec.rb b/bundler/spec/commands/check_spec.rb
@@ -288,6 +288,66 @@
     end
   end
 
+  describe "when using only scoped rubygems sources" do
+    before do
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo1)}" do
+          gem "rack"
+        end
+      G
+    end
+
+    it "returns success when the Gemfile is satisfied" do
+      system_gems "rack-1.0.0", :path => default_bundle_path
+      bundle :check
+      expect(out).to include("The Gemfile's dependencies are satisfied")
+    end
+  end
+
+  describe "when using only scoped rubygems sources with indirect dependencies" do
+    before do
+      build_repo4 do
+        build_gem "depends_on_rack" do |s|
+          s.add_dependency "rack"
+        end
+
+        build_gem "rack"
+      end
+
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo4)}" do
+          gem "depends_on_rack"
+        end
+      G
+    end
+
+    it "returns success when the Gemfile is satisfied and generates a correct lockfile" do
+      system_gems "depends_on_rack-1.0", "rack-1.0", :gem_repo => gem_repo4, :path => default_bundle_path
+      bundle :check
+      expect(out).to include("The Gemfile's dependencies are satisfied")
+      expect(lockfile).to eq <<~L
+        GEM
+          specs:
+
+        GEM
+          remote: #{file_uri_for(gem_repo4)}/
+          specs:
+            depends_on_rack (1.0)
+              rack
+            rack (1.0)
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          depends_on_rack!
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+    end
+  end
+
   describe "BUNDLED WITH" do
     def lock_with(bundler_version = nil)
       lock = <<-L
diff --git a/bundler/spec/commands/outdated_spec.rb b/bundler/spec/commands/outdated_spec.rb
@@ -1292,4 +1292,53 @@ def test_group_option(group)
       expect(out).to end_with(expected_output)
     end
   end
+
+  context "when a gem is no longer a dependency after a full update" do
+    before do
+      build_repo4 do
+        build_gem "mini_portile2", "2.5.2" do |s|
+          s.add_dependency "net-ftp", "~> 0.1"
+        end
+
+        build_gem "mini_portile2", "2.5.3"
+
+        build_gem "net-ftp", "0.1.2"
+      end
+
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo4)}"
+
+        gem "mini_portile2"
+      G
+
+      lockfile <<~L
+        GEM
+          remote: #{file_uri_for(gem_repo4)}/
+          specs:
+            mini_portile2 (2.5.2)
+              net-ftp (~> 0.1)
+            net-ftp (0.1.2)
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          mini_portile2
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+    end
+
+    it "works" do
+      bundle "outdated", :raise_on_error => false
+
+      expected_output = <<~TABLE.strip
+        Gem            Current  Latest  Requested  Groups
+        mini_portile2  2.5.2    2.5.3   >= 0       default
+      TABLE
+
+      expect(out).to end_with(expected_output)
+    end
+  end
 end
diff --git a/bundler/spec/install/global_cache_spec.rb b/bundler/spec/install/global_cache_spec.rb
@@ -113,6 +113,8 @@ def source2_global_cache(*segments)
         expect(source2_global_cache("rack-0.9.1.gem")).to exist
         bundle :install, :artifice => "compact_index_no_gem", :raise_on_error => false
         expect(err).to include("Internal Server Error 500")
+        expect(err).not_to include("please copy and paste the report template above into a new issue")
+
         # rack 1.0.0 is not installed and rack 0.9.1 is not
         expect(the_bundle).not_to include_gems "rack 1.0.0"
         expect(the_bundle).not_to include_gems "rack 0.9.1"
@@ -126,6 +128,8 @@ def source2_global_cache(*segments)
         expect(source2_global_cache("rack-0.9.1.gem")).to exist
         bundle :install, :artifice => "compact_index_no_gem", :raise_on_error => false
         expect(err).to include("Internal Server Error 500")
+        expect(err).not_to include("please copy and paste the report template above into a new issue")
+
         # rack 0.9.1 is not installed and rack 1.0.0 is not
         expect(the_bundle).not_to include_gems "rack 0.9.1"
         expect(the_bundle).not_to include_gems "rack 1.0.0"
diff --git a/bundler/tool/bundler/rubocop23_gems.rb.lock b/bundler/tool/bundler/rubocop23_gems.rb.lock
@@ -54,4 +54,4 @@ DEPENDENCIES
   test-unit
 
 BUNDLED WITH
-   2.2.19
+   2.2.20
diff --git a/bundler/tool/bundler/rubocop_gems.rb.lock b/bundler/tool/bundler/rubocop_gems.rb.lock
@@ -56,4 +56,4 @@ DEPENDENCIES
   test-unit
 
 BUNDLED WITH
-   2.2.19
+   2.2.20
diff --git a/bundler/tool/bundler/test_gems.rb.lock b/bundler/tool/bundler/test_gems.rb.lock
@@ -40,4 +40,4 @@ DEPENDENCIES
   webrick (= 1.7.0)
 
 BUNDLED WITH
-   2.2.19
+   2.2.20
diff --git a/dev_gems.rb.lock b/dev_gems.rb.lock
@@ -110,4 +110,4 @@ DEPENDENCIES
   webrick (~> 1.6)
 
 BUNDLED WITH
-   2.2.19
+   2.2.20
diff --git a/lib/rubygems.rb b/lib/rubygems.rb
@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.2.19".freeze
+  VERSION = "3.2.20".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
@@ -728,6 +728,10 @@ def verify_spec
       raise Gem::InstallError, "#{spec} has an invalid extensions"
     end
 
+    if spec.platform.to_s =~ /\R/
+      raise Gem::InstallError, "#{spec.platform} is an invalid platform"
+    end
+
     unless spec.specification_version.to_s =~ /\A\d+\z/
       raise Gem::InstallError, "#{spec} has an invalid specification_version"
     end
diff --git a/lib/rubygems/specification_policy.rb b/lib/rubygems/specification_policy.rb
diff --git a/lib/rubygems/test_case.rb b/lib/rubygems/test_case.rb
diff --git a/rubygems-update.gemspec b/rubygems-update.gemspec
diff --git a/test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem b/test/rubygems/packages/ill-formatted-platform-1.0.0.10.gem
diff --git a/test/rubygems/test_gem_bundler_version_finder.rb b/test/rubygems/test_gem_bundler_version_finder.rb
diff --git a/test/rubygems/test_gem_dependency.rb b/test/rubygems/test_gem_dependency.rb
diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
diff --git a/test/rubygems/test_gem_specification.rb b/test/rubygems/test_gem_specification.rb
diff --git a/test/rubygems/test_kernel.rb b/test/rubygems/test_kernel.rb
diff --git a/util/changelog.rb b/util/changelog.rb
