Merge pull request #7568 from rubygems/segiddins/add-a-limit-to-the-size-of-the-metadata-and-checksums-files-in-a-gem-package

deivid-rodriguez · deivid-rodriguez · commit 95f635c42f49 · 2024-04-30T19:43:18.000+02:00
Add a limit to the size of the metadata and checksums files in a gem package. (cherry picked from commit 4842ad9)
diff --git a/lib/rubygems/package.rb b/lib/rubygems/package.rb
@@ -527,12 +527,13 @@ def normalize_path(pathname)
   # Loads a Gem::Specification from the TarEntry +entry+
 
   def load_spec(entry) # :nodoc:
+    limit = 10 * 1024 * 1024
     case entry.full_name
     when "metadata" then
-      @spec = Gem::Specification.from_yaml entry.read
+      @spec = Gem::Specification.from_yaml limit_read(entry, "metadata", limit)
     when "metadata.gz" then
       Zlib::GzipReader.wrap(entry, external_encoding: Encoding::UTF_8) do |gzio|
-        @spec = Gem::Specification.from_yaml gzio.read
+        @spec = Gem::Specification.from_yaml limit_read(gzio, "metadata.gz", limit)
       end
     end
   end
@@ -556,7 +557,7 @@ def read_checksums(gem)
 
     @checksums = gem.seek "checksums.yaml.gz" do |entry|
       Zlib::GzipReader.wrap entry do |gz_io|
-        Gem::SafeYAML.safe_load gz_io.read
+        Gem::SafeYAML.safe_load limit_read(gz_io, "checksums.yaml.gz", 10 * 1024 * 1024)
       end
     end
   end
@@ -663,7 +664,7 @@ def verify_entry(entry)
 
     case file_name
     when /\.sig$/ then
-      @signatures[$`] = entry.read if @security_policy
+      @signatures[$`] = limit_read(entry, file_name, 1024 * 1024) if @security_policy
       return
     else
       digest entry
@@ -723,6 +724,12 @@ def copy_stream(src, dst) # :nodoc:
       IO.copy_stream(src, dst)
     end
   end
+
+  def limit_read(io, name, limit)
+    bytes = io.read(limit + 1)
+    raise Gem::Package::FormatError, "#{name} is too big (over #{limit} bytes)" if bytes.size > limit
+    bytes
+  end
 end
 
 require_relative "package/digest_io"
