ruby--ruby/lib/bundler/rubygems_gem_installer.rb

# frozen_string_literal: true
require "rubygems/installer"

module Bundler
  class RubyGemsGemInstaller < Gem::Installer
    unless respond_to?(:at)
      def self.at(*args)
        new(*args)
      end
    end

    def check_executable_overwrite(filename)
      # Bundler needs to install gems regardless of binstub overwriting
    end

    def pre_install_checks
      super && validate_bundler_checksum(options[:bundler_expected_checksum])
    end

  private

    def validate_bundler_checksum(checksum)
      return true if Bundler.settings[:disable_checksum_validation]
      return true unless checksum
      return true unless source = @package.instance_variable_get(:@gem)
      return true unless source.respond_to?(:with_read_io)
      digest = source.with_read_io do |io|
        digest = Digest::SHA256.new
        digest << io.read(16_384) until io.eof?
        io.rewind
        send(checksum_type(checksum), digest)
      end
      unless digest == checksum
        raise SecurityError, <<-MESSAGE
          Bundler cannot continue installing #{spec.name} (#{spec.version}).
          The checksum for the downloaded `#{spec.full_name}.gem` does not match \
          the checksum given by the server. This means the contents of the downloaded \
          gem is different from what was uploaded to the server, and could be a potential security issue.

          To resolve this issue:
          1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem`
          2. run `bundle install`

          If you wish to continue installing the downloaded gem, and are certain it does not pose a \
          security issue despite the mismatching checksum, do the following:
          1. run `bundle config disable_checksum_validation true` to turn off checksum verification
          2. run `bundle install`

          (More info: The expected SHA256 checksum was #{checksum.inspect}, but the \
          checksum for the downloaded gem was #{digest.inspect}.)
          MESSAGE
      end
      true
    end

    def checksum_type(checksum)
      case checksum.length
      when 64 then :hexdigest!
      when 44 then :base64digest!
      else raise InstallError, "The given checksum for #{spec.full_name} (#{checksum.inspect}) is not a valid SHA256 hexdigest nor base64digest"
      end
    end

    def hexdigest!(digest)
      digest.hexdigest!
    end

    def base64digest!(digest)
      if digest.respond_to?(:base64digest!)
        digest.base64digest!
      else
        [digest.digest!].pack("m0")
      end
    end
  end
end
Merge bundler to standard libraries. rubygems 2.7.x depends bundler-1.15.x. This is preparation for rubygems and bundler migration. * lib/bundler.rb, lib/bundler/: files of bundler-1.15.4 spec/bundler/: rspec examples of bundler-1.15.4. I applied patches. https://github.com/bundler/bundler/pull/6007 * Exclude not working examples on ruby repository. * Fake ruby interpriter instead of installed ruby. * Makefile.in: Added test task named `test-bundler`. This task is only working macOS/linux yet. I'm going to support Windows environment later. * tool/sync_default_gems.rb: Added sync task for bundler. [Feature #12733][ruby-core:77172] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59779 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2017-09-08 08:45:41 +00:00			`# frozen_string_literal: true`
			`require "rubygems/installer"`

			`module Bundler`
			`class RubyGemsGemInstaller < Gem::Installer`
			`unless respond_to?(:at)`
			`def self.at(*args)`
			`new(*args)`
			`end`
			`end`

			`def check_executable_overwrite(filename)`
			`# Bundler needs to install gems regardless of binstub overwriting`
			`end`

			`def pre_install_checks`
			`super && validate_bundler_checksum(options[:bundler_expected_checksum])`
			`end`

			`private`

			`def validate_bundler_checksum(checksum)`
			`return true if Bundler.settings[:disable_checksum_validation]`
			`return true unless checksum`
			`return true unless source = @package.instance_variable_get(:@gem)`
			`return true unless source.respond_to?(:with_read_io)`
			`digest = source.with_read_io do \|io\|`
			`digest = Digest::SHA256.new`
			`digest << io.read(16_384) until io.eof?`
			`io.rewind`
			`send(checksum_type(checksum), digest)`
			`end`
			`unless digest == checksum`
			`raise SecurityError, <<-MESSAGE`
			`Bundler cannot continue installing #{spec.name} (#{spec.version}).`
			The checksum for the downloaded `#{spec.full_name}.gem` does not match \
			`the checksum given by the server. This means the contents of the downloaded \`
			`gem is different from what was uploaded to the server, and could be a potential security issue.`

			`To resolve this issue:`
			1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem`
			2. run `bundle install`

			`If you wish to continue installing the downloaded gem, and are certain it does not pose a \`
			`security issue despite the mismatching checksum, do the following:`
			1. run `bundle config disable_checksum_validation true` to turn off checksum verification
			2. run `bundle install`

			`(More info: The expected SHA256 checksum was #{checksum.inspect}, but the \`
			`checksum for the downloaded gem was #{digest.inspect}.)`
			`MESSAGE`
			`end`
			`true`
			`end`

			`def checksum_type(checksum)`
			`case checksum.length`
			`when 64 then :hexdigest!`
			`when 44 then :base64digest!`
			`else raise InstallError, "The given checksum for #{spec.full_name} (#{checksum.inspect}) is not a valid SHA256 hexdigest nor base64digest"`
			`end`
			`end`

			`def hexdigest!(digest)`
			`digest.hexdigest!`
			`end`

			`def base64digest!(digest)`
			`if digest.respond_to?(:base64digest!)`
			`digest.base64digest!`
			`else`
			`[digest.digest!].pack("m0")`
			`end`
			`end`
			`end`
			`end`