This commit is contained in:
Hiroshi SHIBATA 2023-05-10 15:02:29 +09:00
parent 9ed189e9aa
commit 0ef6e718d9
No known key found for this signature in database
GPG Key ID: F9CF13417264FAC2
3 changed files with 68 additions and 18 deletions


@ -39,16 +39,6 @@ module Bundler
environment_preserver.replace_with_backup environment_preserver.replace_with_backup
SUDO_MUTEX = Thread::Mutex.new SUDO_MUTEX = Thread::Mutex.new
SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
SAFE_MARSHAL_PROC = proc do |object|
object.tap do
unless SAFE_MARSHAL_CLASSES.include?(object.class)
raise TypeError, format(SAFE_MARSHAL_ERROR, object.class, SAFE_MARSHAL_CLASSES.join(", "))
end
end
end
autoload :Definition, File.expand_path("bundler/definition", __dir__) autoload :Definition, File.expand_path("bundler/definition", __dir__)
autoload :Dependency, File.expand_path("bundler/dependency", __dir__) autoload :Dependency, File.expand_path("bundler/dependency", __dir__)
autoload :Deprecate, File.expand_path("bundler/deprecate", __dir__) autoload :Deprecate, File.expand_path("bundler/deprecate", __dir__)
@ -86,6 +76,7 @@ module Bundler
autoload :UI, File.expand_path("bundler/ui", __dir__) autoload :UI, File.expand_path("bundler/ui", __dir__)
autoload :URICredentialsFilter, File.expand_path("bundler/uri_credentials_filter", __dir__) autoload :URICredentialsFilter, File.expand_path("bundler/uri_credentials_filter", __dir__)
autoload :URINormalizer, File.expand_path("bundler/uri_normalizer", __dir__) autoload :URINormalizer, File.expand_path("bundler/uri_normalizer", __dir__)
autoload :SafeMarshal, File.expand_path("bundler/safe_marshal", __dir__)
class << self class << self
def configure def configure
@ -523,7 +514,7 @@ EOF
end end
def safe_load_marshal(data) def safe_load_marshal(data)
load_marshal(data, :marshal_proc => SAFE_MARSHAL_PROC) load_marshal(data, :marshal_proc => SafeMarshal.proc)
end end
def load_gemspec(file, validate = false) def load_gemspec(file, validate = false)
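Review bot: The new `autoload :SafeMarshal` line in the second hunk is appended after `URINormalizer`, which breaks the alphabetical order the surrounding autoload list keeps (`UI`, `URICredentialsFilter`, `URINormalizer`); move it up to its sorted position, which lies outside this hunk. The third hunk makes `safe_load_marshal` delegate to `SafeMarshal.proc` while the first hunk removes `SAFE_MARSHAL_CLASSES`, `SAFE_MARSHAL_ERROR` and `SAFE_MARSHAL_PROC`, so any code outside this file that still referenced `Bundler::SAFE_MARSHAL_PROC` or `Bundler::SAFE_MARSHAL_CLASSES` would now raise `NameError`; a grep for those names before merging is cheap. `load_marshal` and the `class << self` body continue outside the hunks.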


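--- /dev/null
+++ b/<NEW-FILE-PATH-NOT-SHOWN>
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+module Bundler
+module SafeMarshal
+ALLOWED_CLASSES = [
+Array,
+FalseClass,
+Gem::Specification,
+Gem::Version,
+Hash,
+String,
+Symbol,
+Time,
+TrueClass,
+].freeze
+ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
+PROC = proc do |object|
+object.tap do
+unless ALLOWED_CLASSES.include?(object.class)
+raise TypeError, format(ERROR, object.class, ALLOWED_CLASSES.join(", "))
+end
+end
+end
+def self.proc
+PROC
+end
+end
+end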
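Review bot: `ALLOWED_CLASSES` widens the list removed from bundler.rb by `FalseClass` and `Time` without saying why; add a comment above the array such as `# Time: Gem::Specification#date; FalseClass: spec fields such as #license may be false` so the entries are not trimmed later, and a module comment stating that this is the allowlist `Bundler.safe_load_marshal` applies to marshaled data. The check in `PROC` runs on each value after Marshal has already built it (the proc receives the deserialized object), so it rejects unlisted classes rather than preventing their instantiation — that limitation belongs in the same comment. The spec in this commit round-trips a specification holding `Gem::Requirement` values that are not on the list, which suggests those nested values never reach the proc, presumably because `Gem::Specification` serialises them in its own payload; confirm that, since the allowlist then does not cover the inner payload. `def self.proc` is order-sensitive: it is only correct because it is defined after the `PROC = proc do` line, as a bare `proc` call in the module body resolves to the singleton method once that exists; renaming it, e.g. `def self.checker`, or a one-line comment, removes the trap.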


@ -28,14 +28,42 @@ RSpec.describe Bundler do
expect(Bundler.safe_load_marshal(data)).to eq(simple_structure) expect(Bundler.safe_load_marshal(data)).to eq(simple_structure)
end end
it "loads Gem::Version" do
gem_version = Gem::Version.new("3.7.2")
data = Marshal.dump(gem_version)
expect(Bundler.safe_load_marshal(data)).to eq(gem_version)
end
it "loads Gem::Specification" do it "loads Gem::Specification" do
gem_spec = Gem::Specification.new("name", "3.7.2") gem_spec = Gem::Specification.new do |s|
s.name = "bundler"
s.version = Gem::Version.new("2.4.7")
s.installed_by_version = Gem::Version.new("0")
s.authors = ["André Arko",
"Samuel Giddins",
"Colby Swandale",
"Hiroshi Shibata",
"David Rodríguez",
"Grey Baker",
"Stephanie Morillo",
"Chris Morris",
"James Wen",
"Tim Moore",
"André Medeiros",
"Jessica Lynn Suttles",
"Terence Lee",
"Carl Lerche",
"Yehuda Katz"]
s.date = Time.utc(2023, 2, 15)
s.description = "Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably"
s.email = ["team@bundler.io"]
s.homepage = "https://bundler.io"
s.metadata = { "bug_tracker_uri" => "https://github.com/rubygems/rubygems/issues?q=is%3Aopen+is%3Aissue+label%3ABundler",
"changelog_uri" => "https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md",
"homepage_uri" => "https://bundler.io/",
"source_code_uri" => "https://github.com/rubygems/rubygems/tree/master/bundler" }
s.require_paths = ["lib"]
s.required_ruby_version = Gem::Requirement.new([">= 2.6.0"])
s.required_rubygems_version = Gem::Requirement.new([">= 3.0.1"])
s.rubygems_version = "3.4.7"
s.specification_version = 4
s.summary = "The best way to manage your application's dependencies"
s.license = false
end
data = Marshal.dump(gem_spec) data = Marshal.dump(gem_spec)
expect(Bundler.safe_load_marshal(data)).to eq(gem_spec) expect(Bundler.safe_load_marshal(data)).to eq(gem_spec)
end end
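Review bot: Both examples in the hunk cover only the allow path (`Gem::Version`, `Gem::Specification`, `Time` via `s.date`, `FalseClass` via `s.license = false`); unless the describe block already has one outside the hunk, add a negative example asserting that `Bundler.safe_load_marshal` raises `TypeError` for a `Marshal.dump` of an object whose class is not allowlisted, since that is the property the new module exists to enforce. The specification fixture is some thirty lines of literal author and metadata strings; a spec with only the fields that exercise new classes (`date`, `license`, `version`) would make the intent of the example visible and keep it stable when the real gemspec changes. The `RSpec.describe Bundler` block continues outside the hunk.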