1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge https://github.com/rubygems/rubygems/pull/6655 manually.

Browse Source
This commit is contained in:
Hiroshi SHIBATA 2023-05-10 15:02:29 +09:00
parent 9ed189e9aa
commit 0ef6e718d9
No known key found for this signature in database
GPG Key ID: F9CF13417264FAC2
3 changed files with 68 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/bundler.rb
View File

@ -39,16 +39,6 @@ module Bundler
environment_preserver.replace_with_backup
SUDO_MUTEX = Thread::Mutex.new
SAFE_MARSHAL_CLASSES = [Symbol, TrueClass, String, Array, Hash, Gem::Version, Gem::Specification].freeze
SAFE_MARSHAL_ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
SAFE_MARSHAL_PROC = proc do |object|
object.tap do
unless SAFE_MARSHAL_CLASSES.include?(object.class)
raise TypeError, format(SAFE_MARSHAL_ERROR, object.class, SAFE_MARSHAL_CLASSES.join(", "))
end
end
end
autoload :Definition, File.expand_path("bundler/definition", __dir__)
autoload :Dependency, File.expand_path("bundler/dependency", __dir__)
autoload :Deprecate, File.expand_path("bundler/deprecate", __dir__)
@ -86,6 +76,7 @@ module Bundler
autoload :UI, File.expand_path("bundler/ui", __dir__)
autoload :URICredentialsFilter, File.expand_path("bundler/uri_credentials_filter", __dir__)
autoload :URINormalizer, File.expand_path("bundler/uri_normalizer", __dir__)
autoload :SafeMarshal, File.expand_path("bundler/safe_marshal", __dir__)
class << self
def configure
@ -523,7 +514,7 @@ EOF
end
def safe_load_marshal(data)
load_marshal(data, :marshal_proc => SAFE_MARSHAL_PROC)
load_marshal(data, :marshal_proc => SafeMarshal.proc)
end
def load_gemspec(file, validate = false)

31
lib/bundler/safe_marshal.rb Normal file
View File

@ -0,0 +1,31 @@
# frozen_string_literal: true
module Bundler
module SafeMarshal
ALLOWED_CLASSES = [
Array,
FalseClass,
Gem::Specification,
Gem::Version,
Hash,
String,
Symbol,
Time,
TrueClass,
].freeze
ERROR = "Unexpected class %s present in marshaled data. Only %s are allowed."
PROC = proc do |object|
object.tap do
unless ALLOWED_CLASSES.include?(object.class)
raise TypeError, format(ERROR, object.class, ALLOWED_CLASSES.join(", "))
end
end
end
def self.proc
PROC
end
end
end

42
spec/bundler/bundler/bundler_spec.rb
View File

@ -28,14 +28,42 @@ RSpec.describe Bundler do
expect(Bundler.safe_load_marshal(data)).to eq(simple_structure)
end
it "loads Gem::Version" do
gem_version = Gem::Version.new("3.7.2")
data = Marshal.dump(gem_version)
expect(Bundler.safe_load_marshal(data)).to eq(gem_version)
end
it "loads Gem::Specification" do
gem_spec = Gem::Specification.new("name", "3.7.2")
gem_spec = Gem::Specification.new do |s|
s.name = "bundler"
s.version = Gem::Version.new("2.4.7")
s.installed_by_version = Gem::Version.new("0")
s.authors = ["André Arko",
"Samuel Giddins",
"Colby Swandale",
"Hiroshi Shibata",
"David Rodríguez",
"Grey Baker",
"Stephanie Morillo",
"Chris Morris",
"James Wen",
"Tim Moore",
"André Medeiros",
"Jessica Lynn Suttles",
"Terence Lee",
"Carl Lerche",
"Yehuda Katz"]
s.date = Time.utc(2023, 2, 15)
s.description = "Bundler manages an application's dependencies through its entire life, across many machines, systematically and repeatably"
s.email = ["team@bundler.io"]
s.homepage = "https://bundler.io"
s.metadata = { "bug_tracker_uri" => "https://github.com/rubygems/rubygems/issues?q=is%3Aopen+is%3Aissue+label%3ABundler",
"changelog_uri" => "https://github.com/rubygems/rubygems/blob/master/bundler/CHANGELOG.md",
"homepage_uri" => "https://bundler.io/",
"source_code_uri" => "https://github.com/rubygems/rubygems/tree/master/bundler" }
s.require_paths = ["lib"]
s.required_ruby_version = Gem::Requirement.new([">= 2.6.0"])
s.required_rubygems_version = Gem::Requirement.new([">= 3.0.1"])
s.rubygems_version = "3.4.7"
s.specification_version = 4
s.summary = "The best way to manage your application's dependencies"
s.license = false
end
data = Marshal.dump(gem_spec)
expect(Bundler.safe_load_marshal(data)).to eq(gem_spec)
end