Apply ruby-2.6.1-rubygems-v2.patch

chrisseaton · chrisseaton · commit 6ea5a99ad9a4 · 2019-03-13T21:28:09.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # 1.0 RC 14
 
-Updated to Ruby 2.6.1.
+Updated to Ruby 2.6.1, with the RubyGems 3.0.3 security patch.
 
 Bug fixes:
 
diff --git a/lib/mri/rubygems.rb b/lib/mri/rubygems.rb
@@ -9,7 +9,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.0.1".freeze
+  VERSION = "3.0.3".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2
diff --git a/lib/mri/rubygems/command_manager.rb b/lib/mri/rubygems/command_manager.rb
@@ -7,6 +7,7 @@
 
 require 'rubygems/command'
 require 'rubygems/user_interaction'
+require 'rubygems/text'
 
 ##
 # The command manager registers and installs all the individual sub-commands
@@ -32,6 +33,7 @@
 
 class Gem::CommandManager
 
+  include Gem::Text
   include Gem::UserInteraction
 
   BUILTIN_COMMANDS = [ # :nodoc:
@@ -145,12 +147,12 @@ def command_names
   def run(args, build_args=nil)
     process_args(args, build_args)
   rescue StandardError, Timeout::Error => ex
-    alert_error "While executing gem ... (#{ex.class})\n    #{ex}"
+    alert_error clean_text("While executing gem ... (#{ex.class})\n    #{ex}")
     ui.backtrace ex
 
     terminate_interaction(1)
   rescue Interrupt
-    alert_error "Interrupted"
+    alert_error clean_text("Interrupted")
     terminate_interaction(1)
   end
 
@@ -168,7 +170,7 @@ def process_args(args, build_args=nil)
       say Gem::VERSION
       terminate_interaction 0
     when /^-/ then
-      alert_error "Invalid option: #{args.first}. See 'gem --help'."
+      alert_error clean_text("Invalid option: #{args.first}. See 'gem --help'.")
       terminate_interaction 1
     else
       cmd_name = args.shift.downcase
@@ -224,7 +226,7 @@ def load_and_instantiate(command_name)
     rescue Exception => e
       e = load_error if load_error
 
-      alert_error "Loading command: #{command_name} (#{e.class})\n\t#{e}"
+      alert_error clean_text("Loading command: #{command_name} (#{e.class})\n\t#{e}")
       ui.backtrace e
     end
   end
diff --git a/lib/mri/rubygems/commands/owner_command.rb b/lib/mri/rubygems/commands/owner_command.rb
@@ -2,8 +2,11 @@
 require 'rubygems/command'
 require 'rubygems/local_remote_options'
 require 'rubygems/gemcutter_utilities'
+require 'rubygems/text'
 
 class Gem::Commands::OwnerCommand < Gem::Command
+
+  include Gem::Text
   include Gem::LocalRemoteOptions
   include Gem::GemcutterUtilities
 
@@ -65,7 +68,7 @@ def show_owners(name)
     end
 
     with_response response do |resp|
-      owners = Gem::SafeYAML.load resp.body
+      owners = Gem::SafeYAML.load clean_text(resp.body)
 
       say "Owners for gem: #{name}"
       owners.each do |owner|
diff --git a/lib/mri/rubygems/gemcutter_utilities.rb b/lib/mri/rubygems/gemcutter_utilities.rb
@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 require 'rubygems/remote_fetcher'
+require 'rubygems/text'
 
 ##
 # Utility methods for using the RubyGems API.
 
 module Gem::GemcutterUtilities
 
+  include Gem::Text
+
   # TODO: move to Gem::Command
   OptionParser.accept Symbol do |value|
     value.to_sym
@@ -162,13 +165,13 @@ def with_response(response, error_prefix = nil)
       if block_given?
         yield response
       else
-        say response.body
+        say clean_text(response.body)
       end
     else
       message = response.body
       message = "#{error_prefix}: #{message}" if error_prefix
 
-      say message
+      say clean_text(message)
       terminate_interaction 1 # TODO: question this
     end
   end
diff --git a/lib/mri/rubygems/install_update_options.rb b/lib/mri/rubygems/install_update_options.rb
@@ -30,7 +30,7 @@ def add_install_update_options
       options[:bin_dir] = File.expand_path(value)
     end
 
-    add_option(:"Install/Update",       '--[no-]document [TYPES]', Array,
+    add_option(:"Install/Update",       '--document [TYPES]', Array,
                'Generate documentation for installed gems',
                'List the documentation types you wish to',
                'generate.  For example: rdoc,ri') do |value, options|
diff --git a/lib/mri/rubygems/installer.rb b/lib/mri/rubygems/installer.rb
@@ -725,9 +725,26 @@ def verify_gem_home(unpack = false) # :nodoc:
       unpack or File.writable?(gem_home)
   end
 
-  def verify_spec_name
-    return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
-    raise Gem::InstallError, "#{spec} has an invalid name"
+  def verify_spec
+    unless spec.name =~ Gem::Specification::VALID_NAME_PATTERN
+      raise Gem::InstallError, "#{spec} has an invalid name"
+    end
+
+    if spec.raw_require_paths.any?{|path| path =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid require_paths"
+    end
+
+    if spec.extensions.any?{|ext| ext =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid extensions"
+    end
+
+    unless spec.specification_version.to_s =~ /\A\d+\z/
+      raise Gem::InstallError, "#{spec} has an invalid specification_version"
+    end
+
+    if spec.dependencies.any? {|dep| dep.type =~ /\R/ || dep.name =~ /\R/ }
+      raise Gem::InstallError, "#{spec} has an invalid dependencies"
+    end
   end
 
   ##
@@ -876,9 +893,11 @@ def dir
   def pre_install_checks
     verify_gem_home options[:unpack]
 
-    ensure_loadable_spec
+    # The name and require_paths must be verified first, since it could contain
+    # ruby code that would be eval'ed in #ensure_loadable_spec
+    verify_spec
 
-    verify_spec_name
+    ensure_loadable_spec
 
     if options[:install_as_default]
       Gem.ensure_default_gem_subdirectories gem_home
diff --git a/lib/mri/rubygems/package.rb b/lib/mri/rubygems/package.rb
@@ -456,6 +456,16 @@ def install_location(filename, destination_dir) # :nodoc:
     raise Gem::Package::PathError.new(destination, destination_dir) unless
       destination.start_with? destination_dir + '/'
 
+    begin
+      real_destination = File.expand_path(File.realpath(destination))
+    rescue
+      # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
+      nil
+    else
+      raise Gem::Package::PathError.new(real_destination, destination_dir) unless
+        real_destination.start_with? destination_dir + '/'
+    end
+
     destination.untaint
     destination
   end
diff --git a/lib/mri/rubygems/requirement.rb b/lib/mri/rubygems/requirement.rb
@@ -280,7 +280,22 @@ def to_s # :nodoc:
 
   def ==(other) # :nodoc:
     return unless Gem::Requirement === other
-    requirements == other.requirements
+
+    # An == check is always necessary
+    return false unless requirements == other.requirements
+
+    # An == check is sufficient unless any requirements use ~>
+    return true unless _tilde_requirements.any?
+
+    # If any requirements use ~> we use the stricter `#eql?` that also checks
+    # that version precision is the same
+    _tilde_requirements.eql?(other._tilde_requirements)
+  end
+
+  protected
+
+  def _tilde_requirements
+    requirements.select { |r| r.first == "~>" }
   end
 
   private
diff --git a/lib/mri/rubygems/test_case.rb b/lib/mri/rubygems/test_case.rb
@@ -259,6 +259,7 @@ def setup
     @orig_gem_env_requirements = ENV.to_hash
 
     ENV['GEM_VENDOR'] = nil
+    ENV['SOURCE_DATE_EPOCH'] = nil
 
     @current_dir = Dir.pwd
     @fetcher     = nil
diff --git a/lib/mri/rubygems/user_interaction.rb b/lib/mri/rubygems/user_interaction.rb
@@ -7,13 +7,16 @@
 
 require 'rubygems/util'
 require 'rubygems/deprecate'
+require 'rubygems/text'
 
 ##
 # Module that defines the default UserInteraction.  Any class including this
 # module will have access to the +ui+ method that returns the default UI.
 
 module Gem::DefaultUserInteraction
 
+  include Gem::Text
+
   ##
   # The default UI is a class variable of the singleton class for this
   # module.
@@ -162,7 +165,7 @@ def terminate_interaction(exit_code = 0)
   # is true.
 
   def verbose(msg = nil)
-    say(msg || yield) if Gem.configuration.really_verbose
+    say(clean_text(msg || yield)) if Gem.configuration.really_verbose
   end
 end
 
diff --git a/test/mri/tests/rubygems/test_gem.rb b/test/mri/tests/rubygems/test_gem.rb
@@ -150,13 +150,19 @@ def test_self_install_permissions_umask_077
     File.umask(umask)
   end
 
+  def test_self_install_permissions_with_format_executable
+    @format_executable = true
+    assert_self_install_permissions
+  end
+
   def assert_self_install_permissions
     mask = /mingw|mswin/ =~ RUBY_PLATFORM ? 0700 : 0777
     options = {
       :dir_mode => 0500,
       :prog_mode => 0510,
       :data_mode => 0640,
       :wrappers => true,
+      :format_executable => !!(@format_executable if defined?(@format_executable))
     }
     Dir.chdir @tempdir do
       Dir.mkdir 'bin'
@@ -182,8 +188,10 @@ def assert_self_install_permissions
     prog_mode = (options[:prog_mode] & mask).to_s(8)
     dir_mode = (options[:dir_mode] & mask).to_s(8)
     data_mode = (options[:data_mode] & mask).to_s(8)
+    prog_name = 'foo.cmd'
+    prog_name = RUBY_INSTALL_NAME.sub('ruby', 'foo.cmd') if options[:format_executable]
     expected = {
-      "bin/#{RUBY_INSTALL_NAME.sub('ruby', 'foo.cmd')}" => prog_mode,
+      "bin/#{prog_name}" => prog_mode,
       'gems/foo-1' => dir_mode,
       'gems/foo-1/bin' => dir_mode,
       'gems/foo-1/data' => dir_mode,
diff --git a/test/mri/tests/rubygems/test_gem_installer.rb b/test/mri/tests/rubygems/test_gem_installer.rb
@@ -1446,6 +1446,114 @@ def spec.validate(packaging, strict); end
     end
   end
 
+  def test_pre_install_checks_malicious_name_before_eval
+    spec = util_spec "malicious\n::Object.const_set(:FROM_EVAL, true)#", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious\n::Object.const_set(:FROM_EVAL, true)# version=1> has an invalid name", e.message
+    end
+    refute defined?(::Object::FROM_EVAL)
+  end
+
+  def test_pre_install_checks_malicious_require_paths_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.require_paths = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid require_paths", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_extensions_before_eval
+    skip "mswin environment disallow to create file contained the carriage return code." if Gem.win_platform?
+
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.extensions = ["malicious\n``"]
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid extensions", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_specification_version_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.specification_version = "malicious\n``"
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid specification_version", e.message
+    end
+  end
+
+  def test_pre_install_checks_malicious_dependencies_before_eval
+    spec = util_spec "malicious", '1'
+    def spec.full_name # so the spec is buildable
+      "malicious-1"
+    end
+    def spec.validate(*args); end
+    spec.add_dependency "b\nfoo", '> 5'
+
+    util_build_gem spec
+
+    gem = File.join(@gemhome, 'cache', spec.file_name)
+
+    use_ui @ui do
+      @installer = Gem::Installer.at gem
+      @installer.ignore_dependencies = true
+      e = assert_raises Gem::InstallError do
+        @installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid dependencies", e.message
+    end
+  end
+
   def test_shebang
     util_make_exec @spec, "#!/usr/bin/ruby"
 
diff --git a/test/mri/tests/rubygems/test_gem_package.rb b/test/mri/tests/rubygems/test_gem_package.rb
diff --git a/test/mri/tests/rubygems/test_gem_package_tar_writer.rb b/test/mri/tests/rubygems/test_gem_package_tar_writer.rb
diff --git a/test/mri/tests/rubygems/test_gem_requirement.rb b/test/mri/tests/rubygems/test_gem_requirement.rb
diff --git a/test/mri/tests/rubygems/test_gem_specification.rb b/test/mri/tests/rubygems/test_gem_specification.rb
diff --git a/test/mri/tests/rubygems/test_gem_text.rb b/test/mri/tests/rubygems/test_gem_text.rb
diff --git a/versions.json b/versions.json
