author | Homu <homu@barosl.com> | 2016-08-16 05:13:00 +0900 |
---|---|---|
committer | Homu <homu@barosl.com> | 2016-08-16 05:13:00 +0900 |
commit | 893ce61220edd57b60f717d4287f0705499226d3 (patch) | |
tree | 46bc8db1c83b6ef3e640ab17445cece7efb9308d | |
parent | 94f9f8133053093a66ff9858ae44e2d3066562a8 (diff) | |
parent | 73f8e9a865d4cd2a0cf68b6effc5ff5bc0d027ad (diff) | |
download | bundler-893ce61220edd57b60f717d4287f0705499226d3.tar.gz |
Auto merge of #4738 - allenzhao:remove-entry-rescue, r=segiddins
Rescue ArgumentError and explain the security vulnerability. Fixes #4726
Ref #4726
Might need to add a spec?
/c @indirect @RochesterinNYC
-rw-r--r-- | lib/bundler.rb | 8 | ||||
-rw-r--r-- | spec/bundler/bundler_spec.rb | 18 |
2 files changed, 26 insertions, 0 deletions
diff --git a/lib/bundler.rb b/lib/bundler.rb
index d9e7e6db6d..f5fdcf87d7 100644
--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -195,6 +195,14 @@ module Bundler
 def rm_rf(path)
 FileUtils.remove_entry_secure(path) if path && File.exist?(path)
+ rescue ArgumentError
+ message = <<EOF
+It is a security vulnerability to allow your home directory to be world-writable, and bundler can not continue.
+You should probably consider fixing this issue by running `chmod o-w ~` on *nix.
+Please refer to http://ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure for details.
+EOF
+ File.world_writable?(path) ? Bundler.ui.warn(message) : raise
+ raise PathError, "Please fix the world-writable issue with your #{path} directory"
 end
 def settings
diff --git a/spec/bundler/bundler_spec.rb b/spec/bundler/bundler_spec.rb
index 8708dc7c55..2ff9920614 100644
--- a/spec/bundler/bundler_spec.rb
+++ b/spec/bundler/bundler_spec.rb
@@ -152,4 +152,22 @@ describe Bundler do
 end
 end
 end
+
+ describe "#rm_rf" do
+ context "the directory is world writable" do
+ let(:bundler_ui) { Bundler.ui }
+ it "should show a fridenly error" do
+ allow(File).to receive(:exist?).and_return(true)
+ allow(FileUtils).to receive(:remove_entry_secure).and_raise(ArgumentError)
+ allow(File).to receive(:world_writable?).and_return(true)
+ message = <<EOF
+It is a security vulnerability to allow your home directory to be world-writable, and bundler can not continue.
+You should probably consider fixing this issue by running `chmod o-w ~` on *nix.
+Please refer to http://ruby-doc.org/stdlib-2.1.2/libdoc/fileutils/rdoc/FileUtils.html#method-c-remove_entry_secure for details.
+EOF
+ expect(bundler_ui).to receive(:warn).with(message)
+ expect { Bundler.send(:rm_rf, bundled_app) }.to raise_error(Bundler::PathError)
+ end
+ end
+ end
 end |
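Review bot: In the new `rescue ArgumentError` branch of rm_rf, `File.world_writable?(path)` tests the entry being removed, whereas FileUtils.remove_entry_secure (per the documentation the message links to) refuses when the parent directory is world-writable without the sticky bit. When only the parent is at fault the ternary falls through to the bare `raise`, so the user gets the raw ArgumentError and never sees the explanation. Checking the parent instead, `File.world_writable?(File.dirname(path)) ? Bundler.ui.warn(message) : raise`, matches the condition that actually triggers the error. The message also assumes the home directory and `chmod o-w ~`, while the PathError names `#{path}`, which may live elsewhere; wording the advice around the reported directory would keep it accurate.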
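Review bot: The new example stubs `File.world_writable?` with no argument constraint and covers only the warning branch, so it passes whichever path rm_rf inspects and leaves the re-raise path untested. Constraining the stub to the path the implementation is expected to test, e.g. `allow(File).to receive(:world_writable?).with(bundled_app).and_return(true)`, and adding a second example with `and_return(false)` that asserts `raise_error(ArgumentError)` would pin both outcomes. The blanket `allow(File).to receive(:exist?).and_return(true)` also answers true for every path during the example; narrowing it with `.with(bundled_app)` avoids masking unrelated lookups. The description string has a typo (`fridenly`), and the enclosing `describe Bundler do` opens outside the hunk.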