authorSamuel Giddins <segiddins@segiddins.me>2016-08-22 12:26:35 -0500
committerSamuel Giddins <segiddins@segiddins.me>2016-08-22 12:26:35 -0500
commitdc2a61c054aff46492aa804f1e7fe5457bbfde63 (patch)
treefcbdebc5700e8a890def8e369a1b019f5abbdc1a
parent24dbee03161899a80ed3f3fc0220c0814f64a339 (diff)
Distinguish tests for checksum mismatch & invalid checksum
-rw-r--r--lib/bundler/rubygems_gem_installer.rb2
-rw-r--r--spec/install/gems/compact_index_spec.rb11
-rw-r--r--spec/support/artifice/compact_index_wrong_gem_checksum.rb6
3 files changed, 15 insertions, 4 deletions
diff --git a/lib/bundler/rubygems_gem_installer.rb b/lib/bundler/rubygems_gem_installer.rb
index 708d35d9fc..0aa9fd91d6 100644
--- a/lib/bundler/rubygems_gem_installer.rb
+++ b/lib/bundler/rubygems_gem_installer.rb
@@ -45,7 +45,7 @@ module Bundler
case checksum.length
when 64 then :hexdigest!
when 44 then :base64digest!
- else raise InstallError, "The given checksum for #{spec.full_name} is not a valid SHA256 hexdigest nor base64digest"
+ else raise InstallError, "The given checksum for #{spec.full_name} (#{checksum.inspect}) is not a valid SHA256 hexdigest nor base64digest"
end
end
end
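Review bot: The `else` branch now echoes the whole checksum with no length bound, and that value appears to come from the index response (the artifice in this commit sets it in `/info/:name`). `inspect` is the right call, since it escapes control characters before they reach the terminal, but a malformed or oversized value is still written in full to the error output and any logs that capture it. Consider capping what is shown and reporting the real length instead, e.g. `(#{checksum[0, 80].inspect}, #{checksum.length} characters)`. The enclosing method starts outside the hunk, so how `checksum` is typed and normalised before this `case` is not visible here.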
diff --git a/spec/install/gems/compact_index_spec.rb b/spec/install/gems/compact_index_spec.rb
index ba438e5f06..2ee196b61f 100644
--- a/spec/install/gems/compact_index_spec.rb
+++ b/spec/install/gems/compact_index_spec.rb
@@ -706,10 +706,19 @@ The checksum of /versions does not match the checksum provided by the server! So
expect(out).
to include("The checksum for the downloaded `rack-1.0.0.gem` did not match the checksum given by the API.").
and include("This means that the contents of the gem appear to be different from what was uploaded, and could be an indicator of a security issue.").
- and match(/\(The expected SHA256 checksum was "checksum!", but the checksum for the downloaded gem was ".+?"\.\)/).
+ and match(/\(The expected SHA256 checksum was "#{"ab" * 22}", but the checksum for the downloaded gem was ".+?"\.\)/).
and include("Bundler cannot continue installing rack (1.0.0).")
end
+ it "raises when the checksum is the wrong length" do
+ install_gemfile <<-G, :artifice => "compact_index_wrong_gem_checksum", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => "checksum!" }
+ source "#{source_uri}"
+ gem "rack"
+ G
+ expect(exitstatus).to eq(5) if exitstatus
+ expect(out).to include("The given checksum for rack-1.0.0 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest")
+ end
+
it "does not raise when disable_checksum_validation is set" do
bundle! "config disable_checksum_validation true"
install_gemfile! <<-G, :artifice => "compact_index_wrong_gem_checksum"
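Review bot: The added example "raises when the checksum is the wrong length" covers only a value that is too short, so nothing tests a checksum of an accepted length (64 or 44) that contains characters outside hex or base64. The `case checksum.length` in `rubygems_gem_installer.rb` dispatches on length alone, so such a value is treated as a digest. Whether it then fails closed depends on comparison code that is not visible in this commit. A further example using a constructed value such as `"BUNDLER_SPEC_RACK_CHECKSUM" => "!" * 44`, asserting that the install aborts, would pin that behaviour. Separately, `expect(exitstatus).to eq(5) if exitstatus` skips the exit-code check whenever `exitstatus` is nil, leaving only the output assertion. The following example, "does not raise when disable_checksum_validation is set", continues outside the hunk.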
diff --git a/spec/support/artifice/compact_index_wrong_gem_checksum.rb b/spec/support/artifice/compact_index_wrong_gem_checksum.rb
index 6af64856aa..3a12a59ae7 100644
--- a/spec/support/artifice/compact_index_wrong_gem_checksum.rb
+++ b/spec/support/artifice/compact_index_wrong_gem_checksum.rb
@@ -6,9 +6,11 @@ Artifice.deactivate
class CompactIndexWrongGemChecksum < CompactIndexAPI
get "/info/:name" do
etag_response do
- gem = gems.find {|g| g.name == params[:name] }
+ name = params[:name]
+ gem = gems.find {|g| g.name == name }
+ checksum = ENV.fetch("BUNDLER_SPEC_#{name.upcase}_CHECKSUM") { "ab" * 22 }
versions = gem ? gem.versions : []
- versions.each {|v| v.checksum = "checksum!" }
+ versions.each {|v| v.checksum = checksum }
CompactIndex.info(versions)
end
end
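Review bot: The fallback `"ab" * 22` in the `ENV.fetch` block is an unexplained magic value, and `compact_index_spec.rb` repeats it inside its regexp. It is 44 characters, which is presumably chosen so that it passes the installer's length check as a base64 digest and reaches the mismatch path, but nothing on the page says so. A comment above the `checksum =` line would make that explicit, for example `# 44 chars: accepted by length as a base64 SHA256 digest but never matches a real gem; keep in sync with compact_index_spec.rb`. The class body continues outside the hunk.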