diff options
| author | Samuel Giddins <segiddins@segiddins.me> | 2016-08-08 17:15:17 -0500 |
|---|---|---|
| committer | Samuel Giddins <segiddins@segiddins.me> | 2016-08-22 11:57:30 -0500 |
| commit | 689aff2244c80f8246035a839e7d83bb26915a4d (patch) | |
| tree | cca8f17178c645b48ac9b42d470a27e2ebb6fb59 | |
| parent | cdd286377909e8f1c116ce176a2a4c78105ab2fd (diff) | |
| download | bundler-689aff2244c80f8246035a839e7d83bb26915a4d.tar.gz | |
[RubyGemsGemInstaller] Validate checksums from the compact index
| -rw-r--r-- | lib/bundler/rubygems_gem_installer.rb | 27 | ||||
| -rw-r--r-- | lib/bundler/source/rubygems.rb | 3 | ||||
| -rw-r--r-- | spec/install/gems/compact_index_spec.rb | 14 | ||||
| -rw-r--r-- | spec/support/artifice/compact_index.rb | 7 | ||||
| -rw-r--r-- | spec/support/artifice/compact_index_wrong_gem_checksum.rb | 17 |
5 files changed, 66 insertions, 2 deletions
diff --git a/lib/bundler/rubygems_gem_installer.rb b/lib/bundler/rubygems_gem_installer.rb index e18f46268b..cccd28e294 100644 --- a/lib/bundler/rubygems_gem_installer.rb +++ b/lib/bundler/rubygems_gem_installer.rb @@ -12,5 +12,32 @@ module Bundler def check_executable_overwrite(filename) # Bundler needs to install gems regardless of binstub overwriting end + + def pre_install_checks + super && validate_bundler_checksum(options[:bundler_expected_checksum]) + end + + private + + def validate_bundler_checksum(checksum) + return true unless checksum + return true unless source = @package.instance_variable_get(:@gem) + return true unless source.respond_to?(:with_read_io) + digest = source.with_read_io do |io| + digest = Digest::SHA256.new + digest << io.read(16_384) until io.eof? + io.rewind + digest.base64digest! + end + unless digest == checksum + raise SecurityError, + "The checksum for the downloaded `#{spec.full_name}.gem` did not match " \ + "the checksum given by the API. This means that the contents of the " \ + "gem appear to be different from what was uploaded, and could be an indicator of a security issue.\n" \ + "(The expected SHA256 checksum was #{checksum.inspect}, but the checksum for the downloaded gem was #{digest.inspect}.)\n" \ + "Bundler cannot continue installing #{spec.name} (#{spec.version})." + end + true + end end end diff --git a/lib/bundler/source/rubygems.rb b/lib/bundler/source/rubygems.rb index aedad7086d..89f7673eb8 100644 --- a/lib/bundler/source/rubygems.rb +++ b/lib/bundler/source/rubygems.rb @@ -140,7 +140,8 @@ module Bundler :bin_dir => bin_path.to_s, :ignore_dependencies => true, :wrappers => true, - :env_shebang => true + :env_shebang => true, + :bundler_expected_checksum => spec.respond_to?(:checksum) && spec.checksum ).install end spec.full_gem_path = installed_spec.full_gem_path diff --git a/spec/install/gems/compact_index_spec.rb b/spec/install/gems/compact_index_spec.rb index 0edd1d20e7..926ae6bc8b 100644 --- a/spec/install/gems/compact_index_spec.rb +++ b/spec/install/gems/compact_index_spec.rb @@ -695,4 +695,18 @@ The checksum of /versions does not match the checksum provided by the server! So expect(File.read(versions)).to start_with("created_at") expect(the_bundle).to include_gems "rack 1.0.0" end + + describe "checksum validation" do + it "raises when the checksum does not match" do + install_gemfile <<-G, :artifice => "compact_index_wrong_gem_checksum" + source "#{source_uri}" + gem "rack" + G + expect(out). + to include("The checksum for the downloaded `rack-1.0.0.gem` did not match the checksum given by the API."). + and include("This means that the contents of the gem appear to be different from what was uploaded, and could be an indicator of a security issue."). + and match(/\(The expected SHA256 checksum was "checksum!", but the checksum for the downloaded gem was "[a-zA-Z0-9]+="\.\)/). + and include("Bundler cannot continue installing rack (1.0.0).") + end + end end diff --git a/spec/support/artifice/compact_index.rb b/spec/support/artifice/compact_index.rb index 233c192a67..f3ff2db4fa 100644 --- a/spec/support/artifice/compact_index.rb +++ b/spec/support/artifice/compact_index.rb @@ -78,7 +78,12 @@ class CompactIndexAPI < Endpoint reqs = d.requirement.requirements.map {|r| r.join(" ") }.join(", ") CompactIndex::Dependency.new(d.name, reqs) end - CompactIndex::GemVersion.new(spec.version.version, spec.platform.to_s, nil, nil, + checksum = begin + Digest::SHA256.file("#{GEM_REPO}/gems/#{spec.original_name}.gem").base64digest + rescue + nil + end + CompactIndex::GemVersion.new(spec.version.version, spec.platform.to_s, checksum, nil, deps, spec.required_ruby_version, spec.required_rubygems_version) end CompactIndex::Gem.new(name, gem_versions) diff --git a/spec/support/artifice/compact_index_wrong_gem_checksum.rb b/spec/support/artifice/compact_index_wrong_gem_checksum.rb new file mode 100644 index 0000000000..6af64856aa --- /dev/null +++ b/spec/support/artifice/compact_index_wrong_gem_checksum.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true +require File.expand_path("../compact_index", __FILE__) + +Artifice.deactivate + +class CompactIndexWrongGemChecksum < CompactIndexAPI + get "/info/:name" do + etag_response do + gem = gems.find {|g| g.name == params[:name] } + versions = gem ? gem.versions : [] + versions.each {|v| v.checksum = "checksum!" } + CompactIndex.info(versions) + end + end +end + +Artifice.activate_with(CompactIndexWrongGemChecksum) |