Merge #7416

7416: Don't use insecure temporary directory as home directory r=deivid-rodriguez a=fatkodima Closes #6501 Co-authored-by: fatkodima <fatkodima123@gmail.com>
author: Bundlerbot <bot@bundler.io> 2019-11-07 09:12:08 +0000
committer: Bundlerbot <bot@bundler.io> 2019-11-07 09:12:08 +0000
commit: ac758c84847a9850ae18226bfd5291e73e637ca3 (patch)
tree: 1671c4c70796927c4f0c965db3a4978d232252cb
parent: 6f452d62eb76c2699988e75b7a0eb69232026259 (diff)
parent: 65cfebb041c454c246aaf32a177b0243915a9998 (diff)
download: bundler-ac758c84847a9850ae18226bfd5291e73e637ca3.tar.gz
3 files changed, 22 insertions, 47 deletions
diff --git a/lib/bundler.rb b/lib/bundler.rb
index 809771a168..3b494a6cdf 100644
--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -231,8 +231,7 @@ module Bundler
         end
 
         if warning
-          Kernel.send(:require, "etc")
-          user_home = tmp_home_path(Etc.getlogin, warning)
+          user_home = tmp_home_path(warning)
           Bundler.ui.warn "#{warning}\nBundler will use `#{user_home}' as your home directory temporarily.\n"
           user_home
         else
@@ -241,21 +240,6 @@ module Bundler
       end
     end
 
-    def tmp_home_path(login, warning)
-      login ||= "unknown"
-      Kernel.send(:require, "tmpdir")
-      path = Pathname.new(Dir.tmpdir).join("bundler", "home")
-      SharedHelpers.filesystem_access(path) do |tmp_home_path|
-        unless tmp_home_path.exist?
-          tmp_home_path.mkpath
-          tmp_home_path.chmod(0o777)
-        end
-        tmp_home_path.join(login).tap(&:mkpath)
-      end
-    rescue RuntimeError => e
-      raise e.exception("#{warning}\nBundler also failed to create a temporary home directory at `#{path}':\n#{e}")
-    end
-
     def user_bundle_path(dir = "home")
       env_var, fallback = case dir
                           when "home"
@@ -676,6 +660,17 @@ EOF
       Bundler.rubygems.clear_paths
     end
 
+    def tmp_home_path(warning)
+      Kernel.send(:require, "tmpdir")
+      SharedHelpers.filesystem_access(Dir.tmpdir) do
+        path = Bundler.tmp
+        at_exit { Bundler.rm_rf(path) }
+        path
+      end
+    rescue RuntimeError => e
+      raise e.exception("#{warning}\nBundler also failed to create a temporary home directory':\n#{e}")
+    end
+
     # @param env [Hash]
     def with_env(env)
       backup = ENV.to_hash
diff --git a/spec/bundler/bundler_spec.rb b/spec/bundler/bundler_spec.rb
index 74cf7ae05d..247838600b 100644
--- a/spec/bundler/bundler_spec.rb
+++ b/spec/bundler/bundler_spec.rb
@@ -232,16 +232,13 @@ EOF
           path = "/home/oggy"
           allow(Bundler.rubygems).to receive(:user_home).and_return(path)
           allow(File).to receive(:directory?).with(path).and_return false
-          allow(Etc).to receive(:getlogin).and_return("USER")
-          allow(Dir).to receive(:tmpdir).and_return("/TMP")
-          allow(FileTest).to receive(:exist?).with("/TMP/bundler/home").and_return(true)
-          expect(FileUtils).to receive(:mkpath).with("/TMP/bundler/home/USER")
+          allow(Bundler).to receive(:tmp).and_return(Pathname.new("/tmp/trulyrandom"))
           message = <<EOF
 `/home/oggy` is not a directory.
-Bundler will use `/TMP/bundler/home/USER' as your home directory temporarily.
+Bundler will use `/tmp/trulyrandom' as your home directory temporarily.
 EOF
           expect(Bundler.ui).to receive(:warn).with(message)
-          expect(Bundler.user_home).to eq(Pathname("/TMP/bundler/home/USER"))
+          expect(Bundler.user_home).to eq(Pathname("/tmp/trulyrandom"))
         end
       end
 
@@ -254,16 +251,13 @@ EOF
           allow(File).to receive(:directory?).with(path).and_return true
           allow(File).to receive(:writable?).with(path).and_return false
           allow(File).to receive(:directory?).with(dotbundle).and_return false
-          allow(Etc).to receive(:getlogin).and_return("USER")
-          allow(Dir).to receive(:tmpdir).and_return("/TMP")
-          allow(FileTest).to receive(:exist?).with("/TMP/bundler/home").and_return(true)
-          expect(FileUtils).to receive(:mkpath).with("/TMP/bundler/home/USER")
+          allow(Bundler).to receive(:tmp).and_return(Pathname.new("/tmp/trulyrandom"))
           message = <<EOF
 `/home/oggy` is not writable.
-Bundler will use `/TMP/bundler/home/USER' as your home directory temporarily.
+Bundler will use `/tmp/trulyrandom' as your home directory temporarily.
 EOF
           expect(Bundler.ui).to receive(:warn).with(message)
-          expect(Bundler.user_home).to eq(Pathname("/TMP/bundler/home/USER"))
+          expect(Bundler.user_home).to eq(Pathname("/tmp/trulyrandom"))
         end
 
         context ".bundle exists and have correct permissions" do
@@ -282,31 +276,17 @@ EOF
     context "home directory is not set" do
       it "should issue warning and return a temporary user home" do
         allow(Bundler.rubygems).to receive(:user_home).and_return(nil)
-        allow(Etc).to receive(:getlogin).and_return("USER")
-        allow(Dir).to receive(:tmpdir).and_return("/TMP")
-        allow(FileTest).to receive(:exist?).with("/TMP/bundler/home").and_return(true)
-        expect(FileUtils).to receive(:mkpath).with("/TMP/bundler/home/USER")
+        allow(Bundler).to receive(:tmp).and_return(Pathname.new("/tmp/trulyrandom"))
         message = <<EOF
 Your home directory is not set.
-Bundler will use `/TMP/bundler/home/USER' as your home directory temporarily.
+Bundler will use `/tmp/trulyrandom' as your home directory temporarily.
 EOF
         expect(Bundler.ui).to receive(:warn).with(message)
-        expect(Bundler.user_home).to eq(Pathname("/TMP/bundler/home/USER"))
+        expect(Bundler.user_home).to eq(Pathname("/tmp/trulyrandom"))
       end
     end
   end
 
-  describe "#tmp_home_path" do
-    it "should create temporary user home" do
-      allow(Dir).to receive(:tmpdir).and_return("/TMP")
-      allow(FileTest).to receive(:exist?).with("/TMP/bundler/home").and_return(false)
-      expect(FileUtils).to receive(:mkpath).once.ordered.with("/TMP/bundler/home")
-      expect(FileUtils).to receive(:mkpath).once.ordered.with("/TMP/bundler/home/USER")
-      expect(File).to receive(:chmod).with(0o777, "/TMP/bundler/home")
-      expect(Bundler.tmp_home_path("USER", "")).to eq(Pathname("/TMP/bundler/home/USER"))
-    end
-  end
-
   describe "#requires_sudo?" do
     let!(:tmpdir) { Dir.mktmpdir }
     let(:bundle_path) { Pathname("#{tmpdir}/bundle") }
diff --git a/spec/bundler/settings_spec.rb b/spec/bundler/settings_spec.rb
index 7e1dadded7..2a285fdcf3 100644
--- a/spec/bundler/settings_spec.rb
+++ b/spec/bundler/settings_spec.rb
@@ -67,7 +67,7 @@ that would suck --ehhh=oh geez it looks like i might have broken bundler somehow
       context "when $TMPDIR is not writable" do
         it "does not raise" do
           expect(Bundler.rubygems).to receive(:user_home).twice.and_return(nil)
-          expect(FileUtils).to receive(:mkpath).twice.with(File.join(Dir.tmpdir, "bundler", "home")).and_raise(Errno::EROFS, "Read-only file system @ dir_s_mkdir - /tmp/bundler")
+          expect(Bundler).to receive(:tmp).twice.and_raise(Errno::EROFS, "Read-only file system @ dir_s_mkdir - /tmp/bundler")
 
           expect(subject.send(:global_config_file)).to be_nil
         end
author	Bundlerbot <bot@bundler.io>	2019-11-07 09:12:08 +0000
committer	Bundlerbot <bot@bundler.io>	2019-11-07 09:12:08 +0000
commit	ac758c84847a9850ae18226bfd5291e73e637ca3 (patch)
tree	1671c4c70796927c4f0c965db3a4978d232252cb
parent	6f452d62eb76c2699988e75b7a0eb69232026259 (diff)
parent	65cfebb041c454c246aaf32a177b0243915a9998 (diff)
download	bundler-ac758c84847a9850ae18226bfd5291e73e637ca3.tar.gz