authorAndre Arko <andre@arko.net>2015-01-26 18:17:26 -0800
committerAndre Arko <andre@arko.net>2015-01-26 18:17:26 -0800
commitcf87c3196e8373e1883cdbd27c67382ff44be5a2 (patch)
treec37691829a028cf8b8f7e094849eafff0b6d53e8
parenta9e047270adcbe7c0399e5553bb3be48b27f8e64 (diff)
downloadbundler-cf87c3196e8373e1883cdbd27c67382ff44be5a2.tar.gz
warn or error on multiple primary sources
-rw-r--r--lib/bundler/cli/install.rb2
-rw-r--r--lib/bundler/dsl.rb20
-rw-r--r--lib/bundler/source_list.rb4
-rw-r--r--spec/install/gems/sources_spec.rb12
4 files changed, 36 insertions, 2 deletions
diff --git a/lib/bundler/cli/install.rb b/lib/bundler/cli/install.rb
index 43dd40a500..ba712a09d6 100644
--- a/lib/bundler/cli/install.rb
+++ b/lib/bundler/cli/install.rb
@@ -104,7 +104,7 @@ module Bundler
Bundler.ui.error "You should add a source requirement to restrict this gem to your preferred source."
Bundler.ui.error "For example:"
Bundler.ui.error " gem '#{name}', :source => '#{installed_from_uri}'"
- Bundler.ui.error "Then uninstall the gem '#{name}' (or delete all bundled gems) and then install again."
+ Bundler.ui.error "Then uninstall the gem '#{name}' (or delete all bundled gems) and install again."
end
if Bundler.settings[:clean] && Bundler.settings[:path]
diff --git a/lib/bundler/dsl.rb b/lib/bundler/dsl.rb
index e2853e0813..0440a8c949 100644
--- a/lib/bundler/dsl.rb
+++ b/lib/bundler/dsl.rb
@@ -112,6 +112,7 @@ module Bundler
if block_given?
with_source(@sources.add_rubygems_source("remotes" => source), &blk)
else
+ check_primary_source_safety(@sources)
@sources.add_rubygems_remote(source)
end
end
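Review bot: `check_primary_source_safety(@sources)` runs before `@sources.add_rubygems_remote(source)`, so it only sees the bare remotes registered by earlier `source` calls; that correctly keeps the first bare `source` silent, but it also means the warning is printed once for the second bare source and again for every further one, so a Gemfile with three bare sources gets the same warning twice (unless `Bundler.ui.warn` de-duplicates, which the hunk does not show). If a single notice per Gemfile is wanted, guarding with `unless @warned_multisource` (or similar instance state) in the caller would do it. The enclosing `source` method starts outside the hunk.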
@@ -303,5 +304,24 @@ module Bundler
raise GemfileError, "Unknown source '#{source}'"
end
end
+
+ def check_primary_source_safety(source)
+ return unless source.rubygems_primary_remotes.any?
+
+ if Bundler.settings[:disable_multisource]
+ raise GemspecError, "Warning: this Gemfile contains multiple primary sources. " \
+ "Each source after the first must include a block to indicate which gems " \
+ "should come from that source. To downgrade this error to a warning, run " \
+ "`bundle config --delete disable_multisource`."
+ else
+ Bundler.ui.warn "Warning: this Gemfile contains multiple primary sources. " \
+ "Using `source` more than once without a block is a security risk, and " \
+ "may result in installing unexpected gems. To resolve this warning, use " \
+ "a block to indicate which gems should come from the secondary source. " \
+ "To upgrade this warning to an error, run `bundle config " \
+ "disable_multisource true`."
+ end
+ end
+
end
end
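Review bot: `check_primary_source_safety(source)` receives the whole `SourceList` (the earlier hunk passes `@sources`) and only calls `rubygems_primary_remotes` on it, so the parameter name `source` reads as a single source; `def check_primary_source_safety(source_list)` would say what it is. In the `disable_multisource` branch the raised message opens with "Warning:" although that path is a hard failure that aborts the install, so the first word contradicts the behaviour; dropping that prefix from the error string keeps the spec's match on "Each source after the first must include a block" intact. The `else` after an unconditional `raise` can be flattened to a guard, `raise GemspecError, "..." if Bundler.settings[:disable_multisource]`, followed by the `Bundler.ui.warn` call, and the blank line before the class's closing `end` should go. Raising `GemspecError` rather than the `GemfileError` used a few lines above for other Gemfile problems is presumably deliberate for the exit status the spec asserts (14); a one-line comment stating that, plus a comment above the method explaining that a second bare `source` lets any gem resolve from either remote (the "unexpected gems" the warning refers to), would spare the next reader the guess.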
diff --git a/lib/bundler/source_list.rb b/lib/bundler/source_list.rb
index 49a976ba6a..49efbf7a8e 100644
--- a/lib/bundler/source_list.rb
+++ b/lib/bundler/source_list.rb
@@ -74,6 +74,10 @@ module Bundler
all_sources.each(&:remote!)
end
+ def rubygems_primary_remotes
+ @rubygems_aggregate.remotes
+ end
+
private
def add_source_to_list(source, list)
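Review bot: `rubygems_primary_remotes` hands back `@rubygems_aggregate.remotes` directly, which — if `remotes` is the aggregate's backing array rather than a copy, something this hunk does not show — lets callers mutate the source list's state through a public reader; returning `@rubygems_aggregate.remotes.dup` (or documenting that the result is read-only) would close that. The method also lacks a comment; something like `# Remotes added by bare top-level `source` calls (the rubygems aggregate); used by the Dsl to detect multiple primary sources.` would explain why it is public.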
diff --git a/spec/install/gems/sources_spec.rb b/spec/install/gems/sources_spec.rb
index 68f3fd3713..45a742a87f 100644
--- a/spec/install/gems/sources_spec.rb
+++ b/spec/install/gems/sources_spec.rb
@@ -15,7 +15,7 @@ describe "bundle install with gems on multiple sources" do
end
end
- context "when the same version of the same gem is in multiple sources" do
+ context "with multiple toplevel sources" do
let(:repo3_rack_version) { "1.0.0" }
before do
@@ -30,10 +30,18 @@ describe "bundle install with gems on multiple sources" do
it "warns about ambiguous gems, but installs anyway, prioritizing sources last to first" do
bundle :install
+ expect(out).to include("Warning: this Gemfile contains multiple primary sources.")
expect(out).to include("Warning: the gem 'rack' was found in multiple sources.")
expect(out).to include("Installed from: file:#{gem_repo1}")
should_be_installed("rack-obama 1.0.0", "rack 1.0.0")
end
+
+ it "errors when disable_multisource is set" do
+ bundle "config disable_multisource true"
+ bundle :install
+ expect(out).to include("Each source after the first must include a block")
+ expect(exitstatus).to eq(14) if exitstatus
+ end
end
context "when different versions of the same gem are in multiple sources" do
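Review bot: The new example "errors when disable_multisource is set" checks the message and the exit status but never asserts that the install was actually stopped, so a regression that printed the message and carried on installing would still pass; adding `should_not_be_installed("rack-obama 1.0.0", "rack 1.0.0")` after the exit-status expectation would pin the behaviour the error is meant to enforce. The `if exitstatus` guard follows the file's existing convention, so that part is fine.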
@@ -51,6 +59,7 @@ describe "bundle install with gems on multiple sources" do
it "warns about ambiguous gems, but installs anyway" do
bundle :install
+ expect(out).to include("Warning: this Gemfile contains multiple primary sources.")
expect(out).to include("Warning: the gem 'rack' was found in multiple sources.")
expect(out).to include("Installed from: file:#{gem_repo1}")
should_be_installed("rack-obama 1.0.0", "rack 1.0.0")
@@ -214,6 +223,7 @@ describe "bundle install with gems on multiple sources" do
it "installs from the other source and warns about ambiguous gems" do
bundle :install
+ expect(out).to include("Warning: this Gemfile contains multiple primary sources.")
expect(out).to include("Warning: the gem 'rack' was found in multiple sources.")
expect(out).to include("Installed from: file:#{gem_repo2}")
should_be_installed("depends_on_rack 1.0.1", "rack 1.0.0")