Merge RubyGems-3.2.20 and Bundler-2.2.20

lib/bundler/bundler.gemspec

@@ -39,7 +39,7 @@ Gem::Specification.new do |s|
   # include the gemspec itself because warbler breaks w/o it
   s.files += %w[bundler.gemspec]
 
-  s.extra_rdoc_files = %w[CHANGELOG.md LICENSE.md README.md]
+  s.files += %w[CHANGELOG.md LICENSE.md README.md]
   s.bindir        = "exe"
   s.executables   = %w[bundle bundler]
   s.require_paths = ["lib"]

lib/bundler/cli/check.rb

@@ -11,9 +11,11 @@ def initialize(options)
     def run
       Bundler.settings.set_command_option_if_given :path, options[:path]
 
+      definition = Bundler.definition
+      definition.validate_runtime!
+
       begin
-        definition = Bundler.definition
-        definition.validate_runtime!
+        definition.resolve_only_locally!
         not_installed = definition.missing_specs
       rescue GemNotFound, VersionConflict
         Bundler.ui.error "Bundler can't satisfy your Gemfile's dependencies."

lib/bundler/cli/outdated.rb

@@ -147,6 +147,8 @@ def nothing_outdated_message
 
     def retrieve_active_spec(definition, current_spec)
       active_spec = definition.resolve.find_by_name_and_platform(current_spec.name, current_spec.platform)
+      return unless active_spec
+
       return active_spec if strict
 
       active_specs = active_spec.source.specs.search(current_spec.name).select {|spec| spec.match_platform(current_spec.platform) }.sort_by(&:version)

lib/bundler/definition.rb

@@ -160,6 +160,12 @@ def disable_multisource?
       @disable_multisource
     end
 
+    def resolve_only_locally!
+      @remote = false
+      sources.local_only!
+      resolve
+    end
+
     def resolve_with_cache!
       sources.cached!
       resolve

lib/bundler/fetcher/index.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require_relative "base"
-require "rubygems/remote_fetcher"
 
 module Bundler
   class Fetcher

lib/bundler/friendly_errors.rb

@@ -49,8 +49,6 @@ def log_error(error)
           "Alternatively, you can increase the amount of memory the JVM is able to use by running Bundler with jruby -J-Xmx1024m -S bundle (JRuby defaults to 500MB)."
       else request_issue_report_for(error)
       end
-    rescue StandardError
-      raise error
     end
 
     def exit_status(error)
@@ -111,7 +109,7 @@ def request_issue_report_for(e)
         First, try this link to see if there are any existing issue reports for this error:
         #{issues_url(e)}
 
-        If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
+        If there aren't any reports for this error yet, please copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
         https://github.com/rubygems/rubygems/issues/new?labels=Bundler&template=bundler-related-issue.md
       EOS
     end

lib/bundler/rubygems_integration.rb

@@ -526,13 +526,14 @@ def download_gem(spec, uri, path)
       Bundler::Retry.new("download gem from #{uri}").attempts do
         fetcher.download(spec, uri, path)
       end
+    rescue Gem::RemoteFetcher::FetchError => e
+      raise Bundler::HTTPError, "Could not download gem from #{uri} due to underlying error <#{e.message}>"
     end
 
     def gem_remote_fetcher
-      require "resolv"
+      require "rubygems/remote_fetcher"
       proxy = configuration[:http_proxy]
-      dns = Resolv::DNS.new
-      Gem::RemoteFetcher.new(proxy, dns)
+      Gem::RemoteFetcher.new(proxy)
     end
 
     def gem_from_path(path, policy = nil)

lib/bundler/source.rb

@@ -36,6 +36,8 @@ def can_lock?(spec)
 
     def local!; end
 
+    def local_only!; end
+
     def cached!; end
 
     def remote!; end

lib/bundler/source/rubygems.rb

@@ -26,6 +26,12 @@ def initialize(options = {})
         Array(options["remotes"]).reverse_each {|r| add_remote(r) }
       end
 
+      def local_only!
+        @specs = nil
+        @allow_local = true
+        @allow_remote = false
+      end
+
       def local!
         return if @allow_local
 

lib/bundler/source_list.rb

@@ -132,6 +132,10 @@ def replace_sources!(replacement_sources)
       false
     end
 
+    def local_only!
+      all_sources.each(&:local_only!)
+    end
+
     def cached!
       all_sources.each(&:cached!)
     end

lib/bundler/version.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: false
 
 module Bundler
-  VERSION = "2.2.19".freeze
+  VERSION = "2.2.20".freeze
 
   def self.bundler_major_version
     @bundler_major_version ||= VERSION.split(".").first.to_i

lib/rubygems.rb

@@ -8,7 +8,7 @@
 require 'rbconfig'
 
 module Gem
-  VERSION = "3.2.19".freeze
+  VERSION = "3.2.20".freeze
 end
 
 # Must be first since it unloads the prelude from 1.9.2

lib/rubygems/installer.rb

@@ -728,6 +728,10 @@ def verify_spec
       raise Gem::InstallError, "#{spec} has an invalid extensions"
     end
 
+    if spec.platform.to_s =~ /\R/
+      raise Gem::InstallError, "#{spec.platform} is an invalid platform"
+    end
+
     unless spec.specification_version.to_s =~ /\A\d+\z/
       raise Gem::InstallError, "#{spec} has an invalid specification_version"
     end

lib/rubygems/specification_policy.rb

@@ -124,25 +124,26 @@ def validate_metadata
     end
 
     metadata.each do |key, value|
+      entry = "metadata['#{key}']"
       if !key.kind_of?(String)
         error "metadata keys must be a String"
       end
 
       if key.size > 128
-        error "metadata key too large (#{key.size} > 128)"
+        error "metadata key is too large (#{key.size} > 128)"
       end
 
       if !value.kind_of?(String)
-        error "metadata values must be a String"
+        error "#{entry} value must be a String"
       end
 
       if value.size > 1024
-        error "metadata value too large (#{value.size} > 1024)"
+        error "#{entry} value is too large (#{value.size} > 1024)"
       end
 
       if METADATA_LINK_KEYS.include? key
         if value !~ VALID_URI_PATTERN
-          error "metadata['#{key}'] has invalid link: #{value.inspect}"
+          error "#{entry} has invalid link: #{value.inspect}"
         end
       end
     end

lib/rubygems/test_case.rb

@@ -553,6 +553,10 @@ def common_installer_teardown
     Gem.pre_uninstall_hooks.clear
   end
 
+  def without_any_upwards_gemfiles
+    ENV["BUNDLE_GEMFILE"] = File.join(@tempdir, "Gemfile")
+  end
+
   ##
   # A git_gem is used with a gem dependencies file.  The gem created here
   # has no files, just a gem specification for the given +name+ and +version+.

spec/bundler/bundler/fetcher/index_spec.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "rubygems/remote_fetcher"
+
 RSpec.describe Bundler::Fetcher::Index do
   let(:downloader)  { nil }
   let(:remote)      { nil }

spec/bundler/commands/check_spec.rb

@@ -288,6 +288,66 @@
     end
   end
 
+  describe "when using only scoped rubygems sources" do
+    before do
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo1)}" do
+          gem "rack"
+        end
+      G
+    end
+
+    it "returns success when the Gemfile is satisfied" do
+      system_gems "rack-1.0.0", :path => default_bundle_path
+      bundle :check
+      expect(out).to include("The Gemfile's dependencies are satisfied")
+    end
+  end
+
+  describe "when using only scoped rubygems sources with indirect dependencies" do
+    before do
+      build_repo4 do
+        build_gem "depends_on_rack" do |s|
+          s.add_dependency "rack"
+        end
+
+        build_gem "rack"
+      end
+
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo4)}" do
+          gem "depends_on_rack"
+        end
+      G
+    end
+
+    it "returns success when the Gemfile is satisfied and generates a correct lockfile" do
+      system_gems "depends_on_rack-1.0", "rack-1.0", :gem_repo => gem_repo4, :path => default_bundle_path
+      bundle :check
+      expect(out).to include("The Gemfile's dependencies are satisfied")
+      expect(lockfile).to eq <<~L
+        GEM
+          specs:
+
+        GEM
+          remote: #{file_uri_for(gem_repo4)}/
+          specs:
+            depends_on_rack (1.0)
+              rack
+            rack (1.0)
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          depends_on_rack!
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+    end
+  end
+
   describe "BUNDLED WITH" do
     def lock_with(bundler_version = nil)
       lock = <<-L

spec/bundler/commands/outdated_spec.rb

@@ -1292,4 +1292,53 @@ def test_group_option(group)
       expect(out).to end_with(expected_output)
     end
   end
+
+  context "when a gem is no longer a dependency after a full update" do
+    before do
+      build_repo4 do
+        build_gem "mini_portile2", "2.5.2" do |s|
+          s.add_dependency "net-ftp", "~> 0.1"
+        end
+
+        build_gem "mini_portile2", "2.5.3"
+
+        build_gem "net-ftp", "0.1.2"
+      end
+
+      gemfile <<~G
+        source "#{file_uri_for(gem_repo4)}"
+
+        gem "mini_portile2"
+      G
+
+      lockfile <<~L
+        GEM
+          remote: #{file_uri_for(gem_repo4)}/
+          specs:
+            mini_portile2 (2.5.2)
+              net-ftp (~> 0.1)
+            net-ftp (0.1.2)
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          mini_portile2
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+    end
+
+    it "works" do
+      bundle "outdated", :raise_on_error => false
+
+      expected_output = <<~TABLE.strip
+        Gem            Current  Latest  Requested  Groups
+        mini_portile2  2.5.2    2.5.3   >= 0       default
+      TABLE
+
+      expect(out).to end_with(expected_output)
+    end
+  end
 end

spec/bundler/install/global_cache_spec.rb

@@ -113,6 +113,8 @@ def source2_global_cache(*segments)
         expect(source2_global_cache("rack-0.9.1.gem")).to exist
         bundle :install, :artifice => "compact_index_no_gem", :raise_on_error => false
         expect(err).to include("Internal Server Error 500")
+        expect(err).not_to include("please copy and paste the report template above into a new issue")
+
         # rack 1.0.0 is not installed and rack 0.9.1 is not
         expect(the_bundle).not_to include_gems "rack 1.0.0"
         expect(the_bundle).not_to include_gems "rack 0.9.1"
@@ -126,6 +128,8 @@ def source2_global_cache(*segments)
         expect(source2_global_cache("rack-0.9.1.gem")).to exist
         bundle :install, :artifice => "compact_index_no_gem", :raise_on_error => false
         expect(err).to include("Internal Server Error 500")
+        expect(err).not_to include("please copy and paste the report template above into a new issue")
+
         # rack 0.9.1 is not installed and rack 1.0.0 is not
         expect(the_bundle).not_to include_gems "rack 0.9.1"
         expect(the_bundle).not_to include_gems "rack 1.0.0"

test/rubygems/test_gem_bundler_version_finder.rb

@@ -6,14 +6,12 @@ def setup
     super
 
     @argv = ARGV.dup
-    @env = ENV.to_hash.clone
-    ENV.delete("BUNDLER_VERSION")
     @dollar_0 = $0
+    without_any_upwards_gemfiles
   end
 
   def teardown
     ARGV.replace @argv
-    ENV.replace @env
     $0 = @dollar_0
 
     super

test/rubygems/test_gem_dependency.rb

@@ -3,6 +3,12 @@
 require 'rubygems/dependency'
 
 class TestGemDependency < Gem::TestCase
+  def setup
+    super
+
+    without_any_upwards_gemfiles
+  end
+
   def test_initialize
     d = dep "pkg", "> 1.0"
 

test/rubygems/test_gem_installer.rb

@@ -1776,6 +1776,26 @@ def spec.validate(*args); end
     end
   end
 
+  def test_pre_install_checks_malicious_platform_before_eval
+    gem_with_ill_formated_platform = File.expand_path("packages/ill-formatted-platform-1.0.0.10.gem", __dir__)
+
+    installer = Gem::Installer.at(
+      gem_with_ill_formated_platform,
+      :install_dir => @gem_home,
+      :user_install => false,
+      :force => true
+    )
+
+    use_ui @ui do
+      e = assert_raise Gem::InstallError do
+        installer.pre_install_checks
+      end
+
+      assert_equal "x86-mswin32\n system('id > /tmp/nyangawa')# is an invalid platform", e.message
+      assert_empty @ui.output
+    end
+  end
+
   def test_shebang
     installer = setup_base_installer