From 7117610b4665560604be0dfef7f29e4ad4c96312 Mon Sep 17 00:00:00 2001
From: Yuta Kurotaki <yuta.kurotaki@gmail.com>
Date: Fri, 24 Apr 2026 05:26:56 +0900
Subject: [PATCH] Deprecate parsing non-lockfile content in LockfileParser

Bundler::LockfileParser#initialize silently accepted any string input,
including Gemfiles or arbitrary text, producing an empty parser with
no indication that the input was invalid. This caused downstream
tooling like bundler-audit to operate on unvalidated content.

Detect non-lockfile content by checking for any of the known section
headers; empty input is left untouched for backward compatibility.
Rather than raising immediately, emit a deprecation warning via
SharedHelpers.feature_deprecated! announcing that a future Bundler
version will raise LockfileError. Expose LockfileParser#valid? so
callers can branch on the result without string-matching the message.

Fixes #8932
---
 bundler/lib/bundler/lockfile_parser.rb | 15 +++++++
 spec/bundler/lockfile_parser_spec.rb   | 61 ++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

diff --git a/bundler/lib/bundler/lockfile_parser.rb b/bundler/lib/bundler/lockfile_parser.rb
index a837f994cd90..e0bb83ab6669 100644
--- a/bundler/lib/bundler/lockfile_parser.rb
+++ b/bundler/lib/bundler/lockfile_parser.rb
@@ -115,6 +115,17 @@ def initialize(lockfile, strict: false)
           "Run `git checkout HEAD -- #{@lockfile_path}` first to get a clean lock."
       end
 
+      @valid = lockfile.strip.empty? ||
+        lockfile.split(/(?:\r?\n)+/).any? {|l| KNOWN_SECTIONS.include?(l) }
+
+      unless @valid
+        SharedHelpers.feature_deprecated!(
+          "Your #{@lockfile_path} does not appear to be a valid lockfile. " \
+          "Run `rm #{@lockfile_path}` and then `bundle install` to generate a new lockfile. " \
+          "This will raise a LockfileError in a future version of Bundler."
+        )
+      end
+
       lockfile.split(/((?:\r?\n)+)/) do |line|
         # split alternates between the line and the following whitespace
         next @pos.advance!(line) if line.match?(/^\s*$/)
@@ -164,6 +175,10 @@ def may_include_redundant_platform_specific_gems?
       bundler_version.nil? || bundler_version < Gem::Version.new("1.16.2")
     end
 
+    def valid?
+      @valid
+    end
+
     private
 
     TYPES = {
diff --git a/spec/bundler/lockfile_parser_spec.rb b/spec/bundler/lockfile_parser_spec.rb
index f38da2c99321..4b493a37576b 100644
--- a/spec/bundler/lockfile_parser_spec.rb
+++ b/spec/bundler/lockfile_parser_spec.rb
@@ -129,6 +129,7 @@
 
     shared_examples_for "parsing" do
       it "parses correctly" do
+        expect(subject.valid?).to be(true)
         expect(subject.sources).to eq sources
         expect(subject.dependencies).to eq dependencies
         expect(subject.specs).to eq specs
@@ -191,6 +192,66 @@
       include_examples "parsing"
     end
 
+    context "when the content does not contain any recognized lockfile sections" do
+      let(:lockfile_contents) { "hello world\nlorem ipsum\n" }
+
+      it "does not raise, is not valid, and deprecates" do
+        expect(Bundler::SharedHelpers).to receive(:feature_deprecated!).with(
+          /does not appear to be a valid lockfile.*future version of Bundler/m
+        )
+        parser = described_class.new(lockfile_contents)
+        expect(parser.valid?).to be(false)
+        expect(parser.specs).to eq([])
+        expect(parser.dependencies).to eq({})
+      end
+
+      it "does not raise when strict: true, and still deprecates" do
+        expect(Bundler::SharedHelpers).to receive(:feature_deprecated!).with(
+          /does not appear to be a valid lockfile.*future version of Bundler/m
+        )
+        parser = described_class.new(lockfile_contents, strict: true)
+        expect(parser.valid?).to be(false)
+        expect(parser.specs).to eq([])
+        expect(parser.dependencies).to eq({})
+      end
+    end
+
+    context "when the content looks like a Gemfile DSL" do
+      let(:lockfile_contents) { <<~G }
+        source "https://rubygems.org"
+        gem "rake"
+      G
+
+      it "does not raise, is not valid, and deprecates" do
+        expect(Bundler::SharedHelpers).to receive(:feature_deprecated!).with(
+          /does not appear to be a valid lockfile.*future version of Bundler/m
+        )
+        parser = described_class.new(lockfile_contents)
+        expect(parser.valid?).to be(false)
+        expect(parser.specs).to eq([])
+        expect(parser.dependencies).to eq({})
+      end
+
+      it "does not raise when strict: true, and still deprecates" do
+        expect(Bundler::SharedHelpers).to receive(:feature_deprecated!).with(
+          /does not appear to be a valid lockfile.*future version of Bundler/m
+        )
+        parser = described_class.new(lockfile_contents, strict: true)
+        expect(parser.valid?).to be(false)
+        expect(parser.specs).to eq([])
+        expect(parser.dependencies).to eq({})
+      end
+    end
+
+    context "when the content is empty" do
+      let(:lockfile_contents) { "" }
+
+      it "does not raise and is valid" do
+        expect { subject }.not_to raise_error
+        expect(subject.valid?).to be(true)
+      end
+    end
+
     context "when CHECKSUMS has duplicate checksums in the lockfile that don't match" do
       let(:bad_checksum) { "sha256=c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11c0ffee11" }
       let(:lockfile_contents) { super().split(/(?<=CHECKSUMS\n)/m).insert(1, "  rake (10.3.2) #{bad_checksum}\n").join }