author | Martin Emde <[email protected]> | 2023-12-01 14:20:51 -0800 |
committer | git <[email protected]> | 2023-12-05 21:09:53 +0000 |
commit | 5f0ea3f590f8983669fe478bc9eace6880353b84 (patch) | |
tree | ca777e6b654fa43b841e3286a9b35a0869987d2e /lib/bundler | |
parent | a33632e1ca7af1e3ba34cff05643aa067561a8cc (diff) |
[rubygems/rubygems] Converts Bundler lockfile checksum validation to opt-in only
Looks for the CHECKSUMS section in the lockfile, activating the feature
only if the section exists. Without a CHECKSUMS section, Bundler will
continue as before, validating checksums at gem install time whenever
checksums from the compact index are present.
https://github.com/rubygems/rubygems/commit/2353cc93a4
Diffstat (limited to 'lib/bundler')
-rw-r--r-- | lib/bundler/checksum.rb | 15 | ||||
-rw-r--r-- | lib/bundler/definition.rb | 7 | ||||
-rw-r--r-- | lib/bundler/endpoint_specification.rb | 1 | ||||
-rw-r--r-- | lib/bundler/lockfile_generator.rb | 1 | ||||
-rw-r--r-- | lib/bundler/lockfile_parser.rb | 15 | ||||
-rw-r--r-- | lib/bundler/rubygems_gem_installer.rb | 10 |
6 files changed, 32 insertions, 17 deletions
diff --git a/lib/bundler/checksum.rb b/lib/bundler/checksum.rb
index f8fd386569..163eac458e 100644
--- a/lib/bundler/checksum.rb
+++ b/lib/bundler/checksum.rb
@@ -9,6 +9,18 @@ module Bundler
 private_constant :DEFAULT_BLOCK_SIZE
 class << self
+ def from_gem_package(gem_package, algo = DEFAULT_ALGORITHM)
+ return if Bundler.settings[:disable_checksum_validation]
+ return unless source = gem_package.instance_variable_get(:@gem)
+ return unless source.respond_to?(:with_read_io)
+
+ source.with_read_io do |io|
+ from_gem(io, source.path)
+ ensure
+ io.rewind
+ end
+ end
+
 def from_gem(io, pathname, algo = DEFAULT_ALGORITHM)
 digest = Bundler::SharedHelpers.digest(algo.upcase).new
 buf = String.new(:capacity => DEFAULT_BLOCK_SIZE)
@@ -17,6 +29,7 @@ module Bundler
 end
 def from_api(digest, source_uri, algo = DEFAULT_ALGORITHM)
+ return if Bundler.settings[:disable_checksum_validation]
 Checksum.new(algo, to_hexdigest(digest, algo), Source.new(:api, source_uri))
 end
@@ -177,7 +190,6 @@ module Bundler
 # This ensures a mismatch error where there are multiple top level sources
 # that contain the same gem with different checksums.
 def replace(spec, checksum)
- return if Bundler.settings[:disable_checksum_validation]
 return unless checksum
 name_tuple = spec.name_tuple
@@ -193,7 +205,6 @@ module Bundler
 end
 def register(spec, checksum)
- return if Bundler.settings[:disable_checksum_validation]
 return unless checksum
 register_checksum(spec.name_tuple, checksum)
 end
diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb
index ca12827579..3493f0732d 100644
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@@ -18,7 +18,8 @@ module Bundler
 :platforms,
 :ruby_version,
 :lockfile,
- :gemfiles
+ :gemfiles,
+ :locked_checksums
 )
 # Given a gemfile and lockfile creates a Bundler definition
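Review bot: `from_gem_package` accepts an `algo` parameter but never forwards it — the call inside the `with_read_io` block is `from_gem(io, source.path)`, so a caller passing a non-default algorithm silently gets `DEFAULT_ALGORITHM` and a checksum that will not compare against what it asked for. Either forward it, `from_gem(io, source.path, algo)`, or drop the parameter so the signature does not promise what the body ignores. The reach into `gem_package.instance_variable_get(:@gem)` is carried over from `gem_checksum` rather than new, but it still deserves a why-comment such as `# Gem::Package exposes no accessor for the opened .gem; read @gem directly (confirm against the targeted rubygems version)`.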
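Review bot: Dropping the `disable_checksum_validation` guard from `replace`, and from `register` in the next hunk, moves enforcement of the setting entirely to where a Checksum is built — `from_gem_package` and `from_api` earlier in this file — so the store now accepts anything it is handed. If any other construction path exists (the lockfile parser's `parse_checksum` is touched by this commit, but the line that turns a lock entry into a Checksum is outside these hunks), checksums from that path would now be registered and compared even when the user has disabled validation; worth confirming. Whichever way that goes, the relocated contract should be stated where it used to be checked, e.g. `# disable_checksum_validation is applied when a Checksum is created (from_gem_package / from_api), not on registration`.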
@@ -92,6 +93,7 @@ module Bundler
 @locked_bundler_version = @locked_gems.bundler_version
 @locked_ruby_version = @locked_gems.ruby_version
 @originally_locked_specs = SpecSet.new(@locked_gems.specs)
+ @locked_checksums = @locked_gems.checksums
 if unlock != true
 @locked_deps = @locked_gems.dependencies
@@ -112,6 +114,7 @@ module Bundler
 @originally_locked_specs = @locked_specs
 @locked_sources = []
 @locked_platforms = []
+ @locked_checksums = nil
 end
 locked_gem_sources = @locked_sources.select {|s| s.is_a?(Source::Rubygems) }
@@ -767,7 +770,7 @@ module Bundler
 sources.all_sources.each do |source|
 # has to be done separately, because we want to keep the locked checksum
 # store for a source, even when doing a full update
- if @locked_gems && locked_source = @locked_gems.sources.find {|s| s == source && !s.equal?(source) }
+ if @locked_checksums && @locked_gems && locked_source = @locked_gems.sources.find {|s| s == source && !s.equal?(source) }
 source.checksum_store.merge!(locked_source.checksum_store)
 end
 # If the source is unlockable and the current command allows an unlock of
diff --git a/lib/bundler/endpoint_specification.rb b/lib/bundler/endpoint_specification.rb
index b639918f70..87cb352efa 100644
--- a/lib/bundler/endpoint_specification.rb
+++ b/lib/bundler/endpoint_specification.rb
@@ -125,7 +125,6 @@ module Bundler
 next unless v
 case k.to_s
 when "checksum"
- next if Bundler.settings[:disable_checksum_validation]
 begin
 @checksum = Checksum.from_api(v.last, @spec_fetcher.uri)
 rescue ArgumentError => e
diff --git a/lib/bundler/lockfile_generator.rb b/lib/bundler/lockfile_generator.rb
index 4d2a968d7e..a646d00ee1 100644
--- a/lib/bundler/lockfile_generator.rb
+++ b/lib/bundler/lockfile_generator.rb
@@ -67,6 +67,7 @@ module Bundler
 end
 def add_checksums
+ return unless definition.locked_checksums
 checksums = definition.resolve.map do |spec|
 spec.source.checksum_store.to_lock(spec)
 end
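Review bot: `@locked_checksums` at `@locked_checksums = @locked_gems.checksums` is named like a collection but, per the lockfile-parser change in this commit, holds `true` when the lockfile has a CHECKSUMS section and `nil` otherwise; the same flag is set to `nil` in the no-lockfile branch of the next hunk and gates the checksum-store merge in the third (`if @locked_checksums && @locked_gems && ...`). A reader of Definition alone cannot tell that, so annotate the assignment: `# true when the lockfile has a CHECKSUMS section (opt-in), nil otherwise; see LockfileParser#checksums`. The merge guard also deserves a sentence: without the section, previously locked checksums are no longer carried into the source's store and so take no part in comparison — intended by the commit, but not obvious from the existing "keep the locked checksum store" comment, which now reads as contradicted. The method enclosing the first two hunks starts outside them.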
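Review bot: The early `return unless definition.locked_checksums` in `add_checksums` is undocumented, and its consequence is non-obvious: a lockfile regenerated for a project whose existing lock has no CHECKSUMS section — or that has no lockfile yet, where Definition sets `@locked_checksums = nil` — never gains one, so regenerating the lock cannot turn the feature on. A comment stating that, e.g. `# CHECKSUMS is opt-in: emit the section only when the existing lockfile already had it`, would stop the next reader from assuming checksums were silently dropped. How a user opts in for a new lockfile is not visible in this commit; if it is by adding the section by hand, that is worth saying here as well.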
diff --git a/lib/bundler/lockfile_parser.rb b/lib/bundler/lockfile_parser.rb
index 942f051052..1e11621e55 100644
--- a/lib/bundler/lockfile_parser.rb
+++ b/lib/bundler/lockfile_parser.rb
@@ -24,7 +24,15 @@ module Bundler
 end
 end
- attr_reader :sources, :dependencies, :specs, :platforms, :bundler_version, :ruby_version, :checksums
+ attr_reader(
+ :sources,
+ :dependencies,
+ :specs,
+ :platforms,
+ :bundler_version,
+ :ruby_version,
+ :checksums,
+ )
 BUNDLED = "BUNDLED WITH"
 DEPENDENCIES = "DEPENDENCIES"
@@ -111,6 +119,9 @@ module Bundler
 elsif line == DEPENDENCIES
 @parse_method = :parse_dependency
 elsif line == CHECKSUMS
+ # This is a temporary solution to make this feature disabled by default
+ # for all gemfiles that don't already explicitly include the feature.
+ @checksums = true
 @parse_method = :parse_checksum
 elsif line == PLATFORMS
 @parse_method = :parse_platform
@@ -228,8 +239,6 @@ module Bundler
 version = Gem::Version.new(version)
 platform = platform ? Gem::Platform.new(platform) : Gem::Platform::RUBY
 full_name = Gem::NameTuple.new(name, version, platform).full_name
- # Don't raise exception if there's a checksum for a gem that's not in the lockfile,
- # we prefer to heal invalid lockfiles
 return unless spec = @specs[full_name]
 checksums.split(",") do |lock_checksum|
diff --git a/lib/bundler/rubygems_gem_installer.rb b/lib/bundler/rubygems_gem_installer.rb
index d04ef62e8e..23fb3c0416 100644
--- a/lib/bundler/rubygems_gem_installer.rb
+++ b/lib/bundler/rubygems_gem_installer.rb
@@ -103,15 +103,7 @@ module Bundler
 end
 def gem_checksum
- return nil if Bundler.settings[:disable_checksum_validation]
- return nil unless source = @package.instance_variable_get(:@gem)
- return nil unless source.respond_to?(:with_read_io)
-
- source.with_read_io do |io|
- Checksum.from_gem(io, source.path)
- ensure
- io.rewind
- end
+ Checksum.from_gem_package(@package)
 end
 private |
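Review bot: `@checksums = true` turns the `checksums` reader into a presence flag rather than the parsed checksums its name and the `attr_reader` in the previous hunk suggest, and the inline comment says only that the arrangement is temporary, not what the value means. State it at the reader, e.g. `# checksums: true when the lockfile contains a CHECKSUMS section (feature opt-in), nil otherwise`, so callers such as Definition#locked_checksums can be read without this commit's history. If nothing else in the parser assigns `@checksums` — not visible here — a name like `checksums_section?` would be clearer when the temporary solution is revisited.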
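Review bot: The two-line comment explaining why `return unless spec = @specs[full_name]` silently skips a lock checksum for a gem that is not in the lockfile is removed while the guard itself stays, so the behavior loses its only stated rationale. Keep a one-liner above the guard: `# Skip checksums for gems absent from the lockfile rather than raising; we prefer to heal invalid lockfiles`. The method containing this guard starts and continues outside the hunk.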