From 05f0ebba3a2c8ddf39e436f412dc2ab5bf1353b2 Mon Sep 17 00:00:00 2001 
From: GitLab Bot Date: Wed, 18 Jan 2023 19:00:14 +0000 Subject: Add latest changes from gitlab-org/gitlab@15-8-stable-ee --- vendor/aws/cloudformation/eks_cluster.yaml | 342 --------------------- vendor/aws/iam/eks_cluster_read_only_policy.json | 17 - vendor/gems/bundler-checksum/README.md | 2 +- vendor/gems/bundler-checksum/bin/bundler-checksum | 4 +- .../gems/bundler-checksum/bundler-checksum.gemspec | 4 +- .../gems/bundler-checksum/lib/bundler-checksum.rb | 2 +- .../gems/bundler-checksum/lib/bundler/checksum.rb | 110 ------- .../lib/bundler/checksum/command.rb | 27 -- .../lib/bundler/checksum/command/helper.rb | 28 -- .../lib/bundler/checksum/command/init.rb | 83 ----- .../lib/bundler/checksum/command/verify.rb | 52 ---- .../lib/bundler/checksum/version.rb | 8 - .../gems/bundler-checksum/lib/bundler_checksum.rb | 108 +++++++ .../lib/bundler_checksum/command.rb | 27 ++ .../lib/bundler_checksum/command/helper.rb | 28 ++ .../lib/bundler_checksum/command/init.rb | 83 +++++ .../lib/bundler_checksum/command/verify.rb | 52 ++++ .../lib/bundler_checksum/version.rb | 6 + .../test/project_with_checksum_lock/Gemfile | 2 +- 19 files changed, 311 insertions(+), 674 deletions(-) delete mode 100644 vendor/aws/cloudformation/eks_cluster.yaml delete mode 100644 vendor/aws/iam/eks_cluster_read_only_policy.json delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum.rb delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum/command.rb delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum/command/helper.rb delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum/command/init.rb delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum/command/verify.rb delete mode 100644 vendor/gems/bundler-checksum/lib/bundler/checksum/version.rb create mode 100644 vendor/gems/bundler-checksum/lib/bundler_checksum.rb create mode 100644 vendor/gems/bundler-checksum/lib/bundler_checksum/command.rb create mode 100644 
vendor/gems/bundler-checksum/lib/bundler_checksum/command/helper.rb create mode 100644 vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb create mode 100644 vendor/gems/bundler-checksum/lib/bundler_checksum/command/verify.rb create mode 100644 vendor/gems/bundler-checksum/lib/bundler_checksum/version.rb (limited to 'vendor') diff --git a/vendor/aws/cloudformation/eks_cluster.yaml b/vendor/aws/cloudformation/eks_cluster.yaml deleted file mode 100644 index 8d93734fd46..00000000000 --- a/vendor/aws/cloudformation/eks_cluster.yaml +++ /dev/null 
@@ -1,342 +0,0 @@ ---- -AWSTemplateFormatVersion: "2010-09-09" -Description: GitLab EKS Cluster - -Parameters: - - KubernetesVersion: - Description: The Kubernetes version to install - Type: String - Default: "1.20" - AllowedValues: - - "1.16" - - "1.17" - - "1.18" - - "1.19" - - "1.20" - - KeyName: - Description: The EC2 Key Pair to allow SSH access to the node instances - Type: AWS::EC2::KeyPair::KeyName - - NodeImageIdSSMParam: - Type: "AWS::SSM::Parameter::Value" - Default: /aws/service/eks/optimized-ami/1.17/amazon-linux-2/recommended/image_id - Description: AWS Systems Manager Parameter Store parameter of the AMI ID for the worker node instances. - - NodeInstanceType: - Description: EC2 instance type for the node instances - Type: String - Default: t3.medium - ConstraintDescription: Must be a valid EC2 instance type - AllowedValues: - - t2.small - - t2.medium - - t2.large - - t2.xlarge - - t2.2xlarge - - t3.nano - - t3.micro - - t3.small - - t3.medium - - t3.large - - t3.xlarge - - t3.2xlarge - - m3.medium - - m3.large - - m3.xlarge - - m3.2xlarge - - m4.large - - m4.xlarge - - m4.2xlarge - - m4.4xlarge - - m4.10xlarge - - m5.large - - m5.xlarge - - m5.2xlarge - - m5.4xlarge - - m5.12xlarge - - m5.24xlarge - - c4.large - - c4.xlarge - - c4.2xlarge - - c4.4xlarge - - c4.8xlarge - - c5.large - - c5.xlarge - - c5.2xlarge - - c5.4xlarge - - c5.9xlarge - - c5.18xlarge - - i3.large - - i3.xlarge - - i3.2xlarge - - i3.4xlarge - - i3.8xlarge - - i3.16xlarge - - r3.xlarge - - r3.2xlarge - - r3.4xlarge - - r3.8xlarge - - r4.large - - r4.xlarge - - r4.2xlarge - - r4.4xlarge - - r4.8xlarge - - r4.16xlarge - - x1.16xlarge - - x1.32xlarge - - p2.xlarge - - p2.8xlarge - - p2.16xlarge - - p3.2xlarge - - p3.8xlarge - - p3.16xlarge - - p3dn.24xlarge - - r5.large - - r5.xlarge - - r5.2xlarge - - r5.4xlarge - - r5.12xlarge - - r5.24xlarge - - r5d.large - - r5d.xlarge - - r5d.2xlarge - - r5d.4xlarge - - r5d.12xlarge - - r5d.24xlarge - - z1d.large - - z1d.xlarge - - z1d.2xlarge - 
- z1d.3xlarge - - z1d.6xlarge - - z1d.12xlarge - - NodeAutoScalingGroupDesiredCapacity: - Description: Desired capacity of Node Group ASG. - Type: Number - Default: 3 - - NodeVolumeSize: - Description: Node volume size - Type: Number - Default: 20 - - ClusterName: - Description: Unique name for your Amazon EKS cluster. - Type: String - - ClusterRole: - Description: The IAM Role to allow Amazon EKS and the Kubernetes control plane to manage AWS resources on your behalf. - Type: String - - ClusterControlPlaneSecurityGroup: - Description: The security groups to apply to the EKS-managed Elastic Network Interfaces that are created in your worker node subnets. - Type: AWS::EC2::SecurityGroup::Id - - VpcId: - Description: The VPC to use for your EKS Cluster resources. - Type: AWS::EC2::VPC::Id - - Subnets: - Description: The subnets in your VPC where your worker nodes will run. - Type: List - -Metadata: - - AWS::CloudFormation::Interface: - ParameterGroups: - - Label: - default: EKS Cluster - Parameters: - - ClusterName - - ClusterRole - - KubernetesVersion - - ClusterControlPlaneSecurityGroup - - Label: - default: Worker Node Configuration - Parameters: - - NodeAutoScalingGroupDesiredCapacity - - NodeInstanceType - - NodeImageIdSSMParam - - NodeVolumeSize - - KeyName - - Label: - default: Worker Network Configuration - Parameters: - - VpcId - - Subnets - -Resources: - - Cluster: - Type: AWS::EKS::Cluster - Properties: - Name: !Sub ${ClusterName} - Version: !Sub ${KubernetesVersion} - RoleArn: !Sub ${ClusterRole} - ResourcesVpcConfig: - SecurityGroupIds: - - !Ref ClusterControlPlaneSecurityGroup - SubnetIds: !Ref Subnets - - NodeInstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: "/" - Roles: - - !Ref NodeInstanceRole - - NodeInstanceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: "2012-10-17" - Statement: - - Effect: Allow - Principal: - Service: ec2.amazonaws.com - Action: sts:AssumeRole - Path: "/" - 
ManagedPolicyArns: - - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - - NodeSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: Security group for all nodes in the cluster - VpcId: !Ref VpcId - Tags: - - Key: !Sub kubernetes.io/cluster/${ClusterName} - Value: owned - - NodeSecurityGroupIngress: - Type: AWS::EC2::SecurityGroupIngress - DependsOn: NodeSecurityGroup - Properties: - Description: Allow nodes to communicate with each other - GroupId: !Ref NodeSecurityGroup - SourceSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: -1 - FromPort: 0 - ToPort: 65535 - - NodeSecurityGroupFromControlPlaneIngress: - Type: AWS::EC2::SecurityGroupIngress - DependsOn: NodeSecurityGroup - Properties: - Description: Allow worker Kubelets and pods to receive communication from the cluster control plane - GroupId: !Ref NodeSecurityGroup - SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup - IpProtocol: tcp - FromPort: 1025 - ToPort: 65535 - - ControlPlaneEgressToNodeSecurityGroup: - Type: AWS::EC2::SecurityGroupEgress - DependsOn: NodeSecurityGroup - Properties: - Description: Allow the cluster control plane to communicate with worker Kubelet and pods - GroupId: !Ref ClusterControlPlaneSecurityGroup - DestinationSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: tcp - FromPort: 1025 - ToPort: 65535 - - NodeSecurityGroupFromControlPlaneOn443Ingress: - Type: AWS::EC2::SecurityGroupIngress - DependsOn: NodeSecurityGroup - Properties: - Description: Allow pods running extension API servers on port 443 to receive communication from cluster control plane - GroupId: !Ref NodeSecurityGroup - SourceSecurityGroupId: !Ref ClusterControlPlaneSecurityGroup - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - - ControlPlaneEgressToNodeSecurityGroupOn443: - Type: AWS::EC2::SecurityGroupEgress - DependsOn: NodeSecurityGroup - Properties: - 
Description: Allow the cluster control plane to communicate with pods running extension API servers on port 443 - GroupId: !Ref ClusterControlPlaneSecurityGroup - DestinationSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: tcp - FromPort: 443 - ToPort: 443 - - ClusterControlPlaneSecurityGroupIngress: - Type: AWS::EC2::SecurityGroupIngress - DependsOn: NodeSecurityGroup - Properties: - Description: Allow pods to communicate with the cluster API Server - GroupId: !Ref ClusterControlPlaneSecurityGroup - SourceSecurityGroupId: !Ref NodeSecurityGroup - IpProtocol: tcp - ToPort: 443 - FromPort: 443 - - NodeGroup: - Type: AWS::AutoScaling::AutoScalingGroup - DependsOn: Cluster - Properties: - DesiredCapacity: !Ref NodeAutoScalingGroupDesiredCapacity - LaunchConfigurationName: !Ref NodeLaunchConfig - MinSize: !Ref NodeAutoScalingGroupDesiredCapacity - MaxSize: !Ref NodeAutoScalingGroupDesiredCapacity - VPCZoneIdentifier: !Ref Subnets - Tags: - - Key: Name - Value: !Sub ${ClusterName}-node - PropagateAtLaunch: true - - Key: !Sub kubernetes.io/cluster/${ClusterName} - Value: owned - PropagateAtLaunch: true - UpdatePolicy: - AutoScalingRollingUpdate: - MaxBatchSize: 1 - MinInstancesInService: !Ref NodeAutoScalingGroupDesiredCapacity - PauseTime: PT5M - - NodeLaunchConfig: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - AssociatePublicIpAddress: true - IamInstanceProfile: !Ref NodeInstanceProfile - ImageId: !Ref NodeImageIdSSMParam - InstanceType: !Ref NodeInstanceType - KeyName: !Ref KeyName - SecurityGroups: - - !Ref NodeSecurityGroup - BlockDeviceMappings: - - DeviceName: /dev/xvda - Ebs: - VolumeSize: !Ref NodeVolumeSize - VolumeType: gp2 - DeleteOnTermination: true - UserData: - Fn::Base64: - !Sub | - #!/bin/bash - set -o xtrace - /etc/eks/bootstrap.sh "${ClusterName}" - /opt/aws/bin/cfn-signal --exit-code $? 
\ - --stack ${AWS::StackName} \ - --resource NodeGroup \ - --region ${AWS::Region} - -Outputs: - - NodeInstanceRole: - Description: The node instance role - Value: !GetAtt NodeInstanceRole.Arn - - ClusterCertificate: - Description: The cluster certificate - Value: !GetAtt Cluster.CertificateAuthorityData - - ClusterEndpoint: - Description: The cluster endpoint - Value: !GetAtt Cluster.Endpoint diff --git a/vendor/aws/iam/eks_cluster_read_only_policy.json b/vendor/aws/iam/eks_cluster_read_only_policy.json deleted file mode 100644 index 425b9a3eff9..00000000000 --- a/vendor/aws/iam/eks_cluster_read_only_policy.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:ListRoles", - "ec2:DescribeKeyPairs", - "ec2:DescribeRegions", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs" - ], - "Resource": "*" - } - ] -} diff --git a/vendor/gems/bundler-checksum/README.md b/vendor/gems/bundler-checksum/README.md index 1420dc49b94..675c3ad2ee8 100644 --- a/vendor/gems/bundler-checksum/README.md +++ b/vendor/gems/bundler-checksum/README.md @@ -9,7 +9,7 @@ Add the following to your Gemfile: ``` if ENV['BUNDLER_CHECKSUM_VERIFICATION_OPT_IN'] # this verification is still experimental require 'bundler-checksum' - Bundler::Checksum.patch! + BundlerChecksum.patch! end ``` diff --git a/vendor/gems/bundler-checksum/bin/bundler-checksum b/vendor/gems/bundler-checksum/bin/bundler-checksum index 2d0aea827bc..0ef2748a518 100755 --- a/vendor/gems/bundler-checksum/bin/bundler-checksum +++ b/vendor/gems/bundler-checksum/bin/bundler-checksum @@ -1,6 +1,6 @@ #!/usr/bin/env ruby require 'bundler-checksum' -require 'bundler/checksum/command' +require 'bundler_checksum/command' -Bundler::Checksum::Command.execute(ARGV) +BundlerChecksum::Command.execute(ARGV) 
diff --git a/vendor/gems/bundler-checksum/bundler-checksum.gemspec b/vendor/gems/bundler-checksum/bundler-checksum.gemspec index c04312480b6..b9667570549 100644 --- a/vendor/gems/bundler-checksum/bundler-checksum.gemspec +++ b/vendor/gems/bundler-checksum/bundler-checksum.gemspec @@ -1,10 +1,10 @@ # frozen_string_literal: true -require_relative 'lib/bundler/checksum/version' +require_relative 'lib/bundler_checksum/version' Gem::Specification.new do |spec| spec.name = 'bundler-checksum' - spec.version = Bundler::Checksum::VERSION + spec.version = BundlerChecksum::VERSION spec.authors = ['dustinmm80'] spec.email = ['dcollins@gitlab.com'] diff --git a/vendor/gems/bundler-checksum/lib/bundler-checksum.rb b/vendor/gems/bundler-checksum/lib/bundler-checksum.rb index 600cd4f7107..c2abf1b41d6 100644 --- a/vendor/gems/bundler-checksum/lib/bundler-checksum.rb +++ b/vendor/gems/bundler-checksum/lib/bundler-checksum.rb @@ -1 +1 @@ -require 'bundler/checksum' +require 'bundler_checksum' diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum.rb deleted file mode 100644 index 40c42644964..00000000000 --- a/vendor/gems/bundler-checksum/lib/bundler/checksum.rb +++ /dev/null 
@@ -1,110 +0,0 @@ -# frozen_string_literal: true - -require 'bundler' -require 'bundler/checksum/version' -require 'json' - -module Bundler - module Patches - # This module monkey-patches Bundler to check Gemfile.checksum - # when installing gems that are from RubyGems - module RubyGemsInstallerPatch - def pre_install_checks - super && validate_local_package_checksum - end - - private - - def validate_local_package_checksum - cached_checksum = fetch_checksum_from_file(spec) - - if cached_checksum.nil? - raise SecurityError, "Cached checksum for #{spec.full_name} not found. Please (re-)generate Gemfile.checksum with " \ - "`bundle exec bundler-checksum init`. See https://docs.gitlab.com/ee/development/gemfile.html#updating-the-checksum-file." - end - - validate_file_checksum(cached_checksum) - end - - def fetch_checksum_from_file(spec) - ::Bundler::Checksum.checksum_for(spec.name, spec.version.to_s, spec.platform.to_s) - end - - # Modified from - # https://github.com/rubygems/rubygems/blob/243173279e79a38f03e318eea8825d1c8824e119/bundler/lib/bundler/rubygems_gem_installer.rb#L116 - def validate_file_checksum(checksum) - return true if Bundler.settings[:disable_checksum_validation] - - source = @package.instance_variable_get(:@gem) - - # Contary to upstream, we raise instead of silently returning - raise "#{@package.inspect} does not have :@gem" unless source - raise "#{source.inspect} does not respond to :with_read_io" unless source.respond_to?(:with_read_io) - - digest = source.with_read_io do |io| - digest = SharedHelpers.digest(:SHA256).new - digest << io.read(16_384) until io.eof? - io.rewind - send(checksum_type(checksum), digest) - end - unless digest == checksum - raise SecurityError, <<-MESSAGE - Bundler cannot continue installing #{spec.name} (#{spec.version}). - The checksum for the downloaded `#{spec.full_name}.gem` does not match \ - the checksum from the checksum file. 
This means the contents of the downloaded \ - gem is different from what was recorded in the checksum file, and could be potential security issue. - gem is different from what was uploaded to the server, and could be a potential security issue. - - To resolve this issue: - 1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem` - 2. run `bundle install` - - If you wish to continue installing the downloaded gem, and are certain it does not pose a \ - security issue despite the mismatching checksum, do the following: - 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification - 2. run `bundle install` - - (More info: The expected SHA256 checksum was #{checksum.inspect}, but the \ - checksum for the downloaded gem was #{digest.inspect}.) - MESSAGE - end - true - end - end - end -end - -module Bundler - module Checksum - class << self - def checksum_file - @checksum_file ||= File.join(File.dirname(Bundler.default_gemfile), 'Gemfile.checksum') - end - - def checksums_from_file - @checksums_from_file ||= JSON.parse(File.open(checksum_file).read, symbolize_names: true) - rescue JSON::ParserError => e - raise "Invalid checksum file: #{e.message}" - end - - def checksum_for(gem_name, gem_version, gem_platform) - item = checksums_from_file.detect do |item| - item[:name] == gem_name && - item[:platform] == gem_platform && - item[:version] == gem_version - end - - item&.fetch(:checksum) - end - - def patch! - return if defined?(@patched) && @patched - @patched = true - - Bundler.ui.info "Patching bundler with bundler-checksum..." - require 'bundler/rubygems_gem_installer' - ::Bundler::RubyGemsGemInstaller.prepend(Bundler::Patches::RubyGemsInstallerPatch) - end - end - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum/command.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum/command.rb deleted file mode 100644 index 438f41f6e69..00000000000 
--- a/vendor/gems/bundler-checksum/lib/bundler/checksum/command.rb +++ /dev/null @@ -1,27 +0,0 @@ -# frozen_string_literal: true - -module Bundler::Checksum - module Command - autoload :Init, File.expand_path("command/init", __dir__) - autoload :Verify, File.expand_path("command/verify", __dir__) - autoload :Helper, File.expand_path("command/helper", __dir__) - - def self.execute(args) - if args.empty? - $stderr.puts 'A command must be given [init,update,verify]' - end - - if args.first == 'init' - Init.execute - elsif args.first == 'update' - $stderr.puts 'Not implemented, please use init' - elsif args.first == 'verify' - verified = Verify.execute - - unless verified - exit 1 - end - end - end - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/helper.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum/command/helper.rb deleted file mode 100644 index fa06bfe3da4..00000000000 --- a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/helper.rb +++ /dev/null @@ -1,28 +0,0 @@ -# frozen_string_literal: true - -require 'json' -require 'net/http' - -module Bundler::Checksum::Command - module Helper - extend self - - def remote_checksums_for_gem(gem_name, gem_version) - response = Net::HTTP.get_response(URI( - "https://rubygems.org/api/v1/versions/#{gem_name}.json" - )) - - return [] unless response.code == '200' - - gem_candidates = JSON.parse(response.body, symbolize_names: true) - gem_candidates.select! { |g| g[:number] == gem_version.to_s } - - gem_candidates.map { - |g| {:name => gem_name, :version => gem_version, :platform => g[:platform], :checksum => g[:sha]} - } - - rescue JSON::ParserError - [] - end - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/init.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum/command/init.rb deleted file mode 100644 index 47a9b676f1d..00000000000 --- a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/init.rb +++ /dev/null 
@@ -1,83 +0,0 @@ -# frozen_string_literal: true - -require 'openssl' - -module Bundler::Checksum::Command - module Init - extend self - - def execute - $stderr.puts "Initializing checksum file #{checksum_file}" - - checksums = [] - - compact_index_cache = Bundler::Fetcher::CompactIndex - .new(nil, Bundler::Source::Rubygems::Remote.new(Bundler::URI("https://rubygems.org")), nil) - .send(:compact_index_client) - .instance_variable_get(:@cache) - - Bundler.definition.resolve.sort_by(&:name).each do |spec| - next unless spec.source.is_a?(Bundler::Source::Rubygems) - spec_identifier = "#{spec.name}==#{spec.version}" - - previous_checksum = previous_checksums.select do |checksum| - checksum[:name] == spec.name && checksum[:version] == spec.version.to_s - end - - if !previous_checksum.empty? - $stderr.puts "Using #{spec_identifier}" - checksums += previous_checksum - - next - end - - $stderr.puts "Adding #{spec_identifier}" - - compact_index_dependencies = compact_index_cache.dependencies(spec.name).select { |item| item.first == spec.version.to_s } - - if !compact_index_dependencies.empty? - compact_index_checksums = compact_index_dependencies.map do |version, platform, dependencies, requirements| - { - name: spec.name, - version: spec.version.to_s, - platform: Gem::Platform.new(platform).to_s, - checksum: requirements.detect { |requirement| requirement.first == 'checksum' }.flatten[1] - } - end - - checksums += compact_index_checksums.sort_by { |hash| hash.values } - else - remote_checksum = Helper.remote_checksums_for_gem(spec.name, spec.version) - - if remote_checksum.empty? - raise "#{spec.name} #{spec.version} not found on Rubygems!" 
- end - - checksums += remote_checksum.sort_by { |hash| hash.values } - end - end - - File.write(checksum_file, JSON.generate(checksums, array_nl: "\n") + "\n") - end - - private - - def previous_checksums - @previous_checksums ||= - if File.exist?(checksum_file) - ::Bundler::Checksum.checksums_from_file - else - [] - end - end - - def checksum_file - ::Bundler::Checksum.checksum_file - end - - def lockfile - lockfile_path = Bundler.default_lockfile - lockfile = Bundler::LockfileParser.new(Bundler.read_file(lockfile_path)) - end - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/verify.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum/command/verify.rb deleted file mode 100644 index ba2eea6ea0c..00000000000 --- a/vendor/gems/bundler-checksum/lib/bundler/checksum/command/verify.rb +++ /dev/null 
@@ -1,52 +0,0 @@ -# frozen_string_literal: true - -module Bundler::Checksum::Command - module Verify - extend self - - def execute - $stderr.puts 'Verifying bundle checksums' - - verified = true - - local_checksums.each do |gem| - name = gem.fetch(:name) - version = gem.fetch(:version) - platform = gem.fetch(:platform) - checksum = gem.fetch(:checksum) - - $stderr.puts "Verifying #{name}==#{version} #{platform}" - unless validate_gem_checksum(name, version, platform, checksum) - verified = false - end - end - - verified - end - - private - - def local_checksums - ::Bundler::Checksum.checksums_from_file - end - - def validate_gem_checksum(gem_name, gem_version, gem_platform, local_checksum) - remote_checksums = Helper.remote_checksums_for_gem(gem_name, gem_version) - if remote_checksums.empty? - $stderr.puts "#{gem_name} #{gem_version} not found on Rubygems, skipping" - return false - end - - remote_platform_checksum = remote_checksums.find { |g| g[:name] == gem_name && g[:platform] == gem_platform.to_s } - - if local_checksum == remote_platform_checksum[:checksum] - true - else - $stderr.puts "Gem #{gem_name} #{gem_version} #{gem_platform} failed checksum verification" - $stderr.puts "LOCAL: #{local_checksum}" - $stderr.puts "REMOTE: #{remote_platform_checksum[:checksum]}" - return false - end - end - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler/checksum/version.rb b/vendor/gems/bundler-checksum/lib/bundler/checksum/version.rb deleted file mode 100644 index 41e958b2db9..00000000000 --- a/vendor/gems/bundler-checksum/lib/bundler/checksum/version.rb +++ /dev/null @@ -1,8 +0,0 @@ -# frozen_string_literal: true - -module Bundler - module Checksum - # bundler-checksum version - VERSION = '0.1.0' - end -end diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum.rb new file mode 100644 index 00000000000..b3d36521f24 --- /dev/null +++ b/vendor/gems/bundler-checksum/lib/bundler_checksum.rb 
@@ -0,0 +1,108 @@ +# frozen_string_literal: true + +require 'bundler' +require 'bundler_checksum/version' +require 'json' + +module Bundler + module Patches + # This module monkey-patches Bundler to check Gemfile.checksum + # when installing gems that are from RubyGems + module RubyGemsInstallerPatch + def pre_install_checks + super && validate_local_package_checksum + end + + private + + def validate_local_package_checksum + cached_checksum = fetch_checksum_from_file(spec) + + if cached_checksum.nil? + raise SecurityError, "Cached checksum for #{spec.full_name} not found. Please (re-)generate Gemfile.checksum with " \ + "`bundle exec bundler-checksum init`. See https://docs.gitlab.com/ee/development/gemfile.html#updating-the-checksum-file." + end + + validate_file_checksum(cached_checksum) + end + + def fetch_checksum_from_file(spec) + ::BundlerChecksum.checksum_for(spec.name, spec.version.to_s, spec.platform.to_s) + end + + # Modified from + # https://github.com/rubygems/rubygems/blob/243173279e79a38f03e318eea8825d1c8824e119/bundler/lib/bundler/rubygems_gem_installer.rb#L116 + def validate_file_checksum(checksum) + return true if Bundler.settings[:disable_checksum_validation] + + source = @package.instance_variable_get(:@gem) + + # Contary to upstream, we raise instead of silently returning + raise "#{@package.inspect} does not have :@gem" unless source + raise "#{source.inspect} does not respond to :with_read_io" unless source.respond_to?(:with_read_io) + + digest = source.with_read_io do |io| + digest = SharedHelpers.digest(:SHA256).new + digest << io.read(16_384) until io.eof? + io.rewind + send(checksum_type(checksum), digest) + end + unless digest == checksum + raise SecurityError, <<-MESSAGE + Bundler cannot continue installing #{spec.name} (#{spec.version}). + The checksum for the downloaded `#{spec.full_name}.gem` does not match \ + the checksum from the checksum file. 
This means the contents of the downloaded \ + gem is different from what was recorded in the checksum file, and could be potential security issue. + gem is different from what was uploaded to the server, and could be a potential security issue. + + To resolve this issue: + 1. delete the downloaded gem located at: `#{spec.gem_dir}/#{spec.full_name}.gem` + 2. run `bundle install` + + If you wish to continue installing the downloaded gem, and are certain it does not pose a \ + security issue despite the mismatching checksum, do the following: + 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification + 2. run `bundle install` + + (More info: The expected SHA256 checksum was #{checksum.inspect}, but the \ + checksum for the downloaded gem was #{digest.inspect}.) + MESSAGE + end + true + end + end + end +end + +module BundlerChecksum + class << self + def checksum_file + @checksum_file ||= File.join(File.dirname(Bundler.default_gemfile), 'Gemfile.checksum') + end + + def checksums_from_file + @checksums_from_file ||= JSON.parse(File.open(checksum_file).read, symbolize_names: true) + rescue JSON::ParserError => e + raise "Invalid checksum file: #{e.message}" + end + + def checksum_for(gem_name, gem_version, gem_platform) + item = checksums_from_file.detect do |item| + item[:name] == gem_name && + item[:platform] == gem_platform && + item[:version] == gem_version + end + + item&.fetch(:checksum) + end + + def patch! + return if defined?(@patched) && @patched + @patched = true + + Bundler.ui.info "Patching bundler with bundler-checksum..." + require 'bundler/rubygems_gem_installer' + ::Bundler::RubyGemsGemInstaller.prepend(Bundler::Patches::RubyGemsInstallerPatch) + end + end +end diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/command.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/command.rb new file mode 100644 index 00000000000..c6c71431538 --- /dev/null 
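Review bot: The SecurityError heredoc in `validate_file_checksum` carries two near-duplicate lines after "This means the contents of the downloaded \": one says the gem differs from "what was recorded in the checksum file", the next from "what was uploaded to the server", and the user sees both; the second reads as a leftover from the upstream rubygems message the comment says this was modified from. Dropping the `gem is different from what was uploaded to the server, and could be a potential security issue.` line (and fixing "could be potential security issue" to "could be a potential security issue" in the kept one) makes the message say one thing. Separately, `checksums_from_file` reads with `File.open(checksum_file).read`, which leaves the handle open until garbage collection; `File.read(checksum_file)` is the equivalent one-liner. Both were already present in the deleted lib/bundler/checksum.rb, so the namespace move carried them over unchanged.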
+++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/command.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module BundlerChecksum
+ module Command
+ autoload :Init, File.expand_path("command/init", __dir__)
+ autoload :Verify, File.expand_path("command/verify", __dir__)
+ autoload :Helper, File.expand_path("command/helper", __dir__)
+
+ def self.execute(args)
+ if args.empty?
+ $stderr.puts 'A command must be given [init,update,verify]'
+ end
+
+ if args.first == 'init'
+ Init.execute
+ elsif args.first == 'update'
+ $stderr.puts 'Not implemented, please use init'
+ elsif args.first == 'verify'
+ verified = Verify.execute
+
+ unless verified
+ exit 1
+ end
+ end
+ end
+ end
+end
diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/command/helper.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/helper.rb
new file mode 100644
index 00000000000..515f5926106
--- /dev/null
+++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/helper.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'net/http'
+
+module BundlerChecksum::Command
+ module Helper
+ extend self
+
+ def remote_checksums_for_gem(gem_name, gem_version)
+ response = Net::HTTP.get_response(URI(
+ "https://rubygems.org/api/v1/versions/#{gem_name}.json"
+ ))
+
+ return [] unless response.code == '200'
+
+ gem_candidates = JSON.parse(response.body, symbolize_names: true)
+ gem_candidates.select! { |g| g[:number] == gem_version.to_s }
+
+ gem_candidates.map {
+ |g| {:name => gem_name, :version => gem_version, :platform => g[:platform], :checksum => g[:sha]}
+ }
+
+ rescue JSON::ParserError
+ []
+ end
+ end
+end
diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb
new file mode 100644
index 00000000000..1d8db7d78fa
--- /dev/null
+++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/init.rb
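Review bot: In `Command.execute`, the `args.empty?` branch prints the usage message but does not exit, and an unrecognised command matches none of the `if`/`elsif` arms, so both cases fall through and the process exits 0 as though verification had run. A CI job that invokes the tool with a mistyped subcommand would therefore pass silently, which defeats the purpose of a checksum gate. Add `exit 1` after the `$stderr.puts 'A command must be given [init,update,verify]'` line, and close the chain with `else $stderr.puts "Unknown command #{args.first.inspect}"; exit 1` so only `init`, `update` and `verify` can return success.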
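Review bot: `Helper.remote_checksums_for_gem` interpolates `gem_name` straight into the rubygems.org URL path; the names reach it from Gemfile.checksum (via Verify) or the resolved bundle (via Init) and are not validated anywhere in this commit, so a name containing `/`, `?` or `#` would query a different endpoint rather than fail. A one-line guard before the request, `raise ArgumentError, "invalid gem name: #{gem_name.inspect}" unless gem_name.match?(/\A[A-Za-z0-9_.-]+\z/)`, keeps the lookup to a plain path segment. Also note that only a literal `'200'` counts as success, so any redirect from the API is reported by the callers as "not found on Rubygems", and failures other than bad JSON (timeouts, DNS, TLS errors) propagate out of the `rescue JSON::ParserError` unhandled; a short comment on the method stating that it returns `[]` for non-200 and unparsable responses but raises on transport errors would tell callers what to expect.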
@@ -0,0 +1,83 @@ +# frozen_string_literal: true + +require 'openssl' + +module BundlerChecksum::Command + module Init + extend self + + def execute + $stderr.puts "Initializing checksum file #{checksum_file}" + + checksums = [] + + compact_index_cache = Bundler::Fetcher::CompactIndex + .new(nil, Bundler::Source::Rubygems::Remote.new(Bundler::URI("https://rubygems.org")), nil) + .send(:compact_index_client) + .instance_variable_get(:@cache) + + Bundler.definition.resolve.sort_by(&:name).each do |spec| + next unless spec.source.is_a?(Bundler::Source::Rubygems) + spec_identifier = "#{spec.name}==#{spec.version}" + + previous_checksum = previous_checksums.select do |checksum| + checksum[:name] == spec.name && checksum[:version] == spec.version.to_s + end + + if !previous_checksum.empty? + $stderr.puts "Using #{spec_identifier}" + checksums += previous_checksum + + next + end + + $stderr.puts "Adding #{spec_identifier}" + + compact_index_dependencies = compact_index_cache.dependencies(spec.name).select { |item| item.first == spec.version.to_s } + + if !compact_index_dependencies.empty? + compact_index_checksums = compact_index_dependencies.map do |version, platform, dependencies, requirements| + { + name: spec.name, + version: spec.version.to_s, + platform: Gem::Platform.new(platform).to_s, + checksum: requirements.detect { |requirement| requirement.first == 'checksum' }.flatten[1] + } + end + + checksums += compact_index_checksums.sort_by { |hash| hash.values } + else + remote_checksum = Helper.remote_checksums_for_gem(spec.name, spec.version) + + if remote_checksum.empty? + raise "#{spec.name} #{spec.version} not found on Rubygems!" 
+ end + + checksums += remote_checksum.sort_by { |hash| hash.values } + end + end + + File.write(checksum_file, JSON.generate(checksums, array_nl: "\n") + "\n") + end + + private + + def previous_checksums + @previous_checksums ||= + if File.exist?(checksum_file) + ::BundlerChecksum.checksums_from_file + else + [] + end + end + + def checksum_file + ::BundlerChecksum.checksum_file + end + + def lockfile + lockfile_path = Bundler.default_lockfile + lockfile = Bundler::LockfileParser.new(Bundler.read_file(lockfile_path)) + end + end +end diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/command/verify.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/verify.rb new file mode 100644 index 00000000000..e6a52ded42c --- /dev/null +++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/command/verify.rb 
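Review bot: In `Init.execute`, `requirements.detect { |requirement| requirement.first == 'checksum' }.flatten[1]` calls `flatten` on nil whenever a compact-index entry for the version carries no checksum requirement, so a missing upstream checksum surfaces as a NoMethodError inside the loop rather than as the explicit "not found on Rubygems!" style error raised a few lines below; binding the `detect` result to a local first and raising a message naming `spec_identifier` when it is nil keeps the failure readable. The private `lockfile` method is not called from any file in this commit and assigns a `lockfile` local that is immediately discarded, and `require 'openssl'` has no user in the hunk while `JSON.generate` relies on `json` being loaded by the main file — dead code the namespace move carried over. Reaching into Bundler via `.send(:compact_index_client).instance_variable_get(:@cache)` couples the tool to private Bundler internals; a comment recording the Bundler version this was written against would help whoever upgrades it next.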
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module BundlerChecksum::Command
+ module Verify
+ extend self
+
+ def execute
+ $stderr.puts 'Verifying bundle checksums'
+
+ verified = true
+
+ local_checksums.each do |gem|
+ name = gem.fetch(:name)
+ version = gem.fetch(:version)
+ platform = gem.fetch(:platform)
+ checksum = gem.fetch(:checksum)
+
+ $stderr.puts "Verifying #{name}==#{version} #{platform}"
+ unless validate_gem_checksum(name, version, platform, checksum)
+ verified = false
+ end
+ end
+
+ verified
+ end
+
+ private
+
+ def local_checksums
+ ::BundlerChecksum.checksums_from_file
+ end
+
+ def validate_gem_checksum(gem_name, gem_version, gem_platform, local_checksum)
+ remote_checksums = Helper.remote_checksums_for_gem(gem_name, gem_version)
+ if remote_checksums.empty?
+ $stderr.puts "#{gem_name} #{gem_version} not found on Rubygems, skipping"
+ return false
+ end
+
+ remote_platform_checksum = remote_checksums.find { |g| g[:name] == gem_name && g[:platform] == gem_platform.to_s }
+
+ if local_checksum == remote_platform_checksum[:checksum]
+ true
+ else
+ $stderr.puts "Gem #{gem_name} #{gem_version} #{gem_platform} failed checksum verification"
+ $stderr.puts "LOCAL: #{local_checksum}"
+ $stderr.puts "REMOTE: #{remote_platform_checksum[:checksum]}"
+ return false
+ end
+ end
+ end
+end
diff --git a/vendor/gems/bundler-checksum/lib/bundler_checksum/version.rb b/vendor/gems/bundler-checksum/lib/bundler_checksum/version.rb
new file mode 100644
index 00000000000..367a9e49a47
--- /dev/null
+++ b/vendor/gems/bundler-checksum/lib/bundler_checksum/version.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module BundlerChecksum
+ # bundler-checksum version
+ VERSION = '0.1.0'
+end
diff --git a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile
index 238bd09669f..503cf4587fa 100644
--- a/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile
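Review bot: In `Verify.validate_gem_checksum`, `remote_checksums.find { ... }` returns nil when rubygems.org lists the version but not the platform recorded in Gemfile.checksum, and the following `remote_platform_checksum[:checksum]` then raises NoMethodError, aborting the whole verification run instead of marking that one gem as failed. Guard it before the comparison: `unless remote_platform_checksum` / `$stderr.puts "#{gem_name} #{gem_version} #{gem_platform} has no remote checksum for this platform"` / `return false`. The empty-result branch above it prints "not found on Rubygems, skipping" yet returns false, which makes `execute` return false and the CLI exit 1 — the wording says the gem was skipped while the outcome is a hard failure; reword the message to say it failed, or return true if a skip is genuinely intended. The verify.rb module was moved from lib/bundler/checksum/command/ without these changes.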
+++ b/vendor/gems/bundler-checksum/test/project_with_checksum_lock/Gemfile @@ -5,7 +5,7 @@ source 'https://rubygems.org' if ENV['BUNDLER_CHECKSUM_VERIFICATION_OPT_IN'] # this verification is still experimental $:.unshift(File.expand_path('../../lib', __dir__)) require 'bundler-checksum' - Bundler::Checksum.patch! + BundlerChecksum.patch! end gem 'rails', '~> 6.1.6.1' -- cgit v1.2.3