[rubygems/rubygems] Warn on insecure materialization

bc2537de71
2025-08-24 05:25:34 +02:00 · 2024-09-12 13:40:59 +02:00 · 2024-09-12 13:40:59 +02:00 · 10d694a1ff
commit 10d694a1ff
parent 7cb0bb43b9
8 changed files with 59 additions and 14 deletions
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@ -651,6 +651,15 @@ module Bundler
        incomplete_specs = still_incomplete_specs
      end

+      insecurely_materialized_specs = specs.insecurely_materialized_specs
+
+      if insecurely_materialized_specs.any?
+        Bundler.ui.warn "The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version:\n" \
+                        " * #{insecurely_materialized_specs.map(&:full_name).join("\n * ")}\n" \
+                        "Please run `bundle lock --normalize-platforms` and commit the resulting lockfile.\n" \
+                        "Alternatively, you may run `bundle lock --add-platform <list-of-platforms-that-you-want-to-support>`"
+      end
+
      bundler = sources.metadata_source.specs.search(["bundler", Bundler.gem_version]).last
      specs["bundler"] = bundler

--- a/lib/bundler/endpoint_specification.rb
+++ b/lib/bundler/endpoint_specification.rb
@ -6,7 +6,7 @@ module Bundler
    include MatchRemoteMetadata

    attr_reader :name, :version, :platform, :checksum
-    attr_accessor :remote, :dependencies
+    attr_accessor :remote, :dependencies, :locked_platform

    def initialize(name, version, platform, spec_fetcher, dependencies, metadata = nil)
      super()
@ -18,10 +18,15 @@ module Bundler

      @loaded_from          = nil
      @remote_specification = nil
+      @locked_platform = nil

      parse_metadata(metadata)
    end

+    def insecurely_materialized?
+      @locked_platform.to_s != @platform.to_s
+    end
+
    def fetch_platform
      @platform
    end
--- a/lib/bundler/lazy_specification.rb
+++ b/lib/bundler/lazy_specification.rb
@ -99,15 +99,24 @@ module Bundler
      out
    end

+    def materialize_strictly
+      source.local!
+
+      matching_specs = source.specs.search(self)
+      return self if matching_specs.empty?
+
+      __materialize__(matching_specs)
+    end
+
    def materialize_for_installation(most_specific_locked_platform = nil)
      source.local!

-      matching_specs = source.specs.search(use_exact_resolved_specifications?(most_specific_locked_platform) ? self : [name, version])
-      return self if matching_specs.empty?
-
-      candidates = if use_exact_resolved_specifications?(most_specific_locked_platform)
-        matching_specs
+      if use_exact_resolved_specifications?(most_specific_locked_platform)
+        materialize_strictly
      else
+        matching_specs = source.specs.search([name, version])
+        return self if matching_specs.empty?
+
        target_platform = source.is_a?(Source::Path) ? platform : local_platform

        installable_candidates = GemHelpers.select_best_platform_match(matching_specs, target_platform)
@ -119,10 +128,8 @@ module Bundler
          installable_candidates = GemHelpers.select_best_platform_match(matching_specs, platform)
        end

-        installable_candidates
+        __materialize__(installable_candidates)
      end
-
-      __materialize__(candidates)
    end

    # If in frozen mode, we fallback to a non-installable candidate because by
@ -143,8 +150,12 @@ module Bundler
        # `bundler/setup` performance
        if search.is_a?(StubSpecification)
          search.dependencies = dependencies
-        elsif !source.is_a?(Source::Path) && search.runtime_dependencies.sort != dependencies.sort
-          raise IncorrectLockfileDependencies.new(self)
+        else
+          if !source.is_a?(Source::Path) && search.runtime_dependencies.sort != dependencies.sort
+            raise IncorrectLockfileDependencies.new(self)
+          end
+
+          search.locked_platform = platform if search.instance_of?(RemoteSpecification) || search.instance_of?(EndpointSpecification)
        end
      end
      search
--- a/lib/bundler/remote_specification.rb
+++ b/lib/bundler/remote_specification.rb
@ -12,7 +12,7 @@ module Bundler

    attr_reader :name, :version, :platform
    attr_writer :dependencies
-    attr_accessor :source, :remote
+    attr_accessor :source, :remote, :locked_platform

    def initialize(name, version, platform, spec_fetcher)
      @name         = name
@ -21,6 +21,11 @@ module Bundler
      @platform     = Gem::Platform.new(platform)
      @spec_fetcher = spec_fetcher
      @dependencies = nil
+      @locked_platform = nil
+    end
+
+    def insecurely_materialized?
+      @locked_platform.to_s != @platform.to_s
    end

    # Needed before installs, since the arch matters then and quick
--- a/lib/bundler/rubygems_ext.rb
+++ b/lib/bundler/rubygems_ext.rb
@ -150,6 +150,10 @@ module Gem
      end
    end

+    def insecurely_materialized?
+      false
+    end
+
    def groups
      @groups ||= []
    end
--- a/lib/bundler/spec_set.rb
+++ b/lib/bundler/spec_set.rb
@ -143,7 +143,7 @@ module Bundler
      @specs.map do |s|
        next s unless s.is_a?(LazySpecification)
        s.source.remote!
-        spec = s.materialize_for_installation
+        spec = s.materialize_strictly
        raise GemNotFound, "Could not find #{s.full_name} in any of the sources" unless spec
        spec
      end
@ -162,6 +162,10 @@ module Bundler
      @specs.select {|s| s.is_a?(LazySpecification) }
    end

+    def insecurely_materialized_specs
+      @specs.select(&:insecurely_materialized?)
+    end
+
    def -(other)
      SpecSet.new(to_a - other.to_a)
    end
--- a/lib/bundler/stub_specification.rb
+++ b/lib/bundler/stub_specification.rb
@ -9,6 +9,10 @@ module Bundler
      spec
    end

+    def insecurely_materialized?
+      false
+    end
+
    attr_reader :checksum
    attr_accessor :stub, :ignored

--- a/spec/bundler/install/gemfile/specific_platform_spec.rb
+++ b/spec/bundler/install/gemfile/specific_platform_spec.rb
@ -58,7 +58,7 @@ RSpec.describe "bundle install with specific platforms" do
      L

      bundle "install --verbose"
-
+      expect(err).to include("The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version")
      expect(out).to include("Installing sass-embedded 1.72.0 (x86_64-darwin-15)")

      expect(the_bundle).to include_gem("sass-embedded 1.72.0 x86_64-darwin-15")
@ -130,6 +130,7 @@ RSpec.describe "bundle install with specific platforms" do
      L

      bundle "update"
+      expect(err).to include("The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version")

      checksums.checksum gem_repo2, "google-protobuf", "3.0.0.alpha.5.0.5.1"

@ -238,6 +239,7 @@ RSpec.describe "bundle install with specific platforms" do
      L

      bundle "install --verbose"
+      expect(err).to include("The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version")
      expect(out).to include("Installing libv8 8.4.255.0 (universal-darwin)")

      bundle "add mini_racer --verbose"
@ -275,6 +277,7 @@ RSpec.describe "bundle install with specific platforms" do
      L

      bundle "install --verbose", artifice: "compact_index_precompiled_before"
+      expect(err).to include("The following platform specific gems are getting installed, yet the lockfile includes only their generic ruby version")
      expect(out).to include("Installing grpc 1.50.0 (universal-darwin)")
    end
  end