author | Martin Emde <martin.emde@gmail.com> | 2023-10-20 20:16:24 -0700 |
---|---|---|
committer | Hiroshi SHIBATA <hsbt@ruby-lang.org> | 2023-10-23 13:59:01 +0900 |
commit | 6dcd4e90d8d2a2db06a140cf10c5d9519360fc69 (patch) | |
tree | 6898fd5e6ddfdf91b1a03cda886a7c9ed101a751 /spec/bundler/install/gemfile/sources_spec.rb | |
parent | c667de72ff9de195e1cab4b1937973e841ff89ae (diff) | |
[rubygems/rubygems] Handle base64 encoded checksums in lockfile for future compatibility.
Save checksums using = as separator.
https://github.com/rubygems/rubygems/commit/a36ad7d160
Diffstat (limited to 'spec/bundler/install/gemfile/sources_spec.rb')
-rw-r--r-- | spec/bundler/install/gemfile/sources_spec.rb | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/spec/bundler/install/gemfile/sources_spec.rb b/spec/bundler/install/gemfile/sources_spec.rb
index 16b9d82104..64eed1a2f4 100644
--- a/spec/bundler/install/gemfile/sources_spec.rb
+++ b/spec/bundler/install/gemfile/sources_spec.rb
@@ -129,7 +129,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
 end
 it "works in standalone mode", :bundler => "< 3" do
- gem_checksum = checksum_for_repo_gem(gem_repo4, "foo", "1.0").split("-").last
+ gem_checksum = checksum_for_repo_gem(gem_repo4, "foo", "1.0").split(Bundler::Checksum::ALGO_SEPARATOR).last
 bundle "install --standalone", :artifice => "compact_index", :env => { "BUNDLER_SPEC_FOO_CHECKSUM" => gem_checksum }
 end
 end
@@ -337,7 +337,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
 expect(err).to eq(<<~E.strip)
 [DEPRECATED] Your Gemfile contains multiple global sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source.
 Bundler found mismatched checksums. This is a potential security risk.
- rack (1.0.0) sha256-#{rack_checksum}
+ rack (1.0.0) sha256=#{rack_checksum}
 from the API at https://gem.repo2/
 and the API at https://gem.repo1/
 #{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")}
@@ -354,7 +354,7 @@ RSpec.describe "bundle install with gems on multiple sources" do
 end
 it "installs from the other source and warns about ambiguous gems when the sources have the same checksum", :bundler => "< 3" do
- gem_checksum = checksum_for_repo_gem(gem_repo2, "rack", "1.0.0").split("-").last
+ gem_checksum = checksum_for_repo_gem(gem_repo2, "rack", "1.0.0").split(Bundler::Checksum::ALGO_SEPARATOR).last
 bundle :install, :artifice => "compact_index", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => gem_checksum, "DEBUG" => "1" }
 expect(err).to include("Warning: the gem 'rack' was found in multiple sources.")
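Review bot: In the hunks at -129 and -354, `.split(Bundler::Checksum::ALGO_SEPARATOR).last` keeps only the text after the last separator, and the separator now appears to be `=` (the expected messages in this commit print `sha256=`), which is also the base64 padding character. If `checksum_for_repo_gem` ever returns a base64 digest, which the commit message says the lockfile must tolerate, Ruby's `split` drops the trailing empty field, so the value exported through `BUNDLER_SPEC_FOO_CHECKSUM` / `BUNDLER_SPEC_RACK_CHECKSUM` would lose its padding and the example would exercise a truncated digest. Splitting once avoids that: `.split(Bundler::Checksum::ALGO_SEPARATOR, 2).last`. The second `it` block continues past the end of its hunk.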
@@ -1302,16 +1302,16 @@ RSpec.describe "bundle install with gems on multiple sources" do
 bundle "install", :artifice => "compact_index", :raise_on_error => false
- api_checksum1 = checksum_for_repo_gem(gem_repo1, "rack", "0.9.1").split("sha256-").last
- api_checksum3 = checksum_for_repo_gem(gem_repo3, "rack", "0.9.1").split("sha256-").last
+ api_checksum1 = checksum_for_repo_gem(gem_repo1, "rack", "0.9.1").split("sha256=").last
+ api_checksum3 = checksum_for_repo_gem(gem_repo3, "rack", "0.9.1").split("sha256=").last
 expect(exitstatus).to eq(37)
 expect(err).to eq(<<~E.strip)
 [DEPRECATED] Your lockfile contains a single rubygems source section with multiple remotes, which is insecure. Make sure you run `bundle install` in non frozen mode and commit the result to make your lockfile secure.
 Bundler found mismatched checksums. This is a potential security risk.
- rack (0.9.1) sha256-#{api_checksum3}
+ rack (0.9.1) sha256=#{api_checksum3}
 from the API at https://gem.repo3/
- rack (0.9.1) sha256-#{api_checksum1}
+ rack (0.9.1) sha256=#{api_checksum1}
 from the API at https://gem.repo1/
 Mismatched checksums each have an authoritative source: |
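Review bot: The two `api_checksum` assignments still hard-code both the algorithm and the separator as `split("sha256=")`, while the earlier hunks of this commit moved to `Bundler::Checksum::ALGO_SEPARATOR`. The next change to the lockfile checksum format would again have to find and edit this literal by hand, and a missed edit would leave the mismatched-checksum expectation comparing the wrong string. Writing `.split(Bundler::Checksum::ALGO_SEPARATOR, 2).last` here keeps the spec tied to the constant. The enclosing example starts and ends outside the hunk.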