From 25a327d41bcb881f27acfcc58f262986a8f4e5b4 Mon Sep 17 00:00:00 2001
From: Alexander Pakulov
Date: Wed, 14 Aug 2019 12:00:27 -0700
Subject: [rubygems/rubygems] Do not mutate uri.query during s3 signature creation
https://github.com/rubygems/rubygems/commit/c0275ee537
---
 lib/rubygems/s3_uri_signer.rb | 14 +++++++-------
 test/rubygems/test_gem_remote_fetcher.rb | 3 +++
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/lib/rubygems/s3_uri_signer.rb b/lib/rubygems/s3_uri_signer.rb
index 437fdbf3dc..4caf07131f 100644
--- a/lib/rubygems/s3_uri_signer.rb
+++ b/lib/rubygems/s3_uri_signer.rb
@@ -49,12 +49,12 @@ class Gem::S3URISigner
     credential_info = "#{date}/#{s3_config.region}/s3/aws4_request"
     canonical_host = "#{uri.host}.s3.#{s3_config.region}.amazonaws.com"
 
-    uri.query = generate_canonical_query_params(s3_config, date_time, credential_info, expiration)
-    canonical_request = generate_canonical_request(canonical_host)
+    query_params = generate_canonical_query_params(s3_config, date_time, credential_info, expiration)
+    canonical_request = generate_canonical_request(canonical_host, query_params)
     string_to_sign = generate_string_to_sign(date_time, credential_info, canonical_request)
     signature = generate_signature(s3_config, date, string_to_sign)
 
-    URI.parse("https://#{canonical_host}#{uri.path}?#{uri.query}&X-Amz-Signature=#{signature}")
+    URI.parse("https://#{canonical_host}#{uri.path}?#{query_params}&X-Amz-Signature=#{signature}")
   end
 
   private
@@ -76,11 +76,11 @@ class Gem::S3URISigner
     end.join("&")
   end
 
-  def generate_canonical_request(canonical_host)
+  def generate_canonical_request(canonical_host, query_params)
     [
       "GET",
       uri.path,
-      uri.query,
+      query_params,
       "host:#{canonical_host}",
       "", # empty params
       "host",
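Review bot: Any query string already carried by `uri` is silently discarded, because the URL on the last added line is rebuilt from `uri.path` and `query_params` alone and `query_params` is what `generate_canonical_request` signs; the commit stops the mutation but leaves that contract undocumented. A comment at the top of `sign` (its `def` is above the hunk) would make it explicit: `# Any query on the incoming uri is ignored: only the SigV4 canonical params are signed and emitted.` A second comment belongs on the `query_params =` line, since that string must reach the final URL unchanged apart from the trailing `&X-Amz-Signature=...` or the signature S3 recomputes will not match: `# reused verbatim in the URL below; do not reorder or re-encode`.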
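Review bot: The new `query_params` parameter on `generate_canonical_request` has no stated contract, and since the canonical request is the signed input, passing a query string that is not sorted and URI-encoded the way S3 canonicalizes it yields a signature S3 rejects; a one-line doc above the `def` closes that gap: `# query_params: canonical (sorted, URI-encoded) query string from generate_canonical_query_params, without X-Amz-Signature`. The `"", # empty params` context line presumably produces the blank line that terminates the canonical-headers section of the SigV4 canonical request (assuming the array is newline-joined below the hunk), so that existing comment is misleading even though this commit does not touch it. The method body continues past the end of the hunk.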
@@ -131,11 +131,11 @@ class Gem::S3URISigner
     else
       id = auth[:id] || auth["id"]
       secret = auth[:secret] || auth["secret"]
-      raise ConfigurationError.new("s3_source for #{host} missing id or secret") unless id && secret
-
       security_token = auth[:security_token] || auth["security_token"]
     end
 
+    raise ConfigurationError.new("s3_source for #{host} missing id or secret") unless id && secret
+
     region = auth[:region] || auth["region"] || "us-east-1"
     S3Config.new(id, secret, security_token, region)
   end
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 92ff350b26..76a66af867 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -675,6 +675,9 @@ PeIQQkFng2VVot/WAQbv3ePqWq07g1BBcwIBAg==
     def s3_uri_signer.ec2_metadata_credentials_json
       JSON.parse($instance_profile)
     end
+    # Running sign operation to make sure uri.query is not mutated
+    s3_uri_signer.sign
+    raise "URI query is not empty: #{uri.query}" unless uri.query.nil?
     s3_uri_signer
   end
 
-- 
cgit v1.2.3
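Review bot: The message on the relocated `raise ... unless id && secret` line still describes only the static-config case even though the check now runs after the whole `if`/`else`; if the branches above the hunk (outside it) resolve `id`/`secret` from environment variables or instance metadata, an unset environment credential would be reported to the operator as an incomplete `s3_source` entry. A provider-neutral message avoids that misdirection: `raise ConfigurationError, "s3_source for #{host}: no id or secret resolved for the configured provider" unless id && secret`. Keeping only the host, and never the credential values, in the message is the right choice and should stay that way. `raise Klass, msg` is also the idiomatic form over `Klass.new(msg)`; the enclosing method's `def` is above the hunk.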
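Review bot: The added `raise "URI query is not empty: ..."` reports a regression as a test error rather than an assertion failure, and it also trips for any caller that passes a URI which legitimately has a query, which the message does not explain. Assuming the enclosing test case is Minitest-based as rubygems tests are, `assert_nil uri.query, "sign must not mutate uri.query"` gives the same guarantee with a proper failure report. The helper now performs a signing round before the test body does, so the s3 configuration has to be in place when the helper is called (its `def` line is above the hunk); a caller that configures afterwards would likely fail here with the `ConfigurationError` from the signer rather than in its own assertions.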