
ruby-changes:68067

From: Jonathan <ko1@a...>
Date: Wed, 22 Sep 2021 10:19:47 +0900 (JST)
Subject: [ruby-changes:68067] 13bb16f41e (master): [rubygems/rubygems] Fix bug where redacted credentials are sent to server

https://git.ruby-lang.org/ruby.git/commit/?id=13bb16f41e

From 13bb16f41edb4682f76d02a9bf2e4d65b443dcf8 Mon Sep 17 00:00:00 2001
From: Jonathan <jonacom@l...>
Date: Fri, 17 Sep 2021 12:39:25 -0600
Subject: [rubygems/rubygems] Fix bug where redacted credentials are sent to
 server

Implement deep cloning for `Gem::Uri` class to fix a bug where redacting
credentials modifies the URI string in place instead of returning a
modified copy.

https://github.com/rubygems/rubygems/commit/eafb5a279b
---
 lib/rubygems/uri.rb           | 9 +++++++++
 test/rubygems/test_gem_uri.rb | 7 +++++++
 2 files changed, 16 insertions(+)

diff --git a/lib/rubygems/uri.rb b/lib/rubygems/uri.rb
index 031d7e0..ba30fac 100644
--- a/lib/rubygems/uri.rb
+++ b/lib/rubygems/uri.rb
@@ -43,6 +43,11 @@ class Gem::Uri https://github.com/ruby/ruby/blob/trunk/lib/rubygems/uri.rb#L43
     @parsed_uri.respond_to?(method_name, include_private) || super
   end
 
+  protected
+
+  # Add a protected reader for the cloned instance to access the original object's parsed uri
+  attr_reader :parsed_uri
+
   private
 
   ##
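Review bot: The comment on `attr_reader :parsed_uri` should state that the reader returns the live wrapped object rather than a copy. As written, any other `Gem::Uri` instance that calls it can mutate the original's state. Something like "returns the underlying object itself; callers must copy before modifying" would keep a later in-class use from reintroducing the in-place mutation this commit is fixing.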
@@ -99,4 +104,8 @@ class Gem::Uri https://github.com/ruby/ruby/blob/trunk/lib/rubygems/uri.rb#L104
   def token?
     !user.nil? && password.nil?
   end
+
+  def initialize_copy(original)
+    @parsed_uri = original.parsed_uri.clone
+  end
 end
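Review bot: In `initialize_copy`, `original.parsed_uri.clone` carries over the frozen state of the wrapped object. If it is ever frozen, the copy cannot be modified either, so `dup` is the safer call for a copy that exists to be mutated. The copy is also only one level deep, since it duplicates the wrapped object but not the component strings inside it, while the commit message calls this deep cloning. A short comment saying that the fix relies on components being reassigned rather than edited in place would make that assumption explicit.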
diff --git a/test/rubygems/test_gem_uri.rb b/test/rubygems/test_gem_uri.rb
index 0c70443..7fe5725 100644
--- a/test/rubygems/test_gem_uri.rb
+++ b/test/rubygems/test_gem_uri.rb
@@ -29,4 +29,11 @@ class TestUri < Gem::TestCase https://github.com/ruby/ruby/blob/trunk/test/rubygems/test_gem_uri.rb#L29
   def test_redacted_with_invalid_uri
     assert_equal "https://www.example.com:80index", Gem::Uri.new("https://www.example.com:80index").redacted.to_s
   end
+
+  def test_redacted_does_not_modify_uri
+    url = 'https://user:password@e...'
+    uri = Gem::Uri.new(url)
+    assert_equal 'https://user:REDACTED@e...', uri.redacted.to_s
+    assert_equal url, uri.to_s
+  end
 end
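Review bot: `test_redacted_does_not_modify_uri` only exercises the copy through `redacted`, and only for the user:password form. Since the change is in `initialize_copy`, a direct assertion that `uri.dup` and `uri.clone` are independent of the original would pin the behaviour regardless of how `redacted` is implemented. A second case with token-style credentials (user set, no password, the condition `token?` checks in uri.rb) would cover the other credential shape the class distinguishes.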
-- 
cgit v1.1


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
