
ruby-changes:74135

From: Hiroshi <ko1@a...>
Date: Thu, 20 Oct 2022 14:36:20 +0900 (JST)
Subject: [ruby-changes:74135] 4f1e0bfacd (master): Followed up CVE-2022-39253 for bundler examples

https://git.ruby-lang.org/ruby.git/commit/?id=4f1e0bfacd

From 4f1e0bfacd93c28bff549e2f3603c3b4942429a3 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA <hsbt@r...>
Date: Thu, 20 Oct 2022 14:36:06 +0900
Subject: Followed up CVE-2022-39253 for bundler examples

---
 spec/bundler/cache/git_spec.rb           | 3 +++
 spec/bundler/install/gemfile/git_spec.rb | 9 +++++++++
 spec/bundler/update/git_spec.rb          | 3 +++
 3 files changed, 15 insertions(+)

diff --git a/spec/bundler/cache/git_spec.rb b/spec/bundler/cache/git_spec.rb
index 7ea23cd312..fed8ba43f4 100644
--- a/spec/bundler/cache/git_spec.rb
+++ b/spec/bundler/cache/git_spec.rb
@@ -156,6 +156,9 @@ RSpec.describe "bundle cache with git" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/cache/git_spec.rb#L156
   end
 
   it "copies repository to vendor cache, including submodules" do
+    # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+    system(*%W[git config --global protocol.file.allow always])
+
     build_git "submodule", "1.0"
 
     git = build_git "has_submodule", "1.0" do |s|
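Review bot: The `git config --global protocol.file.allow always` added before `build_git "submodule"` writes to the user's global git config and persists after the run, re-enabling for every repository on that machine the `file://` submodule transport that the CVE-2022-39253 fix disabled by default. Unless the spec harness points `HOME` (or `XDG_CONFIG_HOME`) at a throwaway directory — not visible in this hunk — this is a lasting security downgrade of the developer's or CI image's git. Scoping the override to the test process instead, e.g. `ENV["GIT_CONFIG_COUNT"] = "1"`, `ENV["GIT_CONFIG_KEY_0"] = "protocol.file.allow"`, `ENV["GIT_CONFIG_VALUE_0"] = "always"` (git ≥ 2.31, inherited by the git subprocesses bundler spawns, assuming the harness passes the environment through), would avoid touching any persistent file; if the global write stays, the comment should state that the harness sandboxes HOME. The example's body continues past the end of the hunk.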
diff --git a/spec/bundler/install/gemfile/git_spec.rb b/spec/bundler/install/gemfile/git_spec.rb
index 2058674105..fb99c99b2d 100644
--- a/spec/bundler/install/gemfile/git_spec.rb
+++ b/spec/bundler/install/gemfile/git_spec.rb
@@ -865,6 +865,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L865
   end
 
   it "ignores submodules if :submodule is not passed" do
+    # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+    system(*%W[git config --global protocol.file.allow always])
+
     build_git "submodule", "1.0"
     build_git "has_submodule", "1.0" do |s|
       s.add_dependency "submodule"
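Review bot: The return value of `system(...)` on the new line is ignored, so if `git` is missing or the global config file is not writable the example continues and later fails on the submodule step with an unrelated-looking error. Failing fast keeps the real cause visible: `raise "could not set protocol.file.allow" unless system(*%W[git config --global protocol.file.allow always])`. The example body continues outside the hunk.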
@@ -884,6 +887,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L887
   end
 
   it "handles repos with submodules" do
+    # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+    system(*%W[git config --global protocol.file.allow always])
+
     build_git "submodule", "1.0"
     build_git "has_submodule", "1.0" do |s|
       s.add_dependency "submodule"
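Review bot: This is the third example in the same `describe "bundle install with git sources"` group to repeat the identical three-line `git config` prologue, which invites drift if the workaround changes (for instance when a minimum git version makes it unnecessary or when it is moved to a scoped environment variable). A single `before` hook limited to the examples that build submodules, or a small spec-support helper such as `def allow_file_protocol_for_submodules` wrapping the `system` call, would keep one copy and one comment. The describe block's opening and any existing hooks lie outside the hunk, so where to place it is for the author to confirm.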
@@ -902,6 +908,9 @@ RSpec.describe "bundle install with git sources" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/install/gemfile/git_spec.rb#L908
   end
 
   it "does not warn when deiniting submodules" do
+    # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+    system(*%W[git config --global protocol.file.allow always])
+
     build_git "submodule", "1.0"
     build_git "has_submodule", "1.0"
 
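Review bot: The added comment names the CVE and a mailing-list thread but not what the setting does or why this example needs it, which a reader without the link has to reconstruct. A one-line rationale would do: `# git ≥ 2.38.1 (and its backports) defaults protocol.file.allow to "user", refusing local-path submodule clones; these fixtures use file:// submodules, so re-allow it for the test.` The exact version claim should be checked against the git release notes before it goes into the comment.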
diff --git a/spec/bundler/update/git_spec.rb b/spec/bundler/update/git_spec.rb
index da92cab1cc..427a0bb713 100644
--- a/spec/bundler/update/git_spec.rb
+++ b/spec/bundler/update/git_spec.rb
@@ -124,6 +124,9 @@ RSpec.describe "bundle update" do https://github.com/ruby/ruby/blob/trunk/spec/bundler/update/git_spec.rb#L124
 
     describe "with submodules" do
       before :each do
+        # CVE-2022-39253: https://lore.kernel.org/lkml/xmqq4jw1uku5.fsf@g.../
+        system(*%W[git config --global protocol.file.allow always])
+
         build_repo4 do
           build_gem "submodule" do |s|
             s.write "lib/submodule.rb", "puts 'GEM'"
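Review bot: The `before :each` hook now applies a persistent global git setting on every example in `describe "with submodules"`, but no `after` hook restores it, so the change outlives the spec run even though the hook suggests per-example setup. Record and restore the prior value around the group: capture the output of `git config --global --get protocol.file.allow` in the hook, and in an `after` either re-set that value or run `git config --global --unset protocol.file.allow` when it was absent; an unconditional `--unset` would clobber a setting the developer chose deliberately. The `before :each` block begins inside the hunk but its `build_repo4` body continues past the end of it.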
-- 
cgit v1.2.3


