Merge #7067

7067: Tweaking vendoring r=hsbt a=deivid-rodriguez The problem was that we were not using the latest versions of some of our vendored dependencies. My diagnosis was that we should upgrade them. My fix is to upgrade them using `automatiek`, and add a few tweaks to our vendoring setup. I chose this fix because.... I didn't really considered other options. Co-authored-by: David Rodríguez <[email protected]> (cherry picked from commit 6f39ea5)
rubygems · Apr 5, 2019 · 8f3facd · 8f3facd
1 parent c17d799
commit 8f3facd
Show file tree

Hide file tree

Showing 11 changed files with 298 additions and 51 deletions.
diff --git a/lib/bundler/vendor/fileutils/lib/fileutils.rb b/lib/bundler/vendor/fileutils/lib/fileutils.rb
@@ -85,8 +85,12 @@
 # <tt>:verbose</tt> flags to methods in Bundler::FileUtils.
 #
 
+require 'rbconfig'
+
 module Bundler::FileUtils
 
+  VERSION = "1.1.0"
+
   def self.private_module_function(name)   #:nodoc:
     module_function name
     private_class_method name
@@ -117,8 +121,9 @@ def pwd
   #
   def cd(dir, verbose: nil, &block) # :yield: dir
     fu_output_message "cd #{dir}" if verbose
-    Dir.chdir(dir, &block)
+    result = Dir.chdir(dir, &block)
     fu_output_message 'cd -' if verbose and block
+    result
   end
   module_function :cd
 
@@ -245,15 +250,15 @@ def rmdir(list, parents: nil, noop: nil, verbose: nil)
     fu_output_message "rmdir #{parents ? '-p ' : ''}#{list.join ' '}" if verbose
     return if noop
     list.each do |dir|
-      begin
-        Dir.rmdir(dir = remove_trailing_slash(dir))
-        if parents
+      Dir.rmdir(dir = remove_trailing_slash(dir))
+      if parents
+        begin
           until (parent = File.dirname(dir)) == '.' or parent == dir
             dir = parent
             Dir.rmdir(dir)
           end
+        rescue Errno::ENOTEMPTY, Errno::EEXIST, Errno::ENOENT
         end
-      rescue Errno::ENOTEMPTY, Errno::EEXIST, Errno::ENOENT
       end
     end
   end
@@ -293,6 +298,39 @@ def ln(src, dest, force: nil, noop: nil, verbose: nil)
   alias link ln
   module_function :link
 
+  #
+  # :call-seq:
+  #   Bundler::FileUtils.cp_lr(src, dest, noop: nil, verbose: nil, dereference_root: true, remove_destination: false)
+  #
+  # Hard link +src+ to +dest+. If +src+ is a directory, this method links
+  # all its contents recursively. If +dest+ is a directory, links
+  # +src+ to +dest/src+.
+  #
+  # +src+ can be a list of files.
+  #
+  #   # Installing the library "mylib" under the site_ruby directory.
+  #   Bundler::FileUtils.rm_r site_ruby + '/mylib', :force => true
+  #   Bundler::FileUtils.cp_lr 'lib/', site_ruby + '/mylib'
+  #
+  #   # Examples of linking several files to target directory.
+  #   Bundler::FileUtils.cp_lr %w(mail.rb field.rb debug/), site_ruby + '/tmail'
+  #   Bundler::FileUtils.cp_lr Dir.glob('*.rb'), '/home/aamine/lib/ruby', :noop => true, :verbose => true
+  #
+  #   # If you want to link all contents of a directory instead of the
+  #   # directory itself, c.f. src/x -> dest/x, src/y -> dest/y,
+  #   # use the following code.
+  #   Bundler::FileUtils.cp_lr 'src/.', 'dest'  # cp_lr('src', 'dest') makes dest/src, but this doesn't.
+  #
+  def cp_lr(src, dest, noop: nil, verbose: nil,
+            dereference_root: true, remove_destination: false)
+    fu_output_message "cp -lr#{remove_destination ? ' --remove-destination' : ''} #{[src,dest].flatten.join ' '}" if verbose
+    return if noop
+    fu_each_src_dest(src, dest) do |s, d|
+      link_entry s, d, dereference_root, remove_destination
+    end
+  end
+  module_function :cp_lr
+
   #
   # :call-seq:
   #   Bundler::FileUtils.ln_s(target, link, force: nil, noop: nil, verbose: nil)
@@ -339,6 +377,26 @@ def ln_sf(src, dest, noop: nil, verbose: nil)
   end
   module_function :ln_sf
 
+  #
+  # Hard links a file system entry +src+ to +dest+.
+  # If +src+ is a directory, this method links its contents recursively.
+  #
+  # Both of +src+ and +dest+ must be a path name.
+  # +src+ must exist, +dest+ must not exist.
+  #
+  # If +dereference_root+ is true, this method dereferences the tree root.
+  #
+  # If +remove_destination+ is true, this method removes each destination file before copy.
+  #
+  def link_entry(src, dest, dereference_root = false, remove_destination = false)
+    Entry_.new(src, nil, dereference_root).traverse do |ent|
+      destent = Entry_.new(dest, ent.rel, false)
+      File.unlink destent.path if remove_destination && File.file?(destent.path)
+      ent.link destent.path
+    end
+  end
+  module_function :link_entry
+
   #
   # Copies a file content +src+ to +dest+.  If +dest+ is a directory,
   # copies +src+ to +dest/src+.
@@ -412,7 +470,7 @@ def cp_r(src, dest, preserve: nil, noop: nil, verbose: nil,
   def copy_entry(src, dest, preserve = false, dereference_root = false, remove_destination = false)
     Entry_.new(src, nil, dereference_root).wrap_traverse(proc do |ent|
       destent = Entry_.new(dest, ent.rel, false)
-      File.unlink destent.path if remove_destination && File.file?(destent.path)
+      File.unlink destent.path if remove_destination && (File.file?(destent.path) || File.symlink?(destent.path))
       ent.copy destent.path
     end, proc do |ent|
       destent = Entry_.new(dest, ent.rel, false)
@@ -486,7 +544,7 @@ def mv(src, dest, force: nil, noop: nil, verbose: nil, secure: nil)
   module_function :move
 
   def rename_cannot_overwrite_file?   #:nodoc:
-    /emx/ =~ RUBY_PLATFORM
+    /emx/ =~ RbConfig::CONFIG['host_os']
   end
   private_module_function :rename_cannot_overwrite_file?
 
@@ -601,8 +659,8 @@ def rm_rf(list, noop: nil, verbose: nil, secure: nil)
   #
   # For details of this security vulnerability, see Perl's case:
   #
-  # * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
-  # * http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
+  # * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0448
+  # * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452
   #
   # For fileutils.rb, this vulnerability is reported in [ruby-dev:26100].
   #
@@ -626,22 +684,38 @@ def remove_entry_secure(path, force = false)
     unless parent_st.sticky?
       raise ArgumentError, "parent directory is world writable, Bundler::FileUtils#remove_entry_secure does not work; abort: #{path.inspect} (parent directory mode #{'%o' % parent_st.mode})"
     end
+
     # freeze tree root
     euid = Process.euid
-    File.open(fullpath + '/.') {|f|
-      unless fu_stat_identical_entry?(st, f.stat)
-        # symlink (TOC-to-TOU attack?)
-        File.unlink fullpath
-        return
-      end
-      f.chown euid, -1
-      f.chmod 0700
-      unless fu_stat_identical_entry?(st, File.lstat(fullpath))
-        # TOC-to-TOU attack?
-        File.unlink fullpath
-        return
-      end
-    }
+    dot_file = fullpath + "/."
+    begin
+      File.open(dot_file) {|f|
+        unless fu_stat_identical_entry?(st, f.stat)
+          # symlink (TOC-to-TOU attack?)
+          File.unlink fullpath
+          return
+        end
+        f.chown euid, -1
+        f.chmod 0700
+      }
+    rescue EISDIR # JRuby in non-native mode can't open files as dirs
+      File.lstat(dot_file).tap {|fstat|
+        unless fu_stat_identical_entry?(st, fstat)
+          # symlink (TOC-to-TOU attack?)
+          File.unlink fullpath
+          return
+        end
+        File.chown euid, -1, dot_file
+        File.chmod 0700, dot_file
+      }
+    end
+
+    unless fu_stat_identical_entry?(st, File.lstat(fullpath))
+      # TOC-to-TOU attack?
+      File.unlink fullpath
+      return
+    end
+
     # ---- tree root is frozen ----
     root = Entry_.new(path)
     root.preorder_traverse do |ent|
@@ -742,8 +816,15 @@ def compare_file(a, b)
   #
   def compare_stream(a, b)
     bsize = fu_stream_blksize(a, b)
-    sa = String.new(capacity: bsize)
-    sb = String.new(capacity: bsize)
+
+    if RUBY_VERSION > "2.4"
+      sa = String.new(capacity: bsize)
+      sb = String.new(capacity: bsize)
+    else
+      sa = String.new
+      sb = String.new
+    end
+
     begin
       a.read(bsize, sa)
       b.read(bsize, sb)
@@ -1068,7 +1149,7 @@ module StreamUtils_
     private
 
     def fu_windows?
-      /mswin|mingw|bccwin|emx/ =~ RUBY_PLATFORM
+      /mswin|mingw|bccwin|emx/ =~ RbConfig::CONFIG['host_os']
     end
 
     def fu_copy_stream0(src, dest, blksize = nil)   #:nodoc:
@@ -1250,6 +1331,22 @@ def chown(uid, gid)
       end
     end
 
+    def link(dest)
+      case
+      when directory?
+        if !File.exist?(dest) and descendant_directory?(dest, path)
+          raise ArgumentError, "cannot link directory %s to itself %s" % [path, dest]
+        end
+        begin
+          Dir.mkdir dest
+        rescue
+          raise unless File.directory?(dest)
+        end
+      else
+        File.link path(), dest
+      end
+    end
+
     def copy(dest)
       lstat
       case

diff --git a/lib/bundler/vendor/thor/lib/thor/actions.rb b/lib/bundler/vendor/thor/lib/thor/actions.rb
@@ -113,8 +113,10 @@ def destination_root=(root)
     # the script started).
     #
     def relative_to_original_destination_root(path, remove_dot = true)
-      path = path.dup
-      if path.gsub!(@destination_stack[0], ".")
+      root = @destination_stack[0]
+      if path.start_with?(root) && [File::SEPARATOR, File::ALT_SEPARATOR, nil, ''].include?(path[root.size..root.size])
+        path = path.dup
+        path[0...root.size] = '.'
         remove_dot ? (path[2..-1] || "") : path
       else
         path
@@ -217,6 +219,7 @@ def apply(path, config = {})
       shell.padding += 1 if verbose
 
       contents = if is_uri
+        require "open-uri"
         open(path, "Accept" => "application/x-thor-template", &:read)
       else
         open(path, &:read)
@@ -252,9 +255,16 @@ def run(command, config = {})
 
       say_status :run, desc, config.fetch(:verbose, true)
 
-      unless options[:pretend]
-        config[:capture] ? `#{command}` : system(command.to_s)
+      return if options[:pretend]
+
+      result = config[:capture] ? `#{command}` : system(command.to_s)
+
+      if config[:abort_on_failure]
+        success = config[:capture] ? $?.success? : result
+        abort unless success
       end
+
+      result
     end
 
     # Executes a ruby script (taking into account WIN32 platform quirks).

diff --git a/lib/bundler/vendor/thor/lib/thor/actions/file_manipulation.rb b/lib/bundler/vendor/thor/lib/thor/actions/file_manipulation.rb
@@ -60,6 +60,9 @@ def link_file(source, *args)
     # destination. If a block is given instead of destination, the content of
     # the url is yielded and used as location.
     #
+    # +get+ relies on open-uri, so passing application user input would provide
+    # a command injection attack vector.
+    #
     # ==== Parameters
     # source<String>:: the address of the given content.
     # destination<String>:: the relative path to the destination root.
@@ -117,7 +120,13 @@ def template(source, *args, &block)
       context = config.delete(:context) || instance_eval("binding")
 
       create_file destination, nil, config do
-        content = CapturableERB.new(::File.binread(source), nil, "-", "@output_buffer").tap do |erb|
+        match = ERB.version.match(/(\d+\.\d+\.\d+)/)
+        capturable_erb = if match && match[1] >= "2.2.0" # Ruby 2.6+
+          CapturableERB.new(::File.binread(source), :trim_mode => "-", :eoutvar => "@output_buffer")
+        else
+          CapturableERB.new(::File.binread(source), nil, "-", "@output_buffer")
+        end
+        content = capturable_erb.tap do |erb|
           erb.filename = source
         end.result(context)
         content = yield(content) if block
@@ -301,7 +310,7 @@ def uncomment_lines(path, flag, *args)
     def comment_lines(path, flag, *args)
       flag = flag.respond_to?(:source) ? flag.source : flag
 
-      gsub_file(path, /^(\s*)([^#|\n]*#{flag})/, '\1# \2', *args)
+      gsub_file(path, /^(\s*)([^#\n]*#{flag})/, '\1# \2', *args)
     end
 
     # Removes a file at the given location.

diff --git a/lib/bundler/vendor/thor/lib/thor/base.rb b/lib/bundler/vendor/thor/lib/thor/base.rb
@@ -466,13 +466,13 @@ def start(given_args = ARGV, config = {})
         dispatch(nil, given_args.dup, nil, config)
       rescue Bundler::Thor::Error => e
         config[:debug] || ENV["THOR_DEBUG"] == "1" ? (raise e) : config[:shell].error(e.message)
-        exit(1) if exit_on_failure?
+        exit(false) if exit_on_failure?
       rescue Errno::EPIPE
         # This happens if a thor command is piped to something like `head`,
         # which closes the pipe when it's done reading. This will also
         # mean that if the pipe is closed, further unnecessary
         # computation will not occur.
-        exit(0)
+        exit(true)
       end
 
       # Allows to use private methods from parent in child classes as commands.
@@ -493,8 +493,7 @@ def public_command(*names)
       alias_method :public_task, :public_command
 
       def handle_no_command_error(command, has_namespace = $thor_runner) #:nodoc:
-        raise UndefinedCommandError, "Could not find command #{command.inspect} in #{namespace.inspect} namespace." if has_namespace
-        raise UndefinedCommandError, "Could not find command #{command.inspect}."
+        raise UndefinedCommandError.new(command, all_commands.keys, (namespace if has_namespace))
       end
       alias_method :handle_no_task_error, :handle_no_command_error