From ecd1bea43731f11116925bb6805a9a135a996f11 Mon Sep 17 00:00:00 2001
From: "Urabe, Shyouhei"
Date: Sun, 20 Aug 2017 15:16:18 +0900
Subject: avoid TOPLEVEL_BINDING pollution
Evaluating user inputs in the TOPLEVEL_BINDING can pollute global toplevel local variable namespace because there is only one TOPLEVEL_BINDING across the entire process. Here in this method we do not need such thing. Duplicating that binding to create dedicated one for this purpose should effectively kill such global side effects.
---
 lib/bundler.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/bundler.rb b/lib/bundler.rb
index e4b9313401..57b4c32e40 100644
--- a/lib/bundler.rb
+++ b/lib/bundler.rb
@@ -494,7 +494,7 @@ EOF
 end
 def eval_gemspec(path, contents)
- eval(contents, TOPLEVEL_BINDING, path.expand_path.to_s)
+ eval(contents, TOPLEVEL_BINDING.dup, path.expand_path.to_s)
 rescue ScriptError, StandardError => e
 msg = "There was an error while loading `#{path.basename}`: #{e.message}"
-- cgit v1.2.1
From 94e2b6086577efcb10d22bc348d516f693b0f26f Mon Sep 17 00:00:00 2001
From: "Urabe, Shyouhei"
Date: Mon, 21 Aug 2017 00:41:14 +0900
Subject: Add specs for TOPLEVEL_BINDING pollution
---
 spec/bundler/bundler_spec.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/spec/bundler/bundler_spec.rb b/spec/bundler/bundler_spec.rb
index 633aed12db..ee117adc6e 100644
--- a/spec/bundler/bundler_spec.rb
+++ b/spec/bundler/bundler_spec.rb
@@ -102,6 +102,24 @@ RSpec.describe Bundler do
 subject
 end
 end
+
+ context "with gemspec containing local variables" do
+ before do
+ File.open(app_gemspec_path, "wb") do |f|
+ f.write strip_whitespace(<<-GEMSPEC)
+ must_not_leak = true
+ Gem::Specification.new do |gem|
+ gem.name = "leak check"
+ end
+ GEMSPEC
+ end
+ end
+
+ it "should not pollute the TOPLEVEL_BINDING" do
+ subject
+ expect(TOPLEVEL_BINDING.local_variables).to_not include(:must_not_leak)
+ end
+ end
 end
 describe "#which" do
-- cgit v1.2.1
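Review bot: The `.dup` on the eval line isolates only locals that the gemspec newly creates, and that is an implementation property of Binding#dup rather than anything the line itself states, so a later maintainer could drop it as an apparent no-op. Everything else the gemspec does still runs with the same toplevel `self` — constants, top-level `def`, globals, requires and `$LOAD_PATH` edits persist process-wide — and presumably an assignment to a local that already exists in TOPLEVEL_BINDING still writes through to the shared environment, which is worth confirming with a spec. Suggest a comment on the eval line: `# dup: locals the gemspec creates stay in this binding and do not leak into TOPLEVEL_BINDING; self, constants and globals are not isolated`. eval_gemspec's rescue body continues outside the hunk.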
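Review bot: The new example passes vacuously if the gemspec is never evaluated, because `subject` on the line before the expectation is invoked only for its side effect and nothing checks that the file actually loaded; if subject returns the loaded Gem::Specification (its definition is above the hunk), `expect(subject.name).to eq("leak check")` pins that. The example also only shows that a fresh local is absent from TOPLEVEL_BINDING afterwards; an expectation that a pre-existing toplevel local keeps its value, or that a second load does not see `must_not_leak`, would document the per-call scope the implementation relies on. As a style point, `it "does not pollute the TOPLEVEL_BINDING"` and `not_to` are the forms RSpec conventions prefer over "should not" and `to_not`.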
From 8668a7e3bd2eb857e134cb7be99da39aa96e9c30 Mon Sep 17 00:00:00 2001
From: "Urabe, Shyouhei"
Date: Tue, 22 Aug 2017 19:50:31 +0900
Subject: support ruby < 2.2.0
---
 spec/bundler/bundler_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/bundler/bundler_spec.rb b/spec/bundler/bundler_spec.rb
index ee117adc6e..19e3f0336f 100644
--- a/spec/bundler/bundler_spec.rb
+++ b/spec/bundler/bundler_spec.rb
@@ -117,7 +117,7 @@ RSpec.describe Bundler do
 it "should not pollute the TOPLEVEL_BINDING" do
 subject
- expect(TOPLEVEL_BINDING.local_variables).to_not include(:must_not_leak)
+ expect(TOPLEVEL_BINDING.eval("local_variables")).to_not include(:must_not_leak)
 end
 end
 end
-- cgit v1.2.1
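Review bot: The switch to `TOPLEVEL_BINDING.eval("local_variables")` carries no explanation in the code, so the next reader is likely to fold it back to `TOPLEVEL_BINDING.local_variables` and silently drop the pre-2.2 support the commit title names (Binding#local_variables arrived in Ruby 2.2). Suggest a comment above the expectation: `# Binding#local_variables needs Ruby >= 2.2; evaluating Kernel#local_variables inside the binding works on older rubies too`. The evaluated string is a fixed literal, so no data flows into that eval. The `it` block is fully inside the hunk, but its enclosing context starts above it.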