From f42027808b304fd6c2ac2a71453278b8c81cb390 Mon Sep 17 00:00:00 2001
From: Samuel Giddins <segiddins@segiddins.me>
Date: Wed, 6 Sep 2017 16:31:25 -0500
Subject: [Source::Rubygems] Remove .gem if downloaded package is invalid

---
 lib/bundler/source/rubygems.rb | 10 ++++++++--
 spec/install/failure_spec.rb   | 19 +++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/lib/bundler/source/rubygems.rb b/lib/bundler/source/rubygems.rb
index fa60bb0c84..e083953d42 100644
--- a/lib/bundler/source/rubygems.rb
+++ b/lib/bundler/source/rubygems.rb
@@ -120,8 +120,14 @@ module Bundler
           uris.uniq!
           Installer.ambiguous_gems << [spec.name, *uris] if uris.length > 1
 
-          s = Bundler.rubygems.spec_from_gem(fetch_gem(spec), Bundler.settings["trust-policy"])
-          spec.__swap__(s)
+          path = fetch_gem(spec)
+          begin
+            s = Bundler.rubygems.spec_from_gem(path, Bundler.settings["trust-policy"])
+            spec.__swap__(s)
+          rescue
+            Bundler.rm_rf(path)
+            raise
+          end
         end
 
         unless Bundler.settings[:no_install]
diff --git a/spec/install/failure_spec.rb b/spec/install/failure_spec.rb
index 896138c659..44006be52e 100644
--- a/spec/install/failure_spec.rb
+++ b/spec/install/failure_spec.rb
@@ -28,5 +28,24 @@ In Gemfile:
       activesupport
                      M
     end
+
+    context "because the downloaded .gem was invalid" do
+      before do
+        build_repo4 do
+          build_gem "a"
+        end
+
+        gem_repo4("gems", "a-1.0.gem").open("w") {|f| f << "<html></html>" }
+      end
+
+      it "removes the downloaded .gem" do
+        install_gemfile <<-G
+          source "file:#{gem_repo4}"
+          gem "a"
+        G
+
+        expect(default_bundle_path("cache", "a-1.0.gem")).not_to exist
+      end
+    end
   end
 end
-- 
cgit v1.2.1