Print a warning for a potential confusion from the indirect dependencies.

junaruga · hsbt · commit 403d6744b227 · 2026-04-15T18:37:50.000+09:00
Print a warning when a confusion by the indirect dependencies may happen. See CVE-2020-36327 for the security risk.
diff --git a/bundler/lib/bundler/definition.rb b/bundler/lib/bundler/definition.rb
@@ -777,7 +777,27 @@ def start_resolution
     end
 
     def precompute_source_requirements_for_indirect_dependencies?
-      sources.non_global_rubygems_sources.all?(&:dependency_api_available?)
+      return false unless @remote && !sources.aggregate_global_source?
+
+      if sources.non_global_rubygems_sources.all?(&:dependency_api_available?)
+        true
+      else
+        non_dependency_api_warning
+        false
+      end
+    end
+
+    def non_dependency_api_warning
+      non_api_sources = sources.non_global_rubygems_sources.reject(&:dependency_api_available?)
+      non_api_source_names = non_api_sources.map {|d| "  * #{d}" }.join("\n")
+
+      msg = String.new
+      msg << "Your Gemfile contains scoped sources that don't implement a dependency API, namely:\n\n"
+      msg << non_api_source_names
+      msg << "\n\nUsing the above gem servers may result in installing unexpected gems. " \
+        "To resolve this warning, make sure you use gem servers that implement dependency APIs, " \
+        "such as gemstash or geminabox gem servers."
+      Bundler.ui.warn msg
     end
 
     def current_platform_locked?
diff --git a/spec/bundler/definition_spec.rb b/spec/bundler/definition_spec.rb
@@ -289,6 +289,61 @@
     end
   end
 
+  describe "#precompute_source_requirements_for_indirect_dependencies?" do
+    before do
+      allow(Bundler::SharedHelpers).to receive(:find_gemfile) { Pathname.new("Gemfile") }
+    end
+
+    let(:sources) { Bundler::SourceList.new }
+    subject { Bundler::Definition.new(nil, [], sources, []) }
+
+    context "when remote and does not have multiple global sources" do
+      before do
+        subject.instance_variable_set(:@remote, true)
+        allow(sources).to receive(:aggregate_global_source?).and_return(false)
+        allow(sources).to receive(:non_global_rubygems_sources).and_return(non_global_rubygems_sources)
+      end
+
+      context "when all the scoped sources contain a dependency API" do
+        let(:non_global_rubygems_sources) do
+          [
+            double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"),
+            double("non-global-source-1", :dependency_api_available? => true, :to_s => "b"),
+          ]
+        end
+
+        it "will not raise a warning" do
+          expect(subject).not_to receive(:non_dependency_api_warning)
+
+          expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_truthy
+        end
+      end
+
+      context "when scoped sources do not contain a dependency API" do
+        let(:non_global_rubygems_sources) do
+          [
+            double("non-global-source-0", :dependency_api_available? => true, :to_s => "a"),
+            double("non-global-source-1", :dependency_api_available? => false, :to_s => "b"),
+            double("non-global-source-2", :dependency_api_available? => false, :to_s => "c"),
+          ]
+        end
+
+        it "will raise a warning" do
+          expect(Bundler.ui).to receive(:warn).with(<<-W.strip)
+Your Gemfile contains scoped sources that don't implement a dependency API, namely:
+
+  * b
+  * c
+
+Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers.
+          W
+
+          expect(subject.send(:precompute_source_requirements_for_indirect_dependencies?)).to be_falsy
+        end
+      end
+    end
+  end
+
   def mock_source_list
     Class.new do
       def all_sources
