Created
December 2, 2021 21:32
-
-
Save junaruga/0e4b109537abe2757dc542d69dd17604 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[mockbuild@0c20d978b71742d9a2748f28467f17a3 cve-2020-36327]$ SERVER=gem-server BUNDLE_WARN_ON_DEPENDENCY_CONFUSION=1 ./runtest.sh | |
* Arguments | |
* SERVER: gem-server | |
* TEST_SILENT: true | |
* TEST_GEM_VERBOSE: | |
* TEST_BUNDLE_DEBUG: | |
* TEST_BUNDLE_VERBOSE: | |
* TEST_BUNDLE_INSTALL_INDEX: | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/foo/foo.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/c-0.0.2/c.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/d-0.0.2/d.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/d-0.0.3/d.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/e-0.0.3/e.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/bar-malicious/bar.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/c-0.0.1/c.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/f-0.0.2/f.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/e-0.0.2/e.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/f-0.0.3/f.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/bar/bar.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/a_okay-malicious/a_okay.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/c-0.0.3/c.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/f-0.0.1/f.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/h-0.0.1/h.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/a_okay/a_okay.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/e-0.0.1/e.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/d-0.0.1/d.gemspec ... | |
* Building gem with gemspec file /mnt/cve-2020-36327/test/fixtures/gems/g-0.0.2/g.gemspec ... | |
* Installing gems to repositories ... | |
* Public repo: Installing gems foo 0.0.1, a_okey 0.1.0, bar 0.1.0 and etc ... | |
* Private repo: Installing gems a_okey 0.0.1, bar 0.0.1 and etc ... | |
* Private 2 repo: Installing gems ... | |
* Starting repo server (server type: gem-server, port: 8801, pid: 4980) | |
* Starting repo server (server type: gem-server, port: 8802, pid: 4983) | |
* Starting repo server (server type: gem-server, port: 8803, pid: 4986) | |
* Testing ... | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer1.Gemfile [1] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 2 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer2.Gemfile [2] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
* rubygems repository http://127.0.0.1:8801/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 2 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer3.Gemfile [3] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 2 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer4.Gemfile [4] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
* rubygems repository http://127.0.0.1:8801/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 2 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer5.Gemfile [5] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching gem metadata from https://rubygems.org/ | |
Fetching source index from https://rubygems.org/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Bundle complete! 1 Gemfile dependency, 3 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/reproducer6.Gemfile [6] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8803/ | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8803/ or installed locally | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.1.0 | |
Installing a_okay 0.1.0 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching e 0.0.3 | |
Installing e 0.0.3 | |
Fetching d 0.0.3 | |
Installing d 0.0.3 | |
Fetching g 0.0.2 | |
Installing g 0.0.2 | |
Fetching c 0.0.2 | |
Installing c 0.0.2 | |
Fetching h 0.0.1 | |
Installing h 0.0.1 | |
Fetching f 0.0.1 | |
Installing f 0.0.1 | |
Bundle complete! 3 Gemfile dependencies, 9 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> FAIL - malicious gem a_okay version 0.1.0 installed from public repo. | |
=> PASS - safe gem c version 0.0.2 installed from private repo. | |
=> FAIL - malicious gem d version 0.0.3 installed from public repo. | |
=> FAIL - malicious gem e version 0.0.3 installed from public repo. | |
=> PASS - safe gem f version 0.0.1 installed from private repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/workaround1.Gemfile [7] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.0.1 | |
Installing a_okay 0.0.1 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 3 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> PASS - safe gem a_okay version 0.0.1 installed from private repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/workaround2.Gemfile [8] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.0.1 | |
Installing a_okay 0.0.1 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching foo 0.0.1 | |
Installing foo 0.0.1 | |
Bundle complete! 3 Gemfile dependencies, 4 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> PASS - safe gem a_okay version 0.0.1 installed from private repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/workaround3.Gemfile [9] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching gem metadata from https://rubygems.org/ | |
Fetching source index from https://rubygems.org/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.0.1 | |
Installing a_okay 0.0.1 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Bundle complete! 2 Gemfile dependencies, 3 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> PASS - safe gem a_okay version 0.0.1 installed from private repo. | |
* Testing with /mnt/cve-2020-36327/test/bundler/workaround4.Gemfile [10] | |
* Running 'bundle install' on BUNDLE_PATH: app ... | |
Fetching source index from http://127.0.0.1:8802/ | |
Fetching source index from http://127.0.0.1:8803/ | |
Fetching source index from http://127.0.0.1:8801/ | |
Your Gemfile contains scoped sources that don't implement a dependency API, namely: | |
* rubygems repository http://127.0.0.1:8802/ or installed locally | |
* rubygems repository http://127.0.0.1:8803/ or installed locally | |
Using the above gem servers may result in installing unexpected gems. To resolve this warning, make sure you use gem servers that implement dependency APIs, such as gemstash or geminabox gem servers. | |
Resolving dependencies... | |
Fetching a_okay 0.0.1 | |
Installing a_okay 0.0.1 | |
Fetching bar 0.0.1 | |
Installing bar 0.0.1 | |
Using bundler 1.17.2 | |
Fetching e 0.0.2 | |
Installing e 0.0.2 | |
Fetching d 0.0.2 | |
Installing d 0.0.2 | |
Fetching g 0.0.2 | |
Installing g 0.0.2 | |
Fetching c 0.0.2 | |
Installing c 0.0.2 | |
Fetching h 0.0.1 | |
Installing h 0.0.1 | |
Fetching f 0.0.1 | |
Installing f 0.0.1 | |
Bundle complete! 6 Gemfile dependencies, 9 gems now installed. | |
Bundled gems are installed into `./app` | |
=> PASS - safe gem bar version 0.0.1 installed from private repo. | |
=> PASS - safe gem a_okay version 0.0.1 installed from private repo. | |
=> PASS - safe gem c version 0.0.2 installed from private repo. | |
=> PASS - safe gem d version 0.0.2 installed from private repo. | |
=> PASS - safe gem e version 0.0.2 installed from private repo. | |
=> PASS - safe gem f version 0.0.1 installed from private repo. | |
* Result of tests | |
* Number of total tests: 10 | |
* Number of succeeded tests: 4 | |
* Number of failed tests: 6 | |
* Stopping repo server public (pid: 4980) ... | |
* Stopping repo server private (pid: 4983) ... | |
* Stopping repo server private2 (pid: 4986) ... | |
* Failed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment