Upgrade to 2.8.0

This commit is contained in:
wu-leilei 2022-07-01 14:52:59 +08:00
parent 30fb87dd2a
commit 635d2aa5b1
7 changed files with 11 additions and 195 deletions


@ -1,57 +0,0 @@
From b48ff03347a6d46e8dc674e242ce74c6381962a5 Mon Sep 17 00:00:00 2001
From: Security Curious <security-curious@pm.me>
Date: Fri, 2 Jul 2021 15:30:02 -0400
Subject: [PATCH] Prevent ReDOS vuln on URI Template matching
The regular expression used to match a template against a URL is
vulnerable to a regular expression denial-of-service via catastrophic
backtracking.
This commit includes a test that demonstrates the failure without
the fix as well as updates the regexp to remove the vulnerability.
The vulnerability is removed by updating the grouping to be atomic.
---
lib/addressable/template.rb | 2 +-
spec/addressable/template_spec.rb | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/addressable/template.rb b/lib/addressable/template.rb
index 2696695..45967ce 100644
--- a/lib/addressable/template.rb
+++ b/lib/addressable/template.rb
@@ -37,7 +37,7 @@ class Template
Addressable::URI::CharacterClasses::DIGIT + '_'
var_char =
- "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+ "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
RESERVED =
"(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
UNRESERVED =
diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
index a019165..d47589a 100644
--- a/spec/addressable/template_spec.rb
+++ b/spec/addressable/template_spec.rb
@@ -19,6 +19,7 @@
require "spec_helper"
require "bigdecimal"
+require "timeout"
require "addressable/template"
shared_examples_for 'expands' do |tests|
@@ -1340,6 +1341,14 @@ def self.match(name)
expect(subject).not_to match("foo_bar*")
expect(subject).not_to match("foo_bar:20")
end
+
+ it 'should parse in a reasonable time' do
+ expect do
+ Timeout.timeout(0.1) do
+ expect(subject).not_to match("0"*25 + "!")
+ end
+ end.not_to raise_error
+ end
end
context "VARIABLE_LIST" do
subject { Addressable::Template::VARIABLE_LIST }

Binary file not shown.

BIN
addressable-2.8.0.gem Normal file

Binary file not shown.


@ -1,71 +0,0 @@
--- spec/addressable/uri_spec_orig.rb
+++ spec/addressable/uri_spec.rb
@@ -401,9 +401,9 @@
expect(@uri.normalized_host).to eq("example.com")
end
- it "returns 'com' for #tld" do
- expect(@uri.tld).to eq("com")
- end
+ # it "returns 'com' for #tld" do
+ # expect(@uri.tld).to eq("com")
+ # end
it "returns 'user:password@example.com:8080' for #authority" do
expect(@uri.authority).to eq("user:password@example.com:8080")
@@ -2393,9 +2393,9 @@
expect(@uri.origin).to eq('http://example.com')
end
- it "should have a tld of 'com'" do
- expect(@uri.tld).to eq('com')
- end
+ # it "should have a tld of 'com'" do
+ # expect(@uri.tld).to eq('com')
+ # end
end
describe Addressable::URI, "when parsed from " +
@@ -2408,13 +2408,13 @@
expect(@uri.origin).to eq('http://www.example.co.uk')
end
- it "should have a tld of 'co.uk'" do
- expect(@uri.tld).to eq('co.uk')
- end
-
- it "should have a domain of 'example.co.uk'" do
- expect(@uri.domain).to eq('example.co.uk')
- end
+ # it "should have a tld of 'co.uk'" do
+ # expect(@uri.tld).to eq('co.uk')
+ # end
+
+ # it "should have a domain of 'example.co.uk'" do
+ # expect(@uri.domain).to eq('example.co.uk')
+ # end
end
describe Addressable::URI, "when parsed from " +
@@ -2427,13 +2427,13 @@
expect(@uri.origin).to eq('http://sub_domain.blogspot.com')
end
- it "should have a tld of 'com'" do
- expect(@uri.tld).to eq('com')
- end
-
- it "should have a domain of 'blogspot.com'" do
- expect(@uri.domain).to eq('blogspot.com')
- end
+ # it "should have a tld of 'com'" do
+ # expect(@uri.tld).to eq('com')
+ # end
+
+ # it "should have a domain of 'blogspot.com'" do
+ # expect(@uri.domain).to eq('blogspot.com')
+ # end
end
describe Addressable::URI, "when parsed from " +


@ -1,18 +0,0 @@
--- Gemfile
+++ Gemfile
@@ -14,13 +14,11 @@
end
group :test, :development do
- gem 'rake', '> 10.0', '< 12'
+ gem 'rake', '> 10.0', '< 12.1'
gem 'simplecov', :require => false
gem 'coveralls', :require => false, :platforms => [
:ruby_20, :ruby_21, :ruby_22, :ruby_23
]
- # Used to test compatibility.
- gem 'rack-mount', git: 'https://github.com/sporkmonger/rack-mount.git', require: 'rack/mount'
if RUBY_VERSION.start_with?('2.0', '2.1')
gem 'rack', '< 2', :require => false


@ -1,30 +0,0 @@
From a9432d389954611956ea389de2f819986985ba35 Mon Sep 17 00:00:00 2001
From: takkanm <takkanm@gmail.com>
Date: Tue, 26 Dec 2017 20:44:52 +0900
Subject: [PATCH] remove deprecated warning
BigDecimal.new is deprecated in Ruby2.5
```
spec/addressable/template_spec.rb:85: warning: BigDecimal.new is deprecated; use Kernel.BigDecimal method instead.
```
---
spec/addressable/template_spec.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/addressable/template_spec.rb b/spec/addressable/template_spec.rb
index bd8ab12..cff4a87 100644
--- a/spec/addressable/template_spec.rb
+++ b/spec/addressable/template_spec.rb
@@ -82,7 +82,7 @@ describe "Type conversion" do
:hello => 1234,
:nothing => nil,
:sym => :symbolic,
- :decimal => BigDecimal.new('1')
+ :decimal => BigDecimal('1')
}
}
--
2.30.0


@ -1,7 +1,7 @@
%global gem_name addressable %global gem_name addressable
Name: rubygem-%{gem_name} Name: rubygem-%{gem_name}
Version: 2.5.2 Version: 2.8.0
Release: 3 Release: 1
Summary: URI Implementation Summary: URI Implementation
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/sporkmonger/addressable URL: https://github.com/sporkmonger/addressable
@ -9,12 +9,7 @@ Source0: https://rubygems.org/gems/%{gem_name}-%{version}.gem
BuildRequires: ruby(release) rubygems-devel rubygem(bigdecimal) rubygem(public_suffix) BuildRequires: ruby(release) rubygems-devel rubygem(bigdecimal) rubygem(public_suffix)
BuildRequires: rubygem(rspec-its) rubygem(idn) BuildRequires: rubygem(rspec-its) rubygem(idn)
BuildArch: noarch BuildArch: noarch
# Revert f1d5855162c48d06eb1907871909d5859b9a7d3c (rack-mount)
Patch0: no-rack-mount.patch
# Comment out failing tests
Patch1: fix_addressable_tests.patch
Patch2: CVE-2021-32740.patch
Patch3: remove-deprecated-warning.patch
%description %description
Addressable is a replacement for the URI implementation that is part of Addressable is a replacement for the URI implementation that is part of
Ruby's standard library. It more closely conforms to the relevant RFCs and Ruby's standard library. It more closely conforms to the relevant RFCs and
@ -28,16 +23,10 @@ BuildArch: noarch
Documentation for %{name}. Documentation for %{name}.
%prep %prep
gem unpack %{SOURCE0} %setup -q -n %{gem_name}-%{version}
%setup -q -D -T -n %{gem_name}-%{version}
gem spec %{SOURCE0} -l --ruby > %{gem_name}.gemspec
%patch0
%patch1
%patch2 -p1
%patch3 -p1
%build %build
gem build %{gem_name}.gemspec gem build ../%{gem_name}-%{version}.gemspec
%gem_install %gem_install
%install %install
@ -47,11 +36,10 @@ cp -a .%{gem_dir}/* \
%check %check
pushd .%{gem_instdir} pushd .%{gem_instdir}
rm spec/addressable/rack_mount_compat_spec.rb
sed -i "/require 'bundler\/setup'/ s/^/#/" spec/spec_helper.rb sed -i "/require 'bundler\/setup'/ s/^/#/" spec/spec_helper.rb
sed -i '/^begin$/,/^end$/ s/^/#/' spec/spec_helper.rb sed -i '/^begin$/,/^end$/ s/^/#/' spec/spec_helper.rb
rm spec/addressable/net_http_compat_spec.rb mv spec/addressable/net_http_compat_spec.rb{,.disabled}
rspec spec/ LC_ALL=C.UTF-8 rspec spec/
popd popd
%files %files
@ -70,8 +58,12 @@ popd
%doc %{gem_instdir}/README.md %doc %{gem_instdir}/README.md
%{gem_instdir}/Rakefile %{gem_instdir}/Rakefile
%{gem_instdir}/spec %{gem_instdir}/spec
%{gem_instdir}/%{gem_name}.gemspec
%changelog %changelog
* Thu Jun 30 2022 wulei <wulei80@h-partners.com> - 2.8.0-1
- Upgrade to 2.8.0
* Fri Jan 21 2022 chenchen <chen_aka_jan@163.com> - 2.5.2-3 * Fri Jan 21 2022 chenchen <chen_aka_jan@163.com> - 2.5.2-3
- remove deprecated warning for fix build error - remove deprecated warning for fix build error
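Review bot: The new `%changelog` entry `- Upgrade to 2.8.0` does not record that `Patch2: CVE-2021-32740.patch` (the ReDoS fix for URI Template matching) is being dropped because the upstream release now carries that fix; distribution security trackers key on the changelog, so say it explicitly, e.g. `- Upgrade to 2.8.0, drop CVE-2021-32740.patch (fix included upstream)`. Removing `Patch1: fix_addressable_tests.patch` means the previously commented-out `#tld`/`#domain` specs run again in `%check`; that should be fine with `rubygem(public_suffix)` already in `BuildRequires`, but confirm it from a build log rather than assuming. In `%check`, `rm spec/addressable/net_http_compat_spec.rb` becomes `mv spec/addressable/net_http_compat_spec.rb{,.disabled}` with no stated reason; a one-line comment such as `# net_http compat spec needs network access, unavailable in the build chroot` (presumably the reason — verify) keeps the next maintainer from re-enabling it blindly. The trailing `%changelog` context of this hunk may extend past the last line shown.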