lib/bundler/errors.rb in bundler-2.4.22 vs lib/bundler/errors.rb in bundler-2.5.0
- old
+ new
@@ -50,9 +50,52 @@
class APIResponseMismatchError < BundlerError; status_code(34); end
class APIResponseInvalidDependenciesError < BundlerError; status_code(35); end
class GemfileEvalError < GemfileError; end
class MarshalError < StandardError; end
+ class ChecksumMismatchError < SecurityError
+ def initialize(lock_name, existing, checksum)
+ @lock_name = lock_name
+ @existing = existing
+ @checksum = checksum
+ end
+
+ def message
+ <<~MESSAGE
+ Bundler found mismatched checksums. This is a potential security risk.
+ #{@lock_name} #{@existing.to_lock}
+ from #{@existing.sources.join("\n and ")}
+ #{@lock_name} #{@checksum.to_lock}
+ from #{@checksum.sources.join("\n and ")}
+
+ #{mismatch_resolution_instructions}
+ To ignore checksum security warnings, disable checksum validation with
+ `bundle config set --local disable_checksum_validation true`
+ MESSAGE
+ end
+
+ def mismatch_resolution_instructions
+ removable, remote = [@existing, @checksum].partition(&:removable?)
+ case removable.size
+ when 0
+ msg = +"Mismatched checksums each have an authoritative source:\n"
+ msg << " 1. #{@existing.sources.reject(&:removable?).map(&:to_s).join(" and ")}\n"
+ msg << " 2. #{@checksum.sources.reject(&:removable?).map(&:to_s).join(" and ")}\n"
+ msg << "You may need to alter your Gemfile sources to resolve this issue.\n"
+ when 1
+ msg = +"If you trust #{remote.first.sources.first}, to resolve this issue you can:\n"
+ msg << removable.first.removal_instructions
+ when 2
+ msg = +"To resolve this issue you can either:\n"
+ msg << @checksum.removal_instructions
+ msg << "or if you are sure that the new checksum from #{@checksum.sources.first} is correct:\n"
+ msg << @existing.removal_instructions
+ end
+ end
+
+ status_code(37)
+ end
+
class PermissionError < BundlerError
def initialize(path, permission_type = :write)
@path = path
@permission_type = permission_type
end