diff --git a/.ruby-version b/.ruby-version index 30f69e8cc5..be94e6f53d 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.5.9 +3.2.2 diff --git a/.travis.yml b/.travis.yml index 107cb59dc4..e1e5a0ab2d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ language: ruby dist: bionic -rvm: 2.5.9 +rvm: 3.2.2 services: - redis diff --git a/Dockerfile b/Dockerfile index 149c82c961..8d6932be4f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ruby:2.5.9 as builder +FROM ruby:3.2.2 as builder ARG GITHUB_OAUTH_TOKEN=notset @@ -18,7 +18,7 @@ RUN bundle exec rake assets:precompile GITHUB_OAUTH_TOKEN=$GITHUB_OAUTH_TOKEN RUN tar -cjf public.tar.bz2 public && rm -rf public -FROM ruby:2.5.9-slim +FROM ruby:3.2.2-slim LABEL maintainer Travis CI GmbH @@ -26,6 +26,11 @@ ENV TRAVIS_BUILD_DUMP_BACKTRACE true ENV PORT 4000 RUN gem update --system 3.3.26 > /dev/null 2>&1 +RUN ( \ + apt-get update ; \ + apt-get install -y --no-install-recommends libjemalloc-dev\ + && rm -rf /var/lib/apt/lists/* \ +) WORKDIR /app diff --git a/Gemfile b/Gemfile index 326f40c865..c25d6546ed 100644 --- a/Gemfile +++ b/Gemfile 
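Review bot: In the added `RUN` step, `apt-get update ;` lets the install proceed even when the index refresh fails, so the layer can be built from stale or missing package lists without failing the build. Chain the two commands instead: `apt-get update && \`. The step also installs `libjemalloc-dev` into the slim runtime stage; if the library is only preloaded (the `je` wrapper added in this commit suggests so), the runtime library package would keep headers out of the final image, which is worth confirming. A space before the trailing backslash after `libjemalloc-dev` would match the other lines.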
@@ -5,26 +5,25 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" } ruby File.read(File.expand_path('.ruby-version', __dir__)).strip -gem 'activesupport', '~> 4.0' +gem 'activesupport', '~> 7' gem 'addressable', '~> 2.3' gem 'codeclimate-test-reporter', require: false, group: %i[development test] gem 'coder' gem 'connection_pool' gem 'faraday' gem 'faraday_middleware' -gem 'jemalloc', github: 'travis-ci/jemalloc-rb' gem 'jwt', '~> 1.5' gem 'metriks', '0.9.9.6' gem 'metriks-librato_metrics', github: 'eric/metriks-librato_metrics' gem 'minitar' gem 'mocha', require: false, group: %i[development test] gem 'parallel_tests', require: false, group: %i[development test] -gem 'pry', require: false, group: %i[development test] +gem 'pry', '>= 0.14.2', require: false, group: %i[development test] gem 'webmock', group: :test gem 'puma' -gem 'rack', '>= 2.1.4' +gem 'rack', '>= 2.2.4' gem 'rack-ssl', '~> 1.4' -gem 'rack-test' +gem 'rack-test', '>= 2.1.0' gem 'rake' gem 'rbtrace' gem 'rerun', require: false, group: :development @@ -32,13 +31,16 @@ gem 'rspec', '~> 3.0', group: %i[development test] gem 'rubocop', require: false, group: %i[development test] gem 'sentry-raven' gem 'simplecov', require: false, group: %i[development test] -gem 'sinatra' -gem 'sinatra-contrib' +gem 'sinatra', '>= 3.0.6' gem 'travis' -gem 'travis-config' +gem 'travis-config', github: 'travis-ci/travis-config', branch: 'prd-ruby-upgrade-dev' gem 'travis-github_apps', github: 'travis-ci/travis-github_apps' gem 'travis-rollout', github: 'travis-ci/travis-rollout' gem 'travis-support', github: 'travis-ci/travis-support' gem "octokit", "~> 4.18" gem 'rest-client' + +github 'sinatra/sinatra' do + gem 'sinatra-contrib' +end diff --git a/Gemfile.lock b/Gemfile.lock index 4ffab5be1d..84c626d889 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
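Review bot: `travis-config` now tracks the branch `prd-ruby-upgrade-dev` and `sinatra-contrib` tracks the default branch of `sinatra/sinatra`, so both resolve to whatever those refs point at the next time the lockfile is regenerated. Gemfile.lock pins a revision today, but a `bundle update` would pull unreviewed commits into a service that generates build scripts. Pin the reviewed commit in the Gemfile itself, e.g. `gem 'travis-config', github: 'travis-ci/travis-config', ref: 'f02604a813cce3a672ae89cd7e4adaa30b001532'`. If the released `sinatra-contrib` 3.0.6 gem works, depend on it from rubygems rather than the git source.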
@@ -6,10 +6,25 @@ GIT metriks (>= 0.9.9.6) GIT - remote: https://github.com/travis-ci/jemalloc-rb.git - revision: e9528e26aff663efa2c124cdeca47700e389097d + remote: https://github.com/sinatra/sinatra.git + revision: 3fe6297a4bec04e279df7842fe50fb7526dea65a specs: - jemalloc (1.0.2) + rack-protection (3.0.6) + rack + sinatra-contrib (3.0.6) + multi_json + mustermann (~> 3.0) + rack-protection (= 3.0.6) + sinatra (= 3.0.6) + tilt (~> 2.0) + +GIT + remote: https://github.com/travis-ci/travis-config.git + revision: f02604a813cce3a672ae89cd7e4adaa30b001532 + branch: prd-ruby-upgrade-dev + specs: + travis-config (1.1.5) + hashr (~> 2.0) GIT remote: https://github.com/travis-ci/travis-github_apps.git @@ -37,11 +52,11 @@ GIT GEM remote: https://rubygems.org/ specs: - activesupport (4.2.11.1) - i18n (~> 0.7) - minitest (~> 5.1) - thread_safe (~> 0.3, >= 0.3.4) - tzinfo (~> 1.1) + activesupport (7.0.7.2) + concurrent-ruby (~> 1.0, >= 1.0.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) addressable (2.8.4) public_suffix (>= 2.0.2, < 6.0) ast (2.4.0) @@ -51,8 +66,8 @@ GEM codeclimate-test-reporter (1.0.8) simplecov (<= 0.13) coder (0.4.0) - coderay (1.1.2) - concurrent-ruby (1.1.6) + coderay (1.1.3) + concurrent-ruby (1.2.2) connection_pool (2.2.2) crack (0.4.5) rexml @@ -81,19 +96,17 @@ GEM http-accept (1.7.0) http-cookie (1.0.5) domain_name (~> 0.5) - i18n (0.9.5) + i18n (1.14.1) concurrent-ruby (~> 1.0) jaro_winkler (1.5.1) json (2.3.1) jwt (1.5.6) launchy (2.4.3) addressable (~> 2.3) - listen (3.1.5) - rb-fsevent (~> 0.9, >= 0.9.4) - rb-inotify (~> 0.9, >= 0.9.7) - ruby_dep (~> 1.2) - metaclass (0.0.4) - method_source (0.9.0) + listen (3.8.0) + rb-fsevent (~> 0.10, >= 0.10.3) + rb-inotify (~> 0.9, >= 0.9.10) + method_source (1.0.0) metriks (0.9.9.6) atomic (~> 1.0) avl_tree (~> 1.1.2) 
@@ -101,45 +114,43 @@ GEM mime-types (3.4.1) mime-types-data (~> 3.2015) mime-types-data (3.2022.0105) - minitar (0.6.1) - minitest (5.14.0) - mocha (1.7.0) - metaclass (~> 0.0.1) - msgpack (1.7.0) + minitar (0.9) + minitest (5.19.0) + mocha (2.0.0) + msgpack (1.7.1) multi_json (1.14.1) multipart-post (2.3.0) - mustermann (1.1.1) + mustermann (3.0.0) ruby2_keywords (~> 0.0.1) - net-http-persistent (3.0.0) + net-http-persistent (4.0.2) connection_pool (~> 2.2) net-http-pipeline (1.0.1) netrc (0.11.0) + nio4r (2.5.9) octokit (4.22.0) faraday (>= 0.9) sawyer (~> 0.8.0, >= 0.5.3) optimist (3.0.1) parallel (1.12.1) - parallel_tests (2.23.0) + parallel_tests (4.2.1) parallel parser (2.5.1.2) ast (~> 2.4.0) - powerpack (0.1.2) - pry (0.11.3) - coderay (~> 1.1.0) - method_source (~> 0.9.0) + pry (0.14.2) + coderay (~> 1.1) + method_source (~> 1.0) public_suffix (4.0.7) - puma (3.12.6) + puma (6.3.0) + nio4r (~> 2.0) pusher-client (0.6.2) json websocket (~> 1.0) - rack (2.2.6.2) - rack-protection (2.0.8.1) - rack + rack (2.2.7) rack-ssl (1.4.1) rack - rack-test (1.1.0) - rack (>= 1.0, < 3) - rainbow (3.0.0) + rack-test (2.1.0) + rack (>= 1.3) + rainbow (3.1.1) rake (12.3.3) rb-fsevent (0.10.3) rb-inotify (0.9.10) @@ -149,7 +160,7 @@ GEM msgpack (>= 0.4.3) optimist (>= 3.0.0) redis (4.1.4) - rerun (0.13.0) + rerun (0.14.0) listen (~> 3.0) rest-client (2.1.0) http-accept (>= 1.7.0, < 2.0) 
@@ -170,42 +181,32 @@ GEM diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.8.0) rspec-support (3.8.0) - rubocop (0.59.2) + rubocop (0.68.1) jaro_winkler (~> 1.5.1) parallel (~> 1.10) parser (>= 2.5, != 2.5.1.1) - powerpack (~> 0.1) rainbow (>= 2.2.2, < 4.0) ruby-progressbar (~> 1.7) - unicode-display_width (~> 1.0, >= 1.0.1) + unicode-display_width (>= 1.4.0, < 1.6) ruby-progressbar (1.10.0) - ruby2_keywords (0.0.2) - ruby_dep (1.5.0) + ruby2_keywords (0.0.5) sawyer (0.8.2) addressable (>= 2.3.5) faraday (> 0.8, < 2.0) - sentry-raven (2.7.4) + sentry-raven (2.13.0) faraday (>= 0.7.6, < 1.0) simplecov (0.13.0) docile (~> 1.1.0) json (>= 1.8, < 3) simplecov-html (~> 0.10.0) simplecov-html (0.10.2) - sinatra (2.0.8.1) - mustermann (~> 1.0) - rack (~> 2.0) - rack-protection (= 2.0.8.1) - tilt (~> 2.0) - sinatra-contrib (2.0.8.1) - backports (>= 2.8.2) - multi_json - mustermann (~> 1.0) - rack-protection (= 2.0.8.1) - sinatra (= 2.0.8.1) + sinatra (3.0.6) + mustermann (~> 3.0) + rack (~> 2.2, >= 2.2.4) + rack-protection (= 3.0.6) tilt (~> 2.0) - thread_safe (0.3.6) - tilt (2.0.10) - travis (1.8.9) + tilt (2.2.0) + travis (1.8.13) backports faraday (~> 0.9) faraday_middleware (~> 0.9, >= 0.9.1) @@ -214,12 +215,10 @@ GEM launchy (~> 2.1) pusher-client (~> 0.4) typhoeus (~> 0.6, >= 0.6.8) - travis-config (1.1.3) - hashr (~> 2.0) typhoeus (0.8.0) ethon (>= 0.8.0) - tzinfo (1.2.7) - thread_safe (~> 0.1) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) unf (0.1.4) unf_ext unf_ext (0.0.8.2) @@ -234,14 +233,13 @@ PLATFORMS ruby DEPENDENCIES - activesupport (~> 4.0) + activesupport (~> 7) addressable (~> 2.3) codeclimate-test-reporter coder connection_pool faraday faraday_middleware - jemalloc! jwt (~> 1.5) metriks (= 0.9.9.6) metriks-librato_metrics! @@ -249,11 +247,11 @@ DEPENDENCIES mocha octokit (~> 4.18) parallel_tests - pry + pry (>= 0.14.2) puma - rack (>= 2.1.4) + rack (>= 2.2.4) rack-ssl (~> 1.4) - rack-test + rack-test (>= 2.1.0) rake rbtrace rerun 
@@ -262,17 +260,17 @@ DEPENDENCIES rubocop sentry-raven simplecov - sinatra - sinatra-contrib + sinatra (>= 3.0.6) + sinatra-contrib! travis - travis-config + travis-config! travis-github_apps! travis-rollout! travis-support! webmock RUBY VERSION - ruby 2.5.9p229 + ruby 3.2.2p53 BUNDLED WITH 2.3.26 diff --git a/je b/je new file mode 100755 index 0000000000..2439a1725e --- /dev/null +++ b/je @@ -0,0 +1,44 @@ +#!/usr/bin/env ruby +# Help +def usage + puts < Injecting jemalloc..." if $verbose + ENV.store("LD_PRELOAD", lib_dir + "/jemalloc.so") +elsif File.exist? (lib_dir + "/jemalloc.bundle") + puts "=> Injecting jemalloc..." if $verbose + ENV.store("DYLD_INSERT_LIBRARIES", lib_dir + "/jemalloc.bundle") +elsif File.exist? ($sys_jemalloc) + puts "=> Injecting jemalloc..." if $verbose + ENV.store("LD_PRELOAD", $sys_jemalloc) +else + puts "=> Can't inject, jemalloc not found" +end + +Kernel.exec *argv diff --git a/lib/core_ext/string/output_safe.rb b/lib/core_ext/string/output_safe.rb index f5cd8e2016..67b06b0ccd 100644 --- a/lib/core_ext/string/output_safe.rb +++ b/lib/core_ext/string/output_safe.rb @@ -2,6 +2,6 @@ class String def output_safe - dup.untaint + dup end end diff --git a/lib/travis/build/addons.rb b/lib/travis/build/addons.rb index c300e5b3b9..6b801e15a1 100644 --- a/lib/travis/build/addons.rb +++ b/lib/travis/build/addons.rb @@ -55,7 +55,7 @@ def run_addon?(const) end def run_stage?(addon, stage) - addon.respond_to?(stage) && (!addon.respond_to?(:"#{stage}?") || addon.send(:"#{stage}?")) + addon.class.method_defined?(stage) && (!addon.class.method_defined?(:"#{stage}?") || addon.send(:"#{stage}?")) end def addon(name, config) diff --git a/lib/travis/build/appliances/agent.rb b/lib/travis/build/appliances/agent.rb index 5279ab8dd0..9e474d5507 100644 --- a/lib/travis/build/appliances/agent.rb +++ b/lib/travis/build/appliances/agent.rb 
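Review bot: The preload branches in `je` call `ENV.store("LD_PRELOAD", ...)` and `ENV.store("DYLD_INSERT_LIBRARIES", ...)`, which replace any value the caller already set, and they build the library path by string concatenation from `lib_dir`. Whatever sits at that path is loaded into every process the wrapper starts, so the script should state in a comment where `lib_dir` and `$sys_jemalloc` are expected to point; their assignment is not visible in this view. Prefer `File.join(lib_dir, "jemalloc.so")` for the path. `File.exist? (...)` and `Kernel.exec *argv` both trigger Ruby warnings; write `File.exist?(...)` and `Kernel.exec(*argv)`.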
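Review bot: After this change `String#output_safe` is just `dup`, yet the name still promises that the value has been vetted for output. The only caller visible in this diff (`handle_secure_vars` in generator/bash.rb) is removed by the same commit, so the core extension looks dead. Delete it, or add a comment such as `# No-op since taint tracking was removed in Ruby 3.2; not a sanitizer.` so that nobody relies on it as one.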
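Review bot: `run_stage?` now asks `addon.class.method_defined?` instead of `addon.respond_to?`, and the two are not equivalent: `method_defined?` also returns true for protected methods and ignores singleton methods and `respond_to_missing?`. The reason for the switch is not stated anywhere in the hunk. A one-line comment above the condition, naming the case where `respond_to?` gave the wrong answer under the new Ruby/ActiveSupport versions, would stop a later cleanup from reverting it. The enclosing class is outside the hunk.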
@@ -42,7 +42,7 @@ def store_key def agent str = File.read(path) % { url: "#{ENV['HUB_URL']}/jobs/#{job_id}" } - str.untaint + str end def path @@ -54,7 +54,7 @@ def key end def token - jwt.create.untaint + jwt.create end def jwt diff --git a/lib/travis/build/config.rb b/lib/travis/build/config.rb index 8670cb2466..fec6156e60 100644 --- a/lib/travis/build/config.rb +++ b/lib/travis/build/config.rb @@ -119,7 +119,7 @@ def sc_data 'NETWORK_CHECK_URLS', 'http://%{app_host}/empty.txt?job_id=%{job_id}&repo=%{repo}' ) - ).split(',').map { |s| URI.unescape(s.strip) } + ).split(',').map { |s| CGI.unescape(s.strip) } }, redis: { url: 'redis://localhost:6379', @@ -130,7 +130,6 @@ def sc_data sentry_dsn: ENV.fetch( 'TRAVIS_BUILD_SENTRY_DSN', ENV.fetch('SENTRY_DSN', '') ), - tainted_node_logging_enabled: false, trace_command: ENV.fetch('TRACE_COMMAND', 'GIT_TRACE=true'), trace_git_commands_owners: ENV.fetch('TRACE_GIT_COMMANDS_OWNERS', ''), trace_git_commands_slugs: ENV.fetch('TRACE_GIT_COMMANDS_SLUGS', ''), diff --git a/lib/travis/build/env/var.rb b/lib/travis/build/env/var.rb index ee73bae33f..9697018a26 100644 --- a/lib/travis/build/env/var.rb +++ b/lib/travis/build/env/var.rb @@ -38,7 +38,7 @@ def mark_secure(vars) def initialize(key, value, options = {}) @key = key.to_s - @value = value.to_s.tap { |value| value.taint if options[:secure] } + @value = value.to_s @type = options[:type] @secure = !!options[:secure] end diff --git a/lib/travis/build/rake_tasks.rb b/lib/travis/build/rake_tasks.rb index 291da0774b..0897e76dda 100644 --- a/lib/travis/build/rake_tasks.rb +++ b/lib/travis/build/rake_tasks.rb 
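Review bot: `CGI.unescape` is not a drop-in for `URI.unescape` in the `NETWORK_CHECK_URLS` mapping: it also turns `+` into a space, so a configured URL with a literal `+` in its path or query is altered. `URI::DEFAULT_PARSER.unescape(s.strip)` keeps the previous decoding. If `CGI` stays, confirm that `require 'cgi'` is loaded for this file; no require is visible in the hunk.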
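Review bot: With `value.taint` gone from `Var#initialize`, and the `TaintedOutput` check removed from `Script#compile` and `Generator#generate` later in this commit, nothing in the visible code detects a secure env value reaching the compiled script outside the `[secure]` display path. Ruby 3.2 forces dropping taint, but the guard deserves an explicit replacement, such as a wrapper type for secure values that the generator must unwrap deliberately. The deleted specs also take cases with them that do not appear to depend on taint: `includes secure vars` and `marks secure vars as secure` in env_spec.rb, and the `--display export FOO=[secure]` export case in bash_spec.rb. Those should be kept so the masking behaviour stays covered.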
@@ -209,10 +209,10 @@ def semver_cmp(vers_a, vers_b) end def task_clean - rm_rf(top + 'examples') - rm_rf(top + 'public/files') - rm_rf(top + 'tmp/sc_data.json') - rm_rf(top + 'tmp/ghc-versions.html') + system("rm -Rf " + top.to_s + "/examples") + system("rm -Rf " + top.to_s + "/public/files") + system("rm -Rf " + top.to_s + "/tmp/sc_data.json") + system("rm -Rf " + top.to_s + "/tmp/ghc-versions.html") end def file_update_casher diff --git a/lib/travis/build/script.rb b/lib/travis/build/script.rb index 53e86db112..5948cbd9f2 100644 --- a/lib/travis/build/script.rb +++ b/lib/travis/build/script.rb @@ -132,12 +132,9 @@ def initialize(data) @setup_cache_has_run_for = {} end - def compile(ignore_taint = false) + def compile nodes = sexp - Shell.generate(nodes, ignore_taint) - rescue Travis::Shell::Generator::TaintedOutput => to - log_tainted_nodes(nodes) - raise to + Shell.generate(nodes) rescue Exception => e event = Travis::Build.config.sentry_dsn.empty? ? nil : Raven.capture_exception(e) @@ -158,14 +155,6 @@ def sexp sh.to_sexp end - def log_tainted_nodes(nodes) - return unless Travis::Build.config.tainted_node_logging_enabled? - tainted_values = nodes.flatten.select(&:tainted?) - Travis::Build.logger.error( - "nodes contain tainted value(s) #{tainted_values.inspect}" - ) - end - def cache_slug_keys plain_env_vars = Array((config[:env] || []).dup).delete_if {|env| env.start_with? 'SECURE '} diff --git a/lib/travis/build/script/objective_c.rb b/lib/travis/build/script/objective_c.rb index 9ab9582a67..0eb764635b 100644 --- a/lib/travis/build/script/objective_c.rb +++ b/lib/travis/build/script/objective_c.rb 
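Review bot: `task_clean` now builds shell command lines by concatenation (`system("rm -Rf " + top.to_s + "/examples")`), so a checkout path containing spaces or shell metacharacters is split or interpreted by the shell. The return value of `system` is ignored too, so a failed delete goes unnoticed. Avoid the shell entirely: `FileUtils.rm_rf(top.join('examples'))` if `top` is a Pathname (the removed `top + 'examples'` suggests it is), or the list form `system('rm', '-Rf', top.join('examples').to_s)`. The same applies to the other three lines of the hunk.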
@@ -143,11 +143,13 @@ def use_xctool? end def xcodebuild_args + args = "" config[:xcodebuild_args].to_s.tap do |xcodebuild_args| %w[project workspace scheme sdk destination].each do |var| - xcodebuild_args << " -#{var} #{config[:"xcode_#{var}"].to_s.shellescape}" if config[:"xcode_#{var}"] + args << " -#{var} #{config[:"xcode_#{var}"].to_s.shellescape}" if config[:"xcode_#{var}"] end - end.strip + end + args.strip end def suppress_cocoapods_msg diff --git a/lib/travis/build/script/python.rb b/lib/travis/build/script/python.rb index eb2eebd7cf..96d463468d 100644 --- a/lib/travis/build/script/python.rb +++ b/lib/travis/build/script/python.rb @@ -106,7 +106,7 @@ def virtualenv end def pypy? - config[:python] =~ /pypy/i + config[:python].to_s =~ /pypy/i end def system_site_packages diff --git a/lib/travis/build/script/shared/directory_cache/base.rb b/lib/travis/build/script/shared/directory_cache/base.rb index 31d45c23ce..905b887d52 100644 --- a/lib/travis/build/script/shared/directory_cache/base.rb +++ b/lib/travis/build/script/shared/directory_cache/base.rb @@ -351,7 +351,7 @@ def normalize_name(branch) end def uri_normalize_name(branch) - URI.encode(branch) + URI::Parser.new.escape(branch) end def aws_signature_version diff --git a/lib/travis/build/script/shared/directory_cache/signatures/aws4_signature.rb b/lib/travis/build/script/shared/directory_cache/signatures/aws4_signature.rb index e40aa9eba8..9e1934133d 100644 --- a/lib/travis/build/script/shared/directory_cache/signatures/aws4_signature.rb +++ b/lib/travis/build/script/shared/directory_cache/signatures/aws4_signature.rb @@ -41,7 +41,7 @@ def timestamp def query_string canonical_query_params.map { |key, value| - "#{URI.encode(key.to_s, /[^~a-zA-Z0-9_.-]/)}=#{URI.encode(value.to_s, /[^~a-zA-Z0-9_.-]/)}" + "#{URI::Parser.new.escape(key.to_s, /[^~a-zA-Z0-9_.-]/)}=#{URI::Parser.new.escape(value.to_s, /[^~a-zA-Z0-9_.-]/)}" }.join('&') end 
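Review bot: The rewritten `xcodebuild_args` drops the user's `config[:xcodebuild_args]`: the flags are appended to the new `args` string and only `args.strip` is returned, while the string yielded by `tap` is discarded. Seed the accumulator from the config value and remove the now pointless `tap` wrapper: `args = config[:xcodebuild_args].to_s.dup`, then the `%w[...].each` loop, then `args.strip`. The `dup` also avoids mutating the config string or appending to a frozen one, which is presumably what this change was after.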
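Review bot: `URI::Parser.new.escape(branch)` in `uri_normalize_name` builds a fresh parser, including its regexp tables, on every call. `query_string` in aws4_signature.rb does so twice per query parameter, and the gcs/s3 specs repeat the pattern. Reuse the shared instance instead: `URI::DEFAULT_PARSER.escape(branch)`. As with the old `URI.encode`, reserved characters such as `/` and `?` in a branch name pass through unescaped; a short comment saying this is intended for cache URLs would help the next reader.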
diff --git a/lib/travis/shell.rb b/lib/travis/shell.rb index 9a979f3f0d..9296e10bf5 100644 --- a/lib/travis/shell.rb +++ b/lib/travis/shell.rb @@ -6,8 +6,8 @@ module Travis module Shell class << self - def generate(nodes, ignore_taint = false) - Generator::Bash.new(nodes).generate(ignore_taint) + def generate(nodes) + Generator::Bash.new(nodes).generate end end end diff --git a/lib/travis/shell/generator.rb b/lib/travis/shell/generator.rb index 1c53067ef7..dce7a2c026 100644 --- a/lib/travis/shell/generator.rb +++ b/lib/travis/shell/generator.rb @@ -1,7 +1,6 @@ module Travis module Shell class Generator - TaintedOutput = Class.new(StandardError) attr_reader :nodes, :level, :trace MAX_SPAN_ID = 0xffffffffffffffff @@ -15,11 +14,9 @@ def initialize(nodes) ] end - def generate(ignore_taint = false) + def generate() lines = Array(handle(nodes)).flatten script = lines.join("\n").strip - raise TaintedOutput if !ignore_taint && script.tainted? - script = unindent(script) script = normalize_newlines(script) script end @@ -51,10 +48,6 @@ def indent(lines = nil) lines end - def unindent(string) - string.gsub /^#{string[/\A\s*/]}/, '' - end - def normalize_newlines(string) string.gsub("\n\n\n", "\n\n") end diff --git a/lib/travis/shell/generator/bash.rb b/lib/travis/shell/generator/bash.rb index f5065557b0..6a1f1e4cea 100644 --- a/lib/travis/shell/generator/bash.rb +++ b/lib/travis/shell/generator/bash.rb @@ -203,11 +203,6 @@ def handle_else(cmds) def handle_secure_vars(key, value, options) if options[:echo] && options[:secure] options[:echo] = "export #{key}=[secure]" - # Mark secure value as safe for output *here only* - # to ensure the presence of the previously tainted - # value in any other strings will result in the - # compiled script being tainted - value = value.output_safe end [key, value, options] end diff --git a/public/version-aliases/ghc.json b/public/version-aliases/ghc.json index c0e517d87c..fcfac023a8 100644 --- a/public/version-aliases/ghc.json 
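Review bot: `Travis::Shell.generate` and `Generator#generate` lose their optional `ignore_taint` parameter, so any caller outside this diff that still passes a second argument now raises `ArgumentError`. header_spec.rb is updated, but other callers are not visible here and should be checked. In generator.rb, write the definition as `def generate`; empty parentheses on a parameterless method are not idiomatic Ruby.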
+++ b/public/version-aliases/ghc.json @@ -211,4 +211,4 @@ "9.8.0.20230809": "9.8.0.20230809", "9.8.1-alpha1": "9.8.1-alpha1", "9.8.1-alpha2": "9.8.1-alpha2" -} \ No newline at end of file +} diff --git a/spec/build/env_spec.rb b/spec/build/env_spec.rb index 310db06cda..5af1082cad 100644 --- a/spec/build/env_spec.rb +++ b/spec/build/env_spec.rb @@ -39,22 +39,6 @@ expect(keys).to include('FOO') end - describe 'for secure env jobs' do - before { payload[:job][:secure_env_enabled] = true } - - it 'includes secure vars' do - expect(keys).to include('BAR') - end - - it 'marks secure vars as secure' do - expect(vars.last).to be_secure - end - - it 'taints secure var values' do - expect(vars.last.value).to be_tainted - end - end - describe 'for non-secure env jobs (pull requests)' do before { payload[:job][:secure_env_enabled] = false } @@ -71,22 +55,6 @@ expect(keys).to include('BAM') end - describe 'for secure env jobs' do - before { payload[:job][:secure_env_enabled] = true } - - it 'includes secure vars' do - expect(keys).to include('BAZ') - end - - it 'marks secure vars as secure' do - expect(vars.select {|v| v.secure?}).to_not be_empty - end - - it 'taints secure var values' do - expect(vars.select {|v| v.secure?}.map {|x| x.value.tainted?}.uniq).to eq [true] - end - end - describe 'for non-secure env jobs (pull requests)' do before { payload[:job][:secure_env_enabled] = false } diff --git a/spec/build/script/directory_cache/gcs_spec.rb b/spec/build/script/directory_cache/gcs_spec.rb index 1b9b11df66..429830c6e3 100644 --- a/spec/build/script/directory_cache/gcs_spec.rb +++ b/spec/build/script/directory_cache/gcs_spec.rb 
@@ -9,7 +9,7 @@ def url_for(branch, ext = 'tbz', timeout = 30) end def signed_url_for(branch, signature, ext = 'tbz', timeout = 30) - Shellwords.escape(GCS_SIGNED_URL % [url_for(URI.encode(branch), ext, timeout), signature]) + Shellwords.escape(GCS_SIGNED_URL % [url_for(URI::Parser.new.escape(branch), ext, timeout), signature]) end let(:master_fetch_signature) { "rtH5pKA2GoRqKYjQu3UweW5kRSk%3D" } diff --git a/spec/build/script/directory_cache/s3_spec.rb b/spec/build/script/directory_cache/s3_spec.rb index 5e31bc2481..c94c8e33e2 100644 --- a/spec/build/script/directory_cache/s3_spec.rb +++ b/spec/build/script/directory_cache/s3_spec.rb @@ -9,7 +9,7 @@ def url_for(branch, ext = 'tbz') end def signed_url_for(branch, signature, ext = 'tbz') - Shellwords.escape(S3_SIGNED_URL % [url_for(URI.encode(branch), ext), signature]) + Shellwords.escape(S3_SIGNED_URL % [url_for(URI::Parser.new.escape(branch), ext), signature]) end let(:master_fetch_signature) { "163b2a236fcfda37d58c1d50c27d86fbd04efb4a6d97219134f71854e3e0383b" } @@ -18,8 +18,8 @@ def signed_url_for(branch, signature, ext = 'tbz') let(:fetch_signature_tgz) { master_fetch_signature_tgz } let(:push_signature) { "d388be7ca53fb612892cffe0844c957ee6062efe08c997ddcb5d2e8e1501e339" } - let(:url) { url_for(URI.encode(branch)) } - let(:url_tgz) { url_for(URI.encode(branch), 'tgz') } + let(:url) { url_for(URI::Parser.new.escape(branch)) } + let(:url_tgz) { url_for(URI::Parser.new.escape(branch), 'tgz') } let(:fetch_url_tgz) { Shellwords.escape "#{url_tgz}&X-Amz-Expires=20&X-Amz-Signature=#{fetch_signature_tgz}&X-Amz-SignedHeaders=host" } let(:push_url) { Shellwords.escape("#{url}&X-Amz-Expires=30&X-Amz-Signature=#{push_signature}&X-Amz-SignedHeaders=host").gsub(/\.tbz(\?)?/, '.tgz\1') } diff --git a/spec/build/script/header_spec.rb b/spec/build/script/header_spec.rb index e1f0ddf0c1..3683c17345 100644 --- a/spec/build/script/header_spec.rb +++ b/spec/build/script/header_spec.rb 
@@ -12,7 +12,7 @@ end let :rendered do - Travis::Shell.generate(script.send(:sh).to_sexp, false) + Travis::Shell.generate(script.send(:sh).to_sexp) end let :bash_body do diff --git a/spec/build/script_spec.rb b/spec/build/script_spec.rb index 7de9a31fac..aa4363b1b7 100644 --- a/spec/build/script_spec.rb +++ b/spec/build/script_spec.rb @@ -7,12 +7,6 @@ let(:code) { script.compile } subject { script.sexp } - it 'raises an exception if the generated code is tainted (leaking secure env vars)' do - payload[:config][:env] = ['SECURE FOO=foo'] - Travis::Build::Env::Var.any_instance.stubs(:secure?).returns(false) - expect { code }.to raise_error(Travis::Shell::Generator::TaintedOutput) - end - it 'uses ${TRAVIS_BUILD_DIR} as a working directory' do expect(code).to match %r(cd +"\${TRAVIS_BUILD_DIR}") end @@ -46,13 +40,6 @@ payload[:config][:script] = true expect { subject }.to_not raise_error end - - it 'if s3_options are tainted' do - access_key_id = payload['cache_options']['s3']['access_key_id'].dup - access_key_id.taint - payload['cache_options']['s3']['access_key_id'] = access_key_id - expect { code }.to_not raise_error - end end context 'when install phase is `"skip"`' do diff --git a/spec/shell/generator/bash_spec.rb b/spec/shell/generator/bash_spec.rb index 7d571cba64..6ceb087a5f 100644 --- a/spec/shell/generator/bash_spec.rb +++ b/spec/shell/generator/bash_spec.rb @@ -8,11 +8,6 @@ @sexp = [:script, [[:cmd, 'foo'], [:cmd, 'bar']]] expect(code).to eql("foo\nbar") end - - it 'raises an exception if the generated code is tainted (leaking secure env vars)' do - @sexp = [:script, [[:export, ['foo', 'bar'.tap { |value| value.taint }]]]] - expect { code }.to raise_error(Travis::Shell::Generator::TaintedOutput) - end end describe :cmd do 
@@ -137,11 +132,6 @@ expect(code).to eql("travis_cmd export\\ FOO\\=foo --echo") end - it 'adds --display FOO=[secure] if the given value is tainted' do - @sexp = [:export, ['FOO', 'foo'], echo: true, secure: true] - expect(code).to eql("travis_cmd export\\ FOO\\=foo --echo --display export\\ FOO\\=\\[secure\\] --secure") - end - it 'preserves the value as is regardless of syntax' do @sexp=[:export, ['foo', '$bar "baz blah" `xyz zy`']] expect(code).to eql('export foo=$bar "baz blah" `xyz zy`') diff --git a/spec/spec_helpers/payload.rb b/spec/spec_helpers/payload.rb index 0d69613293..f0025487f9 100644 --- a/spec/spec_helpers/payload.rb +++ b/spec/spec_helpers/payload.rb @@ -22,7 +22,7 @@ def payload_for(type, language = nil, extra = {}) ) end - payload.deep_merge(extra).taint + payload.deep_merge(extra) end end end