Dependabot failure if `gemspec` file contains `instance_eval`

[ShockwaveNN]

Package ecosystem bundler Package manager version Bundler version 2.2.26 Language version ruby 3.0 dependabot.yml content

version: 2
updates:
- package-ecosystem: bundler
  directory: "/"
  schedule:
    interval: daily
  open-pull-requests-limit: 10
  allow:
  - dependency-type: direct
  - dependency-type: indirect

Description

TLDR: This sample repo contains two gemspec file test-dependabot-instance-eval.gemspec - simples gemspec file I cound create that build correct gem test-dependabot-instance-eval-with-dependency.gemspec - another gemspec which use original gemspec to create another gem with additional dependency

In this repo dependabot cannot check dependency of my service with error:

 Dependabot can't evaluate your Ruby dependency files
Dependabot failed to update your dependencies because there was an error evaluating your Ruby dependency files.

Dependabot encountered the following error:

Bundler::Dsl::DSLError with message: [!] There was an error parsing `Gemfile`: 
[!] There was an error while loading `test-dependabot-instance-eval-with-dependency.gemspec`: (eval):1: unexpected fraction part after numeric literal
0.0.1
   ^~
. Bundler cannot continue.

 #  from /home/dependabot/dependabot-updater/dependabot_tmp_dir/test-dependabot-instance-eval-with-dependency.gemspec:3
 #  -------------------------------------------
 #  
 >  gemspec = instance_eval("0.0.1")
 #  
 #  -------------------------------------------
. Bundler cannot continue.

 #  from /home/dependabot/dependabot-updater/dependabot_tmp_dir/Gemfile:5
 #  -------------------------------------------
 #  
 >  gemspec

Both gemspec files are fine and can build using gem build without any error

A more detailed description

I'm an author of ooxml_parser gem. It require ruby-filemagic gem as dependency. This dependency is hell to isntall on Windows system so I was in need to make this dependency optional in my gem.

I contacted bundler issue tracker here and team member tell that only option to solve this problem - create two different gemspec file and use instance_eval to add optional dependency. I've made this and everything worked fine, except dependabot checks are started to fail

We discussed this problem and decided to report this issue to dependabot team.

I'm not sure that this problem is easy to fix, but at least I've reported it

[jurre]

Thanks for reporting this and the detailed description + project to reproduce, that'll help a lot. I agree this might not be easy to fix, we do some things to prevent accidental code execution on the dependabot side, and this might hit some of that code (but it could also be something entirely different 😅). We'll need some time to dive into this, but the report will help a lot 👍

[daande]

@jurre I think have run into something similar. I am running multiple gemfiles that get loaded and handled fine by bundler. The Gemfile looks like this:

Dir["gemfiles/*"].each do |gemfile|
  instance_eval File.read(gemfile)
end

Any ideas on how to get this to work with Dependabot?

[jeffwidman]

Possibly related (and more context on the underlying dynamic code processing problem):

• https://github.com/dependabot/dependabot-core/issues/2098

[ekohl]

@jurre I think have run into something similar. I am running multiple gemfiles that get loaded and handled fine by bundler. The Gemfile looks like this:

Dir["gemfiles/*"].each do |gemfile|
  instance_eval File.read(gemfile)
end

Any ideas on how to get this to work with Dependabot?

We have this exact same problem. We migrated in https://github.com/theforeman/smart-proxy/commit/bce882c4876ded145465a964f8ea0a4c0f04b4b3 to use eval_gemfile since that was supposedly supported, but now see an error:

Dependabot only supports uninterpolated string arguments to eval_gemfile. Got `bundle`