rubysec / bundler-audit

Patch-level verification for Bundler
GNU General Public License v3.0

Bundler audit is not thread safe #156

Open mensfeld opened 8 years ago

mensfeld commented 8 years ago

Because of the Dir.chdir in lib/bundler/audit/database.rb, the gem itself is not thread-safe.

I believe that this should do the trick:

```ruby
require 'time' # Time.parse is provided by the 'time' stdlib, not by core Ruby

module Bundler
  module Audit
    # Represents the directory of advisories, grouped by gem name
    # and CVE number.
    class Database
      def path
        return VENDORED_PATH unless File.directory?(USER_PATH)

        # `git -C` runs the command inside USER_PATH without Dir.chdir,
        # so the process-wide working directory is never changed.
        t1 = Time.parse(`git -C #{USER_PATH} log --date=iso8601 --pretty="%cd" -1`)
        t2 = VENDORED_TIMESTAMP

        t1 >= t2 ? USER_PATH : VENDORED_PATH
      end

      # Updates the ruby-advisory-db.
      # @return [Boolean, nil]
      #   Specifies whether the update was successful.
      #   A `nil` indicates no update was performed.
      def update!
        if File.directory?(USER_PATH)
          cmd = "git -C #{USER_PATH} pull origin master"
        else
          cmd = "git clone #{URL} #{USER_PATH}"
        end

        system cmd
      end
    end
  end
end
```
mensfeld commented 8 years ago

Any update on that?

nijikon commented 7 years ago

Ping?

postmodern commented 3 years ago

Pull Requests welcomed. git pull does not seem to support passing in the path to the git repository, so Dir.chdir is necessary. A workaround to this is simply to avoid calling Database#update! within threads.
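An added example, not code from bundler-audit or from the people in this thread, showing why the Dir.chdir pattern discussed above is not thread-safe and one way to run a command inside a directory without touching the process-wide cwd: Ruby's spawn option `chdir:` (accepted by `system`, `Process.spawn` and Open3), which applies to the child process only, so it works for `git pull` as well. The helper and constant names are mine; it assumes a POSIX system with the Ruby binary reachable through RbConfig.ruby.

```ruby
require 'open3'
require 'rbconfig'
require 'tmpdir'

# Child command that prints the directory it started in (uses this Ruby, so nothing else is needed).
CWD_CMD = [RbConfig.ruby, '-e', 'print Dir.pwd'].freeze

# The pattern from the issue: Dir.chdir moves the cwd of the WHOLE process.
def run_in_dir_unsafe(dir, *cmd)
  saved = Dir.pwd
  Dir.chdir(dir)
  Thread.pass # stand-in for work done between chdir and spawn; lets another thread chdir first
  Open3.capture2(*cmd).first
ensure
  Dir.chdir(saved) if saved
end

# Thread-safe alternative: the spawn option `chdir:` sets the working
# directory of the child only; the parent's cwd is never touched.
def run_in_dir_safe(dir, *cmd)
  Open3.capture2(*cmd, chdir: dir).first
end

# Run +runner+ concurrently against several scratch directories and count the
# threads whose command started somewhere other than the directory requested.
def mismatches(runner, threads: 4, rounds: 5)
  start = Dir.pwd
  Dir.mktmpdir do |base|
    dirs = (1..threads).map do |i|
      d = File.join(base, "d#{i}")
      Dir.mkdir(d)
      File.realpath(d) # the child prints a resolved path, so compare like with like
    end
    bad = 0
    lock = Mutex.new
    rounds.times do
      dirs.map { |d|
        Thread.new { lock.synchronize { bad += 1 } unless send(runner, d, *CWD_CMD) == d }
      }.each(&:join)
    end
    bad
  end
ensure
  Dir.chdir(start) if start # the unsafe runner can leave the process in a scratch dir
end

if $PROGRAM_NAME == __FILE__
  puts "Dir.chdir pattern: #{mismatches(:run_in_dir_unsafe)} misplaced runs (scheduling dependent)"
  puts "chdir: option:     #{mismatches(:run_in_dir_safe)} misplaced runs"
end
```

How often the Dir.chdir variant misplaces a run depends on thread scheduling; the `chdir:` variant never can, because no thread ever changes the parent's directory.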