Enforce checksums strictly for registry gems

Author: deivid-rodriguez

bundler/lib/bundler/checksum.rb

@@ -205,6 +205,12 @@ def missing?(spec)
         @store[spec.lock_name].nil?
       end
 
+      def empty?(spec)
+        return false unless spec.source.is_a?(Bundler::Source::Rubygems)
+
+        @store[spec.lock_name].empty?
+      end
+
       def register(spec, checksum)
         register_checksum(spec.lock_name, checksum)
       end

bundler/lib/bundler/definition.rb

@@ -559,6 +559,7 @@ def something_changed?
         @missing_lockfile_dep ||
         @unlocking_bundler ||
         @locked_spec_with_missing_checksums ||
+        @locked_spec_with_empty_checksums ||
         @locked_spec_with_missing_deps ||
         @locked_spec_with_invalid_deps
     end
@@ -839,6 +840,7 @@ def lockfile_changed_reason
         [@missing_lockfile_dep, "your lockfile is missing \"#{@missing_lockfile_dep}\""],
         [@unlocking_bundler, "an update to the version of Bundler itself was requested"],
         [@locked_spec_with_missing_checksums, "your lockfile is missing a CHECKSUMS entry for \"#{@locked_spec_with_missing_checksums}\""],
+        [@locked_spec_with_empty_checksums, "your lockfile has an empty CHECKSUMS entry for \"#{@locked_spec_with_empty_checksums}\""],
         [@locked_spec_with_missing_deps, "your lockfile includes \"#{@locked_spec_with_missing_deps}\" but not some of its dependencies"],
         [@locked_spec_with_invalid_deps, "your lockfile does not satisfy dependencies of \"#{@locked_spec_with_invalid_deps}\""],
       ].select(&:first).map(&:last).join(", ")
@@ -898,13 +900,23 @@ def check_lockfile
       @locked_spec_with_invalid_deps = nil
       @locked_spec_with_missing_deps = nil
       @locked_spec_with_missing_checksums = nil
+      @locked_spec_with_empty_checksums = nil
 
       missing_deps = []
       missing_checksums = []
+      empty_checksums = []
       invalid = []
 
       @locked_specs.each do |s|
-        missing_checksums << s if @locked_checksums && s.source.checksum_store.missing?(s)
+        if @locked_checksums
+          checksum_store = s.source.checksum_store
+
+          if checksum_store.missing?(s)
+            missing_checksums << s
+          elsif checksum_store.empty?(s)
+            empty_checksums << s
+          end
+        end
 
         validation = @locked_specs.validate_deps(s)
 
@@ -913,6 +925,7 @@ def check_lockfile
       end
 
       @locked_spec_with_missing_checksums = missing_checksums.first.name if missing_checksums.any?
+      @locked_spec_with_empty_checksums = empty_checksums.first.name if empty_checksums.any?
 
       if missing_deps.any?
         @locked_specs.delete(missing_deps)

bundler/spec/install/gemfile/git_spec.rb

@@ -2,19 +2,23 @@
 
 RSpec.describe "bundle install with git sources" do
   describe "when floating on main" do
-    let(:install_base_gemfile) do
-      build_git "foo" do |s|
-        s.executables = "foobar"
-      end
-
-      install_gemfile <<-G
+    let(:base_gemfile) do
+      <<-G
         source "https://gem.repo1"
         git "#{lib_path("foo-1.0")}" do
           gem 'foo'
         end
       G
     end
 
+    let(:install_base_gemfile) do
+      build_git "foo" do |s|
+        s.executables = "foobar"
+      end
+
+      install_gemfile base_gemfile
+    end
+
     it "fetches gems" do
       install_base_gemfile
       expect(the_bundle).to include_gems("foo 1.0")
@@ -27,6 +31,43 @@
       expect(out).to eq("WIN")
     end
 
+    it "does not (yet?) enforce CHECKSUMS" do
+      build_git "foo"
+      revision = revision_for(lib_path("foo-1.0"))
+
+      bundle "config set lockfile_checksums true"
+      gemfile base_gemfile
+
+      lockfile <<~L
+        GIT
+          remote: #{lib_path("foo-1.0")}
+          revision: #{revision}
+          specs:
+            foo (1.0)
+
+        GEM
+          remote: https://gem.repo1/
+          specs:
+
+        PLATFORMS
+          #{lockfile_platforms}
+
+        DEPENDENCIES
+          foo!
+
+        CHECKSUMS
+          foo (1.0)
+
+        BUNDLED WITH
+           #{Bundler::VERSION}
+      L
+
+      bundle "config set frozen true"
+
+      bundle "install"
+      expect(the_bundle).to include_gems("foo 1.0")
+    end
+
     it "caches the git repo" do
       install_base_gemfile
       expect(Dir["#{default_bundle_path}/cache/bundler/git/foo-1.0-*"]).to have_attributes size: 1

bundler/spec/lock/lockfile_spec.rb

@@ -1646,6 +1646,40 @@
     expect(the_bundle).not_to include_gems "myrack_middleware 1.0"
   end
 
+  it "raises a clear error when frozen mode is set and lockfile has empty checksums in CHECKSUMS section, and does not install any gems" do
+    lockfile <<-L
+      GEM
+        remote: https://gem.repo2/
+        specs:
+          myrack (0.9.1)
+
+      PLATFORMS
+        #{lockfile_platforms}
+
+      DEPENDENCIES
+        myrack
+
+      CHECKSUMS
+        myrack (0.9.1)
+
+      BUNDLED WITH
+         #{Bundler::VERSION}
+    L
+
+    install_gemfile <<-G, env: { "BUNDLE_FROZEN" => "true" }, raise_on_error: false
+      source "https://gem.repo2"
+      gem "myrack"
+    G
+
+    expect(err).to eq <<~L.strip
+      Your lockfile has an empty CHECKSUMS entry for \"myrack\", but can't be updated because frozen mode is set
+
+      Run `bundle install` elsewhere and add the updated Gemfile.lock to version control.
+    L
+
+    expect(the_bundle).not_to include_gems "myrack 0.9.1"
+  end
+
   it "automatically fixes the lockfile when it's missing deps, they conflict with other locked deps, but conflicts are fixable" do
     build_repo4 do
       build_gem "other_dep", "0.9"