Bundler audit is not thread safe #156

Open
mensfeld opened this issue Jul 15, 2016 · 3 comments · May be fixed by #397

Comments

@mensfeld

mensfeld commented Jul 15, 2016

Because of the Dir.chdir in lib/bundler/audit/database.rb, the gem itself is not thread-safe.

I believe that this should do the trick:

require 'time' # Time.parse lives in the 'time' stdlib extension

module Bundler
  module Audit
    # Represents the directory of advisories, grouped by gem name
    # and CVE number.
    # (USER_PATH, VENDORED_PATH, VENDORED_TIMESTAMP and URL are the
    # constants already defined on this class in database.rb.)
    class Database
      def path
        return VENDORED_PATH unless File.directory?(USER_PATH)

        # `git -C <dir>` runs the command inside the repository without
        # changing the process-wide working directory (needs git >= 1.8.5).
        t1 = Time.parse(`git -C #{USER_PATH} log --date=iso8601 --pretty="%cd" -1`)
        t2 = VENDORED_TIMESTAMP

        t1 >= t2 ? USER_PATH : VENDORED_PATH
      end

      # Updates the ruby-advisory-db.
      # @return [Boolean, nil]
      #   Specifies whether the update was successful.
      #   A `nil` indicates no update was performed.
      def update!
        if File.directory?(USER_PATH)
          cmd = "git -C #{USER_PATH} pull origin master"
        else
          cmd = "git clone #{URL} #{USER_PATH}"
        end

        system cmd
      end
    end
  end
end

@mensfeld
Author

Any update on that?

@nijikon

nijikon commented Mar 31, 2017

Ping?

@postmodern
Member

Pull Requests welcomed. git pull does not seem to support passing in the path to the git repository, so Dir.chdir is necessary. A workaround to this is simply to avoid calling Database#update! within threads.
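Added example (not code from this thread or from bundler-audit) illustrating the thread-safety point raised in the report and the alternative to Dir.chdir discussed in the reply above: Dir.chdir changes the working directory of the whole process, so a concurrent thread observes it, whereas the chdir: option that Ruby's system, spawn and Open3 accept confines the directory change to the child process, which is one way to run a command such as git pull inside the database directory without touching the parent's CWD. The `pwd` command and the temporary directory are stand-ins for git and the advisory-db path.

```ruby
# Added example, not part of the issue or of bundler-audit.
require 'open3'
require 'tmpdir'

# Unsafe pattern: Dir.chdir is process-global. While one thread is inside
# the chdir block, every other thread resolves relative paths against the
# new directory, which is exactly the race the issue describes.
def cwd_seen_by_other_thread_during_chdir(target_dir)
  seen = nil
  inside = Queue.new
  worker = Thread.new do
    inside.pop      # wait until the main thread has changed directory
    seen = Dir.pwd  # a relative path opened here would use this directory
  end
  Dir.chdir(target_dir) do
    inside << true
    worker.join
  end
  seen
end

# Safe pattern: hand the directory to the child via chdir:. Only the child
# runs in target_dir; the parent's CWD, and therefore every other thread,
# is left alone. `git pull` could be run this way instead of via Dir.chdir.
def run_in_dir(cmd, dir)
  out, status = Open3.capture2(*cmd, chdir: dir)
  [out.strip, status.success?]
end

# Runs `pwd` (stand-in for git) in target_dir and reports whether the
# parent's working directory was changed as a side effect.
def parent_cwd_unchanged_by_child(target_dir)
  before = Dir.pwd
  child_cwd, ok = run_in_dir(['pwd'], target_dir)
  { parent_unchanged: Dir.pwd == before, child_cwd: child_cwd, ok: ok }
end
```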

@lovro-bikic lovro-bikic linked a pull request Oct 27, 2024 that will close this issue