Merge pull request dependabot#3911 from dependabot/bundler-auth-uri

bundler: ignore invalid auth_uri

bundler/helpers/v2/spec/functions_spec.rb

@@ -21,4 +21,37 @@
       end
     end
   end
+
+  describe "#git_specs" do
+    let(:project_name) { "git_source" }
+    subject(:git_specs) do
+      in_tmp_folder do
+        Functions.git_specs(
+          dir: tmp_path,
+          gemfile_name: "Gemfile",
+          credentials: {}
+        )
+      end
+    end
+
+    def expect_specs(count)
+      expect(git_specs.size).to eq(count)
+      git_specs.each do |gs|
+        uri = URI.parse(gs[:auth_uri])
+        expect(uri.scheme).to(satisfy { |s| %w(http https).include?(s) })
+      end
+    end
+
+    it "returns git specs" do
+      expect_specs(4)
+    end
+
+    context "with github shorthand" do
+      let(:project_name) { "github_source" }
+
+      it "returns git specs" do
+        expect_specs(1)
+      end
+    end
+  end
 end

bundler/lib/dependabot/bundler/update_checker/shared_bundler_helpers.rb

@@ -174,8 +174,11 @@ def inaccessible_git_dependencies
               }
             )
             git_specs.reject do |spec|
+              uri = URI.parse(spec.fetch("auth_uri"))
+              next false unless %w(http https).include?(uri.scheme)
+
               Excon.get(
-                spec.fetch("auth_uri"),
+                uri.to_s,
                 idempotent: true,
                 **SharedHelpers.excon_defaults
               ).status == 200

bundler/spec/dependabot/bundler/update_checker/latest_version_finder/dependency_source_spec.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+require "dependabot/bundler/update_checker"
+
+RSpec.describe Dependabot::Bundler::UpdateChecker::LatestVersionFinder::DependencySource do
+  let(:project_name) { "git_source" }
+  let(:files) { project_dependency_files(File.join("bundler2", project_name)) }
+  let(:credentials) do
+    [{
+      "type" => "git_source",
+      "host" => "github.com",
+      "username" => "x-access-token",
+      "password" => "token"
+    }]
+  end
+  let(:source) { described_class.new(dependency: nil, dependency_files: files, credentials: credentials, options: {}) }
+
+  describe "#inaccessible_git_dependencies", :vcr do
+    subject(:inaccessible_git_dependencies) { source.inaccessible_git_dependencies }
+
+    it "is empty when all dependencies are accessible" do
+      expect(inaccessible_git_dependencies).to be_empty
+    end
+
+    context "with inaccessible dependency", :vcr do
+      let(:project_name) { "private_git_source" }
+
+      it "includes inaccessible dependency" do
+        expect(inaccessible_git_dependencies.size).to eq(1)
+        expect(inaccessible_git_dependencies.first).to eq({
+          "auth_uri" => "https://x-access-token:token@github.com/no-exist-sorry/prius.git/info/refs?service=git-upload-pack",
+          "uri" => "git@github.com:no-exist-sorry/prius"
+        })
+      end
+    end
+
+    context "with non-URI dependency", :vcr do
+      let(:project_name) { "git_source_invalid_github" }
+
+      it "includes invalid dependency" do
+        expect(inaccessible_git_dependencies.size).to eq(1)
+        expect(inaccessible_git_dependencies.first).to eq({
+          "auth_uri" => "dependabot-fixtures/business.git/info/refs?service=git-upload-pack",
+          "uri" => "dependabot-fixtures/business"
+        })
+      end
+    end
+  end
+end

bundler/spec/fixtures/projects/bundler2/git_source_invalid_github/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+# this user meant: github:  "dependabot-fixtures/business"
+gem "business", git: "dependabot-fixtures/business"