Vendor hex_core 0.12.2

apps/rebar/src/vendored/r3_hex_api.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API
@@ -106,7 +106,12 @@ request(Config, Method, Path, Body) when is_binary(Path) and is_map(Config) ->
             Response =
                 case binary:match(ContentType, ?ERL_CONTENT_TYPE) of
                     {_, _} ->
-                        {ok, {Status, RespHeaders, binary_to_term(RespBody)}};
+                        case r3_hex_safe_binary_to_term:safe_binary_to_term(RespBody) of
+                            {ok, Term} ->
+                                {ok, {Status, RespHeaders, Term}};
+                            {error, Reason} ->
+                                {error, Reason}
+                        end;
                     nomatch ->
                         {ok, {Status, RespHeaders, nil}}
                 end,

apps/rebar/src/vendored/r3_hex_api_key.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Keys.

apps/rebar/src/vendored/r3_hex_api_package.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Packages.

apps/rebar/src/vendored/r3_hex_api_package_owner.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Package Owners.

apps/rebar/src/vendored/r3_hex_api_release.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Releases.

apps/rebar/src/vendored/r3_hex_api_user.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex HTTP API - Users.

apps/rebar/src/vendored/r3_hex_core.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% `hex_core' entrypoint module.

apps/rebar/src/vendored/r3_hex_core.hrl

@@ -1,3 +1,3 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
--define(HEX_CORE_VERSION, "0.12.0").
+-define(HEX_CORE_VERSION, "0.12.1").

apps/rebar/src/vendored/r3_hex_erl_tar.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @private
 %% Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.erl

apps/rebar/src/vendored/r3_hex_erl_tar.hrl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 % Copied from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/erl_tar.hrl
 
@@ -36,7 +36,7 @@
 %% Options used when reading a tar archive.
 -record(read_opts, {
           cwd                    :: string(),  %% Current working directory.
-          keep_old_files = false :: boolean(), %% Overwrite or not.
+          keep_old_files = false :: boolean(), %% Owerwrite or not.
           files = all,                         %% Set of files to extract (or all)
           output = file :: 'file' | 'memory',
           open_mode = [],                      %% Open mode options.
@@ -202,7 +202,7 @@
 %% These constants (except S_IFMT) are
 %% used to determine what type of device
 %% a file is. Namely, `S_IFMT band file_info.mode`
-%% will equal one of these constants, and tells us
+%% will equal one of these contants, and tells us
 %% which type it is. The stdlib file_info record
 %% does not differentiate between device types, and
 %% will not allow us to differentiate between sockets

apps/rebar/src/vendored/r3_hex_filename.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 % @private
 % Excerpt from https://github.com/erlang/otp/blob/OTP-20.0.1/lib/stdlib/src/filename.erl#L761-L788

apps/rebar/src/vendored/r3_hex_http.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% HTTP contract.

apps/rebar/src/vendored/r3_hex_http_httpc.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% httpc-based implementation of {@link r3_hex_http} contract.

apps/rebar/src/vendored/r3_hex_licenses.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Hex Licenses.

apps/rebar/src/vendored/r3_hex_pb_names.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_package.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_signed.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_pb_versions.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% -*- coding: utf-8 -*-
 %% % this file is @generated

apps/rebar/src/vendored/r3_hex_registry.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Functions for encoding and decoding Hex registries.

apps/rebar/src/vendored/r3_hex_repo.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Repo API.

apps/rebar/src/vendored/r3_hex_safe_binary_to_term.erl

@@ -0,0 +1,94 @@
+%% Vendored from hex_core v0.12.1, do not edit manually
+
+%% @hidden
+%% Safe deserialization of Erlang terms from binary.
+%%
+%% This module provides a restricted version of `binary_to_term/1' that:
+%% - Uses the `safe' option to prevent creation of new atoms (DoS protection)
+%% - Validates that the term contains no executable code (RCE protection)
+%%
+%% Inspired by Plug.Crypto's non_executable_binary_to_term:
+%% https://github.com/elixir-plug/plug_crypto/blob/c326c3c743b18cf5f4b12735d06dd90c72dcd779/lib/plug/crypto.ex
+-module(r3_hex_safe_binary_to_term).
+
+-export([safe_binary_to_term/1]).
+
+-type unsafe_term() :: function() | port().
+-type error_reason() :: invalid_term | {unsafe_term, unsafe_term()}.
+
+-spec safe_binary_to_term(binary()) -> {ok, term()} | {error, error_reason()}.
+safe_binary_to_term(Binary) when is_binary(Binary) ->
+    try binary_to_term(Binary, [safe]) of
+        Term ->
+            case validate_term(Term) of
+                ok -> {ok, Term};
+                {error, _} = Error -> Error
+            end
+    catch
+        error:badarg ->
+            {error, invalid_term}
+    end.
+
+-spec validate_term(term()) -> ok | {error, {unsafe_term, term()}}.
+validate_term(Term) when is_list(Term) ->
+    validate_list(Term);
+validate_term(Term) when is_tuple(Term) ->
+    validate_tuple(Term, tuple_size(Term));
+validate_term(Term) when is_map(Term) ->
+    validate_map(Term);
+validate_term(Term) when
+    is_atom(Term);
+    is_number(Term);
+    is_bitstring(Term);
+    is_pid(Term);
+    is_reference(Term)
+->
+    ok;
+validate_term(Term) ->
+    {error, {unsafe_term, Term}}.
+
+-spec validate_list(list()) -> ok | {error, {unsafe_term, term()}}.
+validate_list([]) ->
+    ok;
+validate_list([H | T]) when is_list(T) ->
+    case validate_term(H) of
+        ok -> validate_list(T);
+        Error -> Error
+    end;
+validate_list([H | T]) ->
+    %% Improper list
+    case validate_term(H) of
+        ok -> validate_term(T);
+        Error -> Error
+    end.
+
+-spec validate_tuple(tuple(), non_neg_integer()) -> ok | {error, {unsafe_term, term()}}.
+validate_tuple(_Tuple, 0) ->
+    ok;
+validate_tuple(Tuple, N) ->
+    case validate_term(element(N, Tuple)) of
+        ok -> validate_tuple(Tuple, N - 1);
+        Error -> Error
+    end.
+
+-spec validate_map(map()) -> ok | {error, {unsafe_term, term()}}.
+validate_map(Map) ->
+    try
+        maps:fold(
+            fun(Key, Value, ok) ->
+                case validate_term(Key) of
+                    ok ->
+                        case validate_term(Value) of
+                            ok -> ok;
+                            Error -> throw(Error)
+                        end;
+                    Error ->
+                        throw(Error)
+                end
+            end,
+            ok,
+            Map
+        )
+    catch
+        throw:{error, _} = Error -> Error
+    end.

apps/rebar/src/vendored/r3_hex_tarball.erl

@@ -1,4 +1,4 @@
-%% Vendored from hex_core v0.12.0, do not edit manually
+%% Vendored from hex_core v0.12.1, do not edit manually
 
 %% @doc
 %% Functions for creating and unpacking Hex tarballs.