Reject non-String executables and bindir with a clear error

hsbt · claude · hsbt · commit 89bf13a11bf1 · 2026-06-04T18:45:18.000+09:00
A non-String executable name or bindir previously raised TypeError from
File.basename or File.join. Guard the type so verify_spec raises
Gem::InstallError instead of aborting with an unexpected exception.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/rubygems/installer.rb b/lib/rubygems/installer.rb
@@ -713,10 +713,12 @@ def verify_spec
       raise Gem::InstallError, "#{spec} has an invalid dependencies"
     end
 
-    if spec.executables.any? {|name| name != File.basename(name) || /\A\.\.?\z|\R/.match?(name) }
+    if spec.executables.any? {|name| !name.is_a?(String) || name != File.basename(name) || /\A\.\.?\z|\R/.match?(name) }
       raise Gem::InstallError, "#{spec} has an invalid executable"
     end
 
+    raise Gem::InstallError, "#{spec} has an invalid bindir" unless spec.bindir.is_a?(String)
+
     expanded_gem_dir = File.expand_path(gem_dir)
     expanded_bindir = File.expand_path(File.join(gem_dir, spec.bindir))
     unless expanded_bindir == expanded_gem_dir || expanded_bindir.start_with?("#{expanded_gem_dir}/")
diff --git a/test/rubygems/test_gem_installer.rb b/test/rubygems/test_gem_installer.rb
@@ -1980,6 +1980,38 @@ def spec.validate(*args); end
     end
   end
 
+  def test_pre_install_checks_non_string_executable
+    spec = util_spec "malicious", "1"
+    def spec.validate(*args); end
+    spec.executables = [nil]
+
+    installer = Gem::Installer.for_spec spec
+    installer.gem_home = @gemhome
+
+    use_ui @ui do
+      e = assert_raise Gem::InstallError do
+        installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid executable", e.message
+    end
+  end
+
+  def test_pre_install_checks_non_string_bindir
+    spec = util_spec "malicious", "1"
+    def spec.validate(*args); end
+    spec.bindir = true
+
+    installer = Gem::Installer.for_spec spec
+    installer.gem_home = @gemhome
+
+    use_ui @ui do
+      e = assert_raise Gem::InstallError do
+        installer.pre_install_checks
+      end
+      assert_equal "#<Gem::Specification name=malicious version=1> has an invalid bindir", e.message
+    end
+  end
+
   def test_pre_install_checks_malicious_platform_before_eval
     gem_with_ill_formatted_platform = File.expand_path("packages/ill-formatted-platform-1.0.0.10.gem", __dir__)
 
