Block pushes from an owner if gem is reserved (#6406)

jenshenny · web-flow · commit 728bc2634d5b · 2026-04-09T11:48:16.000+10:00
* Block pushes from an owner owned gem if reserved

* Prevent pending trusted publisher creation if gem is reserved
diff --git a/app/models/oidc/pending_trusted_publisher.rb b/app/models/oidc/pending_trusted_publisher.rb
@@ -32,6 +32,10 @@ def build_trusted_publisher(params)
 
   def available_rubygem_name
     return if rubygem_name.blank?
+
+    reserved = GemNameReservation.reserved?(rubygem_name)
+    return errors.add(:rubygem_name, :reserved) if reserved
+
     rubygem = Rubygem.name_is(rubygem_name).first
     return if rubygem.nil? || rubygem.pushable?
 
diff --git a/app/models/pusher.rb b/app/models/pusher.rb
@@ -35,7 +35,11 @@ def process
   end
 
   def authorize
-    (rubygem.pushable? && (api_key.user? || find_pending_trusted_publisher)) || owner.owns_gem?(rubygem) || notify_unauthorized
+    return notify_reserved if rubygem.reserved_name?
+    return true if rubygem.pushable? && (api_key.user? || find_pending_trusted_publisher)
+    return true if owner.owns_gem?(rubygem)
+
+    notify_unauthorized
   end
 
   def verify_gem_scope
@@ -255,8 +259,12 @@ def republish_notification(version)
     end
   end
 
+  def notify_reserved
+    notify("This gem name is reserved. You are not allowed to push this gem.", 403)
+  end
+
   def notify_unauthorized
-    if !api_key.user? || rubygem.reserved_name?
+    if !api_key.user?
       notify("You are not allowed to push this gem.", 403)
     elsif rubygem.unconfirmed_ownership?(owner)
       notify("You do not have permission to push to this gem. " \
diff --git a/app/models/rubygem.rb b/app/models/rubygem.rb
@@ -295,7 +295,7 @@ def pushable?
   end
 
   def reserved_name?
-    GemNameReservation.reserved?(name)
+    GemNameReservation.reserved?(name) if name.present?
   end
 
   def create_ownership(user)
diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -151,6 +151,7 @@ de:
           attributes:
             rubygem_name:
               unavailable: wird bereits verwendet
+              reserved:
     models:
       user: Benutzer
       api_key:
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -144,6 +144,7 @@ en:
           attributes:
             rubygem_name:
               unavailable: "is already in use"
+              reserved: "is reserved"
     models:
       user: User
       api_key:
diff --git a/config/locales/es.yml b/config/locales/es.yml
@@ -147,6 +147,7 @@ es:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user: Usuario
       api_key:
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
@@ -144,6 +144,7 @@ fr:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user:
       api_key:
diff --git a/config/locales/ja.yml b/config/locales/ja.yml
@@ -140,6 +140,7 @@ ja:
           attributes:
             rubygem_name:
               unavailable: 既に使われています
+              reserved:
     models:
       user: ユーザー
       api_key:
diff --git a/config/locales/nl.yml b/config/locales/nl.yml
@@ -139,6 +139,7 @@ nl:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user:
       api_key:
diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
@@ -145,6 +145,7 @@ pt-BR:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user: Usuário
       api_key:
diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
@@ -140,6 +140,7 @@ zh-CN:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user: 用户
       api_key:
diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml
@@ -139,6 +139,7 @@ zh-TW:
           attributes:
             rubygem_name:
               unavailable:
+              reserved:
     models:
       user:
       api_key:
diff --git a/test/functional/api/v1/rubygems_controller_test.rb b/test/functional/api/v1/rubygems_controller_test.rb
@@ -425,7 +425,7 @@ def self.should_respond_to(format)
       should respond_with 403
       should "not register gem" do
         assert_predicate Rubygem.count, :zero?
-        assert_match(/There was a problem saving your gem: Name 'rubygems' is a reserved gem name./, @response.body)
+        assert_match(/This gem name is reserved. You are not allowed to push this gem./, @response.body)
       end
     end
 
diff --git a/test/models/oidc/pending_trusted_publisher_test.rb b/test/models/oidc/pending_trusted_publisher_test.rb
@@ -28,4 +28,12 @@ class OIDC::PendingTrustedPublisherTest < ActiveSupport::TestCase
     refute_predicate publisher, :valid?
     assert_equal ["is already in use"], publisher.errors[:rubygem_name]
   end
+
+  test "validates rubygem name is not reserved" do
+    create(:gem_name_reservation, name: "ruby")
+    publisher = build(:oidc_pending_trusted_publisher, rubygem_name: "ruby")
+
+    refute_predicate publisher, :valid?
+    assert_equal ["is reserved"], publisher.errors[:rubygem_name]
+  end
 end
diff --git a/test/models/pusher_test.rb b/test/models/pusher_test.rb
@@ -343,12 +343,21 @@ class PusherTest < ActiveSupport::TestCase
         assert @cutter.authorize
       end
 
-      should "be false if gem name is reserved" do
+      should "be false if gem is pushable but is reserved" do
         create(:version, rubygem: @rubygem, number: "0.1.1", indexed: false)
         create(:gem_name_reservation, name: @rubygem.name.downcase)
 
         refute @cutter.authorize
-        assert_equal "You are not allowed to push this gem.", @cutter.message
+        assert_equal "This gem name is reserved. You are not allowed to push this gem.", @cutter.message
+        assert_equal 403, @cutter.code
+      end
+
+      should "be false if gem is owned by user but is reserved" do
+        create(:ownership, rubygem: @rubygem, user: @user)
+        create(:gem_name_reservation, name: @rubygem.name.downcase)
+
+        refute @cutter.authorize
+        assert_equal "This gem name is reserved. You are not allowed to push this gem.", @cutter.message
         assert_equal 403, @cutter.code
       end
 
