Disallow pushing gems where dependency names do not resolve #5055
Comments
Hey! I'd love to help implement this security improvement. Could you please confirm that we only need to verify the existence of dependency names, not their specific versions? I was thinking that might be a simpler first step that addresses the core supply chain concern.

Could be a good start, yes.

Great! Is it alright if I take on this issue? Would be happy to work on implementing the dependency name verification as a first step.

Sure, feel free to kick off with a PR; we can continue the discussion there. Some validations are happening inline in https://github.com/rubygems/rubygems.org/blob/master/app/models/pusher.rb and some in https://github.com/rubygems/rubygems.org/blob/master/app/models/version.rb.
Is your feature request related to a problem?
We currently allow pushing a gem that has unresolved dependencies.
Describe the solution you'd like
We should stop allowing it.
Additional context
This would close a current supply chain attack vector, where someone could push a gem with an unresolved dependency, and a malicious actor could see that unresolved dependency and push a rubygem under that name, which then gets added as a dependency of the first gem after the fact.
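The check the issue asks for, as an added example that is not rubygems.org's own code: given a gem's declared dependencies, reject the push if any dependency name does not resolve to a gem already in the index. The index is modelled here as an in-memory set of names (an assumption; the real app would look them up in its Rubygem table), and version requirements are ignored, matching the name-only first step discussed above.

```ruby
require "set"
require "rubygems"

# Constructed stand-in for the registry's known gem names (assumption: names
# are stored in canonical form, so exact comparison is sufficient).
KNOWN_GEMS = Set.new(%w[rails rack nokogiri activesupport]).freeze

class UnresolvedDependencyError < StandardError; end

# Accepts either Gem::Dependency objects (as found in a gemspec) or plain
# name strings, and returns the bare dependency name.
def dependency_name(dep)
  dep.respond_to?(:name) ? dep.name : dep.to_s
end

# Returns the dependency names that do not resolve against the index.
def unresolved_dependencies(dependencies, index = KNOWN_GEMS)
  dependencies.map { |dep| dependency_name(dep) }
              .reject { |name| index.include?(name) }
              .uniq
end

# Validates a push. Returns true when every dependency resolves; otherwise
# raises with the offending names so the pusher gets an actionable error
# instead of a gem whose dependency could later be claimed by someone else.
def validate_dependencies!(dependencies, index = KNOWN_GEMS)
  missing = unresolved_dependencies(dependencies, index)
  return true if missing.empty?
  raise UnresolvedDependencyError,
        "push rejected, unresolved dependencies: #{missing.sort.join(', ')}"
end

# Mirrors the accept/reject decision a pusher would make.
def push_outcome(dependencies, index = KNOWN_GEMS)
  validate_dependencies!(dependencies, index)
  :accepted
rescue UnresolvedDependencyError
  :rejected
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample gemspec dependencies: one resolvable, one not yet published.
  ok  = [Gem::Dependency.new("rails", ">= 7.0"), Gem::Dependency.new("rack")]
  bad = [Gem::Dependency.new("rack"), Gem::Dependency.new("not-published-yet")]
  puts push_outcome(ok)   # accepted
  puts push_outcome(bad)  # rejected
end
```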