ruby--ruby/spec/ruby/security/cve_2018_6914_spec.rb

require_relative '../spec_helper'

require 'tempfile'
require 'tmpdir'

describe "CVE-2018-6914 is resisted by" do
  before :each do
    @tmpdir = ENV['TMPDIR']
    @dir = tmp("CVE-2018-6914")
    Dir.mkdir(@dir, 0700)
    ENV['TMPDIR'] = @dir
    @dir << '/'

    @tempfile = nil
  end

  after :each do
    ENV['TMPDIR'] = @tmpdir
    @tempfile.close! if @tempfile
    rm_r @dir
  end

  it "Tempfile.open by deleting separators" do
    @tempfile = Tempfile.open(['../', 'foo'])
    actual = @tempfile.path
    File.absolute_path(actual).should.start_with?(@dir)
  end

  it "Tempfile.new by deleting separators" do
    @tempfile = Tempfile.new('../foo')
    actual = @tempfile.path
    File.absolute_path(actual).should.start_with?(@dir)
  end

  it "Tempfile.create by deleting separators" do
    actual = Tempfile.create('../foo') do |t|
      t.path
    end
    File.absolute_path(actual).should.start_with?(@dir)
  end

  it "Dir.mktmpdir by deleting separators" do
    actual = Dir.mktmpdir('../foo') do |path|
      path
    end
    File.absolute_path(actual).should.start_with?(@dir)
  end

  it "Dir.mktmpdir with an array by deleting separators" do
    actual = Dir.mktmpdir(['../', 'foo']) do |path|
      path
    end
    File.absolute_path(actual).should.start_with?(@dir)
  end
end
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00			`require_relative '../spec_helper'`

			`require 'tempfile'`
Update to ruby/spec@7a16e01 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2019-02-21 15:38:59 +00:00			`require 'tmpdir'`
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`describe "CVE-2018-6914 is resisted by" do`
Update to ruby/spec@7a16e01 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2019-02-21 15:38:59 +00:00			`before :each do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`@tmpdir = ENV['TMPDIR']`
Update to ruby/spec@7a16e01 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2019-02-21 15:38:59 +00:00			`@dir = tmp("CVE-2018-6914")`
Specify the permission To make the temporary directory non-writable by group and others. 2019-11-09 13:40:14 +00:00			`Dir.mkdir(@dir, 0700)`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`ENV['TMPDIR'] = @dir`
			`@dir << '/'`
Update to ruby/spec@7a16e01 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2019-02-21 15:38:59 +00:00
			`@tempfile = nil`
			`end`

			`after :each do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`ENV['TMPDIR'] = @tmpdir`
Update to ruby/spec@7a16e01 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67112 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2019-02-21 15:38:59 +00:00			`@tempfile.close! if @tempfile`
			`rm_r @dir`
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`end`
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`it "Tempfile.open by deleting separators" do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`@tempfile = Tempfile.open(['../', 'foo'])`
			`actual = @tempfile.path`
			`File.absolute_path(actual).should.start_with?(@dir)`
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`end`
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`it "Tempfile.new by deleting separators" do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`@tempfile = Tempfile.new('../foo')`
			`actual = @tempfile.path`
			`File.absolute_path(actual).should.start_with?(@dir)`
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`end`
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`it "Tempfile.create by deleting separators" do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`actual = Tempfile.create('../foo') do \|t\|`
			`t.path`
spec/ruby/security/cve_2018_6914_spec.rb: get rid of leftover files I ran out of inodes in $TMPDIR :< git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-07-11 08:33:32 +00:00			`end`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`File.absolute_path(actual).should.start_with?(@dir)`
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`end`

			`it "Dir.mktmpdir by deleting separators" do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`actual = Dir.mktmpdir('../foo') do \|path\|`
			`path`
spec/ruby/security/cve_2018_6914_spec.rb: get rid of leftover files I ran out of inodes in $TMPDIR :< git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-07-11 08:33:32 +00:00			`end`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`File.absolute_path(actual).should.start_with?(@dir)`
Update to ruby/spec@4bc7a2b git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63652 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-06-13 21:41:45 +00:00			`end`

			`it "Dir.mktmpdir with an array by deleting separators" do`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`actual = Dir.mktmpdir(['../', 'foo']) do \|path\|`
			`path`
spec/ruby/security/cve_2018_6914_spec.rb: get rid of leftover files I ran out of inodes in $TMPDIR :< git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-07-11 08:33:32 +00:00			`end`
Fix tests for CVE-2018-6914 Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec. 2019-10-29 13:39:30 +00:00			`File.absolute_path(actual).should.start_with?(@dir)`
Update to ruby/spec@6f38a82 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63293 b2dd03c8-39d4-4d8f-98ff-823fe69b080e 2018-04-28 19:50:06 +00:00			`end`
			`end`