1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
ruby--ruby/spec/ruby/security/cve_2010_1330_spec.rb

22 lines
743 B
Ruby
Raw Normal View History

require_relative '../spec_helper'
describe "String#gsub" do
it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
# This original vulnerability talked about KCODE, which is no longer
# used. Instead we are forcing encodings here. But I think the idea is the
# same - we want to check that Ruby implementations raise an error on
# #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
# sequence.
str = "\xF6<script>"
2019-06-27 15:02:36 -04:00
str.force_encoding Encoding::BINARY
str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
str.force_encoding Encoding::UTF_8
2019-07-27 06:40:09 -04:00
-> {
str.gsub(/</, "&lt;")
}.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
end
end