2018-08-03 16:19:40 +00:00
|
|
|
require_relative '../spec_helper'
|
|
|
|
|
|
|
|
|
|
describe "String#gsub" do
|
|
|
|
|
it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
|
|
|
|
|
# This original vulnerability talked about KCODE, which is no longer
|
|
|
|
|
# used. Instead we are forcing encodings here. But I think the idea is the
|
|
|
|
|
# same - we want to check that Ruby implementations raise an error on
|
|
|
|
|
# #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
|
|
|
|
|
# sequence.
|
|
|
|
|
|
|
|
|
|
str = "\xF6<script>"
|
2019-06-27 21:02:36 +02:00
|
|
|
str.force_encoding Encoding::BINARY
|
2018-08-03 16:19:40 +00:00
|
|
|
str.gsub(/</, "<").should == "\xF6<script>".b
|
|
|
|
|
str.force_encoding Encoding::UTF_8
|
2019-07-27 12:40:09 +02:00
|
|
|
-> {
|
2018-08-03 16:19:40 +00:00
|
|
|
str.gsub(/</, "<")
|
|
|
|
|
}.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
|
|
|
|
|
end
|
|
|
|
|
end
|
