Update to ruby/spec@e81b3cd

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67361 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

spec/ruby/security/cve_2019_8321_spec.rb

@@ -0,0 +1,22 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/user_interaction'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8321 is resisted by" do
+    it "sanitising verbose messages" do
+      ui = Class.new {
+        include Gem::UserInteraction
+      }.new
+      ui.should_receive(:say).with(".]2;nyan.")
+      verbose_before = Gem.configuration.verbose
+      begin
+        Gem.configuration.verbose = :really_verbose
+        ui.verbose("\e]2;nyan\a")
+      ensure
+        Gem.configuration.verbose = verbose_before
+      end
+    end
+  end
+end

spec/ruby/security/cve_2019_8322_spec.rb

@@ -0,0 +1,23 @@
+require_relative '../spec_helper'
+
+require 'yaml'
+require 'rubygems'
+require 'rubygems/safe_yaml'
+require 'rubygems/commands/owner_command'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8322 is resisted by" do
+    it "sanitising owner names" do
+      command = Gem::Commands::OwnerCommand.new
+      def command.rubygems_api_request(*args)
+        Struct.new(:body).new("---\n- email: \"\e]2;nyan\a\"\n  handle: handle\n  id: id\n")
+      end
+      def command.with_response(response)
+        yield response
+      end
+      command.should_receive(:say).with("Owners for gem: name")
+      command.should_receive(:say).with("- .]2;nyan.")
+      command.show_owners "name"
+    end
+  end
+end

spec/ruby/security/cve_2019_8323_spec.rb

@@ -0,0 +1,38 @@
+require_relative '../spec_helper'
+
+require 'optparse'
+
+require 'rubygems'
+require 'rubygems/gemcutter_utilities'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8323 is resisted by" do
+    describe "sanitising the body" do
+      it "for success codes" do
+        cutter = Class.new {
+          include Gem::GemcutterUtilities
+        }.new
+        response = Net::HTTPSuccess.new(nil, nil, nil)
+        def response.body
+          "\e]2;nyan\a"
+        end
+        cutter.should_receive(:say).with(".]2;nyan.")
+        cutter.with_response response
+      end
+
+      it "for error codes" do
+        cutter = Class.new {
+          include Gem::GemcutterUtilities
+        }.new
+        def cutter.terminate_interaction(n)
+        end
+        response = Net::HTTPNotFound.new(nil, nil, nil)
+        def response.body
+          "\e]2;nyan\a"
+        end
+        cutter.should_receive(:say).with(".]2;nyan.")
+        cutter.with_response response
+      end
+    end
+  end
+end

spec/ruby/security/cve_2019_8325_spec.rb

@@ -0,0 +1,38 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/command_manager'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8325 is resisted by" do
+    describe "sanitising error message components" do
+      it "for the 'while executing' message" do
+        manager = Gem::CommandManager.new
+        def manager.process_args(args, build_args)
+          raise StandardError, "\e]2;nyan\a"
+        end
+        def manager.terminate_interaction(n)
+        end
+        manager.should_receive(:alert_error).with("While executing gem ... (StandardError)\n    .]2;nyan.")
+        manager.run nil, nil
+      end
+
+      it "for the 'invalid option' message" do
+        manager = Gem::CommandManager.new
+        def manager.terminate_interaction(n)
+        end
+        manager.should_receive(:alert_error).with("Invalid option: --.]2;nyan.. See 'gem --help'.")
+        manager.process_args ["--\e]2;nyan\a"], nil
+      end
+
+      it "for the 'loading command' message" do
+        manager = Gem::CommandManager.new
+        def manager.require(x)
+          raise 'foo'
+        end
+        manager.should_receive(:alert_error).with("Loading command: .]2;nyan. (RuntimeError)\n\tfoo")
+        manager.send :load_and_instantiate, "\e]2;nyan\a"
+      end
+    end
+  end
+end