
[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799

https://github.com/ruby/rdoc/commit/a7f5d6ab88
aycabta 2021-05-02 20:52:23 +09:00
parent 9edad0df74
commit b1c73f239f
2 changed files with 13 additions and 1 deletions


@ -444,7 +444,7 @@ The internal error was:
files.reject do |file, *| files.reject do |file, *|
file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
(file =~ /tags$/i and (file =~ /tags$/i and
open(file, 'rb') { |io| File.open(file, 'rb') { |io|
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
}) })
end end
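Review bot: The replaced `open(file, 'rb')` line deserves a why-comment, because nothing in the code says why `Kernel#open` must not be used here and a later cleanup could quietly reintroduce it. `Kernel#open` interprets a path whose first character is `|` as a command to spawn, so a file name that reaches this method could run a command, whereas `File.open` only ever opens a file. I would add, directly above the `File.open` line, `# File.open, not Kernel#open: a name starting with '|' would otherwise be spawned as a command (CVE-2021-31799).` The enclosing `remove_unparseable` method begins outside the hunk; the `File.open` block still lets `Errno` errors propagate (for example a directory whose name ends in `tags`) just as the old code did, so that behaviour is pre-existing rather than introduced here.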


@ -456,6 +456,18 @@ class TestRDocRDoc < RDoc::TestCase
end end
end end
def test_remove_unparseable_CVE_2021_31799
temp_dir do
file_list = ['| touch evil.txt && echo tags']
file_list.each do |f|
FileUtils.touch f
end
assert_equal file_list, @rdoc.remove_unparseable(file_list)
assert_equal file_list, Dir.children('.')
end
end
def test_setup_output_dir def test_setup_output_dir
Dir.mktmpdir {|d| Dir.mktmpdir {|d|
path = File.join d, 'testdir' path = File.join d, 'testdir'