diff options
author | aycabta <aycabta@gmail.com> | 2021-05-02 20:52:23 +0900 |
---|---|---|
committer | aycabta <aycabta@gmail.com> | 2021-05-21 13:42:24 +0900 |
commit | b1c73f239fe9af97de837331849f55d67c27561e (patch) | |
tree | 05dea67a20ab70c670d3f7b21b2a5d717327f4cd | |
parent | 9edad0df74c6ad39281852cca9793fc7dba5c81f (diff) |
[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799
https://github.com/ruby/rdoc/commit/a7f5d6ab88
-rw-r--r-- | lib/rdoc/rdoc.rb | 2 | ||||
-rw-r--r-- | test/rdoc/test_rdoc_rdoc.rb | 12 |
2 files changed, 13 insertions, 1 deletions
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb index 680a8612f7..904625f105 100644 --- a/lib/rdoc/rdoc.rb +++ b/lib/rdoc/rdoc.rb @@ -444,7 +444,7 @@ The internal error was: files.reject do |file, *| file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or (file =~ /tags$/i and - open(file, 'rb') { |io| + File.open(file, 'rb') { |io| io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/ }) end diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb index 3910dd4656..a83d5a1b88 100644 --- a/test/rdoc/test_rdoc_rdoc.rb +++ b/test/rdoc/test_rdoc_rdoc.rb @@ -456,6 +456,18 @@ class TestRDocRDoc < RDoc::TestCase end end + def test_remove_unparseable_CVE_2021_31799 + temp_dir do + file_list = ['| touch evil.txt && echo tags'] + file_list.each do |f| + FileUtils.touch f + end + + assert_equal file_list, @rdoc.remove_unparseable(file_list) + assert_equal file_list, Dir.children('.') + end + end + def test_setup_output_dir Dir.mktmpdir {|d| path = File.join d, 'testdir' |