[ruby/rdoc] Use File.open to fix the OS Command Injection vulnerability in CVE-2021-31799

https://github.com/ruby/rdoc/commit/a7f5d6ab88
author: aycabta <aycabta@gmail.com> 2021-05-02 20:52:23 +0900
committer: aycabta <aycabta@gmail.com> 2021-05-21 13:42:24 +0900
commit: b1c73f239fe9af97de837331849f55d67c27561e (patch)
tree: 05dea67a20ab70c670d3f7b21b2a5d717327f4cd
parent: 9edad0df74c6ad39281852cca9793fc7dba5c81f (diff)
2 files changed, 13 insertions, 1 deletions
diff --git a/lib/rdoc/rdoc.rb b/lib/rdoc/rdoc.rb
index 680a8612f7..904625f105 100644
--- a/lib/rdoc/rdoc.rb
+++ b/lib/rdoc/rdoc.rb
@@ -444,7 +444,7 @@ The internal error was:
     files.reject do |file, *|
       file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
         (file =~ /tags$/i and
-         open(file, 'rb') { |io|
+         File.open(file, 'rb') { |io|
            io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
          })
     end
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb
index 3910dd4656..a83d5a1b88 100644
--- a/test/rdoc/test_rdoc_rdoc.rb
+++ b/test/rdoc/test_rdoc_rdoc.rb
@@ -456,6 +456,18 @@ class TestRDocRDoc < RDoc::TestCase
     end
   end
 
+  def test_remove_unparseable_CVE_2021_31799
+    temp_dir do
+      file_list = ['| touch evil.txt && echo tags']
+      file_list.each do |f|
+        FileUtils.touch f
+      end
+
+      assert_equal file_list, @rdoc.remove_unparseable(file_list)
+      assert_equal file_list, Dir.children('.')
+    end
+  end
+
   def test_setup_output_dir
     Dir.mktmpdir {|d|
       path = File.join d, 'testdir'
author	aycabta <aycabta@gmail.com>	2021-05-02 20:52:23 +0900
committer	aycabta <aycabta@gmail.com>	2021-05-21 13:42:24 +0900
commit	b1c73f239fe9af97de837331849f55d67c27561e (patch)
tree	05dea67a20ab70c670d3f7b21b2a5d717327f4cd
parent	9edad0df74c6ad39281852cca9793fc7dba5c81f (diff)