diff options
| author | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-10-29 22:39:30 +0900 |
|---|---|---|
| committer | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-10-29 22:40:41 +0900 |
| commit | fee5cde00be7342dc6c00d0b0a0276d09e5252e3 (patch) | |
| tree | fd80f86afb77cfe29d90013adc6545d47c9518e2 /spec | |
| parent | ad4da86669454dee86844b3e0a3ecf9177084db3 (diff) | |
Fix tests for CVE-2018-6914
Since the current working directory is not involved in `Tempfile`
and `Dir.mktmpdir` (except for the last resort), it is incorrect
to derive the traversal path from it. Also, since the rubyspec
temporary directory is created under the build directory, this is
not involved in the target method. Fixed sporadic errors in
test-spec.
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/ruby/security/cve_2018_6914_spec.rb | 43 |
1 files changed, 19 insertions, 24 deletions
diff --git a/spec/ruby/security/cve_2018_6914_spec.rb b/spec/ruby/security/cve_2018_6914_spec.rb index 1eab3b84cc..dc2f2cd095 100644 --- a/spec/ruby/security/cve_2018_6914_spec.rb +++ b/spec/ruby/security/cve_2018_6914_spec.rb @@ -5,56 +5,51 @@ require 'tmpdir' describe "CVE-2018-6914 is resisted by" do before :each do + @tmpdir = ENV['TMPDIR'] @dir = tmp("CVE-2018-6914") Dir.mkdir(@dir) - touch "#{@dir}/bar" - - @traversal_path = Array.new(@dir.count('/'), '..').join('/') + @dir + '/' - @traversal_path.delete!(':') if platform_is(:windows) + ENV['TMPDIR'] = @dir + @dir << '/' @tempfile = nil end after :each do + ENV['TMPDIR'] = @tmpdir @tempfile.close! if @tempfile rm_r @dir end it "Tempfile.open by deleting separators" do - expect = Dir.glob(@traversal_path + '*').size - @tempfile = Tempfile.open([@traversal_path, 'foo']) - actual = Dir.glob(@traversal_path + '*').size - actual.should == expect + @tempfile = Tempfile.open(['../', 'foo']) + actual = @tempfile.path + File.absolute_path(actual).should.start_with?(@dir) end it "Tempfile.new by deleting separators" do - expect = Dir.glob(@traversal_path + '*').size - @tempfile = Tempfile.new(@traversal_path + 'foo') - actual = Dir.glob(@traversal_path + '*').size - actual.should == expect + @tempfile = Tempfile.new('../foo') + actual = @tempfile.path + File.absolute_path(actual).should.start_with?(@dir) end it "Tempfile.create by deleting separators" do - expect = Dir.glob(@traversal_path + '*').size - Tempfile.create(@traversal_path + 'foo') do - actual = Dir.glob(@traversal_path + '*').size - actual.should == expect + actual = Tempfile.create('../foo') do |t| + t.path end + File.absolute_path(actual).should.start_with?(@dir) end it "Dir.mktmpdir by deleting separators" do - expect = Dir.glob(@traversal_path + '*').size - Dir.mktmpdir(@traversal_path + 'foo') do - actual = Dir.glob(@traversal_path + '*').size - actual.should == expect + actual = Dir.mktmpdir('../foo') do |path| + path end + File.absolute_path(actual).should.start_with?(@dir) end it "Dir.mktmpdir with an array by deleting separators" do - expect = Dir.glob(@traversal_path + '*').size - Dir.mktmpdir([@traversal_path, 'foo']) do - actual = Dir.glob(@traversal_path + '*').size - actual.should == expect + actual = Dir.mktmpdir(['../', 'foo']) do |path| + path end + File.absolute_path(actual).should.start_with?(@dir) end end |