diff options
author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-02-16 14:58:30 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-02-16 14:58:30 +0000 |
commit | 4237809aa3983fca36b520f95b48fdf9e7e88de2 (patch) | |
tree | a3c20aec8122b8a40614d84a987654dc3e9da47c /test/rubygems/test_gem_package.rb | |
parent | 3b3d4b6bf5ea028246a432c4a9874b755b1438a0 (diff) |
merge revision(s) 62422: [Backport #14481]
Merge RubyGems 2.7.6 from upstream.
It fixed some security vulnerabilities.
http://blog.rubygems.org/2018/02/15/2.7.6-released.html
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@62434 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/rubygems/test_gem_package.rb')
-rw-r--r-- | test/rubygems/test_gem_package.rb | 74 |
1 files changed, 73 insertions, 1 deletions
diff --git a/test/rubygems/test_gem_package.rb b/test/rubygems/test_gem_package.rb index 9d47f0dea4..5b93475314 100644 --- a/test/rubygems/test_gem_package.rb +++ b/test/rubygems/test_gem_package.rb @@ -455,6 +455,31 @@ class TestGemPackage < Gem::Package::TarTestCase File.read(extracted) end + def test_extract_symlink_parent + skip 'symlink not supported' if Gem.win_platform? + + package = Gem::Package.new @gem + + tgz_io = util_tar_gz do |tar| + tar.mkdir 'lib', 0755 + tar.add_symlink 'lib/link', '../..', 0644 + tar.add_file 'lib/link/outside.txt', 0644 do |io| io.write 'hi' end + end + + # Extract into a subdirectory of @destination; if this test fails it writes + # a file outside destination_subdir, but we want the file to remain inside + # @destination so it will be cleaned up. + destination_subdir = File.join @destination, 'subdir' + FileUtils.mkdir_p destination_subdir + + e = assert_raises Gem::Package::PathError do + package.extract_tar_gz tgz_io, destination_subdir + end + + assert_equal("installing into parent path lib/link/outside.txt of " + + "#{destination_subdir} is not allowed", e.message) + end + def test_extract_tar_gz_directory package = Gem::Package.new @gem @@ -566,6 +591,21 @@ class TestGemPackage < Gem::Package::TarTestCase "#{@destination} is not allowed", e.message) end + def test_install_location_suffix + package = Gem::Package.new @gem + + filename = "../#{File.basename(@destination)}suffix.rb" + + e = assert_raises Gem::Package::PathError do + package.install_location filename, @destination + end + + parent = File.expand_path File.join @destination, filename + + assert_equal("installing into parent path #{parent} of " + + "#{@destination} is not allowed", e.message) + end + def test_load_spec entry = StringIO.new Gem.gzip @spec.to_yaml def entry.full_name() 'metadata.gz' end @@ -723,6 +763,32 @@ class TestGemPackage < Gem::Package::TarTestCase assert_match %r%nonexistent.gem$%, e.message end + def test_verify_duplicate_file + FileUtils.mkdir_p 'lib' + FileUtils.touch 'lib/code.rb' + + build = Gem::Package.new @gem + build.spec = @spec + build.setup_signer + open @gem, 'wb' do |gem_io| + Gem::Package::TarWriter.new gem_io do |gem| + build.add_metadata gem + build.add_contents gem + + gem.add_file_simple 'a.sig', 0444, 0 + gem.add_file_simple 'a.sig', 0444, 0 + end + end + + package = Gem::Package.new @gem + + e = assert_raises Gem::Security::Exception do + package.verify + end + + assert_equal 'duplicate files in the package: ("a.sig")', e.message + end + def test_verify_security_policy skip 'openssl is missing' unless defined?(OpenSSL::SSL) @@ -780,7 +846,13 @@ class TestGemPackage < Gem::Package::TarTestCase # write bogus data.tar.gz to foil signature bogus_data = Gem.gzip 'hello' - gem.add_file_simple 'data.tar.gz', 0444, bogus_data.length do |io| + fake_signer = Class.new do + def digest_name; 'SHA512'; end + def digest_algorithm; Digest(:SHA512); end + def key; 'key'; end + def sign(*); 'fake_sig'; end + end + gem.add_file_signed 'data2.tar.gz', 0444, fake_signer.new do |io| io.write bogus_data end |