summaryrefslogtreecommitdiff
path: root/test/test_tmpdir.rb
diff options
context:
space:
mode:
authorNobuyoshi Nakada <nobu@ruby-lang.org>2019-10-29 22:39:30 +0900
committerNobuyoshi Nakada <nobu@ruby-lang.org>2019-10-29 22:40:41 +0900
commitfee5cde00be7342dc6c00d0b0a0276d09e5252e3 (patch)
treefd80f86afb77cfe29d90013adc6545d47c9518e2 /test/test_tmpdir.rb
parentad4da86669454dee86844b3e0a3ecf9177084db3 (diff)
Fix tests for CVE-2018-6914
Since the current working directory is not involved in `Tempfile` and `Dir.mktmpdir` (except for the last resort), it is incorrect to derive the traversal path from it. Also, since the rubyspec temporary directory is created under the build directory, this is not involved in the target method. Fixed sporadic errors in test-spec.
Diffstat (limited to 'test/test_tmpdir.rb')
-rw-r--r--test/test_tmpdir.rb29
1 files changed, 18 insertions, 11 deletions
diff --git a/test/test_tmpdir.rb b/test/test_tmpdir.rb
index 1e633d2..42bcbc0 100644
--- a/test/test_tmpdir.rb
+++ b/test/test_tmpdir.rb
@@ -65,22 +65,29 @@ class TestTmpdir < Test::Unit::TestCase
}
end
- TRAVERSAL_PATH = Array.new(Dir.pwd.split('/').count, '..').join('/') + Dir.pwd + '/'
- TRAVERSAL_PATH.delete!(':') if /mswin|mingw/ =~ RUBY_PLATFORM
-
def test_mktmpdir_traversal
- expect = Dir.glob(TRAVERSAL_PATH + '*').count
- Dir.mktmpdir(TRAVERSAL_PATH + 'foo') do
- actual = Dir.glob(TRAVERSAL_PATH + '*').count
- assert_equal expect, actual
+ assert_mktmpdir_traversal do |traversal_path|
+ Dir.mktmpdir(traversal_path + 'foo') do |actual|
+ actual
+ end
end
end
def test_mktmpdir_traversal_array
- expect = Dir.glob(TRAVERSAL_PATH + '*').count
- Dir.mktmpdir([TRAVERSAL_PATH, 'foo']) do
- actual = Dir.glob(TRAVERSAL_PATH + '*').count
- assert_equal expect, actual
+ assert_mktmpdir_traversal do |traversal_path|
+ Dir.mktmpdir([traversal_path, 'foo']) do |actual|
+ actual
+ end
+ end
+ end
+
+ def assert_mktmpdir_traversal
+ Dir.mktmpdir do |target|
+ target = target.chomp('/') + '/'
+ traversal_path = target.sub(/\A\w:/, '') # for DOSISH
+ traversal_path = Array.new(target.count('/')-2, '..').join('/') + traversal_path
+ actual = yield traversal_path
+ assert_not_send([File.absolute_path(actual), :start_with?, target])
end
end
end