diff options
Diffstat (limited to 'spec/ruby/security/cve_2010_1330_spec.rb')
| -rw-r--r-- | spec/ruby/security/cve_2010_1330_spec.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb new file mode 100644 index 0000000000..8867fb7135 --- /dev/null +++ b/spec/ruby/security/cve_2010_1330_spec.rb @@ -0,0 +1,19 @@ +require_relative '../spec_helper' + +describe "String#gsub" do + it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do + # This original vulnerability talked about KCODE, which is no longer + # used. Instead we are forcing encodings here. But I think the idea is the + # same - we want to check that Ruby implementations raise an error on + # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte + # sequence. + + str = +"\xF6<script>" + str.force_encoding Encoding::BINARY + str.gsub(/</, "<").should == "\xF6<script>".b + str.force_encoding Encoding::UTF_8 + -> { + str.gsub(/</, "<") + }.should.raise(ArgumentError, /invalid byte sequence in UTF-8/) + end +end |