4 files changed, 13 insertions, 74 deletions

diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb
index 33e88d652e..2594439550 100644
--- a/spec/ruby/security/cve_2010_1330_spec.rb
+++ b/spec/ruby/security/cve_2010_1330_spec.rb
@@ -8,7 +8,7 @@ describe "String#gsub" do
     # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
     # sequence.
 
-    str = "\xF6<script>"
+    str = +"\xF6<script>"
     str.force_encoding Encoding::BINARY
     str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
     str.force_encoding Encoding::UTF_8
diff --git a/spec/ruby/security/cve_2014_8080_spec.rb b/spec/ruby/security/cve_2014_8080_spec.rb
deleted file mode 100644
index 23770f94b1..0000000000
--- a/spec/ruby/security/cve_2014_8080_spec.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-require_relative '../spec_helper'
-
-ruby_version_is ''...'3.0' do
-  require 'rexml/document'
-
-  describe "REXML::Document.new" do
-
-    it "resists CVE-2014-8080 by raising an exception when entity expansion has grown too large" do
-      xml = <<XML
-      <?xml version="1.0" encoding="UTF-8" ?>
-        <!DOCTYPE x [
-          <!ENTITY % x0 "xxxxxxxxxx">
-          <!ENTITY % x1 "%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;">
-          <!ENTITY % x2 "%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;">
-          <!ENTITY % x3 "%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;">
-          <!ENTITY % x4 "%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;">
-          <!ENTITY % x5 "%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;">
-          <!ENTITY % x6 "%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;">
-          <!ENTITY % x7 "%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;">
-          <!ENTITY % x8 "%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;">
-          <!ENTITY % x9 "%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;">
-        ]>
-        <x>
-          %x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;
-        </x>
-XML
-
-      -> {
-        REXML::Document.new(xml).doctype.entities['x9'].value
-      }.should raise_error(REXML::ParseException, /entity expansion has grown too large/)
-    end
-
-  end
-end
diff --git a/spec/ruby/security/cve_2017_17742_spec.rb b/spec/ruby/security/cve_2017_17742_spec.rb
deleted file mode 100644
index b0d93e42b8..0000000000
--- a/spec/ruby/security/cve_2017_17742_spec.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-require_relative '../spec_helper'
-
-# webrick is no longer in stdlib in Ruby 3+
-ruby_version_is ""..."3.0" do
-  require "webrick"
-  require "stringio"
-  require "net/http"
-
-  describe "WEBrick" do
-    describe "resists CVE-2017-17742" do
-      it "for a response splitting headers" do
-        config = WEBrick::Config::HTTP
-        res = WEBrick::HTTPResponse.new config
-        res['X-header'] = "malicious\r\nCookie: hack"
-        io = StringIO.new
-        res.send_response io
-        io.rewind
-        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
-        res.code.should == '500'
-        io.string.should_not =~ /hack/
-      end
-
-      it "for a response splitting cookie headers" do
-        user_input = "malicious\r\nCookie: hack"
-        config = WEBrick::Config::HTTP
-        res = WEBrick::HTTPResponse.new config
-        res.cookies << WEBrick::Cookie.new('author', user_input)
-        io = StringIO.new
-        res.send_response io
-        io.rewind
-        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
-        res.code.should == '500'
-        io.string.should_not =~ /hack/
-      end
-    end
-  end
-end
diff --git a/spec/ruby/security/cve_2019_8323_spec.rb b/spec/ruby/security/cve_2019_8323_spec.rb
index d4606de054..49a31a6682 100644
--- a/spec/ruby/security/cve_2019_8323_spec.rb
+++ b/spec/ruby/security/cve_2019_8323_spec.rb
@@ -11,7 +11,12 @@ describe "CVE-2019-8323 is resisted by" do
       cutter = Class.new {
         include Gem::GemcutterUtilities
       }.new
-      response = Net::HTTPSuccess.new(nil, nil, nil)
+      klass = if defined?(Gem::Net::HTTPSuccess)
+                Gem::Net::HTTPSuccess
+              else
+                Net::HTTPSuccess
+              end
+      response = klass.new(nil, nil, nil)
       def response.body
         "\e]2;nyan\a"
       end
@@ -25,7 +30,12 @@ describe "CVE-2019-8323 is resisted by" do
       }.new
       def cutter.terminate_interaction(n)
       end
-      response = Net::HTTPNotFound.new(nil, nil, nil)
+      klass = if defined?(Gem::Net::HTTPNotFound)
+                Gem::Net::HTTPNotFound
+              else
+                Net::HTTPNotFound
+              end
+      response = klass.new(nil, nil, nil)
       def response.body
         "\e]2;nyan\a"
       end