9 files changed, 57 insertions, 140 deletions

diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb
index fa4c756c6d..2594439550 100644
--- a/spec/ruby/security/cve_2010_1330_spec.rb
+++ b/spec/ruby/security/cve_2010_1330_spec.rb
@@ -1,7 +1,6 @@
 require_relative '../spec_helper'
 
 describe "String#gsub" do
-
   it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
     # This original vulnerability talked about KCODE, which is no longer
     # used. Instead we are forcing encodings here. But I think the idea is the
@@ -9,7 +8,7 @@ describe "String#gsub" do
     # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
     # sequence.
 
-    str = "\xF6<script>"
+    str = +"\xF6<script>"
     str.force_encoding Encoding::BINARY
     str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
     str.force_encoding Encoding::UTF_8
@@ -17,5 +16,4 @@ describe "String#gsub" do
       str.gsub(/</, "&lt;")
     }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
   end
-
 end
diff --git a/spec/ruby/security/cve_2013_4164_spec.rb b/spec/ruby/security/cve_2013_4164_spec.rb
index 94578cc7ce..d223b8fd5e 100644
--- a/spec/ruby/security/cve_2013_4164_spec.rb
+++ b/spec/ruby/security/cve_2013_4164_spec.rb
@@ -3,17 +3,13 @@ require_relative '../spec_helper'
 require 'json'
 
 describe "String#to_f" do
-
   it "resists CVE-2013-4164 by converting very long Strings to a Float" do
     "1.#{'1'*1000000}".to_f.should be_close(1.1111111111111112, TOLERANCE)
   end
-
 end
 
 describe "JSON.parse" do
-
   it "resists CVE-2013-4164 by converting very long Strings to a Float" do
     JSON.parse("[1.#{'1'*1000000}]").first.should be_close(1.1111111111111112, TOLERANCE)
   end
-
 end
diff --git a/spec/ruby/security/cve_2014_8080_spec.rb b/spec/ruby/security/cve_2014_8080_spec.rb
deleted file mode 100644
index a3f4483994..0000000000
--- a/spec/ruby/security/cve_2014_8080_spec.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-require_relative '../spec_helper'
-
-
-ruby_version_is ''...'3.0' do
-  require 'rexml/document'
-
-  describe "REXML::Document.new" do
-
-    it "resists CVE-2014-8080 by raising an exception when entity expansion has grown too large" do
-      xml = <<XML
-      <?xml version="1.0" encoding="UTF-8" ?>
-        <!DOCTYPE x [
-          <!ENTITY % x0 "xxxxxxxxxx">
-          <!ENTITY % x1 "%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;">
-          <!ENTITY % x2 "%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;">
-          <!ENTITY % x3 "%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;">
-          <!ENTITY % x4 "%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;">
-          <!ENTITY % x5 "%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;">
-          <!ENTITY % x6 "%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;">
-          <!ENTITY % x7 "%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;">
-          <!ENTITY % x8 "%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;">
-          <!ENTITY % x9 "%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;">
-        ]>
-        <x>
-          %x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;
-        </x>
-XML
-
-      -> {
-        REXML::Document.new(xml).doctype.entities['x9'].value
-      }.should raise_error(REXML::ParseException, /entity expansion has grown too large/)
-    end
-
-  end
-end
diff --git a/spec/ruby/security/cve_2017_17742_spec.rb b/spec/ruby/security/cve_2017_17742_spec.rb
deleted file mode 100644
index b0d93e42b8..0000000000
--- a/spec/ruby/security/cve_2017_17742_spec.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-require_relative '../spec_helper'
-
-# webrick is no longer in stdlib in Ruby 3+
-ruby_version_is ""..."3.0" do
-  require "webrick"
-  require "stringio"
-  require "net/http"
-
-  describe "WEBrick" do
-    describe "resists CVE-2017-17742" do
-      it "for a response splitting headers" do
-        config = WEBrick::Config::HTTP
-        res = WEBrick::HTTPResponse.new config
-        res['X-header'] = "malicious\r\nCookie: hack"
-        io = StringIO.new
-        res.send_response io
-        io.rewind
-        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
-        res.code.should == '500'
-        io.string.should_not =~ /hack/
-      end
-
-      it "for a response splitting cookie headers" do
-        user_input = "malicious\r\nCookie: hack"
-        config = WEBrick::Config::HTTP
-        res = WEBrick::HTTPResponse.new config
-        res.cookies << WEBrick::Cookie.new('author', user_input)
-        io = StringIO.new
-        res.send_response io
-        io.rewind
-        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
-        res.code.should == '500'
-        io.string.should_not =~ /hack/
-      end
-    end
-  end
-end
diff --git a/spec/ruby/security/cve_2018_16396_spec.rb b/spec/ruby/security/cve_2018_16396_spec.rb
index 303c47a8c7..6f8a5d2f5d 100644
--- a/spec/ruby/security/cve_2018_16396_spec.rb
+++ b/spec/ruby/security/cve_2018_16396_spec.rb
@@ -1,25 +1,7 @@
 require_relative '../spec_helper'
 
 describe "Array#pack" do
-
-  ruby_version_is ''...'2.7' do
-    it "resists CVE-2018-16396 by tainting output based on input" do
-      "aAZBbHhuMmPp".each_char do |f|
-        ["123456".taint].pack(f).tainted?.should be_true
-      end
-    end
-  end
-
 end
 
 describe "String#unpack" do
-
-  ruby_version_is ''...'2.7' do
-    it "resists CVE-2018-16396 by tainting output based on input" do
-      "aAZBbHhuMm".each_char do |f|
-        "123456".taint.unpack(f).first.tainted?.should be_true
-      end
-    end
-  end
-
 end
diff --git a/spec/ruby/security/cve_2018_8778_spec.rb b/spec/ruby/security/cve_2018_8778_spec.rb
index 628159a4db..62057faa53 100644
--- a/spec/ruby/security/cve_2018_8778_spec.rb
+++ b/spec/ruby/security/cve_2018_8778_spec.rb
@@ -1,12 +1,10 @@
 require_relative '../spec_helper'
 
 describe "String#unpack" do
-
   it "resists CVE-2018-8778 by raising an exception when a position indicator is larger than a native integer" do
     pos = (1 << PlatformGuard::POINTER_SIZE) - 99
     -> {
       "0123456789".unpack("@#{pos}C10")
     }.should raise_error(RangeError, /pack length too big/)
   end
-
 end
diff --git a/spec/ruby/security/cve_2019_8323_spec.rb b/spec/ruby/security/cve_2019_8323_spec.rb
index d4606de054..49a31a6682 100644
--- a/spec/ruby/security/cve_2019_8323_spec.rb
+++ b/spec/ruby/security/cve_2019_8323_spec.rb
@@ -11,7 +11,12 @@ describe "CVE-2019-8323 is resisted by" do
       cutter = Class.new {
         include Gem::GemcutterUtilities
       }.new
-      response = Net::HTTPSuccess.new(nil, nil, nil)
+      klass = if defined?(Gem::Net::HTTPSuccess)
+                Gem::Net::HTTPSuccess
+              else
+                Net::HTTPSuccess
+              end
+      response = klass.new(nil, nil, nil)
       def response.body
         "\e]2;nyan\a"
       end
@@ -25,7 +30,12 @@ describe "CVE-2019-8323 is resisted by" do
       }.new
       def cutter.terminate_interaction(n)
       end
-      response = Net::HTTPNotFound.new(nil, nil, nil)
+      klass = if defined?(Gem::Net::HTTPNotFound)
+                Gem::Net::HTTPNotFound
+              else
+                Net::HTTPNotFound
+              end
+      response = klass.new(nil, nil, nil)
       def response.body
         "\e]2;nyan\a"
       end
diff --git a/spec/ruby/security/cve_2019_8325_spec.rb b/spec/ruby/security/cve_2019_8325_spec.rb
index 935f127d7f..bbddb3a6ce 100644
--- a/spec/ruby/security/cve_2019_8325_spec.rb
+++ b/spec/ruby/security/cve_2019_8325_spec.rb
@@ -3,36 +3,44 @@ require_relative '../spec_helper'
 require 'rubygems'
 require 'rubygems/command_manager'
 
-platform_is_not :darwin do # frequent timeout/hang on macOS
-  describe "CVE-2019-8325 is resisted by" do
-    describe "sanitising error message components" do
-      it "for the 'while executing' message" do
-        manager = Gem::CommandManager.new
-        def manager.process_args(args, build_args)
-          raise StandardError, "\e]2;nyan\a"
-        end
-        def manager.terminate_interaction(n)
-        end
-        manager.should_receive(:alert_error).with("While executing gem ... (StandardError)\n    .]2;nyan.")
-        manager.run nil, nil
+describe "CVE-2019-8325 is resisted by" do
+  describe "sanitising error message components" do
+    before :each do
+      @ui = Gem::SilentUI.new
+    end
+
+    after :each do
+      @ui.close
+    end
+
+    it "for the 'while executing' message" do
+      manager = Gem::CommandManager.new
+      manager.ui = @ui
+      def manager.process_args(args, build_args)
+        raise StandardError, "\e]2;nyan\a"
       end
+      def manager.terminate_interaction(n)
+      end
+      manager.should_receive(:alert_error).with("While executing gem ... (StandardError)\n    .]2;nyan.")
+      manager.run nil, nil
+    end
 
-      it "for the 'invalid option' message" do
-        manager = Gem::CommandManager.new
-        def manager.terminate_interaction(n)
-        end
-        manager.should_receive(:alert_error).with("Invalid option: --.]2;nyan.. See 'gem --help'.")
-        manager.process_args ["--\e]2;nyan\a"], nil
+    it "for the 'invalid option' message" do
+      manager = Gem::CommandManager.new
+      def manager.terminate_interaction(n)
       end
+      manager.should_receive(:alert_error).with("Invalid option: --.]2;nyan.. See 'gem --help'.")
+      manager.process_args ["--\e]2;nyan\a"], nil
+    end
 
-      it "for the 'loading command' message" do
-        manager = Gem::CommandManager.new
-        def manager.require(x)
-          raise 'foo'
-        end
-        manager.should_receive(:alert_error).with("Loading command: .]2;nyan. (RuntimeError)\n\tfoo")
-        manager.send :load_and_instantiate, "\e]2;nyan\a"
+    it "for the 'loading command' message" do
+      manager = Gem::CommandManager.new
+      manager.ui = @ui
+      def manager.require(x)
+        raise 'foo'
       end
+      manager.should_receive(:alert_error).with("Loading command: .]2;nyan. (RuntimeError)\n\tfoo")
+      manager.send :load_and_instantiate, "\e]2;nyan\a"
     end
   end
 end
diff --git a/spec/ruby/security/cve_2020_10663_spec.rb b/spec/ruby/security/cve_2020_10663_spec.rb
index 766590d501..cce1beb012 100644
--- a/spec/ruby/security/cve_2020_10663_spec.rb
+++ b/spec/ruby/security/cve_2020_10663_spec.rb
@@ -18,25 +18,22 @@ module JSONSpecs
 end
 
 guard -> {
-  ruby_version_is "2.6.6" or
   JSON.const_defined?(:Pure) or
   version_is(JSON::VERSION, '2.3.0')
 } do
-  platform_is_not :darwin do # frequent timeout/hang on macOS
-    describe "CVE-2020-10663 is resisted by" do
-      it "only creating custom objects if passed create_additions: true or using JSON.load" do
-        obj = JSONSpecs::MyClass.new("bar")
-        JSONSpecs::MyClass.should.json_creatable?
-        json = JSON.dump(obj)
+  describe "CVE-2020-10663 is resisted by" do
+    it "only creating custom objects if passed create_additions: true or using JSON.load" do
+      obj = JSONSpecs::MyClass.new("bar")
+      JSONSpecs::MyClass.should.json_creatable?
+      json = JSON.dump(obj)
 
-        JSON.parse(json, create_additions: true).class.should == JSONSpecs::MyClass
-        JSON(json, create_additions: true).class.should == JSONSpecs::MyClass
-        JSON.load(json).class.should == JSONSpecs::MyClass
+      JSON.parse(json, create_additions: true).class.should == JSONSpecs::MyClass
+      JSON(json, create_additions: true).class.should == JSONSpecs::MyClass
+      JSON.load(json).class.should == JSONSpecs::MyClass
 
-        JSON.parse(json).class.should == Hash
-        JSON.parse(json, nil).class.should == Hash
-        JSON(json).class.should == Hash
-      end
+      JSON.parse(json).class.should == Hash
+      JSON.parse(json, nil).class.should == Hash
+      JSON(json).class.should == Hash
     end
   end
 end