6 files changed, 197 insertions, 3 deletions

diff --git a/spec/ruby/security/cve_2014_8080_spec.rb b/spec/ruby/security/cve_2014_8080_spec.rb
index e12faa6a75..e9d7fd320c 100644
--- a/spec/ruby/security/cve_2014_8080_spec.rb
+++ b/spec/ruby/security/cve_2014_8080_spec.rb
@@ -24,9 +24,9 @@ describe "REXML::Document.new" do
       </x>
 XML
 
-    lambda { REXML::Document.new(xml).doctype.entities['x9'].value }.should raise_error(REXML::ParseException) { |e|
-      e.message.should =~ /entity expansion has grown too large/
-    }
+    lambda {
+      REXML::Document.new(xml).doctype.entities['x9'].value
+    }.should raise_error(REXML::ParseException, /entity expansion has grown too large/)
   end
 
 end
diff --git a/spec/ruby/security/cve_2017_17742_spec.rb b/spec/ruby/security/cve_2017_17742_spec.rb
new file mode 100644
index 0000000000..f1205412c6
--- /dev/null
+++ b/spec/ruby/security/cve_2017_17742_spec.rb
@@ -0,0 +1,40 @@
+require_relative '../spec_helper'
+
+require "webrick"
+require "stringio"
+require "net/http"
+
+guard -> {
+  ruby_version_is "2.3.7"..."2.4" or
+  ruby_version_is "2.4.4"..."2.5" or
+  ruby_version_is "2.5.1"
+} do
+  describe "WEBrick" do
+    describe "resists CVE-2017-17742" do
+      it "for a response splitting headers" do
+        config = WEBrick::Config::HTTP
+        res = WEBrick::HTTPResponse.new config
+        res['X-header'] = "malicious\r\nCookie: hack"
+        io = StringIO.new
+        res.send_response io
+        io.rewind
+        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+        res.code.should == '500'
+        io.string.should_not =~ /hack/
+      end
+
+      it "for a response splitting cookie headers" do
+        user_input = "malicious\r\nCookie: hack"
+        config = WEBrick::Config::HTTP
+        res = WEBrick::HTTPResponse.new config
+        res.cookies << WEBrick::Cookie.new('author', user_input)
+        io = StringIO.new
+        res.send_response io
+        io.rewind
+        res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
+        res.code.should == '500'
+        io.string.should_not =~ /hack/
+      end
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2018_6914_spec.rb b/spec/ruby/security/cve_2018_6914_spec.rb
new file mode 100644
index 0000000000..657341e474
--- /dev/null
+++ b/spec/ruby/security/cve_2018_6914_spec.rb
@@ -0,0 +1,59 @@
+require_relative '../spec_helper'
+
+require 'tempfile'
+
+guard -> {
+  ruby_version_is "2.3.7"..."2.4" or
+  ruby_version_is "2.4.4"..."2.5" or
+  ruby_version_is "2.5.1"
+} do
+  describe "CVE-2018-6914 is resisted by" do
+    before :all do
+      @traversal_path = Array.new(Dir.pwd.split('/').count, '..').join('/') + Dir.pwd + '/'
+      @traversal_path.delete!(':') if /mswin|mingw/ =~ RUBY_PLATFORM
+    end
+
+    it "Tempfile.open by deleting separators" do
+      begin
+        expect = Dir.glob(@traversal_path + '*').count
+        t = Tempfile.open([@traversal_path, 'foo'])
+        actual = Dir.glob(@traversal_path + '*').count
+        actual.should == expect
+      ensure
+        t.close!
+      end
+    end
+
+    it "Tempfile.new by deleting separators" do
+      begin
+        expect = Dir.glob(@traversal_path + '*').count
+        t = Tempfile.new(@traversal_path + 'foo')
+        actual = Dir.glob(@traversal_path + '*').count
+        actual.should == expect
+      ensure
+        t.close!
+      end
+    end
+
+    it "Tempfile.create by deleting separators" do
+      expect = Dir.glob(@traversal_path + '*').count
+      Tempfile.create(@traversal_path + 'foo')
+      actual = Dir.glob(@traversal_path + '*').count
+      actual.should == expect
+    end
+
+    it "Dir.mktmpdir by deleting separators" do
+      expect = Dir.glob(@traversal_path + '*').count
+      Dir.mktmpdir(@traversal_path + 'foo')
+      actual = Dir.glob(@traversal_path + '*').count
+      actual.should == expect
+    end
+
+    it "Dir.mktmpdir with an array by deleting separators" do
+      expect = Dir.glob(@traversal_path + '*').count
+      Dir.mktmpdir([@traversal_path, 'foo'])
+      actual = Dir.glob(@traversal_path + '*').count
+      actual.should == expect
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2018_8778_spec.rb b/spec/ruby/security/cve_2018_8778_spec.rb
new file mode 100644
index 0000000000..a264a8581e
--- /dev/null
+++ b/spec/ruby/security/cve_2018_8778_spec.rb
@@ -0,0 +1,12 @@
+require_relative '../spec_helper'
+
+describe "String#unpack" do
+
+  it "resists CVE-2018-8778 by raising an exception when a position indicator is larger than a native integer" do
+    pos = (1 << PlatformGuard::POINTER_SIZE) - 99
+    lambda {
+      "0123456789".unpack("@#{pos}C10")
+    }.should raise_error(RangeError, /pack length too big/)
+  end
+
+end
diff --git a/spec/ruby/security/cve_2018_8779_spec.rb b/spec/ruby/security/cve_2018_8779_spec.rb
new file mode 100644
index 0000000000..9659b321ee
--- /dev/null
+++ b/spec/ruby/security/cve_2018_8779_spec.rb
@@ -0,0 +1,30 @@
+require_relative '../spec_helper'
+
+require 'socket'
+require 'tempfile'
+
+platform_is_not :windows do
+  describe "CVE-2018-8779 is resisted by" do
+    before :each do
+      tmpfile = Tempfile.new("s")
+      @path = tmpfile.path
+      tmpfile.close(true)
+    end
+
+    after :each do
+      File.unlink @path if @path && File.socket?(@path)
+    end
+
+    it "UNIXServer.open by raising an exception when there is a NUL byte" do
+      lambda {
+        UNIXServer.open(@path+"\0")
+      }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+    end
+
+    it "UNIXSocket.open by raising an exception when there is a NUL byte" do
+      lambda {
+        UNIXSocket.open(@path+"\0")
+      }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2018_8780_spec.rb b/spec/ruby/security/cve_2018_8780_spec.rb
new file mode 100644
index 0000000000..44be29bf22
--- /dev/null
+++ b/spec/ruby/security/cve_2018_8780_spec.rb
@@ -0,0 +1,53 @@
+require_relative '../spec_helper'
+
+guard -> {
+  ruby_version_is "2.3.7"..."2.4" or
+  ruby_version_is "2.4.4"..."2.5" or
+  ruby_version_is "2.5.1"
+} do
+  describe "CVE-2018-8780 is resisted by" do
+    before :all do
+      @root = File.realpath(tmp(""))
+    end
+
+    it "Dir.glob by raising an exception when there is a NUL byte" do
+      lambda {
+        Dir.glob([[@root, File.join(@root, "*")].join("\0")])
+      }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+    end
+
+    it "Dir.entries by raising an exception when there is a NUL byte" do
+      lambda {
+        Dir.entries(@root+"\0")
+      }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+    end
+
+    it "Dir.foreach by raising an exception when there is a NUL byte" do
+      lambda {
+        Dir.foreach(@root+"\0").to_a
+      }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+    end
+
+    ruby_version_is "2.5" do
+      it "Dir.children by raising an exception when there is a NUL byte" do
+        lambda {
+          Dir.children(@root+"\0")
+        }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+      end
+
+      it "Dir.each_child by raising an exception when there is a NUL byte" do
+        lambda {
+          Dir.each_child(@root+"\0").to_a
+        }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+      end
+    end
+
+    ruby_version_is "2.4" do
+      it "Dir.empty? by raising an exception when there is a NUL byte" do
+        lambda {
+          Dir.empty?(@root+"\0")
+        }.should raise_error(ArgumentError, /(path name|string) contains null byte/)
+      end
+    end
+  end
+end