Skip to content

Commit

Permalink
fix(security): prevent command injection in FileResponse#read_body
Browse files Browse the repository at this point in the history
Also add general test coverage for FileResponse#read_body

Related to GHSA-qrqm-fpv6-6r8g
  • Loading branch information
flavorjones committed Jan 30, 2021
1 parent b48b12f commit 63f8779
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 3 deletions.
2 changes: 1 addition & 1 deletion lib/mechanize/file_response.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ def read_body
if directory?
yield dir_body
else
open @file_path, 'rb' do |io|
::File.open(@file_path, 'rb') do |io|
yield io.read
end
end
Expand Down
22 changes: 20 additions & 2 deletions test/test_mechanize_file_response.rb
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
require 'mechanize/test_case'

class TestMechanizeFileResponse < Mechanize::TestCase

def test_content_type
Tempfile.open %w[pi .nothtml] do |tempfile|
res = Mechanize::FileResponse.new tempfile.path
Expand All @@ -19,5 +18,24 @@ def test_content_type
end
end

end
def test_read_body
Tempfile.open %w[pi .html] do |tempfile|
tempfile.write("asdfasdfasdf")
tempfile.close

res = Mechanize::FileResponse.new(tempfile.path)
res.read_body do |input|
assert_equal("asdfasdfasdf", input)
end
end
end

def test_read_body_does_not_allow_command_injection
in_tmpdir do
FileUtils.touch('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
res = Mechanize::FileResponse.new('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
res.read_body { |_| }
refute_operator(File, :exist?, "vul.txt")
end
end
end

0 comments on commit 63f8779

Please sign in to comment.