[rubygems/rubygems] Boundary check in `Gem::StreamUI#choose_from_list`

https://github.com/rubygems/rubygems/commit/abacb0cb34

2 files changed, 31 insertions, 0 deletions

diff --git a/lib/rubygems/user_interaction.rb b/lib/rubygems/user_interaction.rb
index 9f0538a6b0..1cee1555a0 100644
--- a/lib/rubygems/user_interaction.rb
+++ b/lib/rubygems/user_interaction.rb
@@ -237,6 +237,7 @@ class Gem::StreamUI
     return nil, nil unless result
 
     result = result.strip.to_i - 1
+    return nil, nil unless (0...list.size) === result
     [list[result], result]
   end
 
diff --git a/test/rubygems/test_gem_stream_ui.rb b/test/rubygems/test_gem_stream_ui.rb
index 24a9a4ba19..00cc64629a 100644
--- a/test/rubygems/test_gem_stream_ui.rb
+++ b/test/rubygems/test_gem_stream_ui.rb
@@ -114,6 +114,36 @@ class TestGemStreamUI < Gem::TestCase
     assert_equal "which one?\n 1. foo\n 2. bar\n> ", @out.string
   end
 
+  def test_choose_from_list_0
+    @in.puts "0"
+    @in.rewind
+
+    result = @sui.choose_from_list "which one?", %w[foo bar]
+
+    assert_equal [nil, nil], result
+    assert_equal "which one?\n 1. foo\n 2. bar\n> ", @out.string
+  end
+
+  def test_choose_from_list_over
+    @in.puts "3"
+    @in.rewind
+
+    result = @sui.choose_from_list "which one?", %w[foo bar]
+
+    assert_equal [nil, nil], result
+    assert_equal "which one?\n 1. foo\n 2. bar\n> ", @out.string
+  end
+
+  def test_choose_from_list_negative
+    @in.puts "-1"
+    @in.rewind
+
+    result = @sui.choose_from_list "which one?", %w[foo bar]
+
+    assert_equal [nil, nil], result
+    assert_equal "which one?\n 1. foo\n 2. bar\n> ", @out.string
+  end
+
   def test_progress_reporter_silent_nil
     @cfg.verbose = nil
     reporter = @sui.progress_reporter 10, "hi"