diff options
| author | Benoit Daloze <eregontp@gmail.com> | 2021-10-20 21:41:46 +0200 |
|---|---|---|
| committer | Benoit Daloze <eregontp@gmail.com> | 2021-10-20 21:41:46 +0200 |
| commit | a6c6eef04aaa075f4bbd0eef740d011737afec91 (patch) | |
| tree | e8779ca2ddc044899caabca88c16abc9a9054fff /spec/ruby/security | |
| parent | 207a5a5bc13018344dc2ab7913fdcaeaeca01292 (diff) | |
| download | ruby-a6c6eef04aaa075f4bbd0eef740d011737afec91.tar.gz | |
Update to ruby/spec@d6921ef
Diffstat (limited to 'spec/ruby/security')
| -rw-r--r-- | spec/ruby/security/cve_2010_1330_spec.rb | 2 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2013_4164_spec.rb | 4 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2014_8080_spec.rb | 1 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2018_16396_spec.rb | 4 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2018_8778_spec.rb | 2 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2019_8323_spec.rb | 54 | ||||
| -rw-r--r-- | spec/ruby/security/cve_2019_8325_spec.rb | 6 |
7 files changed, 31 insertions, 42 deletions
diff --git a/spec/ruby/security/cve_2010_1330_spec.rb b/spec/ruby/security/cve_2010_1330_spec.rb index fa4c756c6d..33e88d652e 100644 --- a/spec/ruby/security/cve_2010_1330_spec.rb +++ b/spec/ruby/security/cve_2010_1330_spec.rb @@ -1,7 +1,6 @@ require_relative '../spec_helper' describe "String#gsub" do - it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do # This original vulnerability talked about KCODE, which is no longer # used. Instead we are forcing encodings here. But I think the idea is the @@ -17,5 +16,4 @@ describe "String#gsub" do str.gsub(/</, "<") }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/) end - end diff --git a/spec/ruby/security/cve_2013_4164_spec.rb b/spec/ruby/security/cve_2013_4164_spec.rb index 94578cc7ce..d223b8fd5e 100644 --- a/spec/ruby/security/cve_2013_4164_spec.rb +++ b/spec/ruby/security/cve_2013_4164_spec.rb @@ -3,17 +3,13 @@ require_relative '../spec_helper' require 'json' describe "String#to_f" do - it "resists CVE-2013-4164 by converting very long Strings to a Float" do "1.#{'1'*1000000}".to_f.should be_close(1.1111111111111112, TOLERANCE) end - end describe "JSON.parse" do - it "resists CVE-2013-4164 by converting very long Strings to a Float" do JSON.parse("[1.#{'1'*1000000}]").first.should be_close(1.1111111111111112, TOLERANCE) end - end diff --git a/spec/ruby/security/cve_2014_8080_spec.rb b/spec/ruby/security/cve_2014_8080_spec.rb index a3f4483994..23770f94b1 100644 --- a/spec/ruby/security/cve_2014_8080_spec.rb +++ b/spec/ruby/security/cve_2014_8080_spec.rb @@ -1,6 +1,5 @@ require_relative '../spec_helper' - ruby_version_is ''...'3.0' do require 'rexml/document' diff --git a/spec/ruby/security/cve_2018_16396_spec.rb b/spec/ruby/security/cve_2018_16396_spec.rb index 303c47a8c7..c9624e9c63 100644 --- a/spec/ruby/security/cve_2018_16396_spec.rb +++ b/spec/ruby/security/cve_2018_16396_spec.rb @@ -1,7 +1,6 @@ require_relative '../spec_helper' describe "Array#pack" do - ruby_version_is ''...'2.7' do it "resists CVE-2018-16396 by tainting output based on input" do "aAZBbHhuMmPp".each_char do |f| @@ -9,11 +8,9 @@ describe "Array#pack" do end end end - end describe "String#unpack" do - ruby_version_is ''...'2.7' do it "resists CVE-2018-16396 by tainting output based on input" do "aAZBbHhuMm".each_char do |f| @@ -21,5 +18,4 @@ describe "String#unpack" do end end end - end diff --git a/spec/ruby/security/cve_2018_8778_spec.rb b/spec/ruby/security/cve_2018_8778_spec.rb index 628159a4db..62057faa53 100644 --- a/spec/ruby/security/cve_2018_8778_spec.rb +++ b/spec/ruby/security/cve_2018_8778_spec.rb @@ -1,12 +1,10 @@ require_relative '../spec_helper' describe "String#unpack" do - it "resists CVE-2018-8778 by raising an exception when a position indicator is larger than a native integer" do pos = (1 << PlatformGuard::POINTER_SIZE) - 99 -> { "0123456789".unpack("@#{pos}C10") }.should raise_error(RangeError, /pack length too big/) end - end diff --git a/spec/ruby/security/cve_2019_8323_spec.rb b/spec/ruby/security/cve_2019_8323_spec.rb index d4606de054..3632d3b028 100644 --- a/spec/ruby/security/cve_2019_8323_spec.rb +++ b/spec/ruby/security/cve_2019_8323_spec.rb @@ -1,36 +1,38 @@ require_relative '../spec_helper' -require 'optparse' +platform_is_not :darwin do # frequent timeout/hang on macOS + require 'optparse' -require 'rubygems' -require 'rubygems/gemcutter_utilities' + require 'rubygems' + require 'rubygems/gemcutter_utilities' -describe "CVE-2019-8323 is resisted by" do - describe "sanitising the body" do - it "for success codes" do - cutter = Class.new { - include Gem::GemcutterUtilities - }.new - response = Net::HTTPSuccess.new(nil, nil, nil) - def response.body - "\e]2;nyan\a" + describe "CVE-2019-8323 is resisted by" do + describe "sanitising the body" do + it "for success codes" do + cutter = Class.new { + include Gem::GemcutterUtilities + }.new + response = Net::HTTPSuccess.new(nil, nil, nil) + def response.body + "\e]2;nyan\a" + end + cutter.should_receive(:say).with(".]2;nyan.") + cutter.with_response response end - cutter.should_receive(:say).with(".]2;nyan.") - cutter.with_response response - end - it "for error codes" do - cutter = Class.new { - include Gem::GemcutterUtilities - }.new - def cutter.terminate_interaction(n) - end - response = Net::HTTPNotFound.new(nil, nil, nil) - def response.body - "\e]2;nyan\a" + it "for error codes" do + cutter = Class.new { + include Gem::GemcutterUtilities + }.new + def cutter.terminate_interaction(n) + end + response = Net::HTTPNotFound.new(nil, nil, nil) + def response.body + "\e]2;nyan\a" + end + cutter.should_receive(:say).with(".]2;nyan.") + cutter.with_response response end - cutter.should_receive(:say).with(".]2;nyan.") - cutter.with_response response end end end diff --git a/spec/ruby/security/cve_2019_8325_spec.rb b/spec/ruby/security/cve_2019_8325_spec.rb index 935f127d7f..309445a50f 100644 --- a/spec/ruby/security/cve_2019_8325_spec.rb +++ b/spec/ruby/security/cve_2019_8325_spec.rb @@ -1,9 +1,9 @@ require_relative '../spec_helper' -require 'rubygems' -require 'rubygems/command_manager' - platform_is_not :darwin do # frequent timeout/hang on macOS + require 'rubygems' + require 'rubygems/command_manager' + describe "CVE-2019-8325 is resisted by" do describe "sanitising error message components" do it "for the 'while executing' message" do |