Update to ruby/spec@e81b3cd

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@67361 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2019-03-28 14:22:29 +0000
committer: eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2019-03-28 14:22:29 +0000
commit: a28aa80c739a1d169649a4da833ef48cfb3465b3 (patch)
tree: c2f6bb79c268bd60116b54319ea96f01bb7dda79 /spec/ruby/security
parent: 0f64776745ef31e626dec0d42b7fb2a5988397ec (diff)
4 files changed, 121 insertions, 0 deletions
diff --git a/spec/ruby/security/cve_2019_8321_spec.rb b/spec/ruby/security/cve_2019_8321_spec.rb
new file mode 100644
index 0000000000..affcd00e02
--- /dev/null
+++ b/spec/ruby/security/cve_2019_8321_spec.rb
@@ -0,0 +1,22 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/user_interaction'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8321 is resisted by" do
+    it "sanitising verbose messages" do
+      ui = Class.new {
+        include Gem::UserInteraction
+      }.new
+      ui.should_receive(:say).with(".]2;nyan.")
+      verbose_before = Gem.configuration.verbose
+      begin
+        Gem.configuration.verbose = :really_verbose
+        ui.verbose("\e]2;nyan\a")
+      ensure
+        Gem.configuration.verbose = verbose_before
+      end
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2019_8322_spec.rb b/spec/ruby/security/cve_2019_8322_spec.rb
new file mode 100644
index 0000000000..04fb1a7a26
--- /dev/null
+++ b/spec/ruby/security/cve_2019_8322_spec.rb
@@ -0,0 +1,23 @@
+require_relative '../spec_helper'
+
+require 'yaml'
+require 'rubygems'
+require 'rubygems/safe_yaml'
+require 'rubygems/commands/owner_command'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8322 is resisted by" do
+    it "sanitising owner names" do
+      command = Gem::Commands::OwnerCommand.new
+      def command.rubygems_api_request(*args)
+        Struct.new(:body).new("---\n- email: \"\e]2;nyan\a\"\n  handle: handle\n  id: id\n")
+      end
+      def command.with_response(response)
+        yield response
+      end
+      command.should_receive(:say).with("Owners for gem: name")
+      command.should_receive(:say).with("- .]2;nyan.")
+      command.show_owners "name"
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2019_8323_spec.rb b/spec/ruby/security/cve_2019_8323_spec.rb
new file mode 100644
index 0000000000..af0b270880
--- /dev/null
+++ b/spec/ruby/security/cve_2019_8323_spec.rb
@@ -0,0 +1,38 @@
+require_relative '../spec_helper'
+
+require 'optparse'
+
+require 'rubygems'
+require 'rubygems/gemcutter_utilities'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8323 is resisted by" do
+    describe "sanitising the body" do
+      it "for success codes" do
+        cutter = Class.new {
+          include Gem::GemcutterUtilities
+        }.new
+        response = Net::HTTPSuccess.new(nil, nil, nil)
+        def response.body
+          "\e]2;nyan\a"
+        end
+        cutter.should_receive(:say).with(".]2;nyan.")
+        cutter.with_response response
+      end
+
+      it "for error codes" do
+        cutter = Class.new {
+          include Gem::GemcutterUtilities
+        }.new
+        def cutter.terminate_interaction(n)
+        end
+        response = Net::HTTPNotFound.new(nil, nil, nil)
+        def response.body
+          "\e]2;nyan\a"
+        end
+        cutter.should_receive(:say).with(".]2;nyan.")
+        cutter.with_response response
+      end
+    end
+  end
+end
diff --git a/spec/ruby/security/cve_2019_8325_spec.rb b/spec/ruby/security/cve_2019_8325_spec.rb
new file mode 100644
index 0000000000..dcdbe34210
--- /dev/null
+++ b/spec/ruby/security/cve_2019_8325_spec.rb
@@ -0,0 +1,38 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/command_manager'
+
+ruby_version_is "2.5.5" do
+  describe "CVE-2019-8325 is resisted by" do
+    describe "sanitising error message components" do
+      it "for the 'while executing' message" do
+        manager = Gem::CommandManager.new
+        def manager.process_args(args, build_args)
+          raise StandardError, "\e]2;nyan\a"
+        end
+        def manager.terminate_interaction(n)
+        end
+        manager.should_receive(:alert_error).with("While executing gem ... (StandardError)\n    .]2;nyan.")
+        manager.run nil, nil
+      end
+
+      it "for the 'invalid option' message" do
+        manager = Gem::CommandManager.new
+        def manager.terminate_interaction(n)
+        end
+        manager.should_receive(:alert_error).with("Invalid option: --.]2;nyan.. See 'gem --help'.")
+        manager.process_args ["--\e]2;nyan\a"], nil
+      end
+
+      it "for the 'loading command' message" do
+        manager = Gem::CommandManager.new
+        def manager.require(x)
+          raise 'foo'
+        end
+        manager.should_receive(:alert_error).with("Loading command: .]2;nyan. (RuntimeError)\n\tfoo")
+        manager.send :load_and_instantiate, "\e]2;nyan\a"
+      end
+    end
+  end
+end
author	eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2019-03-28 14:22:29 +0000
committer	eregon <eregon@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2019-03-28 14:22:29 +0000
commit	a28aa80c739a1d169649a4da833ef48cfb3465b3 (patch)
tree	c2f6bb79c268bd60116b54319ea96f01bb7dda79 /spec/ruby/security
parent	0f64776745ef31e626dec0d42b7fb2a5988397ec (diff)