Skip to content

Commit

Permalink
Use File.open to fix the OS Command Injection vulnerability in CVE-20…
Browse files Browse the repository at this point in the history
  • Loading branch information
aycabta committed May 2, 2021
1 parent 06112d5 commit a7f5d6a
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/rdoc/rdoc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -443,7 +443,7 @@ def remove_unparseable files
files.reject do |file, *|
file =~ /\.(?:class|eps|erb|scpt\.txt|svg|ttf|yml)$/i or
(file =~ /tags$/i and
open(file, 'rb') { |io|
File.open(file, 'rb') { |io|
io.read(100) =~ /\A(\f\n[^,]+,\d+$|!_TAG_)/
})
end
Expand Down
12 changes: 12 additions & 0 deletions test/rdoc/test_rdoc_rdoc.rb
Original file line number Diff line number Diff line change
Expand Up @@ -456,6 +456,18 @@ def test_remove_unparseable_tags_vim
end
end

def test_remove_unparseable_CVE_2021_31799
temp_dir do
file_list = ['| touch evil.txt && echo tags']
file_list.each do |f|
FileUtils.touch f
end

assert_equal file_list, @rdoc.remove_unparseable(file_list)
assert_equal file_list, Dir.children('.')
end
end

def test_setup_output_dir
Dir.mktmpdir {|d|
path = File.join d, 'testdir'
Expand Down

0 comments on commit a7f5d6a

Please sign in to comment.