fix(security): prevent command injection in FileResponse#read_body

Also add general test coverage for FileResponse#read_body Related to GHSA-qrqm-fpv6-6r8g
sparklemotion · Jan 30, 2021 · 63f8779 · 63f8779
1 parent b48b12f
commit 63f8779
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/lib/mechanize/file_response.rb b/lib/mechanize/file_response.rb
@@ -15,7 +15,7 @@ def read_body
     if directory?
       yield dir_body
     else
-      open @file_path, 'rb' do |io|
+      ::File.open(@file_path, 'rb') do |io|
         yield io.read
       end
     end

diff --git a/test/test_mechanize_file_response.rb b/test/test_mechanize_file_response.rb
@@ -1,7 +1,6 @@
 require 'mechanize/test_case'
 
 class TestMechanizeFileResponse < Mechanize::TestCase
-
   def test_content_type
     Tempfile.open %w[pi .nothtml] do |tempfile|
       res = Mechanize::FileResponse.new tempfile.path
@@ -19,5 +18,24 @@ def test_content_type
     end
   end
 
-end
+  def test_read_body
+    Tempfile.open %w[pi .html] do |tempfile|
+      tempfile.write("asdfasdfasdf")
+      tempfile.close
 
+      res = Mechanize::FileResponse.new(tempfile.path)
+      res.read_body do |input|
+        assert_equal("asdfasdfasdf", input)
+      end
+    end
+  end
+
+  def test_read_body_does_not_allow_command_injection
+    in_tmpdir do
+      FileUtils.touch('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res = Mechanize::FileResponse.new('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      res.read_body { |_| }
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+end