fix(security): prevent command injection in Mechanize#download
flavorjones committed Jan 30, 2021
1 parent aae0b13 commit 2ac906b
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/mechanize.rb
Expand Up @@ -396,7 +396,7 @@ def download uri, io_or_filename, parameters = [], referer = nil, headers = {}
io = if io_or_filename.respond_to? :write then
io_or_filename
else
open io_or_filename, 'wb'
::File.open(io_or_filename, 'wb')
end

case page
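Review bot: Swapping bare `open` for `::File.open` is the correct fix for the injection, because `Kernel#open` treats a first argument beginning with `|` as a command to spawn with the rest of the string as its command line, whereas `File.open` only ever opens a path; the leading `::` also pins the lookup to the top-level `File` rather than any `File` constant defined inside the Mechanize namespace. Suggest a one-line comment above `::File.open(io_or_filename, 'wb')` stating that bare `open` must not be used here, so a later refactor or autocorrect does not quietly reintroduce the pipe behaviour.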
8 changes: 8 additions & 0 deletions test/test_mechanize.rb
Expand Up @@ -345,6 +345,14 @@ def test_download_filename_error
end
end

def test_download_does_not_allow_command_injection
in_tmpdir do
@mech.download('http://example', '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')

refute_operator(File, :exist?, "vul.txt")
end
end

def test_get
uri = URI 'http://localhost'

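Review bot: The new test only checks for the absence of the side effect (`refute_operator(File, :exist?, "vul.txt")`); it would be stronger with a positive assertion that the payload was treated as a literal filename, for example assigning the `| ruby ...` string to a local such as `filename` and adding `assert File.exist?(filename)` after the download, so the test documents the intended behaviour of `download` and not just that the subprocess did not run. Extracting the payload to a local would also make the `refute_operator` line easier to read next to it.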
