fix(security): prevent command injection in CookieJar
kyoshidajp authored and flavorjones committed Jan 30, 2021
1 parent 687c538 commit aae0b13
Showing 2 changed files with 32 additions and 2 deletions.
4 changes: 2 additions & 2 deletions lib/mechanize/cookie_jar.rb
Expand Up @@ -65,7 +65,7 @@ def dump_cookiestxt(io)
class CookieJar < ::HTTP::CookieJar
def save(output, *options)
output.respond_to?(:write) or
return open(output, 'w') { |io| save(io, *options) }
return ::File.open(output, 'w') { |io| save(io, *options) }

opthash = {
:format => :yaml,
Expand Down Expand Up @@ -119,7 +119,7 @@ def save(output, *options)

def load(input, *options)
input.respond_to?(:write) or
return open(input, 'r') { |io| load(io, *options) }
return ::File.open(input, 'r') { |io| load(io, *options) }

opthash = {
:format => :yaml,
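Review bot: The guard at the top of `load`, `input.respond_to?(:write) or`, is unchanged by this hunk and tests the wrong capability for a reader: an IO-like object that implements `read` but not `write` is treated as a path and handed to `::File.open`, which raises TypeError instead of reading from it; the symmetric check would be `input.respond_to?(:read) or`. The move to `::File.open` is the right fix, since `File.open` takes its argument purely as a filename and never spawns a subprocess for a leading `|` the way `Kernel#open` does. Both `save` and `load` continue past the hunk, so I cannot see whether a later path in either method still calls bare `open(`; a grep across the gem is worth doing before closing this out. Note that `File.open(output, 'w')` still follows symlinks and creates or truncates whatever path it is given, so callers must continue to treat the path argument to `save` as trusted even after this change.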
30 changes: 30 additions & 0 deletions test/test_mechanize_cookie_jar.rb
@@ -1,4 +1,5 @@
require 'mechanize/test_case'
require 'fileutils'

class TestMechanizeCookieJar < Mechanize::TestCase

Expand Down Expand Up @@ -500,6 +501,35 @@ def test_save_and_read_cookiestxt_with_session_cookies
assert_equal(0, @jar.cookies(url).length)
end

def test_prevent_command_injection_when_saving
url = URI 'http://rubygems.org/'
path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''

@jar.add(url, Mechanize::Cookie.new(cookie_values))

in_tmpdir do
@jar.save_as(path, :cookiestxt)
assert_equal(false, File.exist?('vul.txt'))
end
end

def test_prevent_command_injection_when_loading
url = URI 'http://rubygems.org/'
path = '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\''

@jar.add(url, Mechanize::Cookie.new(cookie_values))

in_tmpdir do
@jar.save_as("cookies.txt", :cookiestxt)
@jar.clear!

assert_raises Errno::ENOENT do
@jar.load(path, :cookiestxt)
end
assert_equal(false, File.exist?('vul.txt'))
end
end

def test_save_and_read_expired_cookies
url = URI 'http://rubygems.org/'

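Review bot: Both new tests prove only a negative (`vul.txt` is absent) and the pipe payload resolves `ruby` through PATH, so on a vulnerable build where `ruby` is not on PATH the spawned command would fail and the tests would still pass; building the payload from the running interpreter avoids that false negative, `path = "| #{RbConfig.ruby} -rfileutils -e 'FileUtils.touch(\"vul.txt\")'"` (add `require 'rbconfig'` if it is not already loaded in the test case). In `test_prevent_command_injection_when_saving` it would also help to assert the positive outcome, that the pipe string was written as a literal filename, with `assert File.exist?(path)` after `save_as`, so a refactor that silently drops the write cannot pass either. `in_tmpdir` and `cookie_values` are defined outside this hunk, presumably in the shared test case, so I cannot confirm from here that the working directory is actually switched before `vul.txt` is checked. Minor style: `refute File.exist?('vul.txt')` reads more directly than `assert_equal(false, File.exist?('vul.txt'))`.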
