fix(security): prevent command injection in Download#save!

Related to GHSA-qrqm-fpv6-6r8g
sparklemotion · Jan 30, 2021 · f43a395 · f43a395
1 parent 2ac906b
commit f43a395
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/lib/mechanize/download.rb b/lib/mechanize/download.rb
@@ -71,7 +71,7 @@ def save! filename = nil
     dirname = File.dirname filename
     FileUtils.mkdir_p dirname
 
-    open filename, 'wb' do |io|
+    ::File.open(filename, 'wb')do |io|
       until @body_io.eof? do
         io.write @body_io.read 16384
       end

diff --git a/test/test_mechanize_download.rb b/test/test_mechanize_download.rb
@@ -46,6 +46,18 @@ def test_save_bang
     end
   end
 
+  def test_save_bang_does_not_allow_command_injection
+    uri = URI.parse 'http://example/foo.html'
+    body_io = StringIO.new '0123456789'
+
+    download = @parser.new uri, nil, body_io
+
+    in_tmpdir do
+      download.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+
   def test_save_tempfile
     uri = URI.parse 'http://example/foo.html'
     Tempfile.open @NAME do |body_io|
@@ -84,6 +96,5 @@ def test_filename
 
     assert_equal "foo.html", download.filename
   end
-
 end