From f43a3952ab39341136656b0a8b2c8597ba1b4adc Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sat, 30 Jan 2021 12:09:24 -0500
Subject: [PATCH] fix(security): prevent command injection in Download#save!

Related to https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
---
 lib/mechanize/download.rb       |  2 +-
 test/test_mechanize_download.rb | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/mechanize/download.rb b/lib/mechanize/download.rb
index 5ae7c87f..64338cc8 100644
--- a/lib/mechanize/download.rb
+++ b/lib/mechanize/download.rb
@@ -71,7 +71,7 @@ def save! filename = nil
     dirname = File.dirname filename
     FileUtils.mkdir_p dirname
-    open filename, 'wb' do |io|
+    ::File.open(filename, 'wb')do |io|
       until @body_io.eof? do
         io.write @body_io.read 16384
       end
diff --git a/test/test_mechanize_download.rb b/test/test_mechanize_download.rb
index ef79e259..3215f40c 100644
--- a/test/test_mechanize_download.rb
+++ b/test/test_mechanize_download.rb
@@ -46,6 +46,18 @@ def test_save_bang
     end
   end
+  def test_save_bang_does_not_allow_command_injection
+    uri = URI.parse 'http://example/foo.html'
+    body_io = StringIO.new '0123456789'
+
+    download = @parser.new uri, nil, body_io
+
+    in_tmpdir do
+      download.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+      refute_operator(File, :exist?, "vul.txt")
+    end
+  end
+
   def test_save_tempfile
     uri = URI.parse 'http://example/foo.html'
     Tempfile.open @NAME do |body_io|
@@ -84,6 +96,5 @@ def test_filename
     assert_equal "foo.html", download.filename
   end
-
 end
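Review bot: The replacement line `::File.open(filename, 'wb')do |io|` is missing the space before `do`; it should read `::File.open(filename, 'wb') do |io|`. The reason for the change is also not recorded in the code, so a later "tidy-up" back to `open filename, 'wb'` would silently reintroduce the issue; a one-line comment above it such as `# ::File.open, never Kernel#open: a name beginning with "|" would be executed as a command` pins the intent. Note that this only stops command execution; `filename` is still used as given, so a caller that derives it from a server-supplied value (Content-Disposition or the URI path, presumably) should still sanitize path separators and `..` segments before calling `save!`. The enclosing `save!` method starts and ends outside this hunk.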
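Review bot: The new test only asserts the negative (`vul.txt` was not created), so it would also pass if `save!` raised before writing anything or wrote nowhere; a positive check that the literal name was treated as a plain file makes the regression test much stronger, e.g. `assert_operator(File, :exist?, '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')` alongside the existing `refute_operator`. Hoisting the payload string into a local (`name = '| ruby ...'`) avoids repeating the awkward escaping in both assertions. Consider also asserting the written content equals `'0123456789'`, as the other `save!` tests presumably do. The inserted method is complete within the hunk.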