Disallow path segments and directory traversal in `.ruby-version` files

A malicious `.ruby-version` file in the current directory could inject
`../../../` into the version string and trigger execution of binaries
outside of `RBENV_ROOT/versions/`.

Fixes #977 OVE-20170303-0004
mislav committed Apr 3, 2019
1 parent a3fa9b7 commit 370c26a6c9ee0511972ea04904fcc89014a22987
Showing with 19 additions and 1 deletion.
  1. +3 −1 libexec/rbenv-version-file-read
  2. +16 −0 test/version-file-read.bats
@@ -11,7 +11,9 @@ if [ -e "$VERSION_FILE" ]; then
words=( $(cut -b 1-1024 "$VERSION_FILE") )
version="${words[0]}"

if [ -n "$version" ]; then
if [ "$version" = ".." ] || [[ $version == */* ]]; then
echo "rbenv: invalid version in \`$VERSION_FILE'" >&2
elif [ -n "$version" ]; then
echo "$version"
exit
fi
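Review bot: the rejection branch only writes the warning to stderr and then falls through past the `fi`; whether an invalid version actually fails depends on what the script does after this block, and a caller gets the same exit status as for an empty or missing file, so it cannot tell a malicious `.ruby-version` from no version at all. Make the rejection explicit by adding `exit 1` right after the `echo "rbenv: invalid version in \`$VERSION_FILE'" >&2` line so the outcome does not depend on later code. Also note that `words=( $(cut -b 1-1024 "$VERSION_FILE") )` is unquoted, so a version string containing glob characters (for example `*`) is expanded against the current directory before this check ever sees it; `set -f` around the assignment, or reading the first word with `read -r`, would keep the file contents literal.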
@@ -70,3 +70,19 @@ IN
run rbenv-version-file-read my-version
assert_success "1.9.3"
}

@test "prevents directory traversal" {
cat > my-version <<<".."
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"

cat > my-version <<<"../foo"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}

@test "disallows path segments in version string" {
cat > my-version <<<"foo/bar"
run rbenv-version-file-read my-version
assert_failure "rbenv: invalid version in \`my-version'"
}
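Review bot: the new cases only exercise relative traversal; add a case for an absolute path such as `cat > my-version <<<"/bin/sh"` so the `*/*` branch is covered for the other way of escaping `RBENV_ROOT/versions/`, and a case where the traversal appears as the second whitespace-separated word (for example `cat > my-version <<<"1.9.3 ../x"`), which should succeed with `1.9.3` because only `${words[0]}` is used. A bare `.` is not rejected by the check and is not covered here either; if that is intentional, a test asserting its behaviour would document it.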
