From 5a4a64dc0f91591edf362d5434d4b0cde83d21d8 Mon Sep 17 00:00:00 2001 
From: Nobuyoshi Nakada 
Date: Sat, 15 May 2021 01:24:15 +0900 
Subject: [PATCH 1/2] Dir.children is 2.5+ 
RDoc seems still supporting outdated 2.4. 
https://github.com/ruby/rdoc/runs/2565344070?check_suite_focus=true#step:5:64 
``` Error: test_remove_unparseable_CVE_2021_31799(TestRDocRDoc): NoMethodError: undefined method `children' for Dir:Class /home/runner/work/rdoc/rdoc/test/rdoc/test_rdoc_rdoc.rb:467:in `block in test_remove_unparseable_CVE_2021_31799' 464: end 465: 466: assert_equal file_list, @rdoc.remove_unparseable(file_list) => 467: assert_equal file_list, Dir.children('.') 468: end 469: end 470: ``` 
---
 test/rdoc/test_rdoc_rdoc.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb 
index a83d5a1b88..15f5383fa7 100644 
--- a/test/rdoc/test_rdoc_rdoc.rb 
+++ b/test/rdoc/test_rdoc_rdoc.rb 
@@ -464,7 +464,7 @@ def test_remove_unparseable_CVE_2021_31799
 end
 assert_equal file_list, @rdoc.remove_unparseable(file_list) 
- assert_equal file_list, Dir.children('.') 
+ assert_equal file_list, Dir.entries('.') - %w[. ..]
 end
 end 
From a7df7dc8fa10491d964ac765419855163ce44c03 Mon Sep 17 00:00:00 2001 
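Review bot: The replacement line `assert_equal file_list, Dir.entries('.') - %w[. ..]` carries the test's real check implicitly: presumably it can only fail when the directory holds something besides the touched file, such as an `evil.txt` produced by the `| touch evil.txt && echo tags` name being run as a command, and nothing on the line says so. A comment such as `# only the touched file may exist: an evil.txt here means the pipe-prefixed name was executed` would keep that intent visible, and a direct `refute File.exist?('evil.txt')` next to it would give a failure message that names the problem instead of a list diff. The comparison is also order-sensitive; with one entry that is harmless, but `sort` both sides if the list ever grows. The enclosing `test_remove_unparseable_CVE_2021_31799` begins before this hunk.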
From: Nobuyoshi Nakada 
Date: Sat, 15 May 2021 01:26:51 +0900 
Subject: [PATCH 2/2] Vertical-bar is disallowed in path names on Windows 
No risk of remote code execution, when the file cannot be created. 
https://github.com/ruby/rdoc/runs/2565343916?check_suite_focus=true#step:5:58 
``` Error: test_remove_unparseable_CVE_2021_31799(TestRDocRDoc): Errno::EINVAL: Invalid argument @ utime_failed - | touch evil.txt && echo tags D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1142:in `utime' D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1142:in `block in touch' D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1139:in `each' D:/rubyinstaller-head-x64/lib/ruby/3.1.0/fileutils.rb:1139:in `touch' D:/a/rdoc/rdoc/test/rdoc/test_rdoc_rdoc.rb:463:in `block (2 levels) in test_remove_unparseable_CVE_2021_31799' 460: temp_dir do 461: file_list = ['| touch evil.txt && echo tags'] 462: file_list.each do |f| => 463: FileUtils.touch f 464: end 465: 466: assert_equal file_list, @rdoc.remove_unparseable(file_list) ``` 
---
 test/rdoc/test_rdoc_rdoc.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/rdoc/test_rdoc_rdoc.rb b/test/rdoc/test_rdoc_rdoc.rb 
index 15f5383fa7..22e9bb2b8a 100644 
--- a/test/rdoc/test_rdoc_rdoc.rb 
+++ b/test/rdoc/test_rdoc_rdoc.rb 
@@ -460,7 +460,7 @@ def test_remove_unparseable_CVE_2021_31799
 temp_dir do
 file_list = ['| touch evil.txt && echo tags']
 file_list.each do |f| 
- FileUtils.touch f 
+ FileUtils.touch f rescue omit
 end
 assert_equal file_list, @rdoc.remove_unparseable(file_list)
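Review bot: `FileUtils.touch f rescue omit` omits the test on any StandardError raised by touch, not only the Windows `Errno::EINVAL` quoted in the commit message, so a permissions or temp-dir problem on another platform would silently skip a CVE regression test instead of failing it. Rescuing that one error class, with a message stating why the test was omitted, keeps the skip limited to the platform restriction the commit describes; a `begin`/`rescue` inside the block rather than a block-level `rescue` seems required given that patch 1/2 says RDoc still supports Ruby 2.4. The enclosing `test_remove_unparseable_CVE_2021_31799` starts before and ends after this hunk.
```ruby
file_list.each do |f|
  begin
    FileUtils.touch f
  rescue Errno::EINVAL
    omit 'vertical bar is not allowed in file names on this platform'
  end
end
```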