Validate specification names when installing
This prevents a malicious user from crafting a gem that could write to an arbitrary directory outside the gems directory by using metacharacters such as `..` in the gem name.
segiddins committed Aug 28, 2017
1 parent 44cc27c commit ad5c0a5
Showing 2 changed files with 27 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/rubygems/installer.rb
Expand Up @@ -697,6 +697,11 @@ def verify_gem_home(unpack = false) # :nodoc:
unpack or File.writable?(gem_home)
end

def verify_spec_name
return if spec.name =~ Gem::Specification::VALID_NAME_PATTERN
raise Gem::InstallError, "#{spec} has an invalid name"
end

##
# Return the text for an application file.

Expand Down Expand Up @@ -823,6 +828,8 @@ def pre_install_checks

ensure_loadable_spec

verify_spec_name

if options[:install_as_default]
Gem.ensure_default_gem_subdirectories gem_home
else
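Review bot: verify_spec_name has no `##` header, unlike the documented methods around it, and its strength rests on a property of Gem::Specification::VALID_NAME_PATTERN that this hunk does not show: the pattern must be anchored with `\A`/`\z`, because `^`/`$` match per line and a name containing a newline could satisfy `=~` while still carrying `..` or a separator into the paths built from it. If the pattern is only line-anchored, tightening it is the real fix; if it is already string-anchored, a comment here spares the next reader the lookup. Suggested header: `# Raises Gem::InstallError unless spec.name matches Gem::Specification::VALID_NAME_PATTERN, so a crafted name cannot escape gem_home when install paths are built from it.` The second hunk wires the call into pre_install_checks; that method's body starts and ends outside the hunk.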
20 changes: 20 additions & 0 deletions test/rubygems/test_gem_installer.rb
Expand Up @@ -1448,6 +1448,26 @@ def test_pre_install_checks_wrong_rubygems_version
end
end

def test_pre_install_checks_malicious_name
spec = util_spec '../malicious', '1'
def spec.full_name # so the spec is buildable
"malicious-1"
end
def spec.validate; end

util_build_gem spec

gem = File.join(@gemhome, 'cache', spec.file_name)

use_ui @ui do
@installer = Gem::Installer.at gem
e = assert_raises Gem::InstallError do
@installer.pre_install_checks
end
assert_equal '#<Gem::Specification name=../malicious version=1> has an invalid name', e.message
end
end

def test_shebang
util_make_exec @spec, "#!/usr/bin/ruby"

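Review bot: The assert_equal on the exception message pins the exact Gem::Specification#to_s format (`#<Gem::Specification name=../malicious version=1>`), so an unrelated change to that string will fail this security regression test for the wrong reason; `assert_match(/has an invalid name/, e.message)` keeps the check focused on the rejection itself. The singleton `def spec.validate; end` also deserves a word, since it presumably exists so the spec survives util_build_gem with a name validate would reject and reaches pre_install_checks; a comment like `# skip validate so the bad name reaches pre_install_checks`, next to the existing "so the spec is buildable" note, would make that explicit. Only `..` is exercised; a second case with a separator in the name would document that the pattern rejects the other traversal form as well.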
