fix(security): prevent command injection in Mechanize::File#save!
flavorjones committed Jan 30, 2021
1 parent f43a395 commit b48b12f
Showing 2 changed files with 10 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/mechanize/file.rb
Expand Up @@ -82,7 +82,7 @@ def save! filename = nil
dirname = File.dirname filename
FileUtils.mkdir_p dirname

open filename, 'wb' do |f|
::File.open(filename, 'wb')do |f|
f.write body
end

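Review bot: The new line `::File.open(filename, 'wb')do |f|` is missing the space before `do`; it parses, but it should read `::File.open(filename, 'wb') do |f|`. The reason for the switch deserves a one-line comment so the call is not shortened back to the Kernel form later, e.g. `# ::File.open, not Kernel#open: Kernel#open spawns a command when the name starts with "|"`. Two lines above, `File.dirname filename` still uses the bare constant; inside Mechanize::File that resolves to ::File only when the class is opened in compact form (`class Mechanize::File`), so `::File.dirname filename` would match the new line and not depend on how the class is opened. save! starts above and continues below this hunk.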
9 changes: 9 additions & 0 deletions test/test_mechanize_file.rb
Expand Up @@ -103,5 +103,14 @@ def test_save_overwrite
end
end

def test_save_bang_does_not_allow_command_injection
uri = URI 'http://example/test.html'
page = Mechanize::File.new uri, nil, ''

in_tmpdir do
page.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
refute_operator(File, :exist?, "vul.txt")
end
end
end
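Review bot: The new test only checks that `vul.txt` was not created, so it would also pass if `save!` silently wrote nothing for this name; asserting that the pipe-prefixed string was written as an ordinary file pins the intended behaviour, e.g. `assert_operator(File, :exist?, '| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')` right after the `refute_operator`. `|` and `"` are not legal in Windows filenames, so on that platform `::File.open` will most likely raise and the test errors rather than passes; if the suite runs there, `skip` on Windows or use a separate positive assertion with a portable name. The `in_tmpdir` helper used here is defined outside this hunk.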
