Require rubyzip version 1.3.0 or higher (#153)

titusfortner · Oct 7, 2019 · c9cfef0 · c9cfef0
1 parent 1af4557
commit c9cfef0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/lib/webdrivers/common.rb b/lib/webdrivers/common.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'rubygems/package'
-require 'zip'
 require 'webdrivers/logger'
 require 'webdrivers/network'
 require 'webdrivers/system'

diff --git a/lib/webdrivers/system.rb b/lib/webdrivers/system.rb
@@ -4,6 +4,12 @@
 require 'zip'
 require 'English'
 
+# validate zip entry sizes to avoid zip bombs
+# see https://github.com/rubyzip/rubyzip#size-validation
+# and https://github.com/rubyzip/rubyzip/pull/403 for further details
+# this will be the default in rubyzip 2.0+
+Zip.validate_entry_sizes = true
+
 module Webdrivers
   #
   # @api private

diff --git a/webdrivers.gemspec b/webdrivers.gemspec
@@ -29,6 +29,6 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'simplecov', '~>0.16'
 
   s.add_runtime_dependency 'nokogiri', '~> 1.6'
-  s.add_runtime_dependency 'rubyzip', '~> 1.0'
+  s.add_runtime_dependency 'rubyzip', '>= 1.3.0'
   s.add_runtime_dependency 'selenium-webdriver', '>= 3.0', '< 4.0'
 end