require 'cgi'
require 'fileutils'
require 'net/http'
require 'socket'
require 'test/unit'
require 'timeout'
# True when SERVER_OUTPUT is present in the environment (any value, even an
# empty string). Decides whether the spawned gem_eval server keeps its
# stdout/stderr or has them sent to /dev/null in setup.
OUTPUT = ENV.key?('SERVER_OUTPUT')
puts 'gem_eval server output disabled, set SERVER_OUTPUT=1 to enable' unless OUTPUT
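# Integration tests for the gem_eval sandbox server (gem_eval.rb).
#
# Every test boots a fresh server on localhost:4567 (see #setup) and POSTs a
# gemspec-like Ruby snippet to it (see #req). Besides the happy path -- a
# legitimate gemspec is evaluated and echoed back as YAML -- the tests pin the
# hardening properties the sandbox is supposed to have:
#
# * the server's own locals are not reachable from the evaluated code;
# * runaway code is cut off by an execution timeout, even when it fights back
#   from an ensure block;
# * Dir globs (string, array, with flags) work but stay inside the sandbox;
# * the per-request tmp directory is destroyed afterwards;
# * BEGIN/END blocks are rejected by the parser.
#
# Assumptions: the tests run from the directory that holds gem_eval.rb and
# git_mock, port 4567 is free, and pkill(1) is available for cleanup.
class GemEvalTest < Test::Unit::TestCase
  SERVER_HOST = 'localhost'
  SERVER_PORT = 4567
  STARTUP_TIMEOUT = 5 # seconds to wait for the server to accept connections

  # Put the git mock in place of git, boot the server and block until it
  # accepts connections, so the first request cannot race server startup.
  def setup
    # Array form runs mv without a shell; as with the old string form a
    # failure is only reported through the return value, never raised.
    system('mv', 'git_mock', 'git')
    # PATH=.:$PATH makes the server pick up the mock `git` from the cwd. The
    # shell is needed for the assignment prefix and the redirects, so @pid may
    # be the shell rather than ruby itself -- see #teardown.
    redirect = OUTPUT ? '' : ' > /dev/null 2>&1'
    @pid = fork { exec("PATH=.:$PATH ruby gem_eval.rb#{redirect}") }
    wait_for_server
  end

  # Stop the server and restore the git mock.
  #
  # The server is still killed by command line: pkill -f matches the pattern
  # as a regexp against every process on the host, so nothing unrelated may
  # match it. Afterwards the forked child is reaped so no zombie survives
  # across tests.
  def teardown
    system('pkill', '-f', 'ruby gem_eval.rb')
    reap_server
    system('mv', 'git', 'git_mock')
  end

  # The names the server itself uses around the evaluation must look like
  # plain nils from inside the sandbox: calling a method on each of them has
  # to produce Ruby's "undefined method ... for nil" error.
  def test_access_to_untainted_locals
    %w[repo data spec params].each { |name| assert_nil_error name }
  end

  # Runaway code must be cut off by the server's execution timeout. The
  # payload re-enters its infinite loop from `ensure`, so a single
  # interrupting exception is not enough to stop it; the server is expected
  # to survive this and report "ERROR: execution expired". The client-side
  # 7s timeout turns a hung server into a failure instead of a hung suite.
  def test_timeout
    puts "\ntesting timeout..."
    Timeout.timeout(7) do
      response = req <<-EOS
        def forever
          loop{}
        ensure
          forever
        end
        forever
      EOS
      assert_equal "ERROR: execution expired", response
    end
  rescue Timeout::Error
    fail "timed out! no good!"
  end

  # A well-formed gemspec is evaluated and returned as the YAML dump of the
  # resulting Gem::Specification.
  def test_legit_gemspec_works
    gemspec = <<-EOS
      Gem::Specification.new do |s|
        s.name = "name"
        s.description = 'description'
        s.version = "0.0.9"
        s.summary = ""
        s.authors = ["coderrr"]
        s.files = ['x']
      end
    EOS
    # The fixture body starts at column 0 on purpose: <<- keeps leading
    # whitespace and leading whitespace is YAML structure.
    expected_response = <<-EOS
--- !ruby/object:Gem::Specification
name: name
version: !ruby/object:Gem::Version
  version: 0.0.9
platform: ruby
authors:
- coderrr
autorequire:
bindir: bin
cert_chain: []

date: 2008-10-31 00:00:00 +07:00
default_executable:
dependencies: []

description: description
email:
executables: []

extensions: []

extra_rdoc_files: []

files:
- x
has_rdoc: false
homepage:
post_install_message:
rdoc_options: []

require_paths:
- lib
required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: "0"
  version:
required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: "0"
  version:
requirements: []

rubyforge_project:
rubygems_version: 1.3.0
signing_key:
specification_version: 2
summary: ""
test_files: []
    EOS
    assert_equal clean_yaml(expected_response), clean_yaml(req(gemspec))
  end

  # Dir globbing inside the sandbox: string and array patterns, both through
  # Dir.glob and Dir[], and glob flags all work, while a pattern that points
  # outside the sandbox (`/etc/*`) matches nothing -- only `globdir` survives
  # in extra_rdoc_files.
  #
  # NOTE(review): the order of the globbed entries in the fixture is the
  # directory order seen when it was recorded; Dir.glob only sorts its
  # results from Ruby 3.0 on, so an order-only mismatch is a fixture issue,
  # not a sandbox bug.
  def test_gemspec_with_glob_works
    # Created without a shell; a leftover globdir from an aborted run now
    # raises (EEXIST) instead of being silently reused.
    Dir.mkdir('globdir')
    FileUtils.touch(%w[globdir/a.rb globdir/b.rb globdir/c.txt])
    gemspec = <<-EOS
      Gem::Specification.new do |s|
        s.name = "name"
        s.description = 'description'
        s.version = "0.0.9"
        s.summary = ""
        s.authors = ["coderrr"]
        s.files = Dir.glob("globdir/**.rb")
        s.test_files = Dir["globdir/**"]
        # make sure array globs work with .glob and make sure glob flags work
        s.executables = Dir.glob(["globdir/*.TXT", "globdir/*.RB"], File::FNM_CASEFOLD)
        # make sure array globs work with [] and make sure we cant access files in parent dirs
        s.extra_rdoc_files = Dir["/etc/*", "globdir"]
      end
    EOS
    # Fixture body at column 0: leading whitespace is YAML structure.
    expected_response = <<-EOS
--- !ruby/object:Gem::Specification
name: name
version: !ruby/object:Gem::Version
  version: 0.0.9
platform: ruby
authors:
- coderrr
autorequire:
bindir: bin
cert_chain: []

date: 2008-10-31 00:00:00 +07:00
default_executable:
dependencies: []

description: description
email:
executables:
- globdir/c.txt
- globdir/b.rb
- globdir/a.rb
extensions: []

extra_rdoc_files:
- globdir
files:
- globdir/b.rb
- globdir/a.rb
has_rdoc: false
homepage:
post_install_message:
rdoc_options: []

require_paths:
- lib
required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: "0"
  version:
required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
    - !ruby/object:Gem::Version
      version: "0"
  version:
requirements: []

rubyforge_project:
rubygems_version: 1.3.0
signing_key:
specification_version: 2
summary: ""
test_files:
- globdir/b.rb
- globdir/a.rb
- globdir/c.txt
    EOS
    assert_equal clean_yaml(expected_response), clean_yaml(req(gemspec))
  ensure
    FileUtils.rm_rf('globdir')
  end

  # A request tagged repo=gem_eval_test must leave no tmp/gem_eval_test
  # behind: the directory is created here beforehand and has to be gone once
  # the request completes (presumably the server wipes its per-request
  # working directory -- confirm against gem_eval.rb).
  def test_tmpdir_is_destroyed
    Dir.mkdir('tmp/gem_eval_test')
    assert File.exist?('tmp/gem_eval_test')
    req('')
    assert !File.exist?('tmp/gem_eval_test')
  ensure
    # If the server did not remove it, remove it ourselves so the next run's
    # Dir.mkdir does not fail on EEXIST and mask the real failure.
    FileUtils.rm_rf('tmp/gem_eval_test')
  end

  # BEGIN { } is hoisted to run before the rest of the program, which can
  # sidestep whatever the server sets up around the evaluation; the server
  # must refuse it with an "Insecure operation" error.
  def test_secure_parser_begin
    response = req("BEGIN {require 'bogus_file'}\n")
    assert response.include?('Insecure operation')
  end

  # END { } is deferred to process exit, outside the evaluation; whatever it
  # does must never surface in the response.
  def test_secure_parser_end
    response = req("END {fail 'secret exit'}\n")
    assert !response.include?('secret exit')
  end

  private

  # Poll the server port until a TCP connect succeeds. Raises Timeout::Error
  # when the server is not listening within STARTUP_TIMEOUT seconds, which
  # fails the test instead of hanging it.
  def wait_for_server
    Timeout.timeout(STARTUP_TIMEOUT) do
      begin
        TCPSocket.open(SERVER_HOST, SERVER_PORT) {}
      rescue Errno::ECONNREFUSED
        sleep 0.1
        retry
      end
    end
  end

  # Terminate the forked child (if pkill has not already) and wait for it,
  # so a killed server does not linger as a zombie.
  def reap_server
    return unless @pid
    begin
      Process.kill('TERM', @pid)
    rescue Errno::ESRCH
      # already gone
    end
    begin
      Process.wait(@pid)
    rescue Errno::ECHILD
      # already reaped
    end
  ensure
    @pid = nil
  end

  # Normalise a YAML gemspec dump for comparison: drop surrounding blank
  # lines, blank out the first `date:` and `rubygems_version:` lines (they
  # vary with the clock and the installed RubyGems) and strip trailing
  # whitespace from every line. YAML emitters differ in whether they leave a
  # trailing space after keys with empty or nested values and editors tend to
  # strip such spaces from the fixture, so trailing whitespace must not decide
  # the comparison. Leading whitespace is left alone: it is YAML structure.
  def clean_yaml(y)
    normalized = y.strip.gsub(/[ \t]+$/, '')
    normalized.sub(/^date:.+$/, '').sub(/^rubygems_version:.+$/, '')
  end

  # Send `<v>.abc` to the sandbox and expect Ruby's NoMethodError-on-nil
  # message back, proving the sandbox sees `v` as nil rather than the server's
  # own local of that name.
  # NOTE(review): the expected text is Ruby-version specific (the quoting of
  # the method name changed in later rubies); adjust if the server's ruby is
  # upgraded.
  def assert_nil_error(v)
    response = req("#{v}.abc")
    assert response.include?("undefined method `abc' for nil"), "#{v} was not nil"
  end

  # POST `data` to the sandbox as the gemspec body, tagged with the fixed
  # repo name gem_eval_test, and return the raw response body.
  def req(data)
    Net::HTTP.start(SERVER_HOST, SERVER_PORT) do |http|
      http.post('/', "data=#{CGI.escape(data)}&repo=gem_eval_test").body
    end
  end
end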