mirror of
https://github.com/rbenv/rbenv.git
synced 2025-01-01 14:45:03 +01:00
370c26a6c9
A malicious `.ruby-version` file in the current directory could inject `../../../` into the version string and trigger execution of binaries outside of `RBENV_ROOT/versions/`. Fixes #977 OVE-20170303-0004
#!/usr/bin/env bats
load test_helper
# Per-test fixture: create a scratch project directory under RBENV_TEST_DIR and
# make it the working directory, so the relative `my-version` files written by
# the tests below land inside it.
setup() {
  local project_dir="${RBENV_TEST_DIR}/myproject"
  mkdir -p "$project_dir"
  cd "$project_dir"
}
@test "fails without arguments" {
  # No version file is named on the command line at all.
  run rbenv-version-file-read

  # The expected output handed to the assert_failure helper is the empty string.
  assert_failure ""
}
@test "fails for invalid file" {
  # Nothing in this test creates the file, so the path does not exist in the
  # fresh project directory prepared by setup().
  local missing_file="non-existent"

  run rbenv-version-file-read "$missing_file"
  assert_failure ""
}
@test "fails for blank file" {
  # The file exists but holds only a single newline, i.e. no version word.
  printf '\n' > my-version

  run rbenv-version-file-read my-version
  assert_failure ""
}
@test "reads simple version file" {
  # Baseline case: one version word followed by a newline.
  printf '%s\n' "1.9.3" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.9.3"
}
@test "ignores leading spaces" {
  # The version word is preceded by one space; the expected output has none.
  printf '%s\n' " 1.9.3" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.9.3"
}
@test "reads only the first word from file" {
  # Three space-separated words on one line; only the first is expected back.
  # The `@tag` suffix is part of that first word and must survive intact.
  printf '%s\n' "1.9.3-p194@tag 1.8.7 hi" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.9.3-p194@tag"
}
@test "loads only the first line in file" {
  # Two lines, each with a version word and a trailing word; the expected
  # output is the first word of the first line only.
  printf '%s\n' "1.8.7 one" "1.9.3 two" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.8.7"
}
@test "ignores leading blank lines" {
  # An empty first line precedes the line that carries the version.
  printf '\n%s\n' "1.9.3" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.9.3"
}
@test "handles the file with no trailing newline" {
  # '%s' with no '\n' leaves the file without a final line terminator.
  printf '%s' "1.8.7" > my-version

  run rbenv-version-file-read my-version
  assert_success "1.8.7"
}
@test "ignores carriage returns" {
  # CRLF-terminated line, as written by an editor using Windows line endings;
  # the '\r' must not end up in the reported version string.
  printf '1.9.3\r\n' > my-version

  run rbenv-version-file-read my-version
  assert_success "1.9.3"
}
@test "prevents directory traversal" {
  # Security regression test. The version file is attacker-controllable input:
  # per the commit message, a malicious `.ruby-version` in the current directory
  # could put `../` sequences into the version string and cause binaries outside
  # RBENV_ROOT/versions/ to be executed. The reader must refuse such a value
  # with an error instead of printing it for callers to build a path from.
  local expected_error="rbenv: invalid version in \`my-version'"
  local candidate

  # A bare parent-directory reference, then one with a trailing path component.
  for candidate in ".." "../foo"; do
    printf '%s\n' "$candidate" > my-version
    run rbenv-version-file-read my-version
    assert_failure "$expected_error"
  done
}
@test "disallows path segments in version string" {
  # Companion to the traversal test: a version containing a path separator is
  # rejected even when it holds no `..`, so a version string can never name
  # more than a single directory entry.
  # NOTE(review): a value with a leading `/` (absolute path) is not exercised by
  # any test in this file; whether the reader rejects it is not visible here.
  # Confirm against rbenv-version-file-read and consider adding a case.
  printf '%s\n' "foo/bar" > my-version

  run rbenv-version-file-read my-version
  assert_failure "rbenv: invalid version in \`my-version'"
}