File: cve_2010_1330_spec.rb

package info (click to toggle)
ruby3.1 3.1.2-7%2Bdeb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 132,892 kB
  • sloc: ruby: 1,154,753; ansic: 736,782; yacc: 46,445; pascal: 10,401; sh: 3,931; cpp: 1,158; python: 838; makefile: 787; asm: 462; javascript: 382; lisp: 97; sed: 94; perl: 62; awk: 36; xml: 4
file content (19 lines) | stat: -rw-r--r-- 741 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 
require_relative '../spec_helper'

describe "String#gsub" do
  it "resists CVE-2010-1330 by raising an exception on invalid UTF-8 bytes" do
    # This original vulnerability talked about KCODE, which is no longer
    # used. Instead we are forcing encodings here. But I think the idea is the
    # same - we want to check that Ruby implementations raise an error on
    # #gsub on a string in the UTF-8 encoding but with invalid an UTF-8 byte
    # sequence.

    str = "\xF6<script>"
    str.force_encoding Encoding::BINARY
    str.gsub(/</, "&lt;").should == "\xF6&lt;script>".b
    str.force_encoding Encoding::UTF_8
    -> {
      str.gsub(/</, "&lt;")
    }.should raise_error(ArgumentError, /invalid byte sequence in UTF-8/)
  end
end