Specs for new RubyGems CVEs

Author: chrisseaton

spec/ruby/security/cve_2019_8321_spec.rb

@@ -0,0 +1,20 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/user_interaction'
+
+describe "CVE-2019-8321 is resisted by" do
+  it "sanitising verbose messages" do
+    ui = Class.new {
+      include Gem::UserInteraction
+    }.new
+    ui.should_receive(:say).with(".]2;nyan.")
+    verbose_before = Gem.configuration.verbose
+    begin
+      Gem.configuration.verbose = :really_verbose
+      ui.verbose("\e]2;nyan\a")
+    ensure
+      Gem.configuration.verbose = verbose_before
+    end
+  end
+end

spec/ruby/security/cve_2019_8322_spec.rb

@@ -0,0 +1,21 @@
+require_relative '../spec_helper'
+
+require 'yaml'
+require 'rubygems'
+require 'rubygems/safe_yaml'
+require 'rubygems/commands/owner_command'
+
+describe "CVE-2019-8322 is resisted by" do
+  it "sanitising owner names" do
+    command = Gem::Commands::OwnerCommand.new
+    def command.rubygems_api_request(*args)
+      Struct.new(:body).new("---\n- email: \"\e]2;nyan\a\"\n  handle: handle\n  id: id\n")
+    end
+    def command.with_response(response)
+      yield response
+    end
+    command.should_receive(:say).with("Owners for gem: name")
+    command.should_receive(:say).with("- .]2;nyan.")
+    command.show_owners "name"
+  end
+end

spec/ruby/security/cve_2019_8323_spec.rb

@@ -0,0 +1,36 @@
+require_relative '../spec_helper'
+
+require 'optparse'
+
+require 'rubygems'
+require 'rubygems/gemcutter_utilities'
+
+describe "CVE-2019-8323 is resisted by" do
+  describe "sanitising the body" do
+    it "for success codes" do
+      cutter = Class.new {
+        include Gem::GemcutterUtilities
+      }.new
+      response = Net::HTTPSuccess.new(nil, nil, nil)
+      def response.body
+        "\e]2;nyan\a"
+      end
+      cutter.should_receive(:say).with(".]2;nyan.")
+      cutter.with_response response
+    end
+
+    it "for error codes" do
+      cutter = Class.new {
+        include Gem::GemcutterUtilities
+      }.new
+      def cutter.terminate_interaction(n)
+      end
+      response = Net::HTTPNotFound.new(nil, nil, nil)
+      def response.body
+        "\e]2;nyan\a"
+      end
+      cutter.should_receive(:say).with(".]2;nyan.")
+      cutter.with_response response
+    end
+  end
+end

spec/ruby/security/cve_2019_8325_spec.rb

@@ -0,0 +1,36 @@
+require_relative '../spec_helper'
+
+require 'rubygems'
+require 'rubygems/command_manager'
+
+describe "CVE-2019-8325 is resisted by" do
+  describe "sanitising error message components" do
+    it "for the 'while executing' message" do
+      manager = Gem::CommandManager.new
+      def manager.process_args(args, build_args)
+        raise StandardError, "\e]2;nyan\a"
+      end
+      def manager.terminate_interaction(n)
+      end
+      manager.should_receive(:alert_error).with("While executing gem ... (StandardError)\n    .]2;nyan.")
+      manager.run nil, nil
+    end
+
+    it "for the 'invalid option' message" do
+      manager = Gem::CommandManager.new
+      def manager.terminate_interaction(n)
+      end
+      manager.should_receive(:alert_error).with("Invalid option: --.]2;nyan.. See 'gem --help'.")
+      manager.process_args ["--\e]2;nyan\a"], nil
+    end
+
+    it "for the 'loading command' message" do
+      manager = Gem::CommandManager.new
+      def manager.require(x)
+        raise 'foo'
+      end
+      manager.should_receive(:alert_error).with("Loading command: .]2;nyan. (RuntimeError)\n\tfoo")
+      manager.send :load_and_instantiate, "\e]2;nyan\a"
+    end
+  end
+end

spec/tags/security/cve_2019_8321_tags.txt

@@ -0,0 +1 @@
+fails:CVE-2019-8321 is resisted by sanitising verbose messages

spec/tags/security/cve_2019_8322_tags.txt

@@ -0,0 +1 @@
+fails:CVE-2019-8322 is resisted by sanitising owner names

spec/tags/security/cve_2019_8323_tags.txt

@@ -0,0 +1,2 @@
+fails:CVE-2019-8323 is resisted by sanitising the body for success codes
+fails:CVE-2019-8323 is resisted by sanitising the body for error codes

spec/tags/security/cve_2019_8325_tags.txt

@@ -0,0 +1,3 @@
+fails:CVE-2019-8325 is resisted by sanitising error message components for the 'while executing' message
+fails:CVE-2019-8325 is resisted by sanitising error message components for the 'invalid option' message
+fails:CVE-2019-8325 is resisted by sanitising error message components for the 'loading command' message

spec/truffle.mspec

@@ -38,6 +38,10 @@ class MSpecScript
     spec/ruby/library/yaml
     spec/ruby/library/zlib
     spec/ruby/security/cve_2017_17742_spec.rb
+    spec/ruby/security/cve_2019_8321_spec.rb
+    spec/ruby/security/cve_2019_8322_spec.rb
+    spec/ruby/security/cve_2019_8323_spec.rb
+    spec/ruby/security/cve_2019_8325_spec.rb
   ]
 
   set :command_line, [