From dcd09da317d9710c61000dbda5df2c9a6d59b1fb Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 16 Feb 2018 16:21:44 +0000
Subject: [PATCH] Fix Unsafe Object Deserialization Vulnerability in gem owner.
merge revision(s) 58471,58493,62436: [Backport #13505]
load.c: backtrace of circular require
* load.c (load_lock): print backtrace of circular require via
`Warning.warn` [ruby-core:80850] [Bug #13505]
Send the backtrace of the circular require warning as a single String to Warning.warn
* load.c: send as a single string.
* error.c: expose the string formatted by rb_warning as rb_warning_string().
* test/ruby/test_exception.rb: update tests.
[ruby-core:80850] [Bug #13505]
fix regexp literal warning.
* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
[Bug #14481]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
lib/rubygems/commands/owner_command.rb | 2 +-
.../test_gem_commands_owner_command.rb | 24 +++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/rubygems/commands/owner_command.rb b/lib/rubygems/commands/owner_command.rb
|
|
|
121925 |
index 11e6e026fd..df64f41e59 100644
|
|
|
121925 |
--- a/lib/rubygems/commands/owner_command.rb
|
|
|
121925 |
+++ b/lib/rubygems/commands/owner_command.rb
|
|
|
121925 |
@@ -48,7 +48,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
|
|
|
121925 |
end
|
|
|
121925 |
|
|
|
121925 |
with_response response do |resp|
|
|
|
121925 |
- owners = YAML.load resp.body
|
|
|
121925 |
+ owners = Gem::SafeYAML.load resp.body
|
|
|
121925 |
|
|
|
121925 |
say "Owners for gem: #{name}"
|
|
|
121925 |
owners.each do |owner|
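Review bot: Switching to `Gem::SafeYAML.load` stops the remote body from instantiating arbitrary classes, but the loaded value is still passed straight to `owners.each` (the method continues past the hunk) with no check that it is an Array, so a server or MITM returning a scalar or a mapping document yields a NoMethodError or iterates key/value pairs as if they were owner hashes. Consider failing closed before the listing, e.g. `raise Gem::Exception, "unexpected owners response" unless owners.is_a?(Array)` (or the command's usual `alert_error` path). Note that a hostile body now surfaces as an unrescued `Psych::DisallowedClass` from inside `with_response`, which the new test pins; that is acceptable fail-closed behaviour, but if a friendlier message is wanted it should be rescued here rather than swallowed. I would also confirm that `Gem::SafeYAML` is actually required on this branch's load path, since no `require 'rubygems/safe_yaml'` is visible in the hunk.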
|
|
|
121925 |
diff --git a/test/rubygems/test_gem_commands_owner_command.rb b/test/rubygems/test_gem_commands_owner_command.rb
|
|
|
121925 |
index dfbc2572dc..22272d4a22 100644
|
|
|
121925 |
--- a/test/rubygems/test_gem_commands_owner_command.rb
|
|
|
121925 |
+++ b/test/rubygems/test_gem_commands_owner_command.rb
|
|
|
121925 |
@@ -34,6 +34,30 @@ EOF
|
|
|
121925 |
assert_match %r{- user2@example.com}, @ui.output
|
|
|
121925 |
end
|
|
|
121925 |
|
|
|
121925 |
+ def test_show_owners_dont_load_objects
|
|
|
121925 |
+ skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
|
|
|
121925 |
+
|
|
|
121925 |
+ response = <
|
|
|
121925 |
+---
|
|
|
121925 |
+- email: !ruby/object:Object {}
|
|
|
121925 |
+ id: 1
|
|
|
121925 |
+ handle: user1
|
|
|
121925 |
+- email: user2@example.com
|
|
|
121925 |
+- id: 3
|
|
|
121925 |
+ handle: user3
|
|
|
121925 |
+- id: 4
|
|
|
121925 |
+EOF
|
|
|
121925 |
+
|
|
|
121925 |
+ @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
|
|
|
121925 |
+
|
|
|
121925 |
+ assert_raises Psych::DisallowedClass do
|
|
|
121925 |
+ use_ui @ui do
|
|
|
121925 |
+ @cmd.show_owners("freewill")
|
|
|
121925 |
+ end
|
|
|
121925 |
+ end
|
|
|
121925 |
+
|
|
|
121925 |
+ end
|
|
|
121925 |
+
|
|
|
121925 |
def test_show_owners_denied
|
|
|
121925 |
response = "You don't have permission to push to this gem"
|
|
|
121925 |
@fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 403, 'Forbidden']
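Review bot: The new test exercises a single hostile payload and is skipped whenever `Psych::DisallowedClass` is undefined, so on a runtime without Psych the deserialization guard is never asserted at all; if this branch still supports that configuration, a non-Psych expectation (or an explicit failure rather than a skip) would be safer. It would also be worth pinning that nothing is printed before the load fails, e.g. `assert_empty @ui.output` after the `assert_raises` block, since `say` runs only after the parse in `show_owners`. The heredoc opener renders here as `response = <`; presumably `<<-EOF` was lost in extraction, given the `EOF` terminator that follows.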
--
2.17.1