From dcd09da317d9710c61000dbda5df2c9a6d59b1fb Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 16 Feb 2018 16:21:44 +0000
Subject: [PATCH] Fix Unsafe Object Deserialization Vulnerability in gem owner.

merge revision(s) 58471,58493,62436: [Backport #13505]

	load.c: backtrace of circular require

	* load.c (load_lock): print backtrace of circular require via
	  `Warning.warn` [ruby-core:80850] [Bug #13505]

	  Send the backtrace of the circular require warning as a single String to Warning.warn

	* load.c: send as a single string.
	* error.c: expose the string formatted by rb_warning as rb_warning_string().
	* test/ruby/test_exception.rb: update tests.
	  [ruby-core:80850] [Bug #13505]

	fix regexp literal warning.

	* test/rubygems/test_gem_server.rb: eliminate duplicated character class warning.
	  [Bug #14481]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62439 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/rubygems/commands/owner_command.rb        |  2 +-
 .../test_gem_commands_owner_command.rb        | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/rubygems/commands/owner_command.rb b/lib/rubygems/commands/owner_command.rb
index 11e6e026fd..df64f41e59 100644
--- a/lib/rubygems/commands/owner_command.rb
+++ b/lib/rubygems/commands/owner_command.rb
@@ -48,7 +48,7 @@ class Gem::Commands::OwnerCommand < Gem::Command
     end
 
     with_response response do |resp|
-      owners = YAML.load resp.body
+      owners = Gem::SafeYAML.load resp.body
 
       say "Owners for gem: #{name}"
       owners.each do |owner|
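Review bot: The parsed document is still consumed by `owners.each do |owner|` on the line after the fix, so a body that parses safely but is not an Array (a scalar, a Hash, or nil for an empty response) fails with NoMethodError inside the with_response block instead of a command error, and a body carrying a disallowed tag now escapes as an unrescued Psych::DisallowedClass, which the test added in this patch depends on. Since the body comes from the remote gem host, I would validate the shape right after the swap: `owners = Gem::SafeYAML.load resp.body` followed by `raise Gem::CommandLineError, "unexpected owners response from #{Gem.host}" unless owners.is_a?(Array)`. Whether this file already requires `rubygems/safe_yaml` (or inherits it from the rubygems entry point on this backport branch) is not visible in the hunk and should be confirmed, otherwise the constant is unresolved at runtime. The enclosing show_owners method starts and ends outside the hunk.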
diff --git a/test/rubygems/test_gem_commands_owner_command.rb b/test/rubygems/test_gem_commands_owner_command.rb
index dfbc2572dc..22272d4a22 100644
--- a/test/rubygems/test_gem_commands_owner_command.rb
+++ b/test/rubygems/test_gem_commands_owner_command.rb
@@ -34,6 +34,30 @@ EOF
     assert_match %r{- user2@example.com}, @ui.output
   end
 
+  def test_show_owners_dont_load_objects
+    skip "testing a psych-only API" unless defined?(::Psych::DisallowedClass)
+
+    response = <<EOF
+---
+- email: !ruby/object:Object {}
+  id: 1
+  handle: user1
+- email: user2@example.com
+- id: 3
+  handle: user3
+- id: 4
+EOF
+
+    @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 200, 'OK']
+
+    assert_raises Psych::DisallowedClass do
+      use_ui @ui do
+        @cmd.show_owners("freewill")
+      end
+    end
+
+  end
+
   def test_show_owners_denied
     response = "You don't have permission to push to this gem"
     @fetcher.data["#{Gem.host}/api/v1/gems/freewill/owners.yaml"] = [response, 403, 'Forbidden']
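Review bot: The blank line immediately before the closing `end` of test_show_owners_dont_load_objects is stray and should be removed to match the other tests in the file. The test also pins the current behaviour of letting Psych::DisallowedClass propagate out of show_owners; if the command is later changed to rescue that and report a user-facing error, this assertion has to change with it, so a comment above the assert_raises such as `# a disallowed tag must abort before any owner is printed` would make the intent explicit for whoever touches it next. test_show_owners_denied continues outside the hunk.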
-- 
2.17.1