Merge branch 'fix-directory-traversal-1.2' into 1.2

philr · philr · commit b98c32efd612 · 2022-07-19T19:08:56.000+01:00
diff --git a/lib/tzinfo/ruby_data_source.rb b/lib/tzinfo/ruby_data_source.rb
@@ -38,7 +38,7 @@ def initialize
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9+\-_]+(\/[A-Za-z0-9+\-_]+)*\z/
       
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
       
diff --git a/test/assets/payload.rb b/test/assets/payload.rb
@@ -0,0 +1 @@
+raise 'This should never be executed'
diff --git a/test/tc_ruby_data_source.rb b/test/tc_ruby_data_source.rb
@@ -48,9 +48,15 @@ def test_load_timezone_info_does_not_exist
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/UTC')
+      @data_source.load_timezone_info('../definitions/UTC')
     end
   end
+
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+  end
   
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do
diff --git a/test/tc_timezone.rb b/test/tc_timezone.rb
@@ -213,7 +213,7 @@ def test_get_not_exist
   end
   
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
   end
   
   def test_get_nil
diff --git a/test/tc_zoneinfo_data_source.rb b/test/tc_zoneinfo_data_source.rb
@@ -374,7 +374,7 @@ def test_load_timezone_info_does_not_exist
   
   def test_load_timezone_info_invalid
     assert_raises(InvalidTimezoneIdentifier) do
-      @data_source.load_timezone_info('../Definitions/Europe/London')
+      @data_source.load_timezone_info('../zoneinfo/Europe/London')
     end
   end
   
