Specs for three initial vulnerabilities #393
Conversation
| describe "String#to_f" do | ||
| | ||
| it "resists CVE-2013-4164 by converting very long Strings to a Float" do | ||
| "1.#{'1'*1000000}".to_f.should be_close(1.1111111111111112, TOLERANCE) |
There was a problem hiding this comment.
Is this enough to test for this issue? Is CVE-2013-4164 a SEGV bug in float parsing?
I know a variant where essentially Float parsing time is quadratic to the input length, potential for DDoS.
There was a problem hiding this comment.
It was a segmentation fault before, yes:
/Users/chrisseaton/Documents/ruby/spec/vulnerabilities/cve_2013_4164_spec.rb:8: [BUG] Segmentation fault ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin16.4.0] -- Crash Report log information -------------------------------------------- See Crash Report log file under the one of following: * ~/Library/Logs/CrashReporter * /Library/Logs/CrashReporter * ~/Library/Logs/DiagnosticReports * /Library/Logs/DiagnosticReports the more detail of. -- Control frame information ----------------------------------------------- c:0032 p:---- s:0111 e:000110 CFUNC :to_f c:0031 p:0017 s:0108 e:000107 BLOCK /Users/chrisseaton/Documents/ruby/spec/vulnerabilities/cve_2013_4164_spec.rb:8 [FINISH] c:0030 p:---- s:0106 e:000105 CFUNC :instance_eval c:0029 p:0013 s:0103 e:000102 METHOD /Users/chrisseaton/Documents/ruby/mspec/lib/mspec/runner/mspec.rb:90 c:0028 p:0017 s:0097 e:000096 BLOCK /Users/chrisseaton/Documents/ruby/mspec/lib/mspec/runner/context.rb:250 [FINISH] c:0027 p:---- s:0094 e:000093 IFUNC c:0026 p:---- s:0092 e:000091 CFUNC :each c:0025 p:---- s:0090 e:000089 CFUNC :all? ..... | </x> | ||
| XML | ||
| | ||
| lambda { REXML::Document.new(xml).doctype.entities['x9'].value }.should raise_error(REXML::ParseException) |
There was a problem hiding this comment.
Could you also check the exception message here?
It can be done like
Lines 261 to 263 in 2e2057a
| @eregon what do I do about the failure on 2.3? Is this due to how they changed how symbols are treated by the GC? |
default.mspec Outdated
| set :command_line, [ 'command_line' ] | ||
| | ||
| # Vulnerability resistance specs | ||
| set :vulnerabilities, [ 'vulnerabilities' ] |
There was a problem hiding this comment.
I am thinking to call this security specs.
Vulnerabilities is quite specific and long (so easy to mistype).
What do you think?
There was a problem hiding this comment.
Yes I can't type it either 😀
I think you might just have found a bug on 2.3. ruby_bug "#number", "2.3" do end |
default.mspec Outdated
| | ||
| # An ordered list of the directories containing specs to run | ||
| set :files, get(:command_line) + get(:language) + get(:core) + get(:library) + get(:optional) | ||
| set :files, get(:command_line) + get(:language) + get(:core) + get(:library) + get(:vulnerabilities) + get(:optional) |
There was a problem hiding this comment.
It also needs to be changed here
| end | ||
| | ||
| describe "Integer#hash" do | ||
| it_behaves_like :resists_cve_2011_4815, '14' |
There was a problem hiding this comment.
This would benefit from also checking numbers >= 2^63.
bignum_value.to_s can be used to generate such a number.
| it_behaves_like :resists_cve_2011_4815, '"abc"' | ||
| end | ||
| | ||
| describe "Symbol#hash" do |
There was a problem hiding this comment.
| Could be ready for merge now. |
eregon left a comment
eregon left a comment There was a problem hiding this comment.
Thank you for these, I think it's big step towards better security issues awareness.
2 participants
No description provided.