Specs for three initial vulnerabilities

default.mspec

@@ -15,14 +15,17 @@ class MSpecScript
  # Command line specs
  set :command_line, [ 'command_line' ]
 
+ # Security specs
+ set :security, [ 'security' ]
+
  # C extension API specs
  set :capi, [ 'optional/capi' ]
 
  # A list of _all_ optional specs
  set :optional, get(:capi)
 
  # An ordered list of the directories containing specs to run
- set :files, get(:command_line) + get(:language) + get(:core) + get(:library) + get(:optional)
+ set :files, get(:command_line) + get(:language) + get(:core) + get(:library) + get(:security) + get(:optional)
 
  # This set of files is run by mspec ci
  set :ci_files, get(:files)
@@ -39,6 +42,7 @@ class MSpecScript
  [%r(core/), 'tags/1.9/core/'],
  [%r(command_line/), 'tags/1.9/command_line/'],
  [%r(library/), 'tags/1.9/library/'],
+ [%r(security/), 'tags/1.9/security/'],
  [/_spec.rb$/, '_tags.txt']
  ]
 

security/cve_2011_4815_spec.rb

@@ -0,0 +1,41 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+describe :resists_cve_2011_4815, shared: true do
+ it "resists CVE-2011-4815 by having different hash codes in different processes" do
+ eval("(#{@method}).hash.to_s").should_not == ruby_exe("print (#{@method}).hash")
+ end
+end
+
+describe "Object#hash" do
+ it_behaves_like :resists_cve_2011_4815, 'Object.new'
+end
+
+describe "Integer#hash with a small value" do
+ it_behaves_like :resists_cve_2011_4815, '14'
+end
+
+describe "Integer#hash with a large value" do
+ it_behaves_like :resists_cve_2011_4815, '100000000000000000000000000000'
+end
+
+describe "Float#hash" do
+ it_behaves_like :resists_cve_2011_4815, '3.14'
+end
+
+describe "String#hash" do
+ it_behaves_like :resists_cve_2011_4815, '"abc"'
+end
+
+describe "Symbol#hash" do
+ ruby_bug "#13376", "2.3"..."2.4" do
+ it_behaves_like :resists_cve_2011_4815, ':a'
+ end
+end
+
+describe "Array#hash" do
+ it_behaves_like :resists_cve_2011_4815, '[1, 2, 3]'
+end
+
+describe "Hash#hash" do
+ it_behaves_like :resists_cve_2011_4815, '{a: 1, b: 2, c: 3}'
+end

security/cve_2013_4164_spec.rb

@@ -0,0 +1,19 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+require 'json'
+
+describe "String#to_f" do
+
+ it "resists CVE-2013-4164 by converting very long Strings to a Float" do
+ "1.#{'1'*1000000}".to_f.should be_close(1.1111111111111112, TOLERANCE)
+ end
+
+end
+
+describe "JSON.parse" do
+
+ it "resists CVE-2013-4164 by converting very long Strings to a Float" do
+ JSON.parse("[1.#{'1'*1000000}]").first.should be_close(1.1111111111111112, TOLERANCE)
+ end
+
+end

security/cve_2014_8080_spec.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+require 'rexml/document'
+
+describe "REXML::Document.new" do
+
+ it "resists CVE-2014-8080 by raising an exception when entity expansion has grown too large" do
+ xml = <<XML
+ <?xml version="1.0" encoding="UTF-8" ?>
+ <!DOCTYPE x [
+ <!ENTITY % x0 "xxxxxxxxxx">
+ <!ENTITY % x1 "%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;%x0;">
+ <!ENTITY % x2 "%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;%x1;">
+ <!ENTITY % x3 "%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;%x2;">
+ <!ENTITY % x4 "%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;%x3;">
+ <!ENTITY % x5 "%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;%x4;">
+ <!ENTITY % x6 "%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;%x5;">
+ <!ENTITY % x7 "%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;%x6;">
+ <!ENTITY % x8 "%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;%x7;">
+ <!ENTITY % x9 "%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;%x8;">
+ ]>
+ <x>
+ %x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;%x9;
+ </x>
+XML
+
+ lambda { REXML::Document.new(xml).doctype.entities['x9'].value }.should raise_error(REXML::ParseException) { |e|
+ e.message.should =~ /entity expansion has grown too large/
+ }
+ end
+
+end