fix(security): prevent command injection in Mechanize::File#save!

Related to GHSA-qrqm-fpv6-6r8g

Author: flavorjones

lib/mechanize/file.rb

@@ -82,7 +82,7 @@ def save! filename = nil
  dirname = File.dirname filename
  FileUtils.mkdir_p dirname
 
- open filename, 'wb' do |f|
+ ::File.open(filename, 'wb')do |f|
  f.write body
  end
 

test/test_mechanize_file.rb

@@ -103,5 +103,14 @@ def test_save_overwrite
  end
  end
 
+ def test_save_bang_does_not_allow_command_injection
+ uri = URI 'http://example/test.html'
+ page = Mechanize::File.new uri, nil, ''
+
+ in_tmpdir do
+ page.save!('| ruby -rfileutils -e \'FileUtils.touch("vul.txt")\'')
+ refute_operator(File, :exist?, "vul.txt")
+ end
+ end
 end