[ruby/net-ftp] Reduce resource cosumption of Net::FTP::TIME_PARSER

Reported by Alexandr Savca as a DoS vulnerability, but Net::FTP is a client library and the impact of the issue is low, so I have decided to fix it as a normal issue. Based on patch by nobu. https://github.com/ruby/net-ftp/commit/a93af636f8
author: Shugo Maeda <shugo@ruby-lang.org> 2021-04-21 09:43:39 +0900
committer: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2021-04-27 21:21:33 +0900
commit: 4ae27d8075b2d138d13cb2b112f0ee50934b3017 (patch)
tree: 3723b485bba5fb28cff3fc80ef603e1846d0d457 /test/net
parent: 990baec41174a0b4cf7e285cf3185b4ab444437e (diff)
download: ruby-4ae27d8075b2d138d13cb2b112f0ee50934b3017.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/test/net/ftp/test_ftp.rb b/test/net/ftp/test_ftp.rb
index fb4fa78ae3..7aa80cdcb8 100644
--- a/test/net/ftp/test_ftp.rb
+++ b/test/net/ftp/test_ftp.rb
@@ -2509,6 +2509,17 @@ EOF
     end
   end
 
+  def test_time_parser
+    s = "20371231000000." + "9" * 999999999
+    assert_equal(Time.utc(2037, 12, 31, 0, 0, 0,
+                          99999999999999999r / 100000000000),
+                 Net::FTP::TIME_PARSER[s])
+    e = assert_raise(Net::FTPProtoError) {
+      Net::FTP::TIME_PARSER["x" * 999999999]
+    }
+    assert_equal("invalid time-val: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...", e.message)
+  end
+
   private
 
   def create_ftp_server(sleep_time = nil)
author	Shugo Maeda <shugo@ruby-lang.org>	2021-04-21 09:43:39 +0900
committer	Hiroshi SHIBATA <hsbt@ruby-lang.org>	2021-04-27 21:21:33 +0900
commit	4ae27d8075b2d138d13cb2b112f0ee50934b3017 (patch)
tree	3723b485bba5fb28cff3fc80ef603e1846d0d457 /test/net
parent	990baec41174a0b4cf7e285cf3185b4ab444437e (diff)
download	ruby-4ae27d8075b2d138d13cb2b112f0ee50934b3017.tar.gz