From 370c26a6c9ee0511972ea04904fcc89014a22987 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mislav=20Marohni=C4=87?= <mislav.marohnic@gmail.com>
Date: Wed, 3 Apr 2019 12:58:25 +0200
Subject: [PATCH] Disallow path segments and directory traversal in
 `.ruby-version` files

A malicious `.ruby-version` file in the current directory could inject
`../../../` into the version string and trigger execution of binaries
outside of `RBENV_ROOT/versions/`.

Fixes #977 OVE-20170303-0004
---
 libexec/rbenv-version-file-read |  4 +++-
 test/version-file-read.bats     | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/libexec/rbenv-version-file-read b/libexec/rbenv-version-file-read
index 2f046961..c94404ca 100755
--- a/libexec/rbenv-version-file-read
+++ b/libexec/rbenv-version-file-read
@@ -11,7 +11,9 @@ if [ -e "$VERSION_FILE" ]; then
   words=( $(cut -b 1-1024 "$VERSION_FILE") )
   version="${words[0]}"
 
-  if [ -n "$version" ]; then
+  if [ "$version" = ".." ] || [[ $version == */* ]]; then
+    echo "rbenv: invalid version in \`$VERSION_FILE'" >&2
+  elif [ -n "$version" ]; then
     echo "$version"
     exit
   fi
diff --git a/test/version-file-read.bats b/test/version-file-read.bats
index bf7bf910..9dc62327 100644
--- a/test/version-file-read.bats
+++ b/test/version-file-read.bats
@@ -70,3 +70,19 @@ IN
   run rbenv-version-file-read my-version
   assert_success "1.9.3"
 }
+
+@test "prevents directory traversal" {
+  cat > my-version <<<".."
+  run rbenv-version-file-read my-version
+  assert_failure "rbenv: invalid version in \`my-version'"
+
+  cat > my-version <<<"../foo"
+  run rbenv-version-file-read my-version
+  assert_failure "rbenv: invalid version in \`my-version'"
+}
+
+@test "disallows path segments in version string" {
+  cat > my-version <<<"foo/bar"
+  run rbenv-version-file-read my-version
+  assert_failure "rbenv: invalid version in \`my-version'"
+}