✅ test: add coverage for Ruby license fetching and path traversal

pboling · pboling · commit 3625d8827247 · 2025-12-19T19:06:33.000-07:00
- Add unit tests for `fetchInstalledLicense` in `pkg/deps/ruby_test.go` covering:
  - Multiple versions of the same gem
  - Invalid version strings
  - Missing gemspec files
  - Gems with similar names
- Add unit tests for path traversal protection in `pkg/deps/ruby_test.go` covering:
  - Path traversal attempts in `Gemfile.lock`
- Fix `fetchInstalledLicense` in `pkg/deps/ruby.go` to return empty string for invalid version strings instead of falling back to any installed version.
diff --git a/pkg/deps/ruby.go b/pkg/deps/ruby.go
@@ -540,6 +540,9 @@ func fetchLocalLicense(dir, targetName string) (string, error) {
 }
 
 func fetchInstalledLicense(name, version string) string {
+	if version != "" && !rubyVersionRe.MatchString(version) {
+		return ""
+	}
 	gems := getAllGemspecs()
 	for _, path := range gems {
 		filename := filepath.Base(path)
diff --git a/pkg/deps/ruby_test.go b/pkg/deps/ruby_test.go
@@ -20,6 +20,7 @@ package deps
 import (
 	"bufio"
 	"embed"
+	"fmt"
 	"io"
 	"io/fs"
 	"net/http"
@@ -353,3 +354,132 @@ func TestGemspecIgnoresCommentedRuntimeDependencies(t *testing.T) {
 		t.Fatalf("expected 0 dependencies when runtime deps are only commented, got %d", got)
 	}
 }
+
+func TestFetchInstalledLicense(t *testing.T) {
+	gemHome := t.TempDir()
+	specsDir := filepath.Join(gemHome, "specifications")
+	if err := os.MkdirAll(specsDir, 0755); err != nil {
+		t.Fatal(err)
+	}
+
+	createGemspec := func(filename, name, version, license string) {
+		content := fmt.Sprintf(`
+Gem::Specification.new do |s|
+  s.name = "%s"
+  s.version = "%s"
+  s.licenses = ["%s"]
+end
+`, name, version, license)
+		if err := os.WriteFile(filepath.Join(specsDir, filename), []byte(content), 0644); err != nil {
+			t.Fatal(err)
+		}
+	}
+
+	createGemspec("foo-1.0.0.gemspec", "foo", "1.0.0", "MIT")
+	createGemspec("foo-2.0.0.gemspec", "foo", "2.0.0", "GPL-3.0")
+	createGemspec("foo-bar-1.0.0.gemspec", "foo-bar", "1.0.0", "Apache-2.0")
+	createGemspec("bar-1.0.0.gemspec", "bar", "1.0.0", "BSD-3-Clause")
+	// Invalid version string in filename
+	createGemspec("foo-invalid.gemspec", "foo", "invalid", "WTFPL")
+
+	t.Setenv("GEM_HOME", gemHome)
+
+	tests := []struct {
+		name    string
+		version string
+		want    string
+	}{
+		{"foo", "1.0.0", "MIT"},
+		{"foo", "2.0.0", "GPL-3.0"},
+		{"foo-bar", "1.0.0", "Apache-2.0"},
+		{"bar", "1.0.0", "BSD-3-Clause"},
+		{"foo", "", "MIT"},   // Should find first available version (1.0.0 comes before 2.0.0)
+		{"foo", "3.0.0", ""}, // Not found
+		{"unknown", "1.0.0", ""},
+		{"foo", "invalid", ""}, // Invalid version requested, regex won't match
+	}
+
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%s-%s", tt.name, tt.version), func(t *testing.T) {
+			got := fetchInstalledLicense(tt.name, tt.version)
+			if got != tt.want {
+				t.Errorf("fetchInstalledLicense(%q, %q) = %q, want %q", tt.name, tt.version, got, tt.want)
+			}
+		})
+	}
+}
+
+func TestRubyGemfileLockResolver_PathTraversal(t *testing.T) {
+	resolver := new(GemfileLockResolver)
+	dir := t.TempDir()
+
+	// Create a directory outside the project
+	outsideDir := t.TempDir()
+	// Create a gemspec in outsideDir
+	outsideGemspec := filepath.Join(outsideDir, "evil.gemspec")
+	if err := os.WriteFile(outsideGemspec, []byte(`
+Gem::Specification.new do |s|
+  s.name = "evil"
+  s.version = "1.0.0"
+  s.licenses = ["Evil-License"]
+end
+`), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	// Calculate relative path from dir to outsideDir
+	relPath, err := filepath.Rel(dir, outsideDir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lockContent := fmt.Sprintf(`
+PATH
+  remote: %s
+  specs:
+    evil (1.0.0)
+
+GEM
+  remote: https://gem.coop/
+  specs:
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  evil!
+
+BUNDLED WITH
+   2.4.10
+`, relPath)
+
+	lock := filepath.Join(dir, "Gemfile.lock")
+	if err := writeFileRuby(lock, lockContent); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg := &ConfigDeps{Files: []string{lock}}
+	report := Report{}
+	if err := resolver.Resolve(lock, cfg, &report); err != nil {
+		t.Fatal(err)
+	}
+
+	found := false
+	for _, r := range report.Resolved {
+		if r.Dependency == "evil" {
+			found = true
+			if r.LicenseSpdxID == "Evil-License" {
+				t.Errorf("Path traversal succeeded! Found license from outside directory.")
+			}
+		}
+	}
+	// If it's skipped, that's also fine (means it didn't resolve license)
+	for _, r := range report.Skipped {
+		if r.Dependency == "evil" {
+			found = true
+		}
+	}
+	if !found {
+		t.Errorf("Dependency 'evil' was not found in report")
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -540,6 +540,9 @@ func fetchLocalLicense(dir, targetName string) (string, error) {`
`540`	`540`	`}`
`541`	`541`
`542`	`542`	`func fetchInstalledLicense(name, version string) string {`
	`543`	`+ if version != "" && !rubyVersionRe.MatchString(version) {`
	`544`	`+ return ""`
	`545`	`+ }`
`543`	`546`	`gems := getAllGemspecs()`
`544`	`547`	`for _, path := range gems {`
`545`	`548`	`filename := filepath.Base(path)`