From 9905ca93abf7bf3e387bd592406e403cd18334c7 Mon Sep 17 00:00:00 2001
From: Tobias Kraze
Date: Mon, 11 Jul 2022 09:54:12 +0200
Subject: [PATCH] Fix directory traversal in Timezone.get when using Ruby data source
origin: https://github.com/tzinfo/tzinfo/commit/9905ca93abf7bf3e387bd592406e403cd18334c7
---
 lib/tzinfo/ruby_data_source.rb | 2 +-
 test/assets/payload.rb | 1 +
 test/tc_ruby_data_source.rb | 6 ++++++
 test/tc_timezone.rb | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)
 create mode 100644 test/assets/payload.rb
diff --git a/lib/tzinfo/ruby_data_source.rb b/lib/tzinfo/ruby_data_source.rb
index b5a67524..b8a34e78 100644
--- a/lib/tzinfo/ruby_data_source.rb
+++ b/lib/tzinfo/ruby_data_source.rb
@@ -38,7 +38,7 @@ def initialize
 # Raises InvalidTimezoneIdentifier if the timezone is not found or the
 # identifier is invalid.
 def load_timezone_info(identifier)
- raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+ raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/
 
 identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
 
diff --git a/test/assets/payload.rb b/test/assets/payload.rb
new file mode 100644
index 00000000..7ad83fc9
--- /dev/null
+++ b/test/assets/payload.rb
@@ -0,0 +1 @@
+raise 'This should never be executed'
diff --git a/test/tc_ruby_data_source.rb b/test/tc_ruby_data_source.rb
index 790dd8eb..9bd069a4 100644
--- a/test/tc_ruby_data_source.rb
+++ b/test/tc_ruby_data_source.rb
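Review bot: The `+` line in load_timezone_info is the only check between the caller-supplied identifier and the file the commit title says it is later resolved to, yet nothing at the site records why `\A`/`\z` rather than `^`/`$` is required, so a future "cleanup" could reintroduce the bug; I'd put `# Anchor with \A/\z, not ^/$: the latter match at line boundaries, so an identifier containing a newline could pass this check with a second, unvalidated line.` directly above the raise. As a matter of style, `unless identifier.match?(/\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/)` reads more naturally than `!~` and avoids allocating a MatchData. The remainder of load_timezone_info, including the point where the transformed identifier is turned into a path, lies outside the hunk, so I cannot confirm whether any further validation happens there.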
@@ -51,6 +51,12 @@ def test_load_timezone_info_invalid
 @data_source.load_timezone_info('../Definitions/UTC')
 end
 end
+
+ def test_load_timezone_info_directory_traversal
+ test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+ payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+ assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+ end
 
 def test_load_timezone_info_nil
 assert_raises(InvalidTimezoneIdentifier) do
diff --git a/test/tc_timezone.rb b/test/tc_timezone.rb
index 0dc06111..5f4614d3 100644
--- a/test/tc_timezone.rb
+++ b/test/tc_timezone.rb
@@ -213,7 +213,7 @@ def test_get_not_exist
 end
 
 def test_get_invalid
- assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+ assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
 end
 
 def test_get_nil
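Review bot: test_load_timezone_info_directory_traversal goes through `Timezone.get`, whereas its neighbours test_load_timezone_info_invalid and test_load_timezone_info_nil call `@data_source.load_timezone_info` directly, so the new test only reaches the patched method if the globally registered data source happens to be this RubyDataSource, which nothing in the hunk establishes; `assert_raises(InvalidTimezoneIdentifier) { @data_source.load_timezone_info("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }` would pin the fix on the same object the sibling tests use, and the `Timezone.get` form can stay alongside it if the end-to-end path is also wanted. The `+ 4` in the `'/..'` multiplier is an unexplained constant, presumably the number of directory levels between the data source's definitions directory and the test data directory, and deserves a comment such as `# enough '/..' segments to reach the filesystem root from the data directory, so payload_path resolves absolutely` once confirmed. The payload asset raises if it is ever loaded, which is a good trap, but it is worth noting in the test that the expected failure mode is InvalidTimezoneIdentifier and not that RuntimeError.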
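Review bot: The only change to test_get_invalid is `Definitions` becoming `definitions`, and neither the hunk nor the commit message says why; if the intent is to match the on-disk directory name so that the test would fail for the right reason if the identifier check regressed, a short comment on the line would spare the next reader the same question. Since the identifier pattern in ruby_data_source.rb admits no `.` at all, both spellings must be rejected, so I would keep the original capitalised variant as a second assertion rather than replacing it, e.g. `assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }` on the next line. The method is fully inside the hunk.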