Fix directory traversal in Timezone.get when using Ruby data source

Author: kratob

lib/tzinfo/ruby_data_source.rb

@@ -38,7 +38,7 @@ def initialize
     # Raises InvalidTimezoneIdentifier if the timezone is not found or the 
     # identifier is invalid.
     def load_timezone_info(identifier)
-      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
+      raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/
 
       identifier = identifier.gsub(/-/, '__m__').gsub(/\+/, '__p__')
 

test/assets/payload.rb

@@ -0,0 +1 @@
+raise 'This should never be executed'

test/tc_ruby_data_source.rb

@@ -51,6 +51,12 @@ def test_load_timezone_info_invalid
       @data_source.load_timezone_info('../Definitions/UTC')
     end
   end
+
+  def test_load_timezone_info_directory_traversal
+    test_data_depth = TZINFO_TEST_DATA_DIR.scan('/').size
+    payload_path = File.join(TESTS_DIR, 'assets', 'payload')
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get("foo\n#{'/..' * (test_data_depth + 4)}#{payload_path}") }
+  end
 
   def test_load_timezone_info_nil
     assert_raises(InvalidTimezoneIdentifier) do

test/tc_timezone.rb

@@ -213,7 +213,7 @@ def test_get_not_exist
   end
 
   def test_get_invalid
-    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
+    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../definitions/UTC') }
   end
 
   def test_get_nil