Merge pull request #86 from fnxpt/fixNullByteString

fix issue with null byte string by dumping it first
CycloneDX · Jan 7, 2025 · 93c3904 · 93c3904
2 parents d39e38e + 9a000b2
commit 93c3904
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/cyclonedx/cocoapods/bom_builder.rb b/lib/cyclonedx/cocoapods/bom_builder.rb
@@ -127,7 +127,8 @@ def add_to_bom(xml, manifest_path, trim_strings_length = 0)
           xml_add_author(xml, trim_strings_length)
           xml.name_ name
           xml.version version.to_s
-          xml.description { xml.cdata description } unless description.nil?
+          # Use `dump` to escape non-printing characters, then remove the starting/trailing double-quotes from `dump`.
+          xml.description { xml.cdata description.dump[1..-2] } unless description.nil?
           unless checksum.nil?
             xml.hashes do
               xml.hash_(checksum, alg: CHECKSUM_ALGORITHM)

diff --git a/spec/cyclonedx/cocoapods/bom_builder_spec.rb b/spec/cyclonedx/cocoapods/bom_builder_spec.rb
@@ -123,6 +123,17 @@
       end
     end
 
+    context 'when having a null byte description' do
+      let(:pod) do
+        described_class.new(name: pod_name, version: pod_version, checksum: checksum).populate(summary: "'\0'")
+      end
+
+      it 'should generate a correct component description' do
+        expect(xml.at('/component/description')).not_to be_nil
+        expect(xml.at('/component/description').text).to eql("'\\x00'")
+      end
+    end
+
     context 'when not having a checksum' do
       let(:pod) { described_class.new(name: pod_name, version: pod_version) }