Skip to content

fix: Unsafe shell command constructed from library input #897

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 18, 2025
Merged

fix: Unsafe shell command constructed from library input #897

merged 1 commit into from
Jul 18, 2025

Conversation

opsysdebug
Copy link
Contributor

@opsysdebug opsysdebug commented Feb 28, 2025
edited
Loading

Dynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.

def run(merge_tool, destination)
  system %(#{merge_tool} "#{temp.path}" "#{destination}") 
end

[email protected]

@rafaelfranca rafaelfranca merged commit 536b790 into rails:main Jul 18, 2025
9 checks passed
kenyon added a commit to kenyon/modulesync that referenced this pull request Jul 23, 2025
@kenyon
thor: allow 1.4
b13c3fc 
Allowing 1.4 resolves a security issue in Thor:

* https://github.com/voxpupuli/modulesync/security/dependabot/1
* rails/thor#897

We shouldn't need to support ancient Perforce facter anymore.
@kenyon kenyon mentioned this pull request Jul 23, 2025
Merged
kenyon added a commit to kenyon/openfact that referenced this pull request Jul 23, 2025
@kenyon
thor: require 1.4 or newer
7167258 
Thor 1.4.0 resolves a security issue: rails/thor#897

Related: voxpupuli/modulesync#309
@kenyon kenyon mentioned this pull request Jul 23, 2025
Open
crsantos added a commit to crsantos/danger-ruby-swiftlint that referenced this pull request Jul 23, 2025
@crsantos
Bumping thor to minor 1.4 due to CVE
a40cfea 
rails/thor#897
crsantos added a commit to crsantos/danger-ruby-swiftlint that referenced this pull request Jul 23, 2025
@crsantos
Bumping thor to minor 1.4 due to CVE
fff957c 
Fixes ashfurrow#208
Reference: rails/thor#897
crsantos added a commit to crsantos/danger-ruby-swiftlint that referenced this pull request Jul 23, 2025
@crsantos
Bumping thor to minor 1.4 due to CVE
3f89cd2 
Fixes ashfurrow#208
Reference: rails/thor#897
@crsantos crsantos mentioned this pull request Jul 23, 2025
Merged
2 tasks
bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this pull request Jul 24, 2025
@bmwiedemann
Update rubygem-thor to version 1.4.0 / rev 28 via SR 1295381
208be62 
https://build.opensuse.org/request/show/1295381
by user dancermak + dimstar_suse
- 1.4.0:
## What's Changed
* Lazy-load YAML for performance improvement in rails/thor#892
* Fix encoding error when displaying diffs in rails/thor#898
* Fix unsafe shell command construction (security issue) in rails/thor#897 (bsc#1246809)
* Support `git difftool`-style merge tool identifiers in rails/thor#900
* Add `gsub_file!` and make `gsub_file` fail if no substitutions occur in rails/thor#877
## Security
* CVE-2025-54314: Fixed a vulnerability where user input could result in unsafe shell command execution. (bsc#1246809)
## New Contributors
* @hlascelles made their first contribution in rails/thor#893
**Full Changelog**: https://github.com/rail
@shelbyc shelbyc mentioned this pull request Aug 5, 2025
Merged
@rafaelfranca
Copy link
Member

Wait I sec, why was a CVE emitted for this fix? None of the maintainers requested it. I don't think there is a CVE here. Thor is a CLI tool and this is used for used controller input, not random input from the internet. In fact, I'm thinking about reverting this change because it breaks the use case it was made to, that is allow people to configure merge tools to resolve conflicts. See #909

@Sumynwa Sumynwa mentioned this pull request Aug 11, 2025
Merged
12 tasks
kenyon added a commit to kenyon/openfact that referenced this pull request Aug 28, 2025
@kenyon
thor: require 1.4 or newer
b8c4254 
Thor 1.4.0 resolves a security issue: rails/thor#897

Related: voxpupuli/modulesync#309
kenyon added a commit to kenyon/openfact that referenced this pull request Aug 28, 2025
@kenyon
thor: require 1.4 or newer
bac435f 
Thor 1.4.0 resolves a security issue: rails/thor#897

Related: voxpupuli/modulesync#309
kenyon added a commit to kenyon/openfact that referenced this pull request Aug 28, 2025
@kenyon
thor: require 1.4 or newer
992f060 
Thor 1.4.0 resolves a security issue: rails/thor#897

Related: voxpupuli/modulesync#309
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@opsysdebug @rafaelfranca