Skip to content

chore(ruby): avoid shell invocation in extsources.rb#3813

Open
orbisai0security wants to merge 1 commit into
ggml-org:masterfrom
orbisai0security:fix-ruby-dangerous-subshell-extsources
Open

chore(ruby): avoid shell invocation in extsources.rb#3813
orbisai0security wants to merge 1 commit into
ggml-org:masterfrom
orbisai0security:fix-ruby-dangerous-subshell-extsources

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented May 17, 2026
edited
Loading

Summary

This PR updates the Ruby binding helper in bindings/ruby/extsources.rb to avoid invoking a shell when listing tracked source files.

The previous implementation used Ruby backticks to run:

git ls-files -z #{root}

Description: Detected non-static command inside .... If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.

Changes

  • bindings/ruby/extsources.rb

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: ruby.lang.security.dangerous-subshell.dangerous-subshell securit…
c0357b7 
…y vulnerability

Automated security fix generated by Orbis Security AI
@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented May 17, 2026

Thank you for report!

Could you detail why the ` (backtick) method call is, especially at high severity, danger in the file's context?

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented May 17, 2026

Thanks for the review, you’re right to ask for context.

After looking again, I agree this should not be framed as a confirmed high-severity exploitable vulnerability in the current code path. root is currently a fixed Pathname value, so I do not have evidence that attacker-controlled input reaches the backtick call today.

The reason for the change is defensive hardening: the current implementation invokes a shell unnecessarily, while Ruby’s argv form of IO.popen can run git directly without shell parsing. That avoids this class of issue if the command arguments are ever made dynamic later, and it also makes the intent more explicit.

I’m happy to update the PR title/description to something like:

“chore(ruby): avoid shell invocation in extsources.rb”

and remove the “high severity” / arbitrary code execution wording. This should be treated as a low-risk hardening cleanup rather than a confirmed security vulnerability.

@orbisai0security orbisai0security changed the title fix: remove unsafe exec() in extsources.rb... chore(ruby): avoid shell invocation in extsources.rb May 17, 2026
@KitaitiMakoto
Copy link
Copy Markdown
Contributor

KitaitiMakoto commented May 19, 2026

I don't think extsources.rb requires such strict hardening because now it's clear.

@orbisai0security
Copy link
Copy Markdown
Author

orbisai0security commented May 19, 2026

Thanks, that’s fair.

I agree that this is not a confirmed vulnerability in the current code, since the path is static and the script is clear. I’ll drop the security framing.

My only remaining rationale is cleanup/defence-in-depth: array-form process execution avoids shell parsing without changing behaviour. But I understand if you prefer not to add hardening where the current code is already clear and constrained.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@orbisai0security @KitaitiMakoto