Security is hard, it requires knowing your system is vulnerable, you should assume it is, but many Ruby on Rails developers seem to forget about it.
I’m writing this because a security vulnerability is promoted and it has to be stopped. The problem is adding
$PATH. This is extended version of the problem with
$PATH described here http://www.tldp.org/HOWTO/Path-12.html.
bin or it’s variation is in
$PATH, attacker can place there executable that will be executed instead of system files and gives attacker possibility to run code on your system easily. This is described better here (for the
. case): http://www.dankalia.com/tutor/01005/0100501004.htm.
So why would anyone advice us to jeopardize our system? The answer is
bundle exec, it is so long to write and is required to run proper versions of gems placed in
Gemfile. To avoid calling it the bundler gem introduces
binstubs, many developers advised adding the
bin variation to
$PATH to simplify calling
bin/binary to just
I guess you are thinking now “how is it relevant, I do review my code before running any commands”, the question is “are you?”. There is a lot of tools and extensions to shell that run commands for you, the simplest would be using
PS1 to display git status, something like
\u@\h:\w $(git branch) > it will execute a
git command when displaying the prompt. So when someone writes
bin/git into the repository – it will be executed before you can review code after
git pull. The prompt and pre command hooks are very popular now and give a lot of options for attackers when
bin is in
“What should I do then?”
First, you can stop being lazy and type
bundle exec rake this way
Bundler will be loaded without the possibility to add extra code to your
Another solution that helps to fix this problem – I wrote a gem rubygems-bundler which automates calling
bundle exec, it does check if the executed binary is part of
Gemfile and automatically calls
Bundler.setup when needed, this eliminates the need to use binstubs wrappers.