Tanaka Akira <akr / fsij.org> wrote:
> 2013/11/22  <drbrain / ruby-lang.org>:
> > drbrain 2013-11-22 08:27:30 +0900 (Fri, 22 Nov 2013)
> >
> >   New Revision: 43767
> >
> >   http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=43767
> >
> >   Log:
> >     * lib/rubygems:  Update to RubyGems master 50a8210.  Important changes
> >       in this commit:
> >
> >       RubyGems now automatically checks for gem.deps.rb or Gemfile when
> >       running ruby executables.  This behavior is similar to `bundle exec
> >       rake`.  This change may be reverted before Ruby 2.1.0 if too many bugs
> >       are found.
> 
> I think that running ./Gemfile is a security risk.
> It may match "CWE-114: Process Control".
> http://cwe.mitre.org/data/definitions/114.html

I agree with akr, this looks very scary.

I clone + read code for many projects, but rarely /run/ the code because
I'm still reviewing it and do not yet trust it to run.

However, if I run any RubyGem executable in the working directory (e.g.
dtas-ctl to control my music player), I could be loading that Gemfile
code inadvertently.  This is totally surprising and dangerous behavior.
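A defender-side check matching the concern above, added here as an example (not code from this thread or from RubyGems): before running any gem executable in a cloned directory, list the lines of a `gem.deps.rb` or `Gemfile` that fall outside the usual declarative DSL, since everything in those files is evaluated as Ruby. The DSL word list and the "suspicious line" heuristic are assumptions of this example, not RubyGems' own logic.

```ruby
require 'tmpdir'

# Dependency files that, per the thread, RubyGems looks for when running an executable.
DEP_FILES = %w[gem.deps.rb Gemfile].freeze

# Calls a plain, declarative dependency file is expected to consist of (assumed list).
# Anything else is arbitrary Ruby that runs when the file is evaluated.
DECLARATIVE = %w[source gem group end platforms platform ruby gemspec git_source path git].freeze

# Return [line_number, line] pairs for lines outside the declarative DSL.
# Heuristic only: it inspects the leading word of each line, it does not parse Ruby.
def suspicious_lines(text)
  text.each_line.with_index(1).filter_map do |line, no|
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    word = stripped[/\A[a-z_][A-Za-z0-9_]*/]
    next if word && DECLARATIVE.include?(word) && !stripped.include?('`')
    [no, stripped]
  end
end

# Look for dependency files in dir and return { path => suspicious line pairs }.
# An empty hash means no dependency file exists or all lines look declarative.
def scan_dir(dir)
  DEP_FILES.each_with_object({}) do |name, report|
    path = File.join(dir, name)
    next unless File.file?(path)
    found = suspicious_lines(File.read(path))
    report[path] = found unless found.empty?
  end
end

# Demonstration on a constructed Gemfile in a temporary directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'Gemfile'), <<~RUBY)
      source 'https://rubygems.org'
      gem 'rake'
      system('echo this line runs when the Gemfile is evaluated')
    RUBY
    scan_dir(dir).transform_keys { |p| File.basename(p) }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run it from a freshly cloned project directory (`scan_dir(Dir.pwd)`) to see which lines a gem executable started there would cause to be evaluated.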