" Language: Cucumber
" Maintainer: Tim Pope <vimNOSPAM@tpope.org>
" Last Change: 2016 Aug 29
+" 2026 May 26 by Vim Project: prevent Code Injection
+" https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
" Only do this when not done yet for this buffer
if (exists("b:did_ftplugin"))
catch
endtry
if has("ruby") && pattern !~ '\\\@<!#{'
- ruby VIM.command("return #{if (begin; Kernel.eval('/'+VIM.evaluate('pattern')+'/'); rescue SyntaxError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
+ " Use Regexp.new, so the pattern stays untrusted data and cannot inject Ruby
+ ruby VIM.command("return #{if (begin; Regexp.new(VIM.evaluate('pattern')); rescue RegexpError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
else
return 0
endif
filetype off
endfunc
+func Test_cucumber_code_injection()
+ CheckFeature ruby
+ filetype plugin on
+
+ call mkdir('Xcucu/features/step_definitions', 'pR')
+ call writefile([
+ \ 'Feature: demo',
+ \ ' Scenario: trigger',
+ \ ' Given xyzzy',
+ \ ], 'Xcucu/features/test.feature')
+ let marker = getcwd() . '/Xcucu/MARKER'
+ " Malicious step: terminates the regex literal, injects Ruby system(),
+ " comments the trailing slash. With the fix, the pattern is passed to
+ " Regexp.new() instead of Kernel.eval() and the payload is inert.
+ call writefile([
+ \ 'Given /xyzzy/; system("touch ' . marker . '"); #/ do',
+ \ 'end',
+ \ ], 'Xcucu/features/step_definitions/poc.rb')
+
+ new Xcucu/features/test.feature
+ call assert_equal('cucumber', &filetype)
+ call cursor(3, 1)
+ " Triggers s:jump -> s:steps -> s:stepmatch on every discovered step,
+ " including the malicious one. Suppress preview and error messages.
+ silent! normal [d
+ call assert_false(filereadable(marker), 'Ruby injection executed')
+ bwipe!
+ filetype plugin off
+endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
projects / thirdparty / vim.git / commitdiff
