ADVISORIES
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
CVSS v2.0: 7.5 (High)
PATCHED VERSIONS
- >= 0.26.9
DESCRIPTION
Summary
The rubyLsp.branch VS Code workspace setting was interpolated without
sanitization into a generated Gemfile, allowing arbitrary Ruby code
execution when a user opens a project containing a malicious
.vscode/settings.json.
Other editors that support workspace setting that get automatically applied upon opening the editor and trusting the workspace are also impacted since the server is the component that performs the interpolation.
Details
The branch CLI argument passed to the ruby-lsp server was
interpolated in the generated .ruby-lsp/Gemfile without sanitization.
Editors that allow defining settings saved at the workspace level
(e.g.: .vscode/settings.json) that gets automatically applied open
the possibility to craft a malicious repository that once opened and
trusted in the editor would run arbitrary code.
Impact
Code execution with the privileges of the user who opens the malicious project. Ruby LSP assumes workspace code is trusted and so opening the editor on an untrusted workspace can lead to executing potentially dangerous code.
Remediation
The rubyLsp.branch setting has been removed entirely. VS Code extensions
auto-update by default, so most users will receive the fix without
action. Users who have disabled auto-updates should update to extension
version >= 0.10.2.
The branch CLI flag was also entirely removed from the ruby-lsp
gem. For users that don't add ruby-lsp to their Gemfiles, the
server should auto-update. Users with the ruby-lsp in the Gemfile
and locked to a specific version should update to >= 0.26.9.