5 matches found
GitLab: Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities
I was digging through the gitlab-foss repository and noticed an interesting pattern that seems to be adopted in a few places: the use of Forwardable with meta-programming over delegators, explicit attr_reader methods or method_missing. Heads up: the arbitrary file read vulnerability I demonstrate in...
shopify-scripts: Crash in mrb_ary_push
PoC === The following demonstrates a crash: def methodmissing end .00 %= begin0=0 00end Debug info ========== The crash happens in mrb_ary_push: 495│ mrb_ary_push(mrb_state *mrb, mrb_value ary, mrb_value elem) 496│ 497│ struct RArray *a = mrb_ary_ptr(ary); 498├─ mrb_int len = ARY_LEN(a); gdb p a $1 = struct RArray...
shopify-scripts: SIGABRT - mirb and mruby
PoC ------------------- The following code triggers the bug attached as test.rb: def methodmissingm,e self.ff||=00end e Debug - mirb ------------------- x@x:/Desktop/test/mruby/bin$ gdb -q ./mirb Reading symbols from ./mirb...done. gdb r test.rb Starting program: /home/x/Desktop/test/mruby/bin/mi...
shopify-scripts: SIGABRT - method_missing - mark_context_stack
PoC ------------------- The following code triggers the bug attached as testmethodmissing.rb: def methodmissinge,0.n||=0 00end b Debug - mirb ------------------- gdb r testmethodmissing.rb Starting program: /home/x/Desktop/research/test/mruby/bin/mirb testmethodmissing.rb mirb - Embeddable...
shopify-scripts: Undefined method_missing null pointer dereference
It's possible to segfault mruby by undefining BasicObject#method_missing in certain cases. There is a fallback method_missing C function mrb_method_missing which is called in some cases when the VM fails to look up the method_missing method: BasicObject.remove_method(:method_missing); 1.foo NoMethodError:...