From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001 From: Christian Brabandt Date: Sun, 17 May 2026 19:39:24 +0000 Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber filetype plugin Problem: [security]: Code Injection in cucumber filetype plugin (Christopher Lusk) Solution: Use rubys Regexp.new() with the untrusted pattern Github Security Advisory: https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9 Signed-off-by: Christian Brabandt --- runtime/ftplugin/cucumber.vim | 3 ++- src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim index f4848d1..3361f1d 100644 --- a/runtime/ftplugin/cucumber.vim +++ b/runtime/ftplugin/cucumber.vim @@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target) catch endtry if has("ruby") && pattern !~ '\\\@ s:steps -> s:stepmatch on every discovered step, + " including the malicious one. Suppress preview and error messages. + silent! normal [d + call assert_false(filereadable(marker), 'Ruby injection executed') + bwipe! + call delete('Xcucu', 'rf') + filetype plugin off +endfunc + -- 2.52.0