vim/0001-patch-9.2.0496-security-Code-Injection-in-cucumber-f.patch
Zdenek Dohnal 6a0060b814 Fix CVE-2026-47167: Code Injection in cucumber filetype plugin
Backport upstream fix (commit a65a52d6) for CVE-2026-47167 to
vim 8.0.1763 on c8s. The patch replaces the unsafe
Kernel.eval('/'+pattern+'/') call in cucumber.vim with
Regexp.new(pattern), preventing Ruby code injection through
malicious step definition patterns.

Added Patch3059 with adaptations for vim 8.0: replaced
CheckFeature with has() guard and adjusted mkdir/cleanup
calls for compatibility.

CVE: CVE-2026-47167
Upstream patches:
 - a65a52d684.patch
Resolves: RHEL-185863

This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.

Assisted-by: Ymir
2026-07-01 10:46:23 +02:00

78 lines
2.8 KiB
Diff

From ea20c181c76ef339b5cf1ae02ce3f7593c57d14d Mon Sep 17 00:00:00 2001
From: Christian Brabandt <cb@256bit.org>
Date: Sun, 17 May 2026 19:39:24 +0000
Subject: [PATCH] patch 9.2.0496: [security]: Code Injection in cucumber
filetype plugin
Problem: [security]: Code Injection in cucumber filetype plugin
(Christopher Lusk)
Solution: Use rubys Regexp.new() with the untrusted pattern
Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
Signed-off-by: Christian Brabandt <cb@256bit.org>
---
runtime/ftplugin/cucumber.vim | 3 ++-
src/testdir/test_filetype.vim | 33 +++++++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/runtime/ftplugin/cucumber.vim b/runtime/ftplugin/cucumber.vim
index f4848d1..3361f1d 100644
--- a/runtime/ftplugin/cucumber.vim
+++ b/runtime/ftplugin/cucumber.vim
@@ -96,7 +96,8 @@ function! s:stepmatch(receiver,target)
catch
endtry
if has("ruby") && pattern !~ '\\\@<!#{'
- ruby VIM.command("return #{if (begin; Kernel.eval('/'+VIM.evaluate('pattern')+'/'); rescue SyntaxError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
+ " Use Regexp.new, so the pattern stays untrusted data and cannot inject Ruby
+ ruby VIM.command("return #{if (begin; Regexp.new(VIM.evaluate('pattern')); rescue RegexpError; end) === VIM.evaluate('a:target') then 1 else 0 end}")
else
return 0
endif
diff --git a/src/testdir/test_filetype.vim b/src/testdir/test_filetype.vim
index 62dbc74..e484d2f 100644
--- a/src/testdir/test_filetype.vim
+++ b/src/testdir/test_filetype.vim
@@ -595,3 +595,36 @@ func Test_script_detection()
filetype off
endfunc
+func Test_cucumber_code_injection()
+ if !has('ruby')
+ return
+ endif
+ filetype plugin on
+
+ call mkdir('Xcucu/features/step_definitions', 'p')
+ call writefile([
+ \ 'Feature: demo',
+ \ ' Scenario: trigger',
+ \ ' Given xyzzy',
+ \ ], 'Xcucu/features/test.feature')
+ let marker = getcwd() . '/Xcucu/MARKER'
+ " Malicious step: terminates the regex literal, injects Ruby system(),
+ " comments the trailing slash. With the fix, the pattern is passed to
+ " Regexp.new() instead of Kernel.eval() and the payload is inert.
+ call writefile([
+ \ 'Given /xyzzy/; system("touch ' . marker . '"); #/ do',
+ \ 'end',
+ \ ], 'Xcucu/features/step_definitions/poc.rb')
+
+ new Xcucu/features/test.feature
+ call assert_equal('cucumber', &filetype)
+ call cursor(3, 1)
+ " Triggers s:jump -> s:steps -> s:stepmatch on every discovered step,
+ " including the malicious one. Suppress preview and error messages.
+ silent! normal [d
+ call assert_false(filereadable(marker), 'Ruby injection executed')
+ bwipe!
+ call delete('Xcucu', 'rf')
+ filetype plugin off
+endfunc
+
--
2.52.0