---
engine: ruby
cve: 2019-16255
url: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
title: A code injection vulnerability of Shell#[] and Shell#test
date: 2019-10-01
description: |
  Shell#[] and its alias Shell#test defined in lib/shell.rb allow code
  injection if the first argument (aka the “command” argument) is untrusted
  data. An attacker can exploit this to call an arbitrary Ruby method.

  Note that passing untrusted data to methods of Shell is dangerous in general.
  Users must never do it. However, we treat this particular case as a
  vulnerability because the purpose of Shell#[] and Shell#test is considered file
  testing.
patched_versions:
  - "~> 2.4.8"
  - "~> 2.5.7"
  - "~> 2.6.5"
  - "> 2.7.0-preview1"