At https://github.com/projecthydra/om/blob/master/lib/om/xml/term_value_operators.rb#L168, OM trusts that the template will not contain a double-quote. If it does...
```ruby
require "om"

class MockMetadata
  include OM::XML::Document

  set_terminology do |t|
    t.root(path: 'fields')
    # This term's xpath contains a double quote followed by Ruby statements.
    # The quote terminates the template string that OM evaluates for the
    # term (see the linked line), and everything after it runs as Ruby.
    t.title(path: '//title[@attr=";puts %q{I can inject ruby here!}; exit;"]')
  end

  def self.xml_template
    Nokogiri::XML.parse("<fields/>")
  end
end

newdoc = MockMetadata.new
# Assigning a value inserts the term from its template, which triggers the injection.
newdoc.title = 'test'
```
```
$ ruby test.rb
I can inject ruby here!
```
It is not immediately obvious that double quotes are not allowed in a path. We see it being done at https://github.com/projecthydra-labs/hydradam/blob/master/app/models/datastreams/import_pbcore_datastream.rb#L10
At the root, this is another symptom of the same problem described in #11.
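To make the failure mode concrete, here is an added example (not OM's code; all function names are hypothetical): a path pasted between double quotes into Ruby source that is later evaluated, a lexer-based check that rejects a path which breaks out of that literal without executing anything, and the escaped form that survives evaluation intact. The injected path is the one from the report above.

```ruby
require "ripper"

# Constructed inputs: the injected path is the one from the report above.
BENIGN_PATH   = "//title[@attr='x']"
INJECTED_PATH = '//title[@attr=";puts %q{I can inject ruby here!}; exit;"]'

# The vulnerable pattern: paste the path between literal double quotes to
# build Ruby source that will later be eval'd.
def naive_literal(path)
  "\"#{path}\""
end

# The fix: let Ruby write the literal, so quotes, backslashes and #{...}
# inside the path are escaped instead of being parsed as code.
def escaped_literal(path)
  path.dump
end

# Lex (never execute) a generated snippet and accept it only if it is exactly
# one string literal. A path that "breaks out" produces semicolons,
# identifiers or interpolation tokens, or a second literal, and is rejected.
def single_string_literal?(src)
  types = Ripper.lex(src).map { |_pos, type, _tok, _state| type }
  allowed = %i[on_tstring_beg on_tstring_content on_tstring_end]
  types.first == :on_tstring_beg && types.last == :on_tstring_end &&
    types.count(:on_tstring_beg) == 1 && types.all? { |t| allowed.include?(t) }
end

# Check a terminology path before handing it to a template engine that
# quotes it naively, as OM does at the linked line.
def path_safe_for_template?(path)
  single_string_literal?(naive_literal(path))
end

# Guard for code that still has to eval generated source: refuse anything
# that is not a lone string literal.
def eval_string_literal(src)
  raise ArgumentError, "not a single string literal: #{src}" unless single_string_literal?(src)
  eval(src)
end

if __FILE__ == $PROGRAM_NAME
  puts "benign path safe?   #{path_safe_for_template?(BENIGN_PATH)}"   # true
  puts "injected path safe? #{path_safe_for_template?(INJECTED_PATH)}" # false
  puts "escaped round-trip: #{eval_string_literal(escaped_literal(INJECTED_PATH)) == INJECTED_PATH}" # true
end
```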