Information Disclosure
Description
The commit mitigates an information disclosure risk in the Rails test suite by no longer modifying the RAKEOPT environment variable directly and instead wrapping the generator run in a quiet execution wrapper. Previously, the shared test helper set ENV["RAKEOPT"] to "--silent" in a setup hook and restored the original value in teardown; that mutation could leak internal configuration/state through environment state visible in test logs or artifacts. The change removes the environment mutation (and the accompanying teardown of RAKEOPT) and relies on the quietly wrapper to suppress output, reducing the chance that RAKEOPT or related internal settings leak into logs.
Proof of Concept
PoC (illustrative, pre-fix leakage path):
```ruby
# Vulnerable behavior (simulated in a minimal repro to illustrate leakage):
# Suppose a test helper mutates RAKEOPT and prints it as part of test setup/logs.
# Guarded by the assumption that such leakage could happen when logs capture environment state.

# Vulnerable reproduction (pre-fix):
# The following Ruby snippet simulates mutating ENV["RAKEOPT"] and printing it to logs.
# In a real Rails test, this would occur inside test setup and could end up in CI logs.
ENV["RAKEOPT"] = "--silent" # test helper mutates environment to silence rake tasks
puts "RAKEOPT=#{ENV["RAKEOPT"]}" # this line would leak the chosen RAKEOPT value to logs
# Expected attacker impact: if RAKEOPT contained sensitive guidance or internal configuration,
# its value could be captured in logs or test artifacts.

# Fixed reproduction (post-fix):
# The code path uses a quietly wrapper and does not mutate or print RAKEOPT.
require "stringio"

def quietly(&block)
  # Simplified stand-in for ActiveSupport's Kernel#quietly: swallow $stdout and
  # $stderr while the block runs, then restore both streams (also on error).
  old_stdout, old_stderr = $stdout, $stderr
  $stdout = StringIO.new
  $stderr = StringIO.new
  block.call
ensure
  $stdout, $stderr = old_stdout, old_stderr
end

# The risky mutation is avoided here
quietly do
  # normal test work (e.g., with_database_configuration) would run without altering ENV["RAKEOPT"]
  # no leakage of ENV["RAKEOPT"] occurs
end
```
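The following is an added example, not code from the Rails commit or its test suite. It pairs a minimal stand-in for ActiveSupport's `Kernel#quietly` with a snapshot check that reports every ENV key a block leaves changed; the shape of that check is an assumption about how a test can be flagged as "leaking" RAKEOPT, not Rails' own leak detection. The two `run_with_*` methods and the fixtures path are constructed stand-ins for the pre-fix and post-fix patterns in the diff.

```ruby
# Added example (not from the Rails commit): quiet wrapper plus ENV leak check.
require "stringio"

# Swallow $stdout and $stderr while the block runs; restore both even on error.
# Returns the block's value. ENV is never touched.
def quietly
  old_stdout, old_stderr = $stdout, $stderr
  $stdout = StringIO.new
  $stderr = StringIO.new
  yield
ensure
  $stdout, $stderr = old_stdout, old_stderr
end

# Snapshot ENV around the block and return { key => [before, after] } for every
# variable whose value differs afterwards (added, removed or changed).
# Assumed shape of a leak check; not Rails' own implementation.
def env_leaks_from
  before = ENV.to_h
  yield
  after = ENV.to_h
  (before.keys | after.keys).each_with_object({}) do |key, leaks|
    leaks[key] = [before[key], after[key]] if before[key] != after[key]
  end
end

# Constructed stand-in for the pre-fix pattern: a hook sets RAKEOPT so that
# spawned rake tasks are silent. If the matching teardown never runs (the test
# is interrupted, or no teardown is registered) the value outlives the test,
# and it is process-wide while the test runs regardless.
def run_with_rakeopt_mutation
  ENV["RAKEOPT"] = "--silent"
  puts "(in /constructed/path/to/fixtures)" # the noise the variable was meant to hide
  :ok
end

# Constructed stand-in for the post-fix pattern: same work, wrapped in quietly,
# with ENV left alone.
def run_with_quietly
  quietly { puts "(in /constructed/path/to/fixtures)" }
  :ok
end

# True when quietly put the original streams back after the block raised.
def quietly_restores_streams?
  original = $stdout
  begin
    quietly { raise "generator failed" }
  rescue RuntimeError
    # expected: the error propagates, but the streams must still be restored
  end
  $stdout.equal?(original)
end

if __FILE__ == $PROGRAM_NAME
  ENV.delete("RAKEOPT")
  p env_leaks_from { run_with_rakeopt_mutation } # {"RAKEOPT"=>[nil, "--silent"]}
  ENV.delete("RAKEOPT")
  p env_leaks_from { run_with_quietly }          # {}
end
```

Run stand-alone, the first check reports RAKEOPT as leaked and the second reports nothing, which is the difference the commit relies on: `quietly` changes only the current process's stream objects, so nothing it does is observable through ENV by other threads, spawned processes or later tests.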
Commit Details
Author: zzak
Date: 2025-12-29 07:18 UTC
Message:
Prefer quietly over modifying RAKEOPT env
Added in a6b503c, this was originally to silence the following output:
```
bin/test test/generators/action_text_install_generator_test.rb
Run options: --seed 20435
# Running:
(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.(in /home/zzak/code/rails/railties/test/fixtures)
.
```
Using `quietly` is preferred to modifying the execution environment, as
it can result in leaks; this code was detected as leaking `RAKEOPT`.
Similar to fcc3d29.
Triage Assessment
Vulnerability Type: Information Disclosure
Confidence: HIGH
Reasoning:
The commit addresses leaking an environment variable (RAKEOPT) by avoiding direct modification of the environment and using a quiet execution wrapper instead. This reduces information leakage during test runs and prevents potential exposure of internal configuration through environment state.
Verification Assessment
Vulnerability Type: Information Disclosure
Confidence: HIGH
Affected Versions: 8.1.x prior to 8.1.3 (fixed in 8.1.3 by this commit)
Code Diff
diff --git a/railties/test/generators/action_text_install_generator_test.rb b/railties/test/generators/action_text_install_generator_test.rb
index 92e3b64e473f3..a11a5ac546b48 100644
--- a/railties/test/generators/action_text_install_generator_test.rb
+++ b/railties/test/generators/action_text_install_generator_test.rb
@@ -83,7 +83,7 @@ def run_generator_instance
run_command_stub = -> (command, *) { @run_commands << command }
generator.stub :run, run_command_stub do
- with_database_configuration { super }
+ quietly { with_database_configuration { super } }
end
end
end
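Review bot: the `quietly` wrap on the `+` line is added only to this test class's `run_generator_instance`, while the second file removes the `--silent` RAKEOPT setup that applied to every class including GeneratorsTestHelper; any other generator test that shells out to rake may now print its `(in …)` lines again, so either check those tests or move the `quietly` into the shared helper. Also worth noting in the commit message that `quietly` silences stderr as well as stdout, so a failing generator command's diagnostics are swallowed; assertion failures still propagate as exceptions, so the test result itself is unaffected.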
diff --git a/railties/test/generators/generators_test_helper.rb b/railties/test/generators/generators_test_helper.rb
index e0294328cc144..6447e185ceef0 100644
--- a/railties/test/generators/generators_test_helper.rb
+++ b/railties/test/generators/generators_test_helper.rb
@@ -28,9 +28,6 @@ def self.included(base)
setup { Rails.application.config.root = Pathname("../fixtures").expand_path(__dir__) }
- setup { @original_rakeopt, ENV["RAKEOPT"] = ENV["RAKEOPT"], "--silent" }
- teardown { ENV["RAKEOPT"] = @original_rakeopt }
-
begin
base.tests Rails::Generators.const_get(base.name.delete_suffix("Test"))
rescue
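Review bot: dropping the setup/teardown pair is the right fix for the leak: `ENV` is process-wide, so even with the `teardown { ENV["RAKEOPT"] = @original_rakeopt }` restore the `--silent` value was visible to every other thread and spawned process for the duration of each test, and an interrupted test that never reached teardown left it set for the rest of the run. One style point: the removed `-` blank line leaves `setup { Rails.application.config.root = … }` directly followed by `begin`; keep a blank line there if the file separates the setup hooks from the `begin` block elsewhere.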