Remote command injection in Ruby Gem Webbynode 1.0.5.3

11/11/2014
Larry W. Cashdollar, @_larry0

./working.W/data.W/webbynode-1.0.5.3/lib/webbynode/notify.rb

Messages via the growlnotify command line can possibly be used to execute
shell commands if the message contains shell meta characters.

    def self.message(message)
      if self.installed? and !$testing
        message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
        %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
      end
    end

The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc.  If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject
shell commands and execute them as the client user.