From 4c46a15e0a7815ca9e4cd7c7fda042eb8c1b7724 Mon Sep 17 00:00:00 2001
From: Matthew Draper
Date: Fri, 8 May 2020 11:52:26 -0400
Subject: [PATCH] Restrict which local names can be eval'd [CVE-2020-8163]
---
 actionview/lib/action_view/template.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/actionview/lib/action_view/template.rb b/actionview/lib/action_view/template.rb
index 6b61378a1f..753b854aef 100644
--- a/actionview/lib/action_view/template.rb
+++ b/actionview/lib/action_view/template.rb
@@ -312,8 +312,12 @@ def handle_render_error(view, e) #:nodoc:
 end
 def locals_code #:nodoc:
+ # Only locals with valid variable names get set directly. Others will
+ # still be available in local_assigns.
+ locals = @locals.to_set - Module::DELEGATION_RESERVED_METHOD_NAMES
+ locals = locals.grep(/\A(?![A-Z0-9])(?:[[:alnum:]_]|[^\0-\177])+\z/)
 # Double assign to suppress the dreaded 'assigned but unused variable' warning
- @locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" }
+ locals.each_with_object('') { |key, code| code << "#{key} = #{key} = local_assigns[:#{key}];" }
 end
 def method_name #:nodoc:
-- 
GitLab
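Review bot: The `grep` regex on the second added `locals =` line is now the only thing that keeps a local-assign key from being interpolated verbatim into the source that `locals_code` feeds to the template compiler, but the two-line comment above it presents the filter as a naming convenience rather than a boundary; I would extend it with `# Keys that fail this check are never interpolated into compiled template source (CVE-2020-8163); they remain reachable via local_assigns` and hoist the pattern into a named frozen constant so the identifier rule can be referenced from a test. The keyword subtraction on the line before it only removes anything if `@locals` and `Module::DELEGATION_RESERVED_METHOD_NAMES` hold the same element type (both strings or both symbols); that normalisation, if any, happens outside this hunk, so it is worth confirming rather than assuming. The hunk also adds no test for the new behaviour: a regression test asserting that a key such as `"foo-bar"` is absent from the string returned by `locals_code` while still present in `local_assigns` would pin the fix. `to_set` presumably relies on `set` already being loaded by the framework; worth a glance if this file is ever used outside it.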