Title: Vulnerability Report for Ruby Gem lingq-0.3.1
Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014
Download: http://rubygems.org/gems/lingq
Gem Author: ethan.vizitei@gmail.com

From: ./lingq-0.3.1/lib/lingq/client.rb

Line 46 exposes the lingq.com API key on the command line via the #{@apikey} variable. If this Gem is used in the context of a Rails application, a remote user may be able to inject commands into the shell via special meta characters such as ; and &, as the interpolated variables are not sanitized.

08- attr_reader :target_language
9- attr_reader :languages
10-
11: def initialize(api_key)
12: @apikey = api_key
13- load_languages!
14- end
15-
--
43- #put_with_language("lingqs/",word.params)
44-
46: system_call("curl -X PUT -d id=#{word.id};status=#{word.status};hint=#{word.hint};fragment=#{word.fragment} http://www.lingq.com/api_v2/#{@target_language}/lingqs/?apikey=#{@apikey}")
47- end
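The following is an added example, not code from the gem or from the report. It reconstructs the shape of the interpolated shell string from line 46 (returned, not executed, so it can be inspected), adds a small check that flags values carrying shell meta characters, and shows a hardened replacement that issues the PUT with Net::HTTP in-process: no shell is involved, the form fields are URL-encoded so ; and & stay data, and the API key never appears in a process argument list. The Word struct and the field names are constructed from the excerpt; the apikey query parameter is kept because that is the transport the excerpt shows, and the host name is a parameter so the request is not sent anywhere in the example.

```ruby
require 'uri'
require 'net/http'

# Constructed stand-in for the gem's word object; field names taken from the excerpt.
Word = Struct.new(:id, :status, :hint, :fragment)

# Shape of the vulnerable call reported on line 46: one interpolated string handed to
# the shell. Returned as a string so the example can show what the shell would see.
def vulnerable_command(word, target_language, apikey)
  "curl -X PUT -d id=#{word.id};status=#{word.status};hint=#{word.hint};" \
  "fragment=#{word.fragment} http://www.lingq.com/api_v2/#{target_language}/lingqs/?apikey=#{apikey}"
end

# Characters that terminate or chain commands when an unquoted value reaches the shell.
SHELL_META = /[;&|`$()<>\n]/

# Defensive check: true when a value would break out of an unquoted shell string.
def shell_metachar?(value)
  !!(value.to_s =~ SHELL_META)
end

# Hardened form (assumed replacement, not the gem's own code): the request is built
# in-process, so there is no shell and no curl process whose arguments (including the
# key) could be read from the process table. Fields are form-encoded by Net::HTTP.
def build_safe_request(word, target_language, apikey, host: "www.lingq.com")
  lang = URI.encode_www_form_component(target_language)
  uri = URI::HTTPS.build(host: host,
                         path: "/api_v2/#{lang}/lingqs/",
                         query: URI.encode_www_form(apikey: apikey))
  req = Net::HTTP::Put.new(uri)
  req.set_form_data(id: word.id, status: word.status,
                    hint: word.hint, fragment: word.fragment)
  [uri, req]
end

# Sender for the hardened request; deliberately not called below so the example runs offline.
def send_safe_request(uri, req)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
end

if __FILE__ == $0
  w = Word.new(1, "1", "hint; second", "frag")   # constructed sample with a ';' in a field
  puts "vulnerable: #{vulnerable_command(w, 'en', 'SECRET')}"
  puts "flagged:    #{shell_metachar?(w.hint)}"
  uri, req = build_safe_request(w, 'en', 'SECRET')
  puts "safe url:   #{uri}"
  puts "safe body:  #{req.body}"
end
```

In the vulnerable string the ; inside the hint field is unquoted, so the shell treats what follows as a separate command; in the hardened request the same value is encoded as hint%3B+second in the body, and the only process holding the key is the Ruby process itself.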