Bug #10066

closed

File.expand_path performs poor validation of absolute path

Added by lavamunky (Peter Blay) over 11 years ago. Updated over 11 years ago.

Status: Rejected
Assignee: -
Target version: -
ruby -v: ruby 2.2.0dev (2014-07-19 trunk 46871) [x86_64-linux]
[ruby-core:63839]

Description

With File.expand_path(), if one of the arguments is of the form "~/.*", then it will search for the environment variable $HOME. If this is set to:

export HOME="/home/peter"

Then searching for File.expand_path '~/.bashrc' works as expected. If the variable is specified as:

export HOME="ls -la / #"

Then File.expand_path '~/.bashrc' works as expected and raises an ArgumentError for a non-absolute home. However this performs a poor validation on the environment variable, as this works around the issue:

export HOME="/bin/bash -c \"ls -la /\" #/home/peter"

From here File.expand_path '~/.bashrc' returns:

"/bin/bash -c \"ls -la /\" #/home/peter/.bashrc"

This potentially enables various security vulnerabilities such as command injection above, if this is passed to a function that runs commands, or could potentially allow an attacker other means of attack on privilege escalation, or to change other values within an application.
Please note that this affects both arguments for File.expand_path().
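
An added example, not part of the original report and not Ruby project code: it reproduces the reported result with the report's HOME value and shows how code that consumes an expanded path can stay safe regardless. The helper names are hypothetical, and the directory check is an assumed application policy, not something File.expand_path does.

```ruby
require "open3"
require "rbconfig"
require "shellwords"

# HOME value taken from the report: absolute, so expand_path accepts it.
HOSTILE_HOME = "/bin/bash -c \"ls -la /\" #/home/peter"

# Hypothetical helper: expand a "~/..." path with HOME temporarily overridden.
def expand_with_home(home, path)
  saved = ENV["HOME"]
  ENV["HOME"] = home
  File.expand_path(path)
ensure
  ENV["HOME"] = saved
end

# Hypothetical policy check: accept HOME only if it names an existing directory.
def trustworthy_home?(home)
  !home.nil? && home.start_with?("/") && File.directory?(home)
end

# Pass the path as one argv element; no shell ever parses it.
def argv_roundtrip(path)
  out, status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", path)
  raise "child process failed" unless status.success?
  out
end

# If a shell command string is unavoidable, quote the path first.
def shell_quoted(path)
  Shellwords.escape(path)
end

if __FILE__ == $0
  expanded = expand_with_home(HOSTILE_HOME, "~/.bashrc")
  puts "expanded:      #{expanded}"
  puts "HOME trusted?  #{trustworthy_home?(HOSTILE_HOME)}"
  puts "argv child saw #{argv_roundtrip(expanded)}"
  puts "shell-quoted:  #{shell_quoted(expanded)}"
end
```

The child process receives the whole string as a single argument, so the quotes, spaces and `#` in it are plain data.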
