[GitLab] Conversion of Hashmap into arbitrary object allows for RCE when Importing from GitHub
Yet another case of automatically turning attacker data into full-blown objects being a bad idea. Here the Sawyer library used by Octokit turns the GitHub API response into Ruby objects, and those objects are then used to build Redis commands, so an attacker who controls the API response can inject arbitrary Redis commands and from there reach code execution.
The API responses are treated as trusted, but the importer accepts a custom github_domain (there to support Enterprise customers with self-hosted GitHub instances), so an attacker can set up their own server and have it used in place of the real GitHub.com API. The build_command method takes the object straight from the API response and uses it without any validation, so the attacker has complete control over it and can supply a value whose to_s (Ruby's version of a toString or __str__ type method) contains Redis commands.
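The pattern described above, as an added example that is not GitLab's, Octokit's or Sawyer's own code: OpenStruct stands in for a library that turns a parsed API hash into an object, the JSON field names, the Redis key layout and the two builder functions are hypothetical, and the malicious response is constructed inline. The vulnerable builder interpolates the object's fields into an inline Redis command, so a String returned where an Integer was expected can carry CRLF-separated extra commands; the hardened builder checks the types it expects and length-prefixes every argument in RESP, which leaves no way for a value to start a new command.

```ruby
require 'json'
require 'ostruct'

# Constructed responses (not real GitHub data). The real API returns "number"
# as an Integer, but a server the attacker controls can return any JSON value.
BENIGN_RESPONSE = '{"number": 42, "title": "hi"}'.freeze
MALICIOUS_RESPONSE =
  '{"number": "42 pending\r\nSET injected 1\r\nGET", "title": "hi"}'.freeze

# Stand-in (hypothetical) for a library that turns the parsed hash into an
# object with attribute accessors; values keep whatever type the JSON had.
def to_object(json)
  OpenStruct.new(JSON.parse(json))
end

# Vulnerable: inline command assembled by string interpolation, so whatever
# issue.number.to_s yields lands in the command stream verbatim.
def build_command_vulnerable(issue)
  "SET import:issue:#{issue.number} pending\r\n"
end

# Encode one command as RESP bulk strings: "*<argc>\r\n" then, per argument,
# "$<bytes>\r\n<bytes>\r\n". CR/LF inside a value is just payload bytes.
def resp_encode(args)
  out = +"*#{args.size}\r\n"
  args.each do |a|
    s = a.to_s
    out << "$#{s.bytesize}\r\n#{s}\r\n"
  end
  out
end

# Hardened: reject anything that is not the type the importer expects, and
# never build the command by interpolation.
def build_command_hardened(issue)
  num = issue.number
  unless num.is_a?(Integer)
    raise ArgumentError, "issue.number must be an Integer, got #{num.class}"
  end
  resp_encode(['SET', "import:issue:#{num}", 'pending'])
end

# Number of commands a server reading the inline protocol would execute.
def inline_command_count(payload)
  payload.split("\r\n").reject(&:empty?).size
end

if __FILE__ == $PROGRAM_NAME
  puts build_command_vulnerable(to_object(MALICIOUS_RESPONSE)).inspect
  puts build_command_hardened(to_object(BENIGN_RESPONSE)).inspect
  begin
    build_command_hardened(to_object(MALICIOUS_RESPONSE))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running it shows the malicious response turning one SET into three commands in the vulnerable path, while the hardened path refuses the String-typed number outright; even if a CRLF-bearing string did reach resp_encode, it would be sent as a single length-prefixed argument.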