As documented on the Wiki, uru currently adds two dummy entries to the PATH to mark the location where it added new Ruby directories to that variable. I understand why this is needed, but the specific names chosen for these markers have some unfortunate side effects which could be exploited by an attacker to trick a user into executing malicious code.
Specifically, if a malicious actor creates a directory with the name _U1_, any executable files added to that directory will override system commands when the user cd's to that directory's parent after invoking uru. So the file _U1_/ls could easily be run by a user accidentally if they cd to _U1_'s parent directory and then decide they want to know what files are in it.
In order to prevent this, uru should use absolute paths to a directory it controls in place of the relative _U2_ markers (e.g. /path/to/uru/dummy/_U2_ instead of _U2_).
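The following POSIX shell script is an added demonstration, not code from uru or from this issue's author, of both points above: a relative _U1_ entry in PATH resolves against whatever directory the user happens to be in, so an attacker-planted _U1_/ls shadows the real ls, while an absolute marker directory that uru controls does not move with the user's cwd. The scratch tree, the uru-dummy directory name and the fake ls are all constructed for the example; only the marker names _U1_ and _U2_ come from the issue.

```shell
#!/bin/sh
# Added example (not uru's own code): relative vs. absolute PATH markers.
# Everything is built under a throwaway mktemp directory; the layout is
# hypothetical and chosen only to make the shadowing visible.
set -u

# Build the scratch tree and print its root.
#   $tmp/victim/_U1_/ls   attacker-planted executable next to the directory
#                         the user will cd into
#   $tmp/uru-dummy/_U1_   stand-in for a marker directory uru would own
setup_scratch() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/victim/_U1_" "$tmp/uru-dummy/_U1_"
  printf '#!/bin/sh\necho HIJACKED\n' > "$tmp/victim/_U1_/ls"
  chmod +x "$tmp/victim/_U1_/ls"
  echo "$tmp"
}

# Run a command name under a given PATH from a given working directory, in a
# subshell so the caller's PATH and cwd are untouched. Assigning PATH (rather
# than using a one-shot prefix) also discards any hashed lookup of the command.
run_with_path() {
  ( cd "$2" || exit 1
    PATH=$1
    export PATH
    "$3" )
}

# Case 1: the marker is the relative name _U1_, as the issue describes.
# After cd to the parent of an attacker's _U1_ directory, "ls" resolves to
# ./_U1_/ls and the planted script runs instead of the system ls.
relative_marker_lookup() {
  run_with_path "_U1_:/usr/bin:/bin" "$1/victim" ls
}

# Case 2: the marker is an absolute path inside a directory uru controls.
# The same cd does not change what the PATH entry points at, so the system
# ls runs and simply lists the victim directory's contents (i.e. "_U1_").
absolute_marker_lookup() {
  run_with_path "$1/uru-dummy/_U1_:/usr/bin:/bin" "$1/victim" ls
}

scratch=$(setup_scratch)
echo "relative _U1_ marker -> $(relative_marker_lookup "$scratch")"
echo "absolute marker      -> $(absolute_marker_lookup "$scratch")"
rm -rf "$scratch"
```

The first line of output is HIJACKED, the second is the directory listing from the real ls. The same shadowing works for any command name the user is likely to type (git, ruby, bundle, ...), which is why the fix has to change the marker itself rather than just rename it.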
For more discussion on this, see "Is it safe to add . to my PATH? How come?" on StackExchange. All the same concerns there apply to this case: a relative PATH entry is equivalent to putting . (or a subdirectory of .) on the PATH.