or Create a profile

Home Suggestions

Security Concern with the gem system...

Stephen Blackstone's Avatar

Stephen Blackstone

03 Nov, 2010 02:21 PM

Suppose I wrote a gem.. Lets call it "rals". It does the following

1) something Malicious
2) Installs Rails

For bonus points, it would also uninstall itself and try to suppress "rals successfully installed". (perhaps it spawns a new thread and then kills the gem process)...

A simple typo could lead to a massive security breach on the users system. Its particularly bad that many people do "sudo gem install" so the process is running as root...

  1. Support Staff 2 Posted by Nick Quaranto on 04 Aug, 2012 06:49 PM

    Nick Quaranto's Avatar

    Sorry, this comment was buried in our spam inbox. And WOW from 2010! Very buried under tons of Russian spam.

    gem install can't run any code on the users' system after install. You have to specifically invoke code within it from another ruby process. In general, yes, typos are a problem, but we haven't seen anything yet. Thanks for bringing this up though.

  2. Nick Quaranto closed this discussion on 04 Aug, 2012 06:49 PM.

Comments are currently closed for this discussion. You can start a new one.

2 people watching.

  • New Issue

  • Conversation Started

  • The discussion is closed

    No more actions from RubyGems.org or the discussion starter are required.

  • Re-open the discussion

Recent Discussions

04 Aug, 2012 05:46 PM No registration email received
13 May, 2013 06:18 PM Redirect Loop when Downloading Rubygems
17 May, 2013 09:14 PM I cannot install 'Ruby on Rails' on OSX10.8.3
19 Dec, 2012 01:31 AM Dependency API is not reporting latest release

Recent Articles

Supporter FAQ
Gem ownership
Installing gems with no network
Removing a published RubyGem
Why do I get HTTP Response 302 or 301 when installing a gem?