Menu
I was just about to install a Ruby gem by someone I hadn't heard of. But something made me think "Who is this guy?". Is there any risk of a Ruby gem accessing private data on your machine and transmitting it elsewhere - since the gem system has Internet access? Or are there protections against this?
206
Of course there is. You're installing software on your computer that runs with the privileges of the script/user that calls it. It's probably easier to spot malicious code in pure Ruby than in binary packages. But if you think source inspection is a guaranteed way to spot malicious code, check out the under-handed C contest.
That said, if you want to write malware there are more effective delivery systems than Ruby gems. I would not be surprised if the number of actual malicious gems in existence is 0, and thus that the probability that this one is malicious is likewise 0...
See: http://rubygems.org/read/chapter/14#page61
198
answered Oct 19 '22 16:10
There is a risk of malicious code whenever you import unknown logic into an application. The risks are only as deep as the data to which that application has access. Like how Java applets are sandboxed.
Get signed packages you trust, or look at the source.
40
If I wanted to get a handle on the likelihood of a malicious gem occurring, I'd look at whether malicious packages have been detected in any language (eg python egs, or Perl's CPAN), how likely it is that a malicious package has been produced without anyone noticing, and whether ruby is at any greater risk than other languages.
I might see if I could generate a web of trust - even if I don't know the gem author, do I know someone who does?
I might also look at whether package managers such as Debian examine whether packages are malicious, and if so, whether they've examined the gem you want to use.
2
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
