6

Normally, when installing a Ruby gem, I'd ask my system admin to do

sudo gem install gemname

However, there was recently a security breach with the source of gems, http://rubygems.org, and I'm wondering how safe this is, and whether alternatives are safer.

Would the major risks involved with installing from rubygems.org be that

  1. rubygems.org, or one of its mirrors, got hacked, and supplied me with a malicious package instead of the one I wanted.
  2. Someone successfully impersonated a gem author, and uploaded a malicious package.

If I wanted to avoid such risks, would it be safer to clone the git repository of the source code for the gem, and build the gem myself?

One problem with this approach is I'm not that confident about the security of Github, the main source of git repositories for Ruby related projects. Github uses Ruby on Rails, and Github's security record hasn't been flawless - Egor Homakov was able to hack the website and commit to a project without proper credentials.

Would using code from github have less risk than using a gem from rubygems.org?

Also, would not using sudo while installing Ruby gems reduce my risk?

I use Ruby merely for a command line application that analyses data. I don't use Rails or any of its gems, I'm not building a web application, and my application doesn't need to access the internet.

Deer Hunter
Andrew Grimm

2 Answers

5

If I wanted to avoid such risks, would it be safer to clone the git repository of the source code for the gem, and build the gem myself?

Probably not. More effort is likely to go into releasing (and potentially approving) a gem for inclusion onto rubygems than you will go to when cloning the source, especially for popular gems. Furthermore, there might be particular configuration / build options that are taken care of on your behalf when getting from rubygems which you might not be aware of when cloning from github.

However as Deer Hunter said, if you are going to go to the effort of thoroughly reviewing the code yourself, then cloning it from source is a good way to go.

Note that if the code of the gem in question is hosted on github, then in trusting rubygems you are implicitly trusting github, as any attack on the source there is very likely to also affect the author's gem publishing environment.

Michael
  • see, I would foolishly *assume* that what I see on the github web page is what clone would download... which is why I always like to read answers by pros. – Thufir Jan 02 '17 at 04:43
4

The risks are the same as with other language-specific package management systems (npm for node.js, PyPI for Python, CRAN for R, CPAN for Perl etc.). Yet, it is very often prudent to install this stuff without superuser privileges, or at least have the chance to review what is being installed. To do the review one may use a utility like fpm to roll up an .rpm or a .deb, and look up switches that force gem installation into your /home directory.

As for security of sites hosting users' code, no site can be considered immune (note the recent hack of a South Korean SourceForge mirror).

By using ready-made code (and running a compiler to build native extensions) you give a potential attacker some vulnerability surface (compilers may have a slew of buffer overflows and other nasty bugs). Using sudo doesn't make the process automatically safe.

The bottom line would be that by re-using other people's code, you put a lot of trust in the chain of authors, maintainers and site owners. If you want additional assurance, you have to conduct thorough code review before deploying code to production.

Deer Hunter
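The "review what is being installed" step above can be done with RubyGems' own Gem::Package API rather than by eyeballing a GitHub page. The script below is an added example and is not code from either answer: it verifies a .gem file's internal checksums, lists the files it would put on disk, and flags the things that matter at install time (native extensions, which run a compiler; executables; dependencies you also have to review). The "analyzer" gem it builds is a constructed fixture so the script runs offline; for a real gem you would obtain the file with `gem fetch gemname`, which downloads without installing.

```ruby
# Added example, not code from the question or either answer. Inspects a .gem
# file before installing it, using the Gem::Package API that ships with
# RubyGems. A .gem is a tar archive (metadata.gz, data.tar.gz,
# checksums.yaml.gz); verifying it and reading its spec shows what would land
# on disk and whether a compiler would run at install time.
# "analyzer" is a constructed fixture, not a real published gem.
require "rubygems"
require "rubygems/package"
require "digest"
require "fileutils"
require "tmpdir"

# Verify the archive's internal checksums and summarize what installing it
# would do. Raises Gem::Package::FormatError if the archive was tampered with
# after its checksums were written.
def inspect_gem(gem_path)
  package = Gem::Package.new(gem_path)
  package.verify
  spec = package.spec
  {
    name:         spec.name,
    version:      spec.version.to_s,
    sha256:       Digest::SHA256.file(gem_path).hexdigest, # pin this for reinstalls
    files:        package.contents.sort,                   # everything in data.tar.gz
    extensions:   spec.extensions,                         # extconf.rb => compiler runs
    executables:  spec.executables,                        # end up on your PATH
    dependencies: spec.runtime_dependencies.map(&:to_s),
    post_install: spec.post_install_message,
  }
end

# Points a reviewer should look at before `gem install --user-install --local <file>`.
def install_time_risks(info)
  risks = []
  risks << "native extensions compiled at install time: #{info[:extensions].join(', ')}" unless info[:extensions].empty?
  risks << "installs executables: #{info[:executables].join(', ')}" unless info[:executables].empty?
  risks << "pulls in dependencies that also need review: #{info[:dependencies].join(', ')}" unless info[:dependencies].empty?
  risks
end

# Constructed fixture: build a small gem inside `dir` so the script runs offline.
def build_sample_gem(dir, with_extension: false)
  Dir.chdir(dir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/analyzer.rb", "module Analyzer; VERSION = '0.1.0'; end\n")
    files = ["lib/analyzer.rb"]
    if with_extension
      FileUtils.mkdir_p("ext")
      File.write("ext/extconf.rb", "require 'mkmf'\ncreate_makefile('analyzer')\n")
      files << "ext/extconf.rb"
    end
    spec = Gem::Specification.new do |s|
      s.name       = "analyzer"
      s.version    = "0.1.0"
      s.summary    = "constructed fixture"
      s.authors    = ["example"]
      s.files      = files
      s.extensions = ["ext/extconf.rb"] if with_extension
    end
    File.join(dir, Gem::Package.build(spec, true)) # true: skip spec validation noise
  end
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    gem_file = build_sample_gem(dir, with_extension: true)
    info = inspect_gem(gem_file)
    puts "#{info[:name]} #{info[:version]} sha256=#{info[:sha256]}"
    puts "files: #{info[:files].join(', ')}"
    install_time_risks(info).each { |r| puts "review: #{r}" }
    puts "when satisfied: gem install --user-install --local #{gem_file}"
  end
end
```

Once the contents pass review, `gem install --user-install --local file.gem` installs the already-downloaded file into your home directory without sudo, which keeps the install itself (and any extension build it triggers) running as your user rather than root. Recording the sha256 lets you detect a later swap of the same name and version on the mirror you use.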