I was just about to install a Ruby gem by someone I hadn't heard of. But something made me think "Who is this guy?". Is there any risk of a Ruby gem accessing private data on your machine and transmitting it elsewhere - since the gem system has Internet access? Or are there protections against this?
+3
A:
There is a risk of malicious code whenever you import unknown logic into an application. The risks are only as deep as the data to which that application has access. Like how Java applets are sandboxed.
Get signed packages you trust, or look at the source.
Aiden Bell
2009-06-04 21:15:24
+11
A:
Of course there is. You're installing software on your computer that runs with the privileges of the script/user that calls it. It's probably easier to spot malicious code in pure Ruby than in binary packages. But if you think source inspection is a guaranteed way to spot malicious code, check out the under-handed C contest.
That said, if you want to write malware there are more effective delivery systems than Ruby gems. I would not be surprised if the number of actual malicious gems in existence is 0, and thus that the probability that this one is malicious is likewise 0...
Steve Jessop
2009-06-04 21:23:33
Thanks for the links -> "How can I trust the Gems which are automatically downloaded from the net? The same way you can trust all other code you install. (I.e. ultimately, you can’t.)"
Hola
2009-06-04 21:29:57
Maybe there are very few (or zero) intentionally malicious gems, but there are lots of poorly written gems that have security holes. Read the Ruby on Rails security blog where really horrible gaping holes in critical RoR security components are regularly posted. Think twice before adding any Gem and always do a brief once over to get a guage for security code quality.
Chris Clark
2009-06-05 11:01:00
"poorly written gems that have security holes" - gems, applications, operating systems...
Steve Jessop
2009-06-05 17:11:03
+1
A:
I disagree with the above poster that the probability of malicious gems in existence is 0. There is always a danger of using malicious gems. Be paranoid, but still get things done.
e5
2009-06-04 22:08:26
I think the link he provides backs up your point: http://rubygems.org/read/chapter/14#page61
Hola
2009-06-04 22:21:43
+2
A:
If I wanted to get a handle on the likelihood of a malicious gem occurring, I'd look at whether malicious packages have been detected in any language (eg python egs, or Perl's CPAN), how likely it is that a malicious package has been produced without anyone noticing, and whether ruby is at any greater risk than other languages.
I might see if I could generate a web of trust - even if I don't know the gem author, do I know someone who does?
I might also look at whether package managers such as Debian examine whether packages are malicious, and if so, whether they've examined the gem you want to use.
Andrew Grimm
2009-06-04 23:33:08
+1
A:
I believe that there are two groups of gems.
First the "Well Known Gems", which are, coincidently the bigests and with more (sometimes obscure for my skills) code/logic. But those gems are reviewed a lot of other developers.
Then there are "Minor gems" (meaning that are not that widely used and spread). This gems use to have low versions, beta states and so.
My Rule of Thumb is: I trust the first group and read all the code I can from the second group of gems.
That is not totally true since I don't have the time to read the code of every gem in my system, but I try to go to the sources whenever I need to understand a method call, or how a certain function is implemented, that drives me, almost always to read at least 2-3 source files.
If I'm going to install a certain for a certain functionality I use to search github and review the implementation, the number of forks and developers, the activity (in number and frequency of commits) and so on.
That said, I use to trust gems, cause I've never found nothing intentionally harmful, but bad implementations and some security holes.
calas
2009-06-06 00:32:16
A:
There have been proposals to cryptographically sign gems, so you would know at least that the author's code hasn't been tampered with, but there's been no uptake on this
Gene T
2009-07-19 20:09:09