Is there a risk of a Ruby gem acting like a trojan

2019-06-15 07:12发布

问题:

I was just about to install a Ruby gem by someone I hadn't heard of. But something made me think "Who is this guy?". Is there any risk of a Ruby gem accessing private data on your machine and transmitting it elsewhere - since the gem system has Internet access? Or are there protections against this?

回答1:

Of course there is. You're installing software on your computer that runs with the privileges of the script/user that calls it. It's probably easier to spot malicious code in pure Ruby than in binary packages. But if you think source inspection is a guaranteed way to spot malicious code, check out the under-handed C contest.

That said, if you want to write malware there are more effective delivery systems than Ruby gems. I would not be surprised if the number of actual malicious gems in existence is 0, and thus that the probability that this one is malicious is likewise 0...

See: http://rubygems.org/read/chapter/14#page61



回答2:

There is a risk of malicious code whenever you import unknown logic into an application. The risks are only as deep as the data to which that application has access. Like how Java applets are sandboxed.

Get signed packages you trust, or look at the source.



回答3:

If I wanted to get a handle on the likelihood of a malicious gem occurring, I'd look at whether malicious packages have been detected in any language (eg python egs, or Perl's CPAN), how likely it is that a malicious package has been produced without anyone noticing, and whether ruby is at any greater risk than other languages.

I might see if I could generate a web of trust - even if I don't know the gem author, do I know someone who does?

I might also look at whether package managers such as Debian examine whether packages are malicious, and if so, whether they've examined the gem you want to use.



回答4:

I disagree with the above poster that the probability of malicious gems in existence is 0. There is always a danger of using malicious gems. Be paranoid, but still get things done.



回答5:

I believe that there are two groups of gems.

First the "Well Known Gems", which are, coincidently the bigests and with more (sometimes obscure for my skills) code/logic. But those gems are reviewed a lot of other developers.

Then there are "Minor gems" (meaning that are not that widely used and spread). This gems use to have low versions, beta states and so.

My Rule of Thumb is: I trust the first group and read all the code I can from the second group of gems.

That is not totally true since I don't have the time to read the code of every gem in my system, but I try to go to the sources whenever I need to understand a method call, or how a certain function is implemented, that drives me, almost always to read at least 2-3 source files.

If I'm going to install a certain for a certain functionality I use to search github and review the implementation, the number of forks and developers, the activity (in number and frequency of commits) and so on.

That said, I use to trust gems, cause I've never found nothing intentionally harmful, but bad implementations and some security holes.



回答6:

There have been proposals to cryptographically sign gems, so you would know at least that the author's code hasn't been tampered with, but there's been no uptake on this

http://pablotron.org/files/signing_gems.txt