blake.app

Ruby Dependency Confusion

This article talks about dependency confusion for many different programming languages, but does specifically mention Ruby:

One such company is the Canadian e-commerce giant Shopify, whose build system automatically installed a Ruby gem named shopify-cloud only a few hours after I had uploaded it, and then tried to run the code inside it.

I’m not entirely sure how this was possible, but one possible way was that they had multiple sources listed in their Gemfile:

source 'https://rubygems.org'
source 'https://supersecret.privatehost.internal'

gem 'my_gem'

which Bundler has a warning about:

If you want to pick up gems from a different source, make sure to wrap the extra sources in a block. Multiple global source lines are a security risk and should not be used as they can lead to gems being installed from unintended sources.

For private gems I personally prefer specifying the source for each gem individually with the :source option:

If some of your gems need to be fetched from a private gem server, this default source can be overridden for those gems. For a gem server that contains a single gem, it is easiest to use the :source option on that gem.

gem 'my_gem', '1.0', :source => 'https://gems.example.com'

This way, if a private gem that you are pulling down also happens to be public, Bundler will throw an error if the private gem is not available for some reason, or if the public one happens to be a newer version:

Could not find gem 'my_gem' in rubygems repository https://supersecret.privatehost.internal  or installed locally.
The source does not contain any versions of 'my_gem'

Please be careful with your Gemfiles and be sure to do an audit of your Gemfiles if you happen to use private gem servers.