Rubygems.org: gem install bunlder

Created on 20 Jun 2016 · 5 Comments · Source: rubygems/rubygems.org

A very interesting blogpost and related thesis on the vulnerability of RubyGems (& other language libraries) to 'typosquatting' has recently got some press including from Bruce Schneier. Is the community aware that RubyGems was used for this 'experiment' and does it think it should/can defend against this vulnerability?

@benjaminleesmith (the author of the bunlder gem) did a series of amusing but v.scary presentations on crafting gems to execute malware code on install (e.g. this one) so I'd be interested in whether RubyGems feels this issue warrants attention. The blog's author suggests some countermeasures including namespace reservation for practical typos of common libraries (gems).

Manual peer review of new gems (e.g. as Homebrew does with new formulae) may be undesirable/impractical, but my own view is that this does have the potential to be a serious issue for users of the language - just look at the number of bunlder downloads.

Related to #1226 I guess, as it is namespace/security issue.

All 5 comments

Is the community aware that RubyGems was used for this 'experiment' and does it think it should/can defend against this vulnerability?

Yes and yes. In particular we already have a gem name blacklist, which we reappraised when one of the team members found that blog post. If I recall correctly, the consensus was that we can do more to defend against this, but it is fairly difficult to do so. Which is to say that this issue is open to brainstorming / PRs.

The blacklist seems to be designed to defend against impersonating stdlib namespace, not the 'bunlder' issue - but at least an 'openssl' gem is impossible. Good to see the problem has been flagged, thanks.

If you are happy to leave the issue open, I'd respectfully suggest it may be a good place for brainstorming this problem - I'll give a solution to the 'typosquatting' problem some more thought myself.

There could be a Soundex, Smith-Waterman or similar check for new gems against all popular gems (probably to be determined by total downloads or downloads in the last x months). We're using Smith-Waterman in our app to find typos and like the results. Whether the gem creation is automatically blocked or just reported is up for discussion.

I wonder... what if we did something like, run a Levenshtein algo on new gem names and flag for review? In theory, at least, it puts a human into the loop.

We released initial rules for this using Levenshtein distance in #2037. Post comments for improvements on #2058.
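As an added example (not rubygems.org's code and not the rules that shipped in #2037), the check proposed in the thread written out in Ruby: it compares a proposed gem name against a list of popular gems and returns the near-matches to hold for human review. It goes beyond plain Levenshtein by using the optimal-string-alignment variant, which counts an adjacent transposition such as 'bunlder' for 'bundler' as a single edit. The popular-gem list, the normalisation and the distance thresholds are assumptions made for illustration.

```ruby
# Constructed list of "popular" gems; a real deployment would derive this
# from download counts, as the thread suggests.
POPULAR_GEMS = %w[bundler rails rake rack nokogiri rspec devise puma sidekiq].freeze

# Optimal-string-alignment distance: Levenshtein (insert/delete/substitute)
# plus adjacent transposition at cost 1, so "bunlder" -> "bundler" is 1 edit.
def osa_distance(a, b)
  d = Array.new(a.size + 1) { |i| Array.new(b.size + 1) { |j| i.zero? ? j : (j.zero? ? i : 0) } }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
        d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min
      end
    end
  end
  d[a.size][b.size]
end

# Assumed normalisation: compare case-insensitively and treat '-' and '_'
# as the same separator, since a look-alike name would exploit either.
def normalize(name)
  name.downcase.tr("_", "-")
end

# Returns [gem, distance] pairs for popular gems the candidate is suspiciously
# close to. An exact match is skipped (the name is simply taken, not a
# look-alike). Assumed threshold: one edit for short names, two for names of
# six characters or more, so four-letter names are not flagged against every
# other four-letter word.
def typosquat_candidates(name, popular = POPULAR_GEMS)
  n = normalize(name)
  popular.each_with_object([]) do |gem, hits|
    g = normalize(gem)
    next if g == n
    threshold = g.size >= 6 ? 2 : 1
    dist = osa_distance(n, g)
    hits << [gem, dist] if dist <= threshold
  end
end

# Decision helper: true when registration should be held for a human reviewer.
def needs_review?(name, popular = POPULAR_GEMS)
  typosquat_candidates(name, popular).any?
end
```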
