Rubygems: gem typosquatting prevention

Created on 15 Aug 2019  路  5Comments  路  Source: rubygems/rubygems

I would like to suggest a feature to prevent Typosquatting programming language package managers.

I suggest that RubyGems should make it difficult to publish gems whose names are too similar to some pre-existing popular gem. "Too similar" may be defined as having a Levenshtein distance of 1. "Popular" may be defined simply as having more than some threshold of downloads in some period, e.g., more than 1k downloads in the last month.

RubyGems could automatically refuse such submissions by stating that in order to prevent malicious gem typosquatting, in case of high lexical similarity to a pre-existing popular gem, manual authorization by admins is required, which may be requested by email with proper justification.

This issue is related to:

  • [ ] Network problems
  • [ ] Installing a library
  • [x] Publishing a library
  • [ ] The command line gem
  • [x] Other (Security)

I will abide by the code of conduct.

picture adrianomitre
👍1

Most helpful comment

A variant of the levenshtein distance aspect of this issue was added in https://github.com/rubygems/rubygems.org/pull/2037 ("Invalidate gem name using levenshtein distance for gems with ten million downloads"), back June of this year. This, as of that PR ,applies to anything similar to existing gems with >10 million downloads total.

There's also https://github.com/rubygems/rubygems.org/pull/1357 , from June 2016, which made the name check case-insensitive. This is for creation only, as there's at least once instance of case-only-difference from prior to that PR (saikuro vs Saikuro).

picture duckinator on 17 Aug 2019
👍2

All 5 comments

I imagine step 1 of enforcing this would be disallowing case-sensitive gem names...

djberg96 picture djberg96 on 15 Aug 2019
👍1

Maybe the problem is not case-sensitivity _per se_, but allowing two gems whose name differ only in terms of case.

Something along the following lines could implement @djberg96's idea of step 1?

def disallow?(new_gem_name)
  # pre_existing_gem_names comes from the database, disallowed may be cached
  disallowed = pre_existing_gem_names.map(&:downcase).to_set
  disallowed.include?(new_gem_name.downcase)
end
adrianomitre picture adrianomitre on 16 Aug 2019

A variant of the levenshtein distance aspect of this issue was added in https://github.com/rubygems/rubygems.org/pull/2037 ("Invalidate gem name using levenshtein distance for gems with ten million downloads"), back June of this year. This, as of that PR ,applies to anything similar to existing gems with >10 million downloads total.

There's also https://github.com/rubygems/rubygems.org/pull/1357 , from June 2016, which made the name check case-insensitive. This is for creation only, as there's at least once instance of case-only-difference from prior to that PR (saikuro vs Saikuro).

duckinator picture duckinator on 17 Aug 2019
👍2

@adrianomitre does my previous comment address everything, or do you have potential ideas for changes/tweaks?

duckinator picture duckinator on 17 Aug 2019

@duckinator Your previous comment addressed everything. Thanks!

adrianomitre picture adrianomitre on 19 Aug 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

marctrem picture marctrem  路  5Comments
sebroeder picture sebroeder  路  3Comments
djberg96 picture djberg96  路  4Comments
morgoth picture morgoth  路  4Comments
khiav223577 picture khiav223577  路  3Comments