Here's a gem that uses a malicious native extension to tar up your app inside your "public/" dir: https://github.com/benjaminleesmith/better_date_to_s/blob/1f855de5483668bd74f97c33aa7d09c9318cc6f6/lib/better_date_to_s/better_date_to_s.c …
@merbist yeah, saw his talk ;) Point being gems can do some pretty crazy stuff
@bascule agh ok I thought you thought you had found an "Evil" gem :p
@merbist was part of a larger point that RubyGems sure could use some kind of security
@bascule and bundler too, you can set an evil gem as a dependency of your gem and most people won't even notice they are using it. Hard prob
@merbist yeah, people might scour gems like rails for compromises, but are people looking as closely at, say, "hike", a Rails dependency?