Gem pushing is vulnerable. #93

Closed
blambeau opened this Issue · 3 comments

2 participants

@blambeau

For the same reasons as rubygems.org, Geminabox is vulnerable because rubygems is vulnerable in the first place.

I haven't seen anything moving here. This is a kind reminder.

@cwninja
Owner

As best as I can tell, this is the same old YAML allocating arbitrary ruby objects class of exploit? If so, the fix is tricky without breaking things.

At this point, I'm not going to panic. Here's why:

  • This software is not designed to run on public infrastructure, so I'm less concerned than I would be on a public facing app.

  • We're running a fairly small set of gems, with no autoloading of missing constants. This gives a much smaller target area for exploitation, and the now standard ActionController::Routing::RouteSet::NamedRouteCollection path to actual evaluation is not open (we don't run on Rails).

My plan for right now is to stay calm, carry on, then watch for what Rubygems.org do.

You never know, but the whole "let's keep things in YAML" part of RubyGems may have to die, opening up a whole new world of magic and wonderment and endless updating :grinning:

What I'm actually expecting, is a fix in rubygems, that closes the hole. As geminabox offloads most of the interesting work to rubygems (it actually does exactly 0 work with YAML apart from passing them around uninspected), the fix will be "Upgrade rubygems", and I'll probably end up setting it up as a minimal requirement for running the app.

That said, if anyone can find a path through, and get a patch out, please do let me know.
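An added illustration of inspecting gem metadata YAML before it is passed on to rubygems, not part of the original thread or Geminabox's code: it walks the YAML syntax tree without instantiating any objects and reports tags outside an allowlist. The allowlist, the function names and the two sample documents are assumptions constructed for this example.

```ruby
require "psych"

# Tags seen in ordinary gem metadata (assumed allowlist for this example).
ALLOWED_TAGS = %w[
  !ruby/object:Gem::Specification
  !ruby/object:Gem::Version
  !ruby/object:Gem::Requirement
  !ruby/object:Gem::Dependency
].freeze

# Constructed sample: metadata using only allowlisted tags.
CONSTRUCTED_GOOD = <<~YAML
--- !ruby/object:Gem::Specification
name: example
version: !ruby/object:Gem::Version
  version: 1.0.0
YAML

# Constructed sample: same document plus a tag naming a class
# that has no business in a gemspec (hypothetical class name).
CONSTRUCTED_BAD = CONSTRUCTED_GOOD + <<~YAML
summary: !ruby/hash:Example::Unexpected
  key: value
YAML

# Return every tag in the document that is not allowlisted.
# Psych.parse_stream only builds syntax nodes; it never allocates
# the Ruby objects the tags refer to.
def unexpected_tags(yaml_text, allowed = ALLOWED_TAGS)
  found = []
  Psych.parse_stream(yaml_text).each do |node|
    next unless node.respond_to?(:tag)
    tag = node.tag
    found << tag unless tag.nil? || allowed.include?(tag)
  end
  found.uniq
end

# Reject metadata that fails to parse or carries an unexpected tag.
def forwardable?(yaml_text)
  unexpected_tags(yaml_text).empty?
rescue Psych::SyntaxError
  false
end
```

Explicit standard tags such as `!!binary` are also reported, so the check errs on the side of rejecting.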

@blambeau

I think you're right here. It was just in case.

> What I'm actually expecting, is a fix in rubygems, that closes the hole.

So glad to hear clear thinking in here :+1:

@cwninja
Owner

Cool Beanz!

@blambeau blambeau closed this