[DNM] Limit type-squatting on top gems when creating new rubygems #1809

segiddins · 2018-10-24T06:05:30Z

DNM since I couldn't get tests running locally. Needs new tests added as well, in addition to some performance profiling

indirect

I like it! It's nice that it's so straightforward, too. r+ from me with a test.

indirect · 2018-10-24T06:34:27Z

app/models/pusher.rb

-    unless @rubygem.new_record?
+    if @rubygem.new_record?
+      Rubygem.downloaded(50).each do |rubygem|
+        if Gem::Text.levenstein_distance(name.downcase, rubygem.name.downcase) < 3


Pretty sure it's levenshtein_distance? Unrelated, if it's fast enough I'd like to do the top 100 (or top 1000?). Maybe Rubygem.downloded(1000).pluck(:name).first{|n| Gem::Text.levenshtein_distance(name.downcase, n.downcase) < 3 }?

indirect · 2018-10-24T06:34:46Z

app/models/pusher.rb

+      Rubygem.downloaded(50).each do |rubygem|
+        if Gem::Text.levenstein_distance(name.downcase, rubygem.name.downcase) < 3
+          return notify("The name #{name.inspect} is too close to #{rubygem.name.inspect}.\n" \
+                        "Please send an email to xxx@rubygems.org if you believe this is an error.", 409)


I believe help@rubygems.org is the Tender support email queue.

simi · 2018-10-24T09:26:57Z

app/models/pusher.rb

-    unless @rubygem.new_record?
+    if @rubygem.new_record?
+      Rubygem.downloaded(50).each do |rubygem|
+        if Gem::Text.levenstein_distance(name.downcase, rubygem.name.downcase) < 3


If I understand this well, this checks for ld distance for top x (now 50) gems and if distance is less than 3, it fails.

In top 50 gems, there is 3 letter gem and 4 letter gems now (according to https://rubygems.org/stats) and it is really easy to came up with a proper name being blocked by this condition.

Is this expected limitation?

list of gems having short (< 5 characters) name in top 50 rubygems:

ffi rack rake json i18n thor tilt sass arel mail

PS: Is it possible to use this method directly? I had to do Class.new.extend(Gem::Text).levenshtein_distance('rack', 'rado').

good point -- maybe allow a distance of 1 for 3 letters, and 2 for four letters?

simi · 2019-07-03T22:23:14Z

Isn't this "superseeded" by #2037 ❓

sonalkr132 · 2019-07-08T12:52:38Z

See #2037

Limit type-squatting on top gems when creating new rubygems

56b39e9

segiddins requested a review from indirect October 24, 2018 06:05

indirect requested changes Oct 24, 2018

View reviewed changes

simi reviewed Oct 24, 2018

View reviewed changes

Require gem::text

17f3284

segiddins force-pushed the segiddins/limit-top-gem-typo-squatting branch from 40459e3 to 17f3284 Compare October 31, 2018 05:39

sonalkr132 added needs-more-work needs-review labels Nov 3, 2018

Use the correct variable names

cc53b7e

sonalkr132 removed the needs-more-work label Nov 14, 2018

sonalkr132 mentioned this pull request Jun 24, 2019

Invalidate gem name using levenshtein distance for gems with ten million downloads #2037

Merged

sonalkr132 closed this Jul 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DNM] Limit type-squatting on top gems when creating new rubygems #1809

[DNM] Limit type-squatting on top gems when creating new rubygems #1809

segiddins commented Oct 24, 2018

indirect left a comment

indirect Oct 24, 2018

indirect Oct 24, 2018

simi Oct 24, 2018

segiddins Oct 31, 2018

simi commented Jul 3, 2019

sonalkr132 commented Jul 8, 2019

[DNM] Limit type-squatting on top gems when creating new rubygems #1809

[DNM] Limit type-squatting on top gems when creating new rubygems #1809

Conversation

segiddins commented Oct 24, 2018

indirect left a comment

Choose a reason for hiding this comment

indirect Oct 24, 2018

Choose a reason for hiding this comment

indirect Oct 24, 2018

Choose a reason for hiding this comment

simi Oct 24, 2018

Choose a reason for hiding this comment

segiddins Oct 31, 2018

Choose a reason for hiding this comment

simi commented Jul 3, 2019

sonalkr132 commented Jul 8, 2019