A script to run on CI to make sure that:
- no private gem is accidentally published to rubygems.org (rake release happily does that for you)
- nobody has published a public gem under the same name as one of your private gems; a client that resolves from both sources can then pull the public one in place of yours (dependency confusion)
This was written for a geminabox server (https://github.com/geminabox/geminabox) secured with geminastrongbox (https://github.com/zendesk/geminastrongbox); the step that parses the gem index will need adjusting for other gem servers.
#!/usr/bin/env ruby
# Runs a shell command and returns its output, failing the build if it exits non-zero.
# The command is deliberately not echoed in the error message: it contains the key.
def sh(command)
  result = `#{command}`
  raise "FAILED #{result}" unless $?.success?
  result
end

key = ENV.fetch('PRIVATE_SERVER_KEY')
host = ENV.fetch('PRIVATE_SERVER_HOST')

# The geminabox index links each gem as https://HOST/gems/gems/NAME; adjust the
# pattern for other servers. The key is part of the URL, so it is visible in the
# process list of the CI host while curl runs.
private_gem_names = sh("curl -fs 'https://#{key}@#{host}/gems'")
private_gem_names = private_gem_names.scan(%r{"#{host}/gems/gems/([^"]+)"}).flatten.uniq
raise "No private gems found; check the index pattern" if private_gem_names.empty?
puts "Found #{private_gem_names.size} private gems"
puts private_gem_names.join(", ")

# Ask rubygems.org which of these names are already published. The dependency API
# answers in Marshal format, so this deserializes data received from the network;
# it is only acceptable because the response comes from rubygems.org over TLS.
# rubygems.org announced the deprecation of this API in 2023; if it stops answering,
# query https://rubygems.org/api/v1/gems/NAME.json per gem instead.
exposed = sh("curl -fs 'https://rubygems.org/api/v1/dependencies?gems=#{private_gem_names.join(",")}'")
exposed = Marshal.load(exposed).map { |d| d[:name] }.uniq
puts "Found #{exposed.size} of them on rubygems.org"
puts exposed.join(", ")

# Private gems that legitimately exist on rubygems.org too (for example a gem that
# was public before it went private) go here; anything else is treated as an attack.
known_duplicates = ["LIST KNOWN DUPLICATES HERE"]
unexpected = exposed - known_duplicates
if unexpected.empty?
  puts "All good!"
else
  raise "Hacked private gems !?: #{unexpected.join(", ")}"
end
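The same check as an added example (not the gist's own code), factored into functions so the logic can be exercised offline against constructed input. It differs from the script above in three security-relevant ways: the private index is fetched with Net::HTTP and basic auth rather than a curl command line with the key in the URL (which is visible in ps on the CI host); rubygems.org is asked per gem via GET /api/v1/gems/NAME.json (200 when the name is taken, 404 when it is free), so no Marshal data from the network is deserialized; and any other HTTP status raises instead of being read as "not published", so a rate limit or outage cannot turn into a false "All good!". It assumes, as the gist does, that the geminabox index at https://HOST/gems links every gem as https://HOST/gems/gems/NAME and that geminastrongbox accepts the key as the basic-auth username (that is what https://KEY@HOST sends).

```ruby
#!/usr/bin/env ruby
# Added example, not the original gist's code. Assumptions: geminabox index links
# are "https://HOST/gems/gems/NAME"; the key works as the basic-auth username.
require 'cgi'
require 'net/http'
require 'uri'

# Gem names linked from the geminabox index HTML (duplicates removed).
def private_gem_names(index_html, host)
  index_html.scan(%r{"https?://#{Regexp.escape(host)}/gems/gems/([^"/]+)"})
            .flatten.uniq
end

# Fetches the private index with the key as basic-auth user, never as part of a
# command line, so it does not appear in the CI host's process list.
def fetch_private_index(host, key)
  uri = URI("https://#{host}/gems")
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(key, '')
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "private index returned HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# HTTP status of GET https://rubygems.org/api/v1/gems/NAME.json: 200 = taken, 404 = free.
def rubygems_status(name)
  uri = URI("https://rubygems.org/api/v1/gems/#{CGI.escape(name)}.json")
  Net::HTTP.get_response(uri).code.to_i
end

# Subset of +names+ that exist on rubygems.org. +lookup+ maps a name to an HTTP
# status (injectable for tests). Anything but 200/404 is an error: a failed lookup
# must never be mistaken for "not published".
def published_on_rubygems(names, lookup = method(:rubygems_status))
  names.select do |name|
    case (status = lookup.call(name))
    when 200 then true
    when 404 then false
    else raise "rubygems.org returned HTTP #{status} for #{name}; cannot tell if it is taken"
    end
  end
end

# Public names that were not explicitly allowlisted.
def unexpected_public_gems(exposed, known_duplicates)
  exposed - known_duplicates
end

# Private gems that legitimately exist on rubygems.org as well.
KNOWN_DUPLICATES = %w[].freeze

# The live run only happens when the CI variables are set; loading the file
# otherwise has no side effects.
if ENV['PRIVATE_SERVER_HOST'] && ENV['PRIVATE_SERVER_KEY']
  host = ENV['PRIVATE_SERVER_HOST']
  names = private_gem_names(fetch_private_index(host, ENV['PRIVATE_SERVER_KEY']), host)
  raise 'No private gems found; check the index pattern' if names.empty?
  puts "Found #{names.size} private gems: #{names.join(', ')}"
  exposed = published_on_rubygems(names)
  puts "Found #{exposed.size} of them on rubygems.org: #{exposed.join(', ')}"
  bad = unexpected_public_gems(exposed, KNOWN_DUPLICATES)
  abort "Hacked private gems !?: #{bad.join(', ')}" unless bad.empty?
  puts 'All good!'
end
```

One request per private gem is slower than the single dependency-API call, but it keeps the check independent of an API rubygems.org has deprecated and makes each failure attributable to one gem name.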