A script to run on CI to make sure that:
- no private gems are accidentally listed on rubygems.org (rake release happily does that for you)
- nobody is squatting your private gem names on rubygems.org with identically named public gems (the classic dependency-confusion setup: a resolver that also consults rubygems.org may pick the public gem)
This is written for a https://github.com/geminabox/geminabox server secured via https://github.com/zendesk/geminastrongbox and might need to be modified to fit other gem servers.
#!/usr/bin/env ruby
# Run a shell command and return its stdout; fail the build on a non-zero exit.
def sh(command)
  result = `#{command}`
  raise "FAILED #{result}" unless $?.success?
  result
end

key = ENV.fetch('PRIVATE_SERVER_KEY')
host = ENV.fetch('PRIVATE_SERVER_HOST')

# Scrape the gem names out of the private server's HTML gem index.
private_gem_names = sh("curl -fs 'https://#{key}@#{host}/gems'")
private_gem_names = private_gem_names.scan(%r{"#{host}/gems/gems/([^"]+)"}).flatten
puts "Found #{private_gem_names.size} private gems"
puts private_gem_names.join(", ")

# Ask rubygems.org which of these names it knows. The dependency API answers with
# a Marshal-encoded array of hashes, one per published gem version.
exposed = sh("curl -fs 'https://rubygems.org/api/v1/dependencies?gems=#{private_gem_names.join(",")}'")
exposed = Marshal.load(exposed).map { |d| d[:name] }.uniq
puts "Found #{exposed.size} of them on rubygems.org"
puts exposed.join(", ")

# Names you already know exist on rubygems.org too (for example gems you publish to both).
if exposed.sort == ["LIST KNOWN DUPLICATES HERE"].sort
  puts "All good!"
else
  raise "Hacked private gems !?: #{exposed.join(", ")}"
end
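Two things about the script above deserve a second look before it goes into a CI job: it `Marshal.load`s whatever rubygems.org (or anything between CI and rubygems.org) returns, and Marshal deserialisation of untrusted bytes is a code-execution primitive in Ruby; and it interpolates the server key and the scraped gem names straight into a shell command line. The dependency API it queries has also since been deprecated by rubygems.org. The variant below is an added example, not part of the gist, that keeps the same idea (list private gems, look each name up on rubygems.org, fail on collisions not on an allowlist) but uses the per-gem JSON endpoint (`/api/v1/gems/NAME.json`, where 404 means the name is unpublished), validates names before they reach a URL, talks HTTP through Net::HTTP, and treats the allowlist as a subtraction so a known duplicate disappearing from rubygems.org does not break the build. The hostname, gem names and index HTML in the sample data are constructed for the demonstration; the index regex is the gist's, relaxed to tolerate an `https://` prefix on the link.

```ruby
#!/usr/bin/env ruby
# Added example: hardened variant of the private-gem collision check.
# Not the gist's code. Hypothetical assumptions: geminabox links each gem as
# "[https://]HOST/gems/gems/NAME" on its index page, and the server accepts the
# API key as the basic-auth user with an empty password (as https://KEY@HOST does).
require 'net/http'
require 'uri'

# Gems you know are published on rubygems.org as well. Placeholder list.
KNOWN_DUPLICATES = %w[].freeze

# Only names rubygems.org could actually host are worth querying; anything else
# must never be interpolated into a URL (or, as in the original, a shell command).
GEM_NAME = /\A[A-Za-z0-9][A-Za-z0-9_.\-]*\z/

# Extract gem names from a geminabox index page (same pattern as the gist,
# with an optional scheme in front of the host).
def private_gem_names(index_html, host)
  index_html.scan(%r{"(?:https?://)?#{Regexp.escape(host)}/gems/gems/([^"]+)"}).flatten.uniq
end

# HTTP status of a GET to `uri` (the real fetcher; tests inject a fake one).
def http_status(uri)
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    http.get(uri.request_uri).code.to_i
  end
end

# Does rubygems.org know this name? 200 => published, 404 => free, anything
# else is an error we must not silently treat as "not published".
def public_gem?(name, fetch: method(:http_status))
  raise ArgumentError, "unsafe gem name #{name.inspect}" unless name.match?(GEM_NAME)
  case fetch.call(URI("https://rubygems.org/api/v1/gems/#{name}.json"))
  when 200 then true
  when 404 then false
  else raise "rubygems.org returned an unexpected status for #{name}"
  end
end

# Private names that exist on rubygems.org and are not on the allowlist.
def unexpected_collisions(names, known: KNOWN_DUPLICATES, fetch: method(:http_status))
  names.select { |n| public_gem?(n, fetch: fetch) } - known
end

# Fetch the private index with basic auth instead of embedding the key in a URL
# that ends up in a shell command (and in the CI log on failure).
def fetch_private_index(host, key)
  uri = URI("https://#{host}/gems")
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(key, '')
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "private index fetch failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

def run_ci_check
  host = ENV.fetch('PRIVATE_SERVER_HOST')
  key  = ENV.fetch('PRIVATE_SERVER_KEY')
  names = private_gem_names(fetch_private_index(host, key), host)
  puts "Found #{names.size} private gems: #{names.join(', ')}"
  bad = unexpected_collisions(names)
  abort "Private gem names also published on rubygems.org: #{bad.join(', ')}" unless bad.empty?
  puts "All good!"
end

# Constructed sample data so the logic can be exercised offline.
SAMPLE_HOST = 'gems.example.internal'
SAMPLE_INDEX = <<~HTML
  <ul>
    <li><a href="https://gems.example.internal/gems/gems/acme_billing">acme_billing</a></li>
    <li><a href="https://gems.example.internal/gems/gems/rails">rails</a></li>
    <li><a href="https://gems.example.internal/gems/gems/acme-auth">acme-auth</a></li>
  </ul>
HTML
# Pretend rubygems.org: only these two names are published there.
SAMPLE_PUBLIC = %w[rails acme-auth].freeze
SAMPLE_FETCH = ->(uri) { SAMPLE_PUBLIC.include?(File.basename(uri.path, '.json')) ? 200 : 404 }

# "rails" is an accepted duplicate; "acme-auth" is a new collision and gets reported.
def demo_collisions
  names = private_gem_names(SAMPLE_INDEX, SAMPLE_HOST)
  unexpected_collisions(names, known: %w[rails], fetch: SAMPLE_FETCH)
end

if ENV.key?('PRIVATE_SERVER_HOST')
  run_ci_check
else
  puts "offline demo, unexpected collisions: #{demo_collisions.inspect}"
end
```

One request per gem name is slower than the single dependency-API call, but it removes the deserialiser from the trust boundary entirely and makes a transient rubygems.org error fail loudly instead of reading as "zero gems exposed".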