Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

rubygems CVE-2022-29176 explained

Greg Molnar, posted 3 years ago
  • A security issue was found on Rubygems.org, the website that stores packages (gems, in Ruby land) and lets the creators of a package manage them.
  • Imagine we want to yank (remove) a version of a popular gem, for instance rails-html-sanitizer. We could set up our own gem called rails-html.
  • When yanking a gem, a few parameters identify what is being yanked: name and slug. The slug is simply the version string.
  • The gem lookup first validates that we have access to the gem name we specified. After that, name and slug are concatenated to find the specific version, like so: name-slug. Do you see the problem!?
  • We can simply have our slug contain the rest of the package name plus the version. Continuing the example, with control over rails-html we could use the slug sanitizer-version_no, which concatenates to rails-html-sanitizer-version_no. Now we control which gem is looked up by way of the slug!
  • String concatenation with attacker-controlled data can lead to security problems. This just goes to show that security bugs will never go away!
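To make the name/slug problem concrete, here is an added Ruby illustration (my own code, not rubygems.org's models or anything from Greg Molnar's post) that uses a constructed in-memory registry in place of the real database. It shows the vulnerable lookup, where the ownership check and the version lookup disagree about which gem is meant, beside a fixed lookup that resolves the version only within the gem the user actually owns; gem names, owners and the version number 1.4.2 are all made-up sample data.

```ruby
# Constructed model: a gem version belongs to one rubygem and, like on
# rubygems.org, has a full name of the form "<gem name>-<version number>".
Version = Struct.new(:rubygem, :number, :yanked) do
  def full_name
    "#{rubygem}-#{number}"
  end
end

# Constructed sample data: "attacker" owns rails-html, "victim" owns
# rails-html-sanitizer. Fresh copies so each scenario starts clean.
OWNERS = { "rails-html" => "attacker", "rails-html-sanitizer" => "victim" }.freeze

def build_registry
  [
    Version.new("rails-html", "1.0.0", false),
    Version.new("rails-html-sanitizer", "1.4.2", false),
  ]
end

def authorized?(user, name)
  OWNERS[name] == user
end

# Vulnerable pattern: authorization is checked on `name`, but the record is then
# found by the concatenated full name. A slug of "sanitizer-1.4.2" pushes the
# boundary between gem name and version, so rails-html + slug matches the
# full name of rails-html-sanitizer 1.4.2, which the caller does not own.
def yank_vulnerable(versions, user, name, slug)
  return :forbidden unless authorized?(user, name)
  target = versions.find { |v| v.full_name == "#{name}-#{slug}" }
  return :not_found unless target
  target.yanked = true
  :yanked
end

# Fixed pattern: scope the lookup to the gem that passed the ownership check and
# compare the version number field itself, never a concatenated string, so the
# slug cannot select another gem's record no matter what it contains.
def yank_fixed(versions, user, name, slug)
  return :forbidden unless authorized?(user, name)
  target = versions.find { |v| v.rubygem == name && v.number == slug }
  return :not_found unless target
  target.yanked = true
  :yanked
end
```

Run with `ruby` and try both functions with the slug `sanitizer-1.4.2` against the name `rails-html`: the vulnerable lookup yanks the other owner's gem, the fixed one reports not found.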