Is your feature request related to a problem?
We currently allow pushing a gem that has unresolved dependencies.
Describe the solution you'd like
We should stop allowing it.
Additional context
This would close a current supply chain attack vector, where someone could push a gem and a malicious actor could see the unresolved dependency and push a rubygem that gets added as a dependency of the first gem after the fact.
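A server-side push check of the kind the issue asks for, as an added example in Ruby (not rubygems.org's own code): the registry index hash and the gem names are constructed, and the `unresolved_dependencies` / `push_allowed?` helpers are hypothetical. It goes one step beyond a name-only check by also requiring that at least one published version satisfies the declared requirement.

```ruby
require "rubygems"

# Constructed stand-in for the registry's index: gem name => published versions.
# On a real registry this would be a database lookup (assumption, not the real model).
PUBLISHED_VERSIONS = {
  "rack"     => ["2.2.8", "3.0.9"],
  "nokogiri" => ["1.16.0"],
}.freeze

# Returns a list of reasons the push must be rejected; empty means all
# runtime dependencies resolve against the published index.
def unresolved_dependencies(spec, index = PUBLISHED_VERSIONS)
  spec.runtime_dependencies.filter_map do |dep|
    versions = index[dep.name]
    if versions.nil?
      # The window described in the issue: this name is free for anyone to claim,
      # so the gem would silently pick up whatever gets published under it later.
      "#{dep.name}: no gem with this name has been published"
    elsif versions.none? { |v| dep.requirement.satisfied_by?(Gem::Version.new(v)) }
      # Name exists but nothing installable matches, so the dependency is still unresolved.
      "#{dep.name}: no published version satisfies #{dep.requirement}"
    end
  end
end

# Gate to apply before accepting an uploaded gem.
def push_allowed?(spec, index = PUBLISHED_VERSIONS)
  unresolved_dependencies(spec, index).empty?
end

# Constructed gemspec exercising both failure modes plus one resolvable dependency.
def example_spec
  Gem::Specification.new do |s|
    s.name    = "example-gem"
    s.version = "0.1.0"
    s.summary = "constructed example"
    s.authors = ["example"]
    s.add_runtime_dependency "rack", "~> 3.0"                      # resolves
    s.add_runtime_dependency "totally-unpublished-helper", ">= 0"  # name not in index
    s.add_runtime_dependency "nokogiri", ">= 2.0"                  # name exists, no such version
  end
end

if __FILE__ == $0
  unresolved_dependencies(example_spec).each { |problem| puts "reject: #{problem}" }
end
```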
Hey! I'd love to help implement this security improvement. Could you please confirm that we only need to verify the existence of dependency names, not their specific versions? I was thinking that might be a simpler first step that addresses the core supply chain concern.