-
-
Notifications
You must be signed in to change notification settings - Fork 933
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disallow pushing gems where dependency names do not resolve #5055
Comments
Hey! I'd love to help implement this security improvement. Could you please confirm that we only need to verify the existence of dependency names, not their specific versions? I was thinking that might be a simpler first step that addresses the core supply chain concern. |
Could be good start, yes. |
Great! Is it alright if I take on this issue? Would be happy to work on implementing the dependency name verification as a first step. |
Sure, feel free to kick-off with PR we can continue discussion at. Some validations are happening inline in https://github.com/rubygems/rubygems.org/blob/master/app/models/pusher.rb and some in https://github.com/rubygems/rubygems.org/blob/master/app/models/version.rb. |
Is your feature request related to a problem?
We currently allow pushing a gem that has unresolved dependencies
Describe the solution you'd like
We should stop allowing it
Additional context
This would close a current supply chain attack vector, where someone could push a gem and a malicious actor could see the unresolved dependency and push a rubygem that gets added as a dependency of the first gem after the fact
The text was updated successfully, but these errors were encountered: