Is there a risk of a Ruby gem acting like a trojan?


Question

I was just about to install a Ruby gem by someone I hadn't heard of. But something made me think "Who is this guy?". Is there any risk of a Ruby gem accessing private data on your machine and transmitting it elsewhere - since the gem system has Internet access? Or are there protections against this?

Solution

Of course there is. You're installing software on your computer that runs with the privileges of the script/user that calls it. It's probably easier to spot malicious code in pure Ruby than in binary packages. But if you think source inspection is a guaranteed way to spot malicious code, check out the Underhanded C Contest.

That said, if you want to write malware there are more effective delivery systems than Ruby gems. I would not be surprised if the number of actual malicious gems in existence is 0, and thus that the probability that this one is malicious is likewise 0...

See: http://rubygems.org/read/chapter/14#page61
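A pre-install triage pass in the spirit of the source inspection mentioned in the answer, as an added example that is not part of the original question or answer. The `audit_gem` helper, its pattern list, and the sample gem are assumptions constructed for illustration; the patterns are heuristics only.

```ruby
require "rubygems"
# Heuristic patterns that deserve a human look. A hit is not proof of malice,
# and a clean result is not proof of safety.
RISKY_PATTERNS = {
  network: /\b(Net::HTTP|TCPSocket|UDPSocket|open-uri|URI\.open)\b/,
  shell:   /\b(system|exec|spawn|popen\d?)\b|`[^`]+`|%x[\(\[\{]/,
  dynamic: /\b(eval|instance_eval|class_eval|Marshal\.load)\b/,
  secrets: /ENV\[|\.ssh|\.netrc|\.aws/
}.freeze

# spec: Gem::Specification; sources: { relative path => file contents }.
# Returns [kind, path, line] triples; line is nil for gemspec-level findings.
def audit_gem(spec, sources)
  # extconf.rb of a native extension is executed during `gem install`.
  findings = spec.extensions.map { |e| [:install_time_code, e, nil] }
  # Executables are exposed on the user's PATH.
  findings += spec.executables.map { |e| [:executable, e, nil] }
  sources.each do |path, code|
    code.each_line.with_index(1) do |line, lineno|
      next if line.strip.start_with?("#") # skip comment-only lines
      RISKY_PATTERNS.each do |kind, re|
        findings << [kind, path, lineno] if line.match?(re)
      end
    end
  end
  findings
end

# Constructed sample gem (not a real package).
SAMPLE_SPEC = Gem::Specification.new do |s|
  s.name = "example-gem"
  s.version = "0.0.1"
  s.extensions = ["ext/example/extconf.rb"]
  s.executables = ["example"]
end
SAMPLE_SOURCES = {
  "lib/example.rb" => <<~RUBY,
    require "net/http"
    # system("ignored: comment line")
    def ping
      Net::HTTP.get(URI("https://example.invalid/"))
    end
  RUBY
  "ext/example/extconf.rb" => <<~RUBY
    require "mkmf"
    user = `whoami`
    create_makefile("example")
  RUBY
}.freeze
audit_gem(SAMPLE_SPEC, SAMPLE_SOURCES).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

For a real gem, `gem fetch` and `gem unpack` download and extract the files without installing them, so their contents can be passed to the helper. The findings only point a reviewer at lines to read, which matches the answer's caveat that inspection is not a guarantee.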
