Protecting rubygems.org from the outside in: DoS prevention and compromised passwords
DRANK
Every gem published to rubygems.org ends up running on someone’s computer. It’s up to rubygems.org to ensure that each gem contains what it claims, that its metadata is well-formed, and that the person who pushed it is who they say they are.

We’ve been chipping away at that. Over the past few months, we shipped two changes that tighten rubygems.org’s defences at very different layers: stronger validation of gem contents at push time, and integration with Have I Been Pwned to catch compromised passwords at login.

What rubygems.org checks when you gem push

A RubyGem is actually just a regular tar file containing three sections: the code, the metadata, and the checksums. You can inspect them for yourself:

$ gem fetch rails
Fetching rails-8.1.3.gem
Downloaded rails-8.1.3
$ tar -xvf rails-8.1.3.gem
x metadata.gz
x data.tar.gz
x checksums.yaml.gz

rubygems.org closely inspects all three of these files when a gem is published, but the ones we’re looking at here are metadata.gz and checksums.yaml.gz.

The check…
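To make the three-part layout concrete, here is an added example (not rubygems.org’s own code) that builds a .gem archive in memory with Ruby’s bundled Gem::Package::TarWriter, then re-reads it and checks checksums.yaml.gz against the other two entries the way a push-time validator might. The shape of checksums.yaml (a SHA256 section and a SHA512 section, each keyed by file name) follows what `gem build` writes; the metadata and inner tarball are constructed plain strings standing in for the real gzipped YAML spec and data.tar.gz, and verify_gem is a hypothetical checker, not the server’s actual validation.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"
require "digest"
require "yaml"

REQUIRED = %w[metadata.gz data.tar.gz checksums.yaml.gz].freeze
DIGESTS  = { "SHA256" => Digest::SHA256, "SHA512" => Digest::SHA512 }.freeze

# gzip a string in memory and return the compressed bytes.
def gzip(str)
  io = StringIO.new("".b)
  gz = Zlib::GzipWriter.new(io)
  gz.write(str)
  gz.finish
  io.string
end

def gunzip(bytes)
  Zlib::GzipReader.new(StringIO.new(bytes)).read
end

# Write a plain (uncompressed) tar with one file per entry, as a .gem is.
def write_tar(entries)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |name, bytes|
      tar.add_file_simple(name, 0o644, bytes.bytesize) { |f| f.write(bytes) }
    end
  end
  io.string
end

# Read every file entry of the outer tar into a name => bytes hash.
def read_gem_entries(gem_bytes)
  entries = {}
  Gem::Package::TarReader.new(StringIO.new(gem_bytes)) do |tar|
    tar.each { |entry| entries[entry.full_name] = entry.read if entry.file? }
  end
  entries
end

# Constructed .gem: metadata_yaml and data_tar are stand-in strings for
# the real spec YAML and inner tarball. checksums.yaml.gz is derived from
# the gzipped bytes of the other two entries, as gem build does.
def build_gem(metadata_yaml, data_tar)
  entries = { "metadata.gz" => gzip(metadata_yaml), "data.tar.gz" => gzip(data_tar) }
  checksums = DIGESTS.transform_values do |digest|
    entries.transform_values { |bytes| digest.hexdigest(bytes) }
  end
  entries["checksums.yaml.gz"] = gzip(YAML.dump(checksums))
  write_tar(entries)
end

# Hypothetical push-time check. Returns [:ok, nil] or [:error, reason].
def verify_gem(gem_bytes)
  entries = read_gem_entries(gem_bytes)
  missing = REQUIRED - entries.keys
  return [:error, "missing #{missing.join(', ')}"] unless missing.empty?

  checksums = YAML.safe_load(gunzip(entries["checksums.yaml.gz"]))
  return [:error, "checksums.yaml is not a hash"] unless checksums.is_a?(Hash)

  DIGESTS.each do |algo, digest|
    recorded = checksums[algo]
    return [:error, "checksums.yaml has no #{algo} section"] unless recorded.is_a?(Hash)
    %w[metadata.gz data.tar.gz].each do |name|
      actual = digest.hexdigest(entries[name])
      return [:error, "#{algo} mismatch for #{name}"] unless recorded[name] == actual
    end
  end
  [:ok, nil]
end

# Swap in a different data.tar.gz while leaving the recorded checksums alone,
# simulating a tampered archive.
def tamper_data(gem_bytes, new_data_tar)
  entries = read_gem_entries(gem_bytes)
  entries["data.tar.gz"] = gzip(new_data_tar)
  write_tar(entries)
end

if __FILE__ == $PROGRAM_NAME
  gem = build_gem("--- {name: demo, version: 0.0.1}\n", "lib/demo.rb contents")
  p verify_gem(gem)
  p verify_gem(tamper_data(gem, "something else"))
end
```

Running the script prints `[:ok, nil]` for the intact archive and a SHA256 mismatch for data.tar.gz once the code entry is swapped. The check deliberately fails closed on a missing entry or a malformed checksums document rather than skipping the comparison, which is the behaviour you want at the boundary where untrusted uploads enter the registry.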