rubygems.org shipped two security improvements to protect the Ruby package ecosystem. First, gem metadata validation was redesigned to parse the gemspec YAML into a syntax tree and inspect that, rather than deserializing it into Ruby objects; this removes an entire class of insecure-deserialization attacks in which a crafted gem could exhaust server resources or execute arbitrary code during validation. Second, rubygems.org now checks passwords against Have I Been Pwned at login, registration, and password reset using the k-anonymity model, so only a short prefix of the password's hash leaves the server and the password itself is never exposed. Since launch, 1,166 accounts with compromised passwords have been detected and blocked. Together these changes address supply chain integrity at two distinct layers: what gets pushed and who is doing the pushing.

Source: blog.rubygems.org (6 minute read)
Table of contents

- What rubygems.org checks when you gem push
- Exploiting the validation process
- Validating gems without Gem::Specification
- Compromised passwords and the supply chain
- Checking passwords without exposing them
- Shipping the work
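The k-anonymity password check summarized at the top of the page, as an added example and not rubygems.org's implementation: the server hashes the password with SHA-1, sends only the first five hex characters of the digest to the Have I Been Pwned range endpoint, and compares the remaining 35 characters against the returned bucket locally. The network fetcher targets the real range API, but the offline run uses a constructed bucket for the prefix of SHA-1("password"); the counts in that bucket are made up, and the `acceptable_password?` policy wrapper is an assumption for this example.

```ruby
require "digest"
require "net/http"
require "uri"

# Splits a password's SHA-1 digest into the 5-hex-character prefix that is sent
# to the API and the 35-character suffix that never leaves the server.
def hibp_split(password)
  digest = Digest::SHA1.hexdigest(password).upcase
  [digest[0, 5], digest[5..]]
end

# Real lookup of one k-anonymity bucket (network; not exercised by the offline test).
# Add-Padding asks the API to pad responses so their size does not leak bucket contents.
def fetch_range_from_hibp(prefix)
  raise ArgumentError, "prefix must be 5 hex chars" unless prefix.match?(/\A[0-9A-F]{5}\z/)
  uri = URI("https://api.pwnedpasswords.com/range/#{prefix}")
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    http.get(uri.request_uri, "Add-Padding" => "true")
  end
  raise "HIBP range lookup failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Returns how many times the password appears in the breach corpus (0 if absent).
# +fetch_range+ is injectable so the comparison logic can run against a canned bucket.
def compromised_count(password, fetch_range: method(:fetch_range_from_hibp))
  prefix, suffix = hibp_split(password)
  fetch_range.call(prefix).each_line do |line|
    candidate, count = line.strip.split(":", 2)   # bucket lines look like SUFFIX:COUNT
    return count.to_i if candidate&.upcase == suffix
  end
  0
end

# Policy applied at registration, login and reset (assumed for this example):
# refuse any password that appears in the corpus at all.
def acceptable_password?(password, fetch_range: method(:fetch_range_from_hibp))
  compromised_count(password, fetch_range: fetch_range).zero?
end

# Constructed bucket for prefix 5BAA6. The 1E4C...8FD8 suffix is the remainder of
# SHA-1("password"); the other suffixes and all counts are made up. Padded
# entries from the real API carry a count of 0 and so never match as compromised.
FAKE_BUCKET_5BAA6 = <<~TXT
  1D2D3B4D9F4B4E2A0D7E6C5B4A392817161:2
  1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
  1F00A1B2C3D4E5F60718293A4B5C6D7E8F9:0
TXT

# Offline stand-in for fetch_range_from_hibp: only the 5BAA6 bucket is populated.
OFFLINE_RANGE = ->(prefix) { prefix == "5BAA6" ? FAKE_BUCKET_5BAA6 : "" }
```

Two operational caveats. The bucket comparison must be case-insensitive on the suffix (the API returns uppercase hex), which is why the example upcases both sides. And `fetch_range_from_hibp` raises on a non-2xx response rather than returning an empty bucket, so the caller, not the lookup, decides whether an outage fails open (let the password through) or fails closed (reject until the service is back); silently treating an error as "not compromised" would quietly disable the control.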
