Gemfury is cloud hosting for your private and custom packages. Once uploaded, you can install private RubyGems, Python packages, or Node.js modules into your app. It's simple, reliable, and hassle-free.
Funny how time flies when you do what you love. Here at Gemfury, 2013 started out a bit rough, but has finished as another outstanding year. Scrolling back through the big announcements doesn't give enough insight into all the other hard work we've dedicated this year to delighting our customers and community. Today is a good day to sum up what has kept us busy.
Simplify account management
After months in the making, we have announced the new Gemfury dashboard to improve the way you manage your packages, collaborators and settings. The improvements didn't stop there -- we've recently added an overview of your accounts, drag-and-drop uploads, and large file support to the dashboard.
Improve package uploads
Dashboard's support for drag-and-drop and large files is only a small part of our effort to make building and uploading packages easier. The Gemfury CLI has also gained support for large file uploads, and we are now experimenting with using git push as a new method of adding packages to your account.
Easier collaboration
This year saw a big push to make collaboration easier and more transparent with greater access control. With the reorganization of the repo endpoints and Organization accounts, Gemfury is now even easier and more flexible to use in a business or a team setting.
Repos, Repos, Repos
The heavy lifting behind Gemfury is still understanding the specs, protocols, and customer needs behind each individual package manager. Our greatest priority is still to improve performance, security, and experience for existing package managers, while also looking at a few new ones.
With this year's introduction of PHP Composer, NuGet, YUM/RPM, and APT/DEB, Gemfury now supports seven different package managers. Not to be outdone, Version Badge has jumped from just RubyGems to support eight different package types. Whoa!
More to come
Our customers love the changes we've been making this year, and we are just getting started. Stay tuned in 2014...
Not so long ago, Gemfury started out as a simple solution to a single developer's problem. Since then the service has grown to be an invaluable tool in both our team's and others' toolkits. Today, we are introducing Organizations - a growing set of improvements that make Gemfury better for team and business use.
Your team meets here
By creating an Organization account, you will decouple your team's code from any individual member. All the packages, billing, ownership, and access will be centralized and controlled within your new Organization account. Furthermore, unlike Personal accounts, you will no longer be compelled to share your password to share administrative duties - an Organization can be administered by one or more owners just by switching the context of your new Dashboard.
Extended collaboration control
Personal accounts have offered the ability to open your account to a few colleagues; Organizations take this a step further.
All Organization accounts include unlimited collaborators. Moreover, we've expanded collaboration beyond just the Upload/Download permission and now offer you one of three permission levels:
Download-only is the most basic level of access that allows the team member to download and install packages from your account.
Upload/Download is for those tireless developers who move your code base forward. This level is for both uploading and installing packages.
Owner is the highest permission level reserved for administration of the account. In addition to having full Upload/Download capabilities, Owners can update settings, payment plan, and manage collaborators.
Our early Organization users have discovered a multitude of ways to use these new permission levels. Consultants use Download-only to allow multiple clients to use packages across projects without interfering with each other. Large businesses, on the other hand, use Download-only accounts to create dummy/bot collaborators to limit and control access when distributing a secret Repo-URL within their organization.
Manage your accounts
Organizations is an easy way to compartmentalize your work, but participating or managing many projects doesn't need to be overwhelming. That is why we are introducing the Manage Accounts page that gives you a single-glance overview and a fast way to dive into any part of any account.
You can also use it to create new organizations or to convert an existing Personal account to an Organization, if you have already adopted Gemfury for your business. Don't worry, all packages and collaborators will be kept through the conversion.
Pricing
In order to really make Organizations a team-oriented way to use Gemfury, we are providing all Organization accounts with no collaborator limit - go crazy! Instead, these accounts are priced by the number of packages you upload starting from $25/mo for 10 packages. This will better suit our business customers and keep allowing us to innovate on Gemfury for both team and personal use.
Comments or questions?
Please reply to the following tweet or contact us:
Introducing Organizations - Gemfury goes to Work http://t.co/HOvh6eLb96
A few months ago, we arrived at the conclusion that the design and the underlying technology behind our dashboard no longer fit the future of Gemfury. Since then, we've worked with many of you, our customers, to develop a better way to manage your packages. Today, we're happy to share the product of this collaboration -- the new Gemfury Dashboard.
Navigate quickly
The most significant improvement is the consolidation of all navigation into the left menu -- whatever you're looking for, it is here. Each tab corresponds to a distinct purpose with which you may visit Gemfury: to upload or delete packages, to connect to your repository, or to update any other part of your account.
Built for teams
Collaborating across multiple accounts is not an afterthought -- easily switch your context by using the accounts drop-down at the top of the left menu. Managing collaborators and permissions for your account is still a familiar part of the Collaborate tab.
Unbreak the browser
One of the most frustrating deficiencies of the old dashboard was the lack of browser history and deep linking. This is now fixed. The back button works, and for every location in the dashboard, you can now bookmark or share the link to return directly to that page later.
We’re really excited to launch these and many other improvements with this update, and we look forward to your feedback. If you already have a Gemfury account, go ahead and switch to the New Dashboard now. If you're new to Gemfury, it is on by default for all new customers.
Comments or questions?
Please reply to the following tweet or contact us:
Introducing Your New Gemfury Dashboard http://t.co/1nrFjajr1D
Although Gemfury Package Repo is our main vocation, we believe that it's part of our mission to give back to the hacker community through code contribution, guides, and value-add services. So while we are putting the final touches on some major updates to Gemfury, today, I'd like to note a couple of recent improvements that we have made to the Version Badge service.
PyPI package support
A few days ago, we enabled support for Python, thus reaching parity with Gemfury's support of Ruby, Node.js, and Python packages. Python coders can now easily discover the PyPI package corresponding to a project's homepage, documentation, or source code.
If you're a Python package owner, go ahead and try it for your project, check out other popular projects already using Version Badge, and help us reach other package authors on Twitter and Facebook.
Retina-ready badges
If you've invested in that top-of-the-line MacBook Pro or any other high-pixel-density device, you no longer have to avert your eyes from the jarring pixels of standard badges. Version Badge is now Retina-ready!
You will notice that the preview images on the homepage are now high-DPI, and we have included the Retina HTML field that you can copy/paste into your README file. They look gorgeous -- try it now!
Comments or questions?
If you have any comments or questions, please email us or reply on Twitter:
Version Badge is now Retina-ready and supports Python packages http://t.co/7BgryjlzR2 http://t.co/jvESlFqZdW
Since the original announcement two months ago, hundreds of package owners have installed the Version Badge, helping thousands of developers every day to quickly identify and find the installable package associated with a Github repo or a project webpage. Among many others, some notable projects are Devise, CanCan, Celluloid, and Slim.
Today, we are happy to introduce Version Badge for NPM modules.
Node.js and NPM allow many new and experienced JavaScript developers to package and quickly deploy code to any server. The Version Badge will further speed up this process of discovery and integration. Module owners have already jumped at the opportunity to enhance their modules: Engine.IO, JS Beautifier, JSHint, and more.
Install your 'Pieces of Flair'
If you're an NPM module owner, go ahead and try it for your module, check out projects already using Version Badge, and help us reach other module authors on Twitter and Facebook.
Special Thanks
I thank all of the initial Badge users who have given us feedback, and helped to get this project off the ground. I would also like to thank @olivierlacan and @ackerdev for the new badge design, and Put a Shield on It™ effort to standardize badges across services.
And last but not least, a big thank you to all Gemfury customers who allow us to build great tools for the programming community by choosing our service.
Comments or questions?
If you have any comments or questions, please email us or reply on Twitter:
Version Badge for NPM modules is here! badge.fury.io/for/js
Over the course of the last few months, we have been carefully extending Gemfury for multi-user and multi-language use. Today, we would like to announce two big changes to the way you download and install your packages.

### New Repository URL

We are taking one more step toward Gemfury being truly language-agnostic by officially switching to a new set of default endpoints for private repositories. Starting today, the proper way to install your packages is by using one of the following Repo-URLs:

```
"https://[email protected]/me/"               # RubyGems
"https://pypi.fury.io/secret-token/me/"        # PyPI
"https://npm.fury.io/secret-token/me/"         # NPM
```

By switching to shorter per-language domains, we feel this will make Gemfury integration even easier, more intuitive, and more extendable in the future. We encourage all of our customers to switch from the `gems.gemfury.com` endpoint to one of the new `fury.io` URLs. The old `gems.gemfury.com` endpoint is now deprecated and will not be supported after **April 19, 2013**.

Learn more about your new [Repo-URL](http://devcenter.gemfury.com/articles/repository-url.html) and keep track of [upcoming changes to Gemfury](http://devcenter.gemfury.com/articles/changes-deprecations.html).

### Sharing of accounts

With the new Repo-URL format, we are also enabling the ability to share your account for package download and installation. With the old repository endpoint, the only way to give a collaborator download access to your repository was by sharing your secret token. This is neither safe nor scalable. With the new Repo-URL, a collaborator can now get *download* access to your team account by modifying the URL as follows:

```
https://[email protected]/team-username/
```

You can find out more at our [Dev Center article about collaboration](http://devcenter.gemfury.com/articles/collaboration.html).
If this permission/access model is too limiting for your needs, we are testing extended permission control for our [Organization accounts](http://devcenter.gemfury.com/articles/organizations.html) -- please [contact us](mailto:[email protected]) if you're interested.

### Comments or questions?

*If you have any comments or questions, please [email us](mailto:[email protected]) or reply on Twitter:*
Unleash the Fury.io blog.gemfury.com/post/434720059…
*After evaluating Gemfury's processing of RubyGems, we feel it is important to share our understanding and bring awareness to possible security issues when parsing untrusted YAML input.*

On January 30, 2013, the community package server [RubyGems.org](https://rubygems.org) was compromised through a remote code execution vulnerability. The all-volunteer team sprung into action and in the following 53 hours yanked the exploit, patched the vulnerability, [verified all the existing gems](http://blog.rubygems.org/2013/01/31/data-verification.html), and migrated the service to AWS. As of today, the service has been [restored](https://twitter.com/rubygems_status/status/297610518292738048) and [deemed safe for use](https://twitter.com/rubygems_status/status/297130703445979136).

__Important__: This vulnerability came from misuse of a standard YAML library and might not be specific to just RubyGems.org. Many applications depend on this library and are potentially vulnerable to a similar exploit if exposed to untrusted YAML input -- **please take this opportunity to audit and secure your own applications**.

## Quick review of RubyGem structure

RubyGems are used to encapsulate, package, and share Ruby code. A Gem is nothing more than a __tar.gz__ archive of the files packaged with `gem build`:

```
$ tar -ztf rails-3.2.11.gem
data.tar.gz
metadata.gz
```

The `data.tar.gz` archive contains all packaged files that the author has chosen to distribute. A list of these files is specified in the original [gemspec](http://guides.rubygems.org/specification-reference/).

The `metadata.gz` file is a compressed `YAML.dump` serialization of the `Gem::Specification` object that is defined by the above-mentioned *gemspec*. This specification contains the name, version, author, file list, dependencies, and other important information about the Gem.
## Uploading to RubyGems.org

When a Gem is uploaded to RubyGems.org or [Gemfury](http://www.gemfury.com), the server extracts the contents of `metadata.gz` and uses this to index the Gem. The extracted data is used on the [Gem information page](https://rubygems.org/gems/gemfury) and, more importantly, in the backend indexes queried by `gem install` and Bundler when a developer installs that Gem.

## The vulnerability

Before the discovery of this exploit, RubyGems.org loaded the content of `metadata.gz` by calling `YAML.load`, which is a part of the standard Ruby libraries. A powerful feature of the Ruby YAML library is the ability to serialize Ruby objects. For example, when `YAML.load` was called on the Gem metadata, the returned object was a `Gem::Specification` instance and not one of the basic types. This feature was used to compromise RubyGems.org -- the exploit was an uploaded gem with a well-crafted `metadata.gz` file that instantiated an object that could and did execute arbitrary Ruby code.

YAML has a number of ways to [deserialize Ruby objects](http://www.yaml.org/YAML_for_ruby.html#yaml_for_ruby), and one of them is specifically designed for subclasses of `Hash`. It takes the following form in the YAML file:

```yaml
--- !ruby/hash:MyHashClass
Hello: World
Foo: Bar
```

In this example, when the parser encounters this input, it will create a new instance of `MyHashClass` and call the `[]=` method for each listed key/value pair. And it does so without verifying whether `MyHashClass` is actually a subclass of `Hash`. So now, to execute arbitrary code, one just has to find any existing class that calls `eval` on either of the arguments to the `[]=` method. Unfortunately, the class that was used in this exploit is included in every Ruby on Rails application as part of Action Pack's routing. If you trace the `[]=` method of `NamedRouteCollection`, you will find that it inserts the content of the first argument into a `module_eval` block, thus executing rogue code.
## Assessment

Please evaluate whether your application is loading YAML input anywhere from an untrusted source. A good way to catch it is to stub the `YAML.load` method after all your configuration files are loaded and re-run your test suite.

## Mitigation

If your application is supposed to process untrusted YAML input, I recommend two possible solutions:

* If your input is only expected to have basic types without any Ruby objects, I recommend looking at [safe_yaml](https://github.com/dtao/safe_yaml), which disables non-basic types for both Syck and Psych parsers. Using only basic types should be the standard approach to serializing to YAML. It is not a good practice to expose internal details of your application (like class names) outside of a trusted environment.
* However if, like RubyGems.org, your input is expected to contain certain Ruby classes, then you should customize the behavior of Psych to only instantiate a whitelisted set of classes. Also, audit and/or stub the following methods for each of the whitelisted classes:

```ruby
def []=(k, v)
end

def init_with(v)
end

def yaml_initialize(k, v)
end
```

## Additional resources

* [RubyGems.org 1/30/13 incident status](http://t.co/iUY2lebz)
* [RubyGems.org data verification status](http://blog.rubygems.org/2013/01/31/data-verification.html)
* [RubyGems.org class-whitelist YAML patch](https://github.com/rubygems/rubygems.org/blob/master/config/initializers/forbidden_yaml.rb)
* [safe_yaml project](https://github.com/dtao/safe_yaml)
* [YAML for Ruby](http://www.yaml.org/YAML_for_ruby.html)

*If you have any comments or corrections, please [email me](mailto:[email protected]) or reply on Twitter:*
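The whitelist approach from the Mitigation section, shown as an added example rather than code from this post or from RubyGems.org's `forbidden_yaml.rb` patch: Psych's `safe_load` is given an explicit list of permitted classes, so a `!ruby/hash:` or `!ruby/object:` tag naming any other class is rejected before the class is allocated or its `[]=` is called. The permitted-class list and both YAML documents are constructed for illustration and are not a real gem's metadata.

```ruby
require 'yaml'
require 'rubygems'

# Illustrative whitelist (an assumption, not RubyGems.org's list): the only
# non-basic types this loader will instantiate. Any other tagged node, such as
# !ruby/hash:SomeClass, raises Psych::DisallowedClass instead of being built.
PERMITTED_CLASSES = [Symbol, Gem::Version].freeze

class UntrustedMetadataError < StandardError; end

# Load gem-style metadata YAML, allowing scalars, arrays, hashes and only the
# classes above. aliases: false also blocks alias-based "billion laughs" docs.
# (On Ruby 3.1+ / Psych 4, YAML.load already delegates to safe_load and the
# old behaviour lives in YAML.unsafe_load; older Rubies need this explicitly.)
def load_metadata(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: PERMITTED_CLASSES, aliases: false)
rescue Psych::DisallowedClass => e
  raise UntrustedMetadataError, "rejected metadata: #{e.message}"
end

# True if the document parses under the whitelist, false if it was rejected.
def metadata_safe?(yaml_text)
  load_metadata(yaml_text)
  true
rescue UntrustedMetadataError
  false
end

# Constructed sample resembling a few fields found in a gem's metadata.gz.
GOOD_METADATA = <<~YAML
  ---
  name: example-gem
  version: !ruby/object:Gem::Version
    version: 1.2.3
  authors:
  - Jane Doe
YAML

# Constructed sample using the !ruby/hash:<Class> tag described above, but
# naming a class outside the whitelist. YAML.load would allocate that class and
# call []= for each pair; safe_load refuses to resolve the class at all.
TAGGED_METADATA = <<~YAML
  --- !ruby/hash:SomeUnexpectedClass
  Hello: World
  Foo: Bar
YAML

if __FILE__ == $PROGRAM_NAME
  spec = load_metadata(GOOD_METADATA)
  puts "#{spec['name']} #{spec['version']}"   # example-gem 1.2.3
  puts metadata_safe?(TAGGED_METADATA)        # false
end
```

The same loader can sit in front of `Gem::Specification` construction so that only the whitelisted classes' `init_with`, `yaml_initialize` and `[]=` methods are ever reachable from uploaded input.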
If you enjoy using Gemfury, you already know the benefits of DRY, encapsulation, and modularizing your code. However, building a new Gem is still not as easy as sticking a stray file or two into ./lib.
Today, we're opening the Gemfury Dev Center as the best place to learn about packaging code. As we read countless blog posts, emails, and raw code, we will continue to extract some of the most precious tips, tricks, and other gems (haha, get it?) to share with you.
Take a look and email us what you think at [email protected]. We would love to hear what other topics and techniques that you want to learn.
Say Hello to Gemfury Dev Center - packaging code simplified devcenter.gemfury.com
Today we're officially launching Gemfury to finally bring all the conveniences of RubyGems to your private Gems. What started as an internal collection of scripts has finally turned into a "real thing." We love using it, and hope that you will too.
It's Dropbox for Rubyists
Just as Dropbox helps you organize and access your files via the cloud, Gemfury lets you securely store your private RubyGems and install them anywhere without the hassle of running your own private Gem server.
If you've used Ruby, you already know how to use Gemfury. It works just like the RubyGems public server, but for your own custom Gems. Keep using the command-line gem tool for both uploading:
Perfect to use with Heroku or with other cloud platforms!
Gemfury has a lot of other helpful features including account collaboration, command-line tool, mass-upload, quick-index API for Bundler 1.1, compatibility with all Ruby implementations, and more — come give it a spin »
Security
Your Gems are safe! Your RubyGems are protected during deployment by a secret token that's part of your Gemfury Source URL. As long as you keep this URL secret, only you can access your Gems. All uploads, deployments, and installations are done via SSL.
Pricing
Gemfury pricing starts at $9/mo. With developers being our target audience, we know that roll-your-own is always an alternative. Saving you hours of tweaking your own Gem server, we think this pricing is appropriate for both organizations and individual developers. Many of our early customers agree.
A few notes
We wanted to thank all of our pre-launch customers for their support - we listened to all of your feedback, and I hope you're as happy and proud of the outcome as we are. Please keep it coming.
We are thrilled that both the Gemfury product and the Gemfury story are strongly relevant to the Ruby community. In the upcoming weeks, we will use this blog not only to talk about using this service, but also share insights and code that we've developed while building it.
Follow us on Tumblr, Twitter or Facebook if you would like to hear more.
Comments or questions?
Please reply to the following tweet or contact us:
Introducing Gemfury — It's Dropbox for Ruby Developers gemfury.com/post/176529644…
February 15, 2012
Updated Feb. 21, 2013:
Use the new gem.fury.io repository URL in the Gemfile example.