By Devlin Zed on August 27, 2013

For a while, Bundler has had the ability to create binstubs in your projects. They're small wrapper scripts that load your Bundler environment before running the command, allowing you to omit that tiresome bundle exec: putting ./bin on your $PATH means you can run rake instead of bundle exec rake.

Before Rails' fourth version, it was discouraged to check these scripts into version control. Now, however, it's encouraged. Binstubs can be very convenient and removing boilerplate is always a good thing.

However, adding ./bin to your $PATH presents a dangerous security vulnerability: any repository you check out gets to decide what your commands do. Consider, for example, that you check out a repository with a ./bin/bundle script that runs rm -rf $HOME &. When you try to run bundle install, you'll delete everything inside your home directory!

Looking for an alternative, I came across the concept of trusted repositories in tpope's dotfiles. Instead of adding ./bin to your $PATH, we can add .git/trusted/../../bin by putting this in your ~/.bashrc:

export PATH="./.git/trusted/../../bin:$PATH"

This is effectively the same as adding ./bin, but the entry only resolves if the .git/trusted directory exists. Since the contents of .git are never part of what you clone, no project can ship that folder, which lets you whitelist repositories by creating it yourself. Now, we can manage this with git aliases:

git config --global alias.trust '!mkdir .git/trusted'
git config --global alias.untrust '!rmdir .git/trusted'

Run git trust in a freshly cloned directory and you'll be able to run its binstubs. Run git untrust to remove the flag. You can also create ~/.bundle/config with the following content to automatically create binstubs when you install your gems.
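The trusted-directory trick above, exercised end to end in a throwaway directory: this is an added example, not code from the post or from tpope's dotfiles. It assumes a POSIX sh with mktemp and uses a stand-in binstub named hello; no real git clone is needed, because only the directory layout matters to PATH resolution.

```shell
#!/bin/sh
# Added example (not from the original post): shows that a binstub in
# ./bin is only reachable through the ./.git/trusted/../../bin PATH
# entry while .git/trusted exists. Assumes POSIX sh and mktemp.

# Build a fake checkout in a temp dir: bin/hello stands in for a binstub.
make_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.git" "$dir/bin"
  printf '#!/bin/sh\necho hello-from-binstub\n' > "$dir/bin/hello"
  chmod +x "$dir/bin/hello"
  printf '%s\n' "$dir"
}

# Same effect as the post's `git trust` / `git untrust` aliases.
trust()   { mkdir "$1/.git/trusted"; }
untrust() { rmdir "$1/.git/trusted"; }

# Run `hello` from inside the repo with the trusted PATH entry prepended.
# Prints the binstub's output, or "not-found" when PATH lookup fails
# (the kernel cannot traverse the missing "trusted" component).
run_binstub() {
  ( cd "$1" &&
    PATH="./.git/trusted/../../bin:$PATH" &&
    export PATH &&
    if command -v hello >/dev/null 2>&1; then hello; else echo not-found; fi )
}

# Walk through untrusted -> trusted -> untrusted and report each lookup.
demo() {
  repo=$(make_repo)
  before=$(run_binstub "$repo")   # untrusted: lookup must fail
  trust "$repo"
  during=$(run_binstub "$repo")   # trusted: the binstub runs
  untrust "$repo"
  after=$(run_binstub "$repo")    # revoked: lookup fails again
  [ -n "$repo" ] && rm -rf "$repo"
  printf '%s %s %s\n' "$before" "$during" "$after"
}
```

Running demo prints "not-found hello-from-binstub not-found", which is the whole point: the same PATH line in ~/.bashrc is inert until you opt a checkout in.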
