On the Floor

Safe Binstubs with Rails

For a while, Bundler has had the ability to create binstubs in your projects. They're mock scripts that load your Bundler environment before running the command, allowing you to omit that tiresome bundle exec: putting ./bin on your $PATH means you can run rake instead of bundle exec rake.

Before Rails' fourth version, it was discouraged to check these scripts into version control. Now, however, it's encouraged. Binstubs can be very convenient and removing boilerplate is always a good thing.

However, adding ./bin to your $PATH is a dangerous security vulnerability. Consider, for example, that you check out a repository with a bin/bundle script that runs rm -rf $HOME &. When you try to run bundle install inside it, that script runs instead of Bundler and you'll delete everything inside your home directory!

Looking for an alternative, I came across the concept of trusted repositories in tpope's dotfiles. Instead of adding ./bin to your $PATH, we can add .git/trusted/../../bin by putting this in your ~/.bashrc:

export PATH="./.git/trusted/../../bin:$PATH" 

This is effectively the same as adding ./bin, but the path only resolves if you've created the .git/trusted directory. Git never tracks anything under .git, so you can't possibly clone a project that contains that folder, which means creating it yourself is how you whitelist a repository. Now, we can manage this with git aliases:

git config --global alias.trust '!mkdir .git/trusted'
git config --global alias.untrust '!rmdir .git/trusted'
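
The gate can be checked in a throwaway directory before relying on it. This is an added example, not code from the original post; the sandbox layout and the demo-binstub name are constructed, and plain mkdir/rmdir stand in for the git trust and git untrust aliases.

```shell
#!/bin/sh
# Added example: exercises the ./.git/trusted/../../bin PATH entry in a sandbox.
# The directory layout and the name demo-binstub are constructed for this demo.

# Prints "found" if demo-binstub resolves through PATH, otherwise "missing".
lookup() {
  hash -r   # drop cached command locations so every check is a fresh search
  if command -v demo-binstub >/dev/null 2>&1; then echo found; else echo missing; fi
}

demo_trust_gate() {
  # Stand-in for a freshly cloned repository that ships a binstub.
  repo=$(mktemp -d) || return 1
  mkdir -p "$repo/.git" "$repo/bin"
  printf '#!/bin/sh\necho binstub-ran\n' > "$repo/bin/demo-binstub"
  chmod +x "$repo/bin/demo-binstub"

  result=$(
    cd "$repo" || exit 1
    PATH="./.git/trusted/../../bin:$PATH"   # the entry from ~/.bashrc

    before=$(lookup)      # .git/trusted is absent, so the path cannot resolve
    mkdir .git/trusted    # what `git trust` does
    trusted=$(lookup)
    ran=$(demo-binstub)   # the binstub now runs without a ./bin/ prefix
    rmdir .git/trusted    # what `git untrust` does
    after=$(lookup)

    echo "$before $trusted $ran $after"
  )
  rm -rf "$repo"
  echo "$result"
}

demo_trust_gate   # prints: missing found binstub-ran missing
```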

Run git trust in a new directory and you'll be able to run its binstubs. Run git untrust to remove the flag.

You can also create ~/.bundle/config with the following content to automatically create binstubs when you install your gems.


