If you wish to audit a gem’s contents without installing it, use the fetch command to download the .gem file, then extract its contents with the unpack command. Neither step runs any code from the gem: unlike gem install, unpack only extracts the archive and does not build native extensions or run their extconf.rb.
$ gem fetch malice
Fetching malice-13.gem
Downloaded malice-13
$ gem unpack malice-13.gem
Unpacked gem: '.../malice-13'
$ more malice-13/README
Malice v. 13
DESCRIPTION
A small, malicious library.
[...]
$ rm -r malice-13*
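As an added example (not part of the RubyGems guide), the same audit done from Ruby with the Gem::Package class that fetch and unpack use under the hood: it reads metadata.gz and data.tar.gz straight out of the archive, so nothing is installed and none of the gem's own code runs. The gem it inspects is a constructed sample named after the guide's "malice" example, built in a temporary directory so the script runs offline; audit_gem, unpack_gem and build_sample_gem are names chosen here, not RubyGems APIs.

```ruby
#!/usr/bin/env ruby
# Added example (not from the RubyGems guide): inspect a .gem archive without
# installing it, via the Gem::Package class behind `gem fetch` / `gem unpack`.
# The sample gem built below is constructed for this demo only.
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Summarise what a .gem would do if installed, reading only the archive.
# Returns a hash; nothing is installed and no code from the gem is executed.
def audit_gem(gem_path)
  pkg  = Gem::Package.new(gem_path)
  spec = pkg.spec                       # metadata.gz, parsed from YAML
  {
    name:         spec.name,
    version:      spec.version.to_s,
    files:        pkg.contents.sort,    # entries of data.tar.gz
    extensions:   spec.extensions,      # extconf.rb etc.: code that `gem install` runs
    executables:  spec.executables,     # scripts `gem install` places on PATH
    dependencies: spec.dependencies.map { |d| "#{d.name} #{d.requirement}" },
    post_install_message: spec.post_install_message,
  }
end

# Equivalent of `gem unpack`: extract the archive into dest, again without
# installing. Returns the relative paths of the extracted files.
def unpack_gem(gem_path, dest)
  Gem::Package.new(gem_path).extract_files(dest)
  Dir.glob("**/*", base: dest).select { |f| File.file?(File.join(dest, f)) }.sort
end

# Build a small constructed gem (named after the guide's "malice" example) so the
# audit can run offline. Returns the path of the .gem file.
def build_sample_gem(dir)
  FileUtils.mkdir_p(File.join(dir, "lib"))
  FileUtils.mkdir_p(File.join(dir, "ext", "malice"))
  FileUtils.mkdir_p(File.join(dir, "bin"))
  File.write(File.join(dir, "lib", "malice.rb"), "module Malice; end\n")
  File.write(File.join(dir, "ext", "malice", "extconf.rb"),
             "require 'mkmf'\ncreate_makefile('malice')\n") # never executed here
  File.write(File.join(dir, "bin", "malice"), "#!/usr/bin/env ruby\nputs 'malice'\n")

  spec = Gem::Specification.new do |s|
    s.name        = "malice"
    s.version     = "13"
    s.summary     = "A small, malicious library (constructed sample)."
    s.authors     = ["example"]
    s.license     = "MIT"
    s.files       = ["lib/malice.rb", "ext/malice/extconf.rb", "bin/malice"]
    s.extensions  = ["ext/malice/extconf.rb"]
    s.executables = ["malice"]
    s.add_runtime_dependency "rake", ">= 13"
    s.post_install_message = "thanks for installing"
  end
  # Build from inside dir: Gem::Package resolves spec.files relative to the cwd.
  # The second argument skips spec validation (warnings only matter for publishing).
  name = Dir.chdir(dir) { Gem::Package.build(spec, true) }
  File.join(dir, name)
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    report = audit_gem(build_sample_gem(dir))
    puts "#{report[:name]} #{report[:version]}"
    report.each { |k, v| puts "  #{k}: #{v.inspect}" unless [:name, :version].include?(k) }
    if report[:extensions].any?
      puts "install would run native-extension build(s): #{report[:extensions].join(', ')}"
    end
  end
end
```

The items worth a second look in the report are the ones that execute or expose code at install or run time: extensions (built when the gem is installed), executables (placed on PATH), and any file outside lib/ that the gemspec nevertheless ships. Pointing audit_gem at a file downloaded with gem fetch gives the same summary for a real gem.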
You can also unpack a gem you have installed, modify a few files, then use the modified gem in place of the installed one:
$ gem unpack rake
Unpacked gem: '.../13.0.6'
$ vim 13.0.6/lib/rake/...
$ ruby -I 13.0.6/lib -S rake some_rake_task
[...]
The -I argument adds your unpacked rake to the ruby $LOAD_PATH, which prevents RubyGems from loading the gem version (or the default version). The -S argument finds rake in the shell’s $PATH so you don’t have to type out the full path.