Is it a popular thing to bundle gems from random dev websites? I only use Ruby for Sass and I assumed that basically everyone used RubyGems.org.
I’ve worked in environments where we ran our own RubyGems source inside the production infrastructure, although it only had dependencies for our application. I’d hope that most usage of multiple sources has both the public one that people tend to trust, and a private one run by the same organization deploying gems from it.
I wouldn’t say “random”. If you purchase a gem as a service, they can deliver it to you as a gem from a secure source that you are able to access with a private key. Some popular options are Sidekiq and Rails LTS. I suspect there are others that I am not aware of. You can also run your internal gem server and distribute your own gems that way. So if someone is running a knock-off version of your trusted gem that gets installed instead of the one you wanted, then a malicious agent could cause problems.
Is this really a security vulnerability? Assuming you’re actually running code from that secondary source gem, it seems the other gem could do arbitrary things to your computer in the same way that a malicious rails gem could.
The reason why this is (supposedly) a problem is that you may inspect the gem that you grabbed from that alternative source, but you may not have noticed or had any insight into that alternative server also having a ‘rails’ gem.
‘Rails’ is important because most Rubyists will install it and so a malicious person would have a good possibility of you installing the fake gem.
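An added illustration of the pattern the last four posts describe, not code from any poster or from Bundler: a small, hypothetical evaluator that reads the `source` and `gem` declarations of a Gemfile and reports gems that are not pinned to one source while more than one global source is declared. The two Gemfiles and the private source URL are constructed; the fix shown is the scoped `source ... do ... end` block that Bundler supports.

```ruby
# Minimal evaluator for the `source` and `gem` parts of a Gemfile (hypothetical;
# it ignores groups, platforms and everything else the real Bundler DSL knows).
class GemfileAudit
  attr_reader :globals, :gems

  def initialize
    @globals = []   # top-level `source` URLs, in declaration order
    @gems = {}      # gem name => the single source it is pinned to, or nil
    @scope = nil    # source URL of the enclosing `source ... do` block, if any
  end

  # `source "url"` adds a global source; `source "url" do ... end` scopes the
  # gems declared inside the block to that one source.
  def source(url, &block)
    return @globals << url unless block
    prev, @scope = @scope, url
    instance_eval(&block)
    @scope = prev
  end

  # `gem "name", ..., source: "url"` pins explicitly; otherwise the enclosing
  # scope (or nil, meaning "any global source") applies.
  def gem(name, *_args, **opts)
    @gems[name] = opts[:source] || @scope
  end

  # Gems whose origin is ambiguous: unpinned while two or more global sources
  # exist, so a same-named gem on either source could be the one installed.
  def ambiguous
    return [] if @globals.size < 2
    @gems.select { |_, src| src.nil? }.keys
  end

  def self.audit(text)
    new.tap { |a| a.instance_eval(text) }
  end
end

# Constructed Gemfiles: the weak layout and its scoped replacement.
WEAK = <<~GEMFILE
  source "https://rubygems.org"
  source "https://gems.example-vendor.test"   # constructed private source
  gem "rails"
  gem "vendor-gem"
GEMFILE

FIXED = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails"
  source "https://gems.example-vendor.test" do
    gem "vendor-gem"
  end
GEMFILE
```

Running `GemfileAudit.audit(WEAK).ambiguous` lists both gems, because either source could supply a `rails`; the scoped version leaves nothing ambiguous.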