guarddog 2.7.1__py3-none-any.whl → 2.9.0__py3-none-any.whl

guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml

@@ -21,13 +21,13 @@ rules:
               regex: ([\"\'].*(.aws/credentials|.docker/config.json)[\"\'])
       - patterns:
           - pattern-either:
-              - pattern: os.getenv($ENVVAR)
+              - pattern: os.getenv($ENVVAR, ...)
               - pattern: os.environ[$ENVVAR]
-              - pattern: os.environ.get($ENVVAR)
+              - pattern: os.environ.get($ENVVAR, ...)
 
-              - pattern: getenv($ENVVAR)
+              - pattern: getenv($ENVVAR, ...)
               - pattern: environ[$ENVVAR]
-              - pattern: environ.get($ENVVAR)
+              - pattern: environ.get($ENVVAR, ...)
           - metavariable-regex:
               metavariable: $ENVVAR
               regex: ([\"\'](AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[\"\'])
@@ -54,6 +54,32 @@ rules:
               - pattern-inside: $S = socket.socket(...); ...
               - pattern-inside: $S.connect(...); ...
               - pattern-inside: $S.send(...)
+          # DNS exfiltration - socket module (built-in)
+          - pattern-inside: socket.gethostbyname(...)
+          - pattern-inside: socket.getaddrinfo(...)
+          - pattern-inside: socket.gethostbyname_ex(...)
+          # DNS exfiltration - dnspython library (direct calls)
+          - pattern-inside: dns.resolver.query(...)
+          - pattern-inside: dns.resolver.resolve(...)
+          - pattern-inside: dns.query.udp(...)
+          - pattern-inside: dns.query.tcp(...)
+          # DNS exfiltration - dnspython Resolver instance
+          - patterns:
+              - pattern-inside: |
+                  $R = dns.resolver.Resolver()
+                  ...
+              - pattern-inside: $R.query(...)
+          - patterns:
+              - pattern-inside: |
+                  $R = dns.resolver.Resolver()
+                  ...
+              - pattern-inside: $R.resolve(...)
+          # DNS exfiltration - aiodns (async)
+          - patterns:
+              - pattern-inside: |
+                  $R = aiodns.DNSResolver()
+                  ...
+              - pattern-inside: $R.query(...)
     languages:
       - python
-    severity: WARNING
+    severity: WARNING

guarddog/analyzer/sourcecode/npm-api-obfuscation.yml

@@ -0,0 +1,51 @@
+rules:
+  - id: npm-api-obfuscation
+    languages:
+      - javascript
+    message: This package uses obfuscated API calls that may evade static analysis detection
+    metadata:
+      description: Identify obfuscated API calls using alternative JS syntax patterns
+    severity: WARNING
+    patterns:
+      - pattern-either:
+        # Covered cases:
+        # 1) module["function"]()
+        # 2) Reflect.get(module, "function")()
+        # 3) Object.getOwnPropertyDescriptor(module, "function").value()
+        # 4) module[Object.getOwnPropertyNames(module).find(name => name === "function")]()
+        # 5) module[Object.keys(module).find(name => name === "function")]()
+        # 6) Object.entries(module).find(([name, value]) => name === "function")[1]()
+        # 7) Object.entries(module).filter(([k]) => k === 'function')[0][1]()
+        # Each of these can also use .call(), .apply(), .bind() variants as well:
+        # e.g., module["function"].call({}, ...), module["function"].apply({}, [...]), module["function"].bind({})(...)
+        - pattern: $MODULE[$FUNCTION]($...ARGS)
+        - pattern: $MODULE[$FUNCTION].call($...ARGS)
+        - pattern: $MODULE[$FUNCTION].apply($...ARGS)
+        - pattern: $MODULE[$FUNCTION].bind($...ARGS)()
+        - pattern: Reflect.get($MODULE, $FUNCTION)($...ARGS)
+        - pattern: Reflect.get($MODULE, $FUNCTION).call($...ARGS)
+        - pattern: Reflect.get($MODULE, $FUNCTION).apply($...ARGS)
+        - pattern: Reflect.get($MODULE, $FUNCTION).bind($...ARGS)()
+        - pattern: Object.getOwnPropertyDescriptor($MODULE, $FUNCTION).value($...ARGS)
+        - pattern: Object.getOwnPropertyDescriptor($MODULE, $FUNCTION).value.call($...ARGS)
+        - pattern: Object.getOwnPropertyDescriptor($MODULE, $FUNCTION).value.apply($...ARGS)
+        - pattern: Object.getOwnPropertyDescriptor($MODULE, $FUNCTION).value.bind($...ARGS)()
+        - pattern: $MODULE[Object.getOwnPropertyNames($MODULE).find($VAR => $VAR === $FUNCTION)]($...ARGS)
+        - pattern: $MODULE[Object.getOwnPropertyNames($MODULE).find($VAR => $VAR === $FUNCTION)].call($...ARGS)
+        - pattern: $MODULE[Object.getOwnPropertyNames($MODULE).find($VAR => $VAR === $FUNCTION)].apply($...ARGS)
+        - pattern: $MODULE[Object.getOwnPropertyNames($MODULE).find($VAR => $VAR === $FUNCTION)].bind($...ARGS)()
+        - pattern: $MODULE[Object.keys($MODULE).find($VAR => $VAR === $FUNCTION)]($...ARGS)
+        - pattern: $MODULE[Object.keys($MODULE).find($VAR => $VAR === $FUNCTION)].call($...ARGS)
+        - pattern: $MODULE[Object.keys($MODULE).find($VAR => $VAR === $FUNCTION)].apply($...ARGS)
+        - pattern: $MODULE[Object.keys($MODULE).find($VAR => $VAR === $FUNCTION)].bind($...ARGS)()
+        - pattern: Object.entries($MODULE).find(([$VAR, $VALUE]) => $VAR === $FUNCTION)[1]($...ARGS)
+        - pattern: Object.entries($MODULE).find(([$VAR, $VALUE]) => $VAR === $FUNCTION)[1].call($...ARGS)
+        - pattern: Object.entries($MODULE).find(([$VAR, $VALUE]) => $VAR === $FUNCTION)[1].apply($...ARGS)
+        - pattern: Object.entries($MODULE).find(([$VAR, $VALUE]) => $VAR === $FUNCTION)[1].bind($...ARGS)()
+        - pattern: Object.entries($MODULE).filter(([$VAR]) => $VAR === $FUNCTION)[0][1]($...ARGS)
+        - pattern: Object.entries($MODULE).filter(([$VAR]) => $VAR === $FUNCTION)[0][1].call($...ARGS)
+        - pattern: Object.entries($MODULE).filter(([$VAR]) => $VAR === $FUNCTION)[0][1].apply($...ARGS)
+        - pattern: Object.entries($MODULE).filter(([$VAR]) => $VAR === $FUNCTION)[0][1].bind($...ARGS)()
+      - metavariable-regex:
+          metavariable: $MODULE
+          regex: "^[A-Za-z_][A-Za-z0-9_]*$"

guarddog/analyzer/sourcecode/rubygems-code-execution.yml

@@ -0,0 +1,67 @@
+rules:
+  - id: rubygems-code-execution
+    languages:
+      - ruby
+    message: |
+      This package executes OS commands. While this can be legitimate,
+      it is commonly used by malicious packages to run arbitrary code.
+    metadata:
+      description: Identify when a gem executes OS commands
+    patterns:
+      - pattern-either:
+          # Kernel methods for command execution
+          - pattern: system(...)
+          - pattern: exec(...)
+          - pattern: spawn(...)
+          - pattern: Kernel.system(...)
+          - pattern: Kernel.exec(...)
+          - pattern: Kernel.spawn(...)
+
+          # Backtick execution - semgrep uses pattern for this
+          - pattern: "`...`"
+
+          # %x{} command execution
+          - pattern: "%x{...}"
+          - pattern: "%x[...]"
+          - pattern: "%x(...)"
+
+          # Open3 module
+          - pattern: Open3.capture2(...)
+          - pattern: Open3.capture2e(...)
+          - pattern: Open3.capture3(...)
+          - pattern: Open3.pipeline(...)
+          - pattern: Open3.pipeline_r(...)
+          - pattern: Open3.pipeline_rw(...)
+          - pattern: Open3.pipeline_start(...)
+          - pattern: Open3.pipeline_w(...)
+          - pattern: Open3.popen2(...)
+          - pattern: Open3.popen2e(...)
+          - pattern: Open3.popen3(...)
+
+          # IO.popen
+          - pattern: IO.popen(...)
+
+          # Process.spawn
+          - pattern: Process.spawn(...)
+          - pattern: Process.exec(...)
+
+          # PTY for pseudo-terminal
+          - pattern: PTY.spawn(...)
+
+          # eval with dynamic content
+          - patterns:
+              - pattern-either:
+                  - pattern: eval($ARG)
+                  - pattern: instance_eval($ARG)
+                  - pattern: class_eval($ARG)
+                  - pattern: module_eval($ARG)
+              - pattern-not: eval("...")
+              - pattern-not: instance_eval("...")
+              - pattern-not: class_eval("...")
+              - pattern-not: module_eval("...")
+    severity: WARNING
+    paths:
+      include:
+        - "*.gemspec"
+        - "**/extconf.rb"
+        - "**/Rakefile"

guarddog/analyzer/sourcecode/rubygems-exec-base64.yml

@@ -0,0 +1,26 @@
+rules:
+  - id: rubygems-exec-base64
+    languages:
+      - ruby
+    message: |
+      This package contains a call to eval with base64-decoded content.
+      This is a common method to hide malicious payloads from static analysis.
+    metadata:
+      description: Identify when a package dynamically executes base64-encoded code
+    mode: taint
+    pattern-sources:
+      - pattern-either:
+          - pattern: Base64.decode64(...)
+          - pattern: Base64.strict_decode64(...)
+          - pattern: Base64.urlsafe_decode64(...)
+          - pattern: $X.unpack("m")
+          - pattern: $X.unpack("m0")
+    pattern-sinks:
+      - pattern-either:
+          - pattern: eval(...)
+          - pattern: instance_eval(...)
+          - pattern: class_eval(...)
+          - pattern: module_eval(...)
+          - pattern: Kernel.eval(...)
+          - pattern: binding.eval(...)
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-exfiltrate-sensitive-data.yml

@@ -0,0 +1,70 @@
+rules:
+  - id: rubygems-exfiltrate-sensitive-data
+    languages:
+      - ruby
+    mode: taint
+    message: |
+      This package reads sensitive data and sends it to a remote server.
+      This could indicate credential theft or data exfiltration.
+    metadata:
+      description: Identify when a package reads and exfiltrates sensitive data from the local system
+    pattern-sources:
+      - pattern-either:
+          # Environment variables
+          - pattern: ENV
+          - pattern: ENV[...]
+          - pattern: ENV.fetch(...)
+          - pattern: ENV.to_h
+          - pattern: ENV.to_hash
+
+          # Specific sensitive env vars
+          - pattern: ENV['HOME']
+          - pattern: ENV['USER']
+          - pattern: ENV['USERNAME']
+          - pattern: ENV['AWS_ACCESS_KEY_ID']
+          - pattern: ENV['AWS_SECRET_ACCESS_KEY']
+          - pattern: ENV['AWS_SESSION_TOKEN']
+          - pattern: ENV['GITHUB_TOKEN']
+          - pattern: ENV['GH_TOKEN']
+
+          # System info
+          - pattern: Socket.gethostname
+          - pattern: Etc.getlogin
+          - pattern: Etc.getpwuid(...)
+
+          # Reading sensitive files
+          - pattern: File.read("~/.ssh/...")
+          - pattern: File.read("~/.aws/...")
+          - pattern: File.read("~/.netrc")
+          - pattern: File.read("~/.git-credentials")
+
+          # Dir patterns for sensitive locations
+          - pattern: Dir.home
+          - pattern: Dir.glob("~/.ssh/*")
+          - pattern: Dir.glob("~/.aws/*")
+    pattern-sinks:
+      - pattern-either:
+          # Net::HTTP
+          - pattern: Net::HTTP.post(...)
+          - pattern: Net::HTTP.post_form(...)
+          - pattern: $HTTP.request(...)
+          - pattern: $HTTP.post(...)
+          - pattern: $HTTP.put(...)
+
+          # open-uri
+          - pattern: URI.open(...)
+          - pattern: OpenURI.open_uri(...)
+
+          # HTTParty, Faraday, RestClient
+          - pattern: HTTParty.post(...)
+          - pattern: HTTParty.put(...)
+          - pattern: Faraday.post(...)
+          - pattern: Faraday.put(...)
+          - pattern: RestClient.post(...)
+          - pattern: RestClient.put(...)
+
+          # Socket
+          - pattern: $SOCKET.write(...)
+          - pattern: $SOCKET.send(...)
+          - pattern: TCPSocket.new(...)
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-install-hook.yml

@@ -0,0 +1,45 @@
+rules:
+  - id: rubygems-install-hook
+    languages:
+      - ruby
+    message: |
+      This package uses Gem::Installer hooks which execute code during gem installation.
+      This is a common technique for malicious gems to run code when installed.
+    metadata:
+      description: Identify when a gem registers installation hooks
+    patterns:
+      - pattern-either:
+          # Post-install hooks
+          - pattern: Gem.post_install(...)
+          - pattern: Gem.post_install { ... }
+          - pattern: Gem.post_install do ... end
+          - pattern: Gem::Installer.post_install(...)
+          - pattern: Gem::Installer.post_install { ... }
+          - pattern: Gem::Installer.post_install do ... end
+
+          # Pre-install hooks
+          - pattern: Gem.pre_install(...)
+          - pattern: Gem.pre_install { ... }
+          - pattern: Gem.pre_install do ... end
+          - pattern: Gem::Installer.pre_install(...)
+          - pattern: Gem::Installer.pre_install { ... }
+          - pattern: Gem::Installer.pre_install do ... end
+
+          # Post-uninstall hooks
+          - pattern: Gem.post_uninstall(...)
+          - pattern: Gem.post_uninstall { ... }
+          - pattern: Gem.post_uninstall do ... end
+
+          # Pre-uninstall hooks
+          - pattern: Gem.pre_uninstall(...)
+          - pattern: Gem.pre_uninstall { ... }
+          - pattern: Gem.pre_uninstall do ... end
+
+          # Extension building (can run arbitrary code)
+          - pattern: |
+              Gem::Specification.new do |$S|
+                ...
+                $S.extensions = ...
+                ...
+              end
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-network-on-require.yml

@@ -0,0 +1,78 @@
+rules:
+  - id: rubygems-network-on-require
+    languages:
+      - ruby
+    message: |
+      This package makes network requests at the top level, which means it runs
+      when the gem is required. Malicious gems often use this to phone home or
+      download additional payloads.
+    metadata:
+      description: Identify when a gem makes network requests when required
+    patterns:
+      - pattern-either:
+          # Net::HTTP at top level
+          - pattern: |
+              require 'net/http'
+              ...
+              Net::HTTP.$METHOD(...)
+          - pattern: |
+              require "net/http"
+              ...
+              Net::HTTP.$METHOD(...)
+
+          # open-uri at top level
+          - pattern: |
+              require 'open-uri'
+              ...
+              URI.open(...)
+          - pattern: |
+              require "open-uri"
+              ...
+              URI.open(...)
+          - pattern: |
+              require 'open-uri'
+              ...
+              open(...)
+          - pattern: |
+              require "open-uri"
+              ...
+              open(...)
+
+          # HTTParty at top level
+          - pattern: |
+              require 'httparty'
+              ...
+              HTTParty.$METHOD(...)
+          - pattern: |
+              require "httparty"
+              ...
+              HTTParty.$METHOD(...)
+
+          # Faraday at top level
+          - pattern: |
+              require 'faraday'
+              ...
+              Faraday.$METHOD(...)
+          - pattern: |
+              require "faraday"
+              ...
+              Faraday.$METHOD(...)
+
+          # Socket connections at top level
+          - pattern: |
+              require 'socket'
+              ...
+              TCPSocket.new(...)
+          - pattern: |
+              require "socket"
+              ...
+              TCPSocket.new(...)
+          - pattern: |
+              require 'socket'
+              ...
+              TCPSocket.open(...)
+          - pattern: |
+              require "socket"
+              ...
+              TCPSocket.open(...)
+    severity: WARNING

guarddog/analyzer/sourcecode/rubygems-serialize-environment.yml

@@ -0,0 +1,38 @@
+rules:
+  - id: rubygems-serialize-environment
+    languages:
+      - ruby
+    message: |
+      This package serializes the entire ENV hash, which may indicate
+      an attempt to steal environment variables including secrets and credentials.
+    metadata:
+      description: Identify when a package serializes ENV to exfiltrate environment variables
+    patterns:
+      - pattern-either:
+          # JSON serialization
+          - pattern: ENV.to_h.to_json
+          - pattern: ENV.to_hash.to_json
+          - pattern: JSON.dump(ENV)
+          - pattern: JSON.dump(ENV.to_h)
+          - pattern: JSON.dump(ENV.to_hash)
+          - pattern: JSON.generate(ENV)
+          - pattern: JSON.generate(ENV.to_h)
+          - pattern: JSON.generate(ENV.to_hash)
+
+          # YAML serialization
+          - pattern: ENV.to_h.to_yaml
+          - pattern: ENV.to_hash.to_yaml
+          - pattern: YAML.dump(ENV)
+          - pattern: YAML.dump(ENV.to_h)
+          - pattern: YAML.dump(ENV.to_hash)
+
+          # Marshal serialization
+          - pattern: Marshal.dump(ENV)
+          - pattern: Marshal.dump(ENV.to_h)
+          - pattern: Marshal.dump(ENV.to_hash)
+
+          # Converting to string for sending
+          - pattern: ENV.to_h.inspect
+          - pattern: ENV.to_hash.inspect
+          - pattern: ENV.inspect
+    severity: WARNING

guarddog/analyzer/sourcecode/screenshot.yml

@@ -0,0 +1,38 @@
+rules:
+  - id: screenshot
+    languages:
+      - python
+    message: This package is taking screenshots, which can be used to steal sensitive information displayed on screen
+    metadata:
+      description: Identify when a package captures screenshots of the user's display
+    patterns:
+      - pattern-either:
+          # PIL ImageGrab
+          - pattern: ImageGrab.grab(...)
+          - pattern: PIL.ImageGrab.grab(...)
+
+          # pyscreenshot library
+          - pattern: pyscreenshot.grab(...)
+
+          # pyautogui library
+          - pattern: pyautogui.screenshot(...)
+
+          # mss library - various patterns
+          - pattern: mss.mss().grab(...)
+          - pattern: |
+              with mss.mss() as $SCT:
+                  ...
+                  $SCT.grab(...)
+          - pattern: |
+              $SCT = mss.mss()
+              ...
+              $SCT.grab(...)
+          - pattern: $MSS.grab(...)
+
+          # D3DShot (Windows DirectX screenshots)
+          - pattern: d3dshot.create(...).screenshot(...)
+          - pattern: |
+              $D3D = d3dshot.create(...)
+              ...
+              $D3D.screenshot(...)
+    severity: WARNING

guarddog/ecosystems.py

@@ -7,6 +7,7 @@ class ECOSYSTEM(Enum):
     GO = "go"
     GITHUB_ACTION = "github-action"
     EXTENSION = "extension"
+    RUBYGEMS = "rubygems"
 
 
 def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
@@ -21,5 +22,7 @@ def get_friendly_name(ecosystem: ECOSYSTEM) -> str:
             return "GitHub Action"
         case ECOSYSTEM.EXTENSION:
             return "Extension"
+        case ECOSYSTEM.RUBYGEMS:
+            return "RubyGems"
         case _:
             return ecosystem.value

guarddog/scanners/__init__.py

@@ -9,6 +9,8 @@ from .go_package_scanner import GoModuleScanner
 from .go_project_scanner import GoDependenciesScanner
 from .github_action_scanner import GithubActionScanner
 from .extension_scanner import ExtensionScanner
+from .rubygems_package_scanner import RubyGemsPackageScanner
+from .rubygems_project_scanner import RubyGemsRequirementsScanner
 from .scanner import PackageScanner, ProjectScanner
 from ..ecosystems import ECOSYSTEM
 
@@ -36,6 +38,8 @@ def get_package_scanner(ecosystem: ECOSYSTEM) -> Optional[PackageScanner]:
             return GithubActionScanner()
         case ECOSYSTEM.EXTENSION:
             return ExtensionScanner()
+        case ECOSYSTEM.RUBYGEMS:
+            return RubyGemsPackageScanner()
     return None
 
 
@@ -62,4 +66,6 @@ def get_project_scanner(ecosystem: ECOSYSTEM) -> Optional[ProjectScanner]:
             return GitHubActionDependencyScanner()
         case ECOSYSTEM.EXTENSION:
             return None  # we're not including dependency scanning for this PR
+        case ECOSYSTEM.RUBYGEMS:
+            return RubyGemsRequirementsScanner()
     return None

guarddog/scanners/npm_project_scanner.py

@@ -5,7 +5,7 @@ import re
 from typing import List
 
 import requests
-from semantic_version import NpmSpec, Version  # type:ignore
+from semantic_version import NpmSpec, Version  # type: ignore
 
 from guarddog.scanners.npm_package_scanner import NPMPackageScanner
 from guarddog.scanners.scanner import Dependency, DependencyVersion, ProjectScanner

guarddog/scanners/rubygems_package_scanner.py

@@ -0,0 +1,112 @@
+import logging
+import os
+from typing import Tuple
+
+import requests
+
+from guarddog.analyzer.analyzer import Analyzer
+from guarddog.ecosystems import ECOSYSTEM
+from guarddog.scanners.scanner import PackageScanner
+from guarddog.utils.archives import safe_extract
+
+log = logging.getLogger("guarddog")
+
+RUBYGEMS_API_URL = "https://rubygems.org/api/v1"
+
+
+class RubyGemsPackageScanner(PackageScanner):
+    def __init__(self) -> None:
+        super().__init__(Analyzer(ECOSYSTEM.RUBYGEMS))
+
+    def _extract_archive(self, archive_path: str, target_path: str) -> None:
+        """
+        Override to handle .gem files which are nested tar archives.
+        The outer tar contains data.tar.gz which has the actual source code.
+
+        Args:
+            archive_path (str): path to the .gem file
+            target_path (str): directory to extract the source code into
+        """
+        if not archive_path.endswith(".gem"):
+            # Fall back to default behavior for non-gem archives
+            super()._extract_archive(archive_path, target_path)
+            return
+
+        os.makedirs(target_path, exist_ok=True)
+
+        # Extract outer .gem archive to a temporary location
+        outer_extract = os.path.join(target_path, "_gem_contents")
+        os.makedirs(outer_extract, exist_ok=True)
+
+        log.debug(f"Extracting outer gem archive {archive_path}")
+        safe_extract(archive_path, outer_extract)
+
+        # Find the inner data archive (data.tar.gz or data.tar)
+        data_tar_path = os.path.join(outer_extract, "data.tar.gz")
+        if not os.path.exists(data_tar_path):
+            data_tar_path = os.path.join(outer_extract, "data.tar")
+
+        if not os.path.exists(data_tar_path):
+            raise Exception(f"data.tar.gz not found in gem {archive_path}")
+
+        # Extract the inner data archive to the final target
+        log.debug(f"Extracting inner data archive {data_tar_path}")
+        safe_extract(data_tar_path, target_path)
+
+        log.debug(f"Successfully extracted gem files to {target_path}")
+
+    def download_and_get_package_info(
+        self, directory: str, package_name: str, version=None
+    ) -> Tuple[dict, str]:
+        gem_info = self._get_gem_info(package_name)
+
+        if version is None:
+            version = gem_info["version"]
+
+        extract_dir = self._download_gem(package_name, version, directory)
+        return gem_info, extract_dir
+
+    def _get_gem_info(self, package_name: str) -> dict:
+        url = f"{RUBYGEMS_API_URL}/gems/{package_name}.json"
+        log.debug(f"Fetching gem info from {url}")
+        response = requests.get(url)
+        response.raise_for_status()
+        return response.json()
+
+    def _get_gem_version_info(self, package_name: str, version: str) -> dict:
+        url = f"{RUBYGEMS_API_URL}/versions/{package_name}.json"
+        log.debug(f"Fetching version info from {url}")
+        response = requests.get(url)
+        response.raise_for_status()
+
+        versions = response.json()
+        for v in versions:
+            if v["number"] == version:
+                return v
+
+        raise Exception(f"Version {version} for gem {package_name} not found")
+
+    def _download_gem(self, package_name: str, version: str, directory: str) -> str:
+        """
+        Downloads and extracts a RubyGem package.
+
+        Uses the parent class's download_compressed method which will call our
+        overridden _extract_archive method to handle the nested .gem format.
+
+        Args:
+            package_name (str): name of the gem
+            version (str): version of the gem
+            directory (str): directory to download and extract to
+
+        Returns:
+            str: path to the extracted gem contents
+        """
+        gem_url = f"https://rubygems.org/gems/{package_name}-{version}.gem"
+        gem_path = os.path.join(directory, f"{package_name}-{version}.gem")
+        extract_dir = os.path.join(directory, package_name)
+
+        # Use parent class method which handles download and extraction
+        # The extraction will use our overridden _extract_archive method
+        self.download_compressed(gem_url, gem_path, extract_dir)
+
+        return extract_dir