cerner-oauth1a 2.5.2 → 2.5.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ca8300adcad968664fcc86fc549aea148270447a03b551a3a4ab3205768bc39b
4
- data.tar.gz: 83979ce58e001e22b1c1f88f5f7f32f7c743955d1f6f01772e4ff59073b2ba54
3
+ metadata.gz: a554af1b8a4a44ff14a05c9fb71517046cdb1a5bf677b5a4792eaa7d01423b83
4
+ data.tar.gz: 3f16a0c5584bae17e6edfcecb277c92d04da581fcc883f687b91719089543b8e
5
5
  SHA512:
6
- metadata.gz: f80154214e20e2bad8ecea32520af361b51e700740bb51cff3688bec67363cd1187bf08a089a4fbccb32be241d0677f924d87471076c67e40fb3cace036e22e3
7
- data.tar.gz: 492f0ba94453e2c13e276a7074467df0764153d45c0424286835191d2fb2c214c802569ac35436b17bc8dcdcca9dc9588008e33866e28e217cb0689971a23b0b
6
+ metadata.gz: 6b501e8559461f9a2a24aa9515403f6ee3d071786005f56eb1e466560b5b53a78f4992fc8c4b8ae9c17a819263c401b7474b732a21b261bb7890902e88a69f05
7
+ data.tar.gz: 0ee901ddfa558db983229086f6f5e4cd20de2c9575c20a6457e09862b5e2d1eeadd662e856de1851e6528b834a0a5dcfe714f01a8b521d542a2927e14aac4552
@@ -1,3 +1,6 @@
1
+ # v2.5.3
2
+ Use a constant time compare algorithm for checking a signature
3
+
1
4
  # v2.5.2
2
5
  Adjust `Cerner::OAuth1a::Protocol.parse_www_authenticate_header` to handle parameters
3
6
  that are either tokens or quoted strings.
@@ -474,7 +474,7 @@ module Cerner
474
474
  )
475
475
  end
476
476
 
477
- return if @signature == expected_signature
477
+ return if Internal.constant_time_compare(@signature, expected_signature)
478
478
 
479
479
  raise OAuthError.new('signature is not valid', nil, 'signature_invalid', nil, @realm)
480
480
  end
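Review bot: The new comparison raises NoMethodError instead of the OAuthError below when @signature is nil, because Internal.constant_time_compare calls bytesize and unpack on both arguments, whereas the old `==` simply evaluated to false and fell through to the raise; whether @signature can be nil here is not visible, since the enclosing method starts outside the hunk. If a request can reach this point without a signature parameter, guard the call so a missing signature still surfaces as signature_invalid: `return if @signature && Internal.constant_time_compare(@signature, expected_signature)`. The same consideration applies if expected_signature can ever be nil.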
@@ -19,6 +19,7 @@ module Cerner
19
19
  #
20
20
  # rails_cache - An instance of ActiveSupport::Cache::Store.
21
21
  def initialize(rails_cache)
22
+ super()
22
23
  @cache = rails_cache
23
24
  end
24
25
 
@@ -61,6 +61,35 @@ module Cerner
61
61
  def self.generate_timestamp
62
62
  Time.now.to_i
63
63
  end
64
+
65
+ # Internal: Compares two Strings using a constant time algorithm to protect against timing
66
+ # attacks.
67
+ #
68
+ # left - The left String
69
+ # right - The right String
70
+ #
71
+ # Return true if left and right match, false otherwise.
72
+ def self.constant_time_compare(left, right)
73
+ max_size = [left.bytesize, right.bytesize].max
74
+ # convert left and right to array of bytes (Integer)
75
+ left = left.unpack('C*')
76
+ right = right.unpack('C*')
77
+
78
+ # if either array is not the max size, expand it with zeros
79
+ # having equal arrays keeps the algorithm execution time constant
80
+ left = left.fill(0, left.size, max_size - left.size) if left.size < max_size
81
+ right = right.fill(0, right.size, max_size - right.size) if right.size < max_size
82
+
83
+ result = 0
84
+ left.each_with_index do |left_value, i|
85
+ # XOR the two bytes, if equal, the operation is 0
86
+ # OR the XOR operation with the previous result
87
+ result |= left_value ^ right[i]
88
+ end
89
+
90
+ # if every comparison resuled in 0, then left and right are equal
91
+ result.zero?
92
+ end
64
93
  end
65
94
  end
66
95
  end
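Review bot: Zero-padding the shorter byte array in `constant_time_compare` makes strings that differ only by trailing NUL bytes compare equal — with left `"abc"` and right `"abc\x00"` both arrays become `[97, 98, 99, 0]`, the XOR loop accumulates 0 and the method returns true, so inputs of unequal length are not rejected. Fold the length difference into the accumulator before the arrays are rewritten: capture `length_mismatch = left.bytesize ^ right.bytesize` before the two unpack lines and start the loop with `result = length_mismatch` instead of `result = 0`; the loop still runs over max_size bytes, so timing stays independent of where the strings differ. Also fix the typo in the closing comment: `# if every comparison resulted in 0, then left and right are equal`. If the supported Ruby versions ship an openssl extension with `OpenSSL.secure_compare`, delegating to it would avoid maintaining this routine by hand.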
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Cerner
4
4
  module OAuth1a
5
- VERSION = '2.5.2'
5
+ VERSION = '2.5.3'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cerner-oauth1a
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.5.2
4
+ version: 2.5.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Nathan Beyer
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-05-12 00:00:00.000000000 Z
11
+ date: 2020-10-28 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: |
14
14
  A minimal dependency library for interacting with a Cerner OAuth 1.0a Access
@@ -40,7 +40,7 @@ homepage: http://github.com/cerner/cerner-oauth1a
40
40
  licenses:
41
41
  - Apache-2.0
42
42
  metadata: {}
43
- post_install_message:
43
+ post_install_message:
44
44
  rdoc_options: []
45
45
  require_paths:
46
46
  - lib
@@ -55,8 +55,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
55
55
  - !ruby/object:Gem::Version
56
56
  version: '0'
57
57
  requirements: []
58
- rubygems_version: 3.0.6
59
- signing_key:
58
+ rubygems_version: 3.0.8
59
+ signing_key:
60
60
  specification_version: 4
61
61
  summary: Cerner OAuth 1.0a Consumer and Service Provider Library.
62
62
  test_files: []