RubyGems - cerner-oauth1a - Versions diffs - 2.5.2 → 2.5.3 - Mend

cerner-oauth1a 2.5.2 → 2.5.3

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ca8300adcad968664fcc86fc549aea148270447a03b551a3a4ab3205768bc39b
-  data.tar.gz: 83979ce58e001e22b1c1f88f5f7f32f7c743955d1f6f01772e4ff59073b2ba54
+  metadata.gz: a554af1b8a4a44ff14a05c9fb71517046cdb1a5bf677b5a4792eaa7d01423b83
+  data.tar.gz: 3f16a0c5584bae17e6edfcecb277c92d04da581fcc883f687b91719089543b8e
 SHA512:
-  metadata.gz: f80154214e20e2bad8ecea32520af361b51e700740bb51cff3688bec67363cd1187bf08a089a4fbccb32be241d0677f924d87471076c67e40fb3cace036e22e3
-  data.tar.gz: 492f0ba94453e2c13e276a7074467df0764153d45c0424286835191d2fb2c214c802569ac35436b17bc8dcdcca9dc9588008e33866e28e217cb0689971a23b0b
+  metadata.gz: 6b501e8559461f9a2a24aa9515403f6ee3d071786005f56eb1e466560b5b53a78f4992fc8c4b8ae9c17a819263c401b7474b732a21b261bb7890902e88a69f05
+  data.tar.gz: 0ee901ddfa558db983229086f6f5e4cd20de2c9575c20a6457e09862b5e2d1eeadd662e856de1851e6528b834a0a5dcfe714f01a8b521d542a2927e14aac4552

data/CHANGELOG.md CHANGED

@@ -1,3 +1,6 @@
+# v2.5.3
+Use a constant time compare algorithm for checking a signature
 # v2.5.2
 Adjust `Cerner::OAuth1a::Protocol.parse_www_authenticate_header` to handle parameters
 that are either tokens or quoted strings.

@@ -474,7 +474,7 @@ module Cerner
           )
         end
-        return if @signature == expected_signature
+        return if Internal.constant_time_compare(@signature, expected_signature)
         raise OAuthError.new('signature is not valid', nil, 'signature_invalid', nil, @realm)
       end

@@ -19,6 +19,7 @@ module Cerner
       #
       # rails_cache - An instance of ActiveSupport::Cache::Store.
       def initialize(rails_cache)
+        super()
         @cache = rails_cache
       end

@@ -61,6 +61,35 @@ module Cerner
       def self.generate_timestamp
         Time.now.to_i
       end
+      # Internal: Compares two Strings using a constant time algorithm to protect against timing
+      # attacks.
+      #
+      # left  - The left String
+      # right - The right String
+      #
+      # Return true if left and right match, false otherwise.
+      def self.constant_time_compare(left, right)
+        max_size = [left.bytesize, right.bytesize].max
+        # convert left and right to array of bytes (Integer)
+        left = left.unpack('C*')
+        right = right.unpack('C*')
+        # if either array is not the max size, expand it with zeros
+        # having equal arrays keeps the algorithm execution time constant
+        left = left.fill(0, left.size, max_size - left.size) if left.size < max_size
+        right = right.fill(0, right.size, max_size - right.size) if right.size < max_size
+        result = 0
+        left.each_with_index do |left_value, i|
+          # XOR the two bytes, if equal, the operation is 0
+          # OR the XOR operation with the previous result
+          result |= left_value ^ right[i]
+        end
+        # if every comparison resuled in 0, then left and right are equal
+        result.zero?
+      end
     end
   end
 end

@@ -2,6 +2,6 @@
 module Cerner
   module OAuth1a
-    VERSION = '2.5.2'
+    VERSION = '2.5.3'
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cerner-oauth1a
 version: !ruby/object:Gem::Version
-  version: 2.5.2
+  version: 2.5.3
 platform: ruby
 authors:
 - Nathan Beyer
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-12 00:00:00.000000000 Z
+date: 2020-10-28 00:00:00.000000000 Z
 dependencies: []
 description: |
   A minimal dependency library for interacting with a Cerner OAuth 1.0a Access
@@ -40,7 +40,7 @@ homepage: http://github.com/cerner/cerner-oauth1a
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -55,8 +55,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
-signing_key:
+rubygems_version: 3.0.8
+signing_key:
 specification_version: 4
 summary: Cerner OAuth 1.0a Consumer and Service Provider Library.
 test_files: []