firebase_id_token 2.4.0 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eef2d227ba8e21f033a7d4c68f7d973a6d25b26e1c1900f43784606f1020332c
-  data.tar.gz: 2899b73b48998f8e14337eada01a76980e02fd1994821afd8a902f23ec40dfd5
+  metadata.gz: d323f3f19f0e2cfa9f511adac526f38261ee28386d4abc210a22e26358008143
+  data.tar.gz: 82095062bbd88ebfe9ddbee3f769f2bc9e4fb0b9289fa673f4bf81d6a24132d0
 SHA512:
-  metadata.gz: 7f64121a625def6dd48f7090fd5bfe25ed3ca754510a993b3dc9124b865e92c5610010a156c5520359c9c93d7301e8dfe9c4a46630f99df50b84742a61129fbf
-  data.tar.gz: 6b0fd92129b034f482fe8ed910a23e9f7201d42d510b03100f974e7adc919d9125915885c5211cf1c1cbf42363c72a987e3a1b493047aec27193317e2569d4f8
+  metadata.gz: 5d056894ee1051fb9ccb0984624282805f153aca7e9bb41b5d3b39a93b749150311e45e11f7e182fdb4ee1814bea722a5fc49ddb975394f319edb3bbea7424d6
+  data.tar.gz: 998d1b74cdf9b036892e12ab9e7c271417ead8d18c6bbb8dcea04ea555c4fe6a856b79840872676c4aa530726132826f795c686ba5096502004a22ab7df82751

data/CHANGELOG.md

@@ -6,6 +6,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.5.0] - 2022-04-13
+
+### Fixed
+- Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile [CVE-2021-43809](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809).
+- Dependency Confusion in Bundler [CVE-2020-36327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327).
+- Insecure path handling in Bundler [CVE-2019-3881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3881).
+
+### Changed
+- Using Bundler 2.3.11.
+- Using `Time.current` instead of `Time.now` to work with timezones [PR 34](https://github.com/fschuindt/firebase_id_token/pull/34).
+- Caching certificates on memory using `Thread` to avoid unnecessary calls into Redis [PR 33](https://github.com/fschuindt/firebase_id_token/pull/33).
+
+## [2.4.0] - 2020-05-02
+
 ### Fixed
 - Rake development dependency vulnerability [CVE-2020-8130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130).
 
@@ -95,6 +109,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.1.0] - 2017-04-23
 *Version removed.*
 
+[2.5.0]: https://github.com/fschuindt/firebase_id_token/compare/2.4.0...2.5.0
+[2.4.0]: https://github.com/fschuindt/firebase_id_token/compare/2.3.2...2.4.0
 [2.3.2]: https://github.com/fschuindt/firebase_id_token/compare/2.3.1...2.3.2
 [2.3.1]: https://github.com/fschuindt/firebase_id_token/compare/2.3.0...2.3.1
 [2.3.0]: https://github.com/fschuindt/firebase_id_token/compare/2.0.0...2.3.0

data/README.md

@@ -29,7 +29,7 @@ gem install firebase_id_token
 
 or in your Gemfile
 ```
-gem 'firebase_id_token', '~> 2.4.0'
+gem 'firebase_id_token', '~> 2.5.0'
 ```
 then
 ```

data/firebase_id_token.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.17', '>= 1.17.2'
+  spec.add_development_dependency 'bundler', '~> 2.3', '>= 2.3.11'
   spec.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'redcarpet', '~> 3.4', '>= 3.4.0'

data/lib/firebase_id_token/signature.rb

@@ -78,7 +78,20 @@ module FirebaseIdToken
 
     # @see Signature.verify
     def verify
-      certificate = firebase_id_token_certificates.find(@kid, raise_error: @raise_error)
+      var_name = :_firebase_id_token_cert
+      Thread.current[var_name] ||= {
+        cert: nil,
+        expires_at: Time.now.utc - 1
+      }
+
+      if Thread.current[var_name][:expires_at] <= Time.now.utc
+        Thread.current[var_name] = {
+          cert: firebase_id_token_certificates.find(@kid, raise_error: @raise_error),
+          expires_at: Time.now.utc + firebase_id_token_certificates.ttl
+        }
+      end
+
+      certificate = Thread.current[var_name][:cert]
       return unless certificate
 
       payload = decode_jwt_payload(@jwt_token, certificate.public_key)
@@ -117,8 +130,8 @@ module FirebaseIdToken
     end
 
     def still_valid?(payload)
-      payload['exp'].to_i > Time.now.to_i &&
-      payload['iat'].to_i <= Time.now.to_i
+      payload['exp'].to_i > Time.current.to_i &&
+      payload['iat'].to_i <= Time.current.to_i
     end
 
     def issuer_authorized?(payload)

data/lib/firebase_id_token/testing/certificates.rb

@@ -80,6 +80,10 @@ module FirebaseIdToken
           )
         )
       end
+
+      def self.ttl
+        10
+      end
     end
   end
 end

data/lib/firebase_id_token/version.rb

@@ -1,3 +1,3 @@
 module FirebaseIdToken
-  VERSION = '2.4.0'
+  VERSION = '2.5.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firebase_id_token
 version: !ruby/object:Gem::Version
-  version: 2.4.0
+  version: 2.5.0
 platform: ruby
 authors:
 - Fernando Schuindt
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-05-02 00:00:00.000000000 Z
+date: 2022-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,20 +16,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.17.2
+        version: 2.3.11
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '2.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.17.2
+        version: 2.3.11
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -68,22 +68,22 @@ dependencies:
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.4.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.4.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -102,22 +102,22 @@ dependencies:
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -156,22 +156,22 @@ dependencies:
   name: redis-namespace
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: httparty
   requirement: !ruby/object:Gem::Requirement
@@ -196,22 +196,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
 description: A Ruby gem to verify the signature of Firebase ID Tokens. It uses Redis
   to store Google's x509 certificates and manage their expiration time, so you don't
   need to request Google's API in every execution and can access it as fast as reading
@@ -260,7 +260,7 @@ homepage: https://github.com/fschuindt/firebase_id_token
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -275,8 +275,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: A Firebase ID Token verifier.
 test_files: []