gibbon 3.4.3 → 3.4.4

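--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbf98318183318809515680772c41112c958c6bbe179cca742be0ede39a7ff00
-  data.tar.gz: b5ef43d8313654cd65cc57da8698189cf559200e89da98cd269b9e3973d02b9e
+  metadata.gz: a078fe9c806ec8909a1f808a6d6983de6f1d1414c361a9b54156b66f8a796bb3
+  data.tar.gz: d0ded539be8f09eae933da1d20cace7ee804529668add90f8c892e672c61c362
 SHA512:
-  metadata.gz: 6c4534f315ae5d1bdf712bbdb56414ba2e96170af76c6e70dde47f1d01157e2d3707d4473be60f3a38b9cfa3ab8780694bcde7b007d5dc0919c103d5b7f69598
-  data.tar.gz: fe7e4f3f2c55b289ee93c8f72ce28204a55ad013c3f997f287a734e0cb7e07b2ec5ce635a9c5534f2be11e25eda8ed291365d6c7579f6fb5cbfcf2a1287f1bdf
+  metadata.gz: 9963ae0173d0189cfe674e1547313ad6570f3dc6f502198e77118e67f067bb842478b36dc46ed72bd675f692b42067f1bda0db59c47e43f8f215364818ac1d33
+  data.tar.gz: 6f855c6ad7a73d447ed9c3219ba6383cd624dfa33abf3effbb655207b888e4eb2006297413aabb62f481f0adfde56dc67c863c47eb287a599c9f907db5c29aa9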
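--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## [Unreleased][unreleased]
 
+## [3.4.4] - 2022-02-24
+- Remove non-alpha characters when parsing datacenter from API keys to prevent potential attackers from injecting a domain via the API key. This would only be possible if one were using user-provided API keys (e.g. from a form, etc.).
 
 ## [3.4.3] - 2022-01-19
 - Support for Faraday 2.0, which requires new syntax for basic auth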
@@ -5,8 +5,12 @@ module Gibbon
5
5
  data_center = ""
6
6
 
7
7
  if api_key && api_key["-"]
8
- # Add a period since the data_center is a subdomain and it keeps things dry
9
- data_center = "#{api_key.split('-').last}."
8
+ # Remove all non-alphanumberic characters in case someone attempts to inject
9
+ # a different domain into the API key (e.g. when consuming user form-provided keys)
10
+ # This approach avoids assuming a 3 letter prefix (e.g. is MC were to create
11
+ # a us10 DC, this would continue to work), and will continue to hit MC's server
12
+ # rather than a would-be attacker's servers.
13
+ data_center = "#{api_key.split('-').last.gsub(/[^0-9a-z ]/i, '')}."
10
14
  end
11
15
 
12
16
  data_center
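Review bot: The sanitizing character class on the new `data_center =` line, `/[^0-9a-z ]/i`, keeps spaces, so a key whose last segment is `us1 ` still yields `us1 .` and an invalid host label even though the comment above says non-alphanumeric; the class should be `gsub(/[^0-9a-z]/i, '')`. The same comment has two typos worth fixing in the same pass: `non-alphanumberic` → `non-alphanumeric` and `is MC were` → `if MC were`. A segment that sanitizes to nothing (a key ending in `-???`, say) still produces a bare `.` prefix, which presumably builds a host of `.api.mailchimp.com`; raising on an empty data center rather than building that URL is a follow-up worth considering. The enclosing method starts before this hunk.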
@@ -1,3 +1,3 @@
1
1
  module Gibbon
2
- VERSION = "3.4.3"
2
+ VERSION = "3.4.4"
3
3
  end
@@ -14,6 +14,7 @@ describe Gibbon do
14
14
  @gibbon = Gibbon::Request.new
15
15
  expect(@gibbon.api_key).to be_nil
16
16
  end
17
+
17
18
  it "sets an API key in the constructor" do
18
19
  @gibbon = Gibbon::Request.new(api_key: @api_key)
19
20
  expect(@gibbon.api_key).to eq(@api_key)
@@ -162,6 +163,14 @@ describe Gibbon do
162
163
  @request = Gibbon::APIRequest.new(builder: @gibbon)
163
164
  expect {@request.validate_api_key}.not_to raise_error
164
165
  end
166
+
167
+ it "removes non-alpha characters from datacenter prefix" do
168
+ @api_key = "123-attacker.net/test/?"
169
+ @gibbon.api_key = @api_key
170
+ @gibbon.try
171
+ @request = Gibbon::APIRequest.new(builder: @gibbon)
172
+ expect(@request.api_url).to eq("https://attackernettest.api.mailchimp.com/3.0/try")
173
+ end
165
174
  end
166
175
 
167
176
  describe "class variables" do
@@ -213,7 +222,7 @@ describe Gibbon do
213
222
  it "set debug on new instances" do
214
223
  expect(Gibbon::Request.new.debug).to eq(Gibbon::Request.debug)
215
224
  end
216
-
225
+
217
226
  it "set faraday_adapter on new instances" do
218
227
  expect(Gibbon::Request.new.faraday_adapter).to eq(Gibbon::Request.faraday_adapter)
219
228
  end
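Review bot: The new example `removes non-alpha characters from datacenter prefix` only covers punctuation; the regex under test keeps whitespace, so a key such as `"123-us1 "` would likely produce `"https://us1 .api.mailchimp.com/3.0/try"` and no spec would catch it. Adding a second example with a space in the data-center segment that expects `"https://us1.api.mailchimp.com/3.0/try"` pins the intended behaviour (it would presumably fail until the character class drops the space). The example name also says non-alpha while the implementation strips non-alphanumeric; naming it `removes non-alphanumeric characters from datacenter prefix` keeps spec and code in step. The enclosing `describe` block starts and ends outside the hunk.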
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: gibbon
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.4.3
4
+ version: 3.4.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amro Mousa
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-01-21 00:00:00.000000000 Z
11
+ date: 2022-02-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: faraday