gibbon 3.4.3 → 3.4.4
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -0
- data/lib/gibbon/gibbon_helpers.rb +6 -2
- data/lib/gibbon/version.rb +1 -1
- data/spec/gibbon/gibbon_spec.rb +10 -1
- metadata +2 -2
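--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a078fe9c806ec8909a1f808a6d6983de6f1d1414c361a9b54156b66f8a796bb3
+data.tar.gz: d0ded539be8f09eae933da1d20cace7ee804529668add90f8c892e672c61c362
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9963ae0173d0189cfe674e1547313ad6570f3dc6f502198e77118e67f067bb842478b36dc46ed72bd675f692b42067f1bda0db59c47e43f8f215364818ac1d33
+data.tar.gz: 6f855c6ad7a73d447ed9c3219ba6383cd624dfa33abf3effbb655207b888e4eb2006297413aabb62f481f0adfde56dc67c863c47eb287a599c9f907db5c29aa9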
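--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## [Unreleased][unreleased]
 
+## [3.4.4] - 2022-02-24
+- Remove non-alpha characters when parsing datacenter from API keys to prevent potential attackers from injecting a domain via the API key. This would only be possible if one were using user-provided API keys (e.g. from a form, etc.).
 
 ## [3.4.3] - 2022-01-19
 - Support for Faraday 2.0, which requires new syntax for basic auth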
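--- a/data/lib/gibbon/gibbon_helpers.rb
+++ b/data/lib/gibbon/gibbon_helpers.rb
@@ -5,8 +5,12 @@ module Gibbon
 data_center = ""
 
 if api_key && api_key["-"]
-#
-
+# Remove all non-alphanumberic characters in case someone attempts to inject
+# a different domain into the API key (e.g. when consuming user form-provided keys)
+# This approach avoids assuming a 3 letter prefix (e.g. is MC were to create
+# a us10 DC, this would continue to work), and will continue to hit MC's server
+# rather than a would-be attacker's servers.
+data_center = "#{api_key.split('-').last.gsub(/[^0-9a-z ]/i, '')}."
 end
 
 data_center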
data/lib/gibbon/version.rb
CHANGED
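--- a/data/spec/gibbon/gibbon_spec.rb
+++ b/data/spec/gibbon/gibbon_spec.rb
@@ -14,6 +14,7 @@ describe Gibbon do
 @gibbon = Gibbon::Request.new
 expect(@gibbon.api_key).to be_nil
 end
+
 it "sets an API key in the constructor" do
 @gibbon = Gibbon::Request.new(api_key: @api_key)
 expect(@gibbon.api_key).to eq(@api_key)
@@ -162,6 +163,14 @@ describe Gibbon do
 @request = Gibbon::APIRequest.new(builder: @gibbon)
 expect {@request.validate_api_key}.not_to raise_error
 end
+
+it "removes non-alpha characters from datacenter prefix" do
+@api_key = "123-attacker.net/test/?"
+@gibbon.api_key = @api_key
+@gibbon.try
+@request = Gibbon::APIRequest.new(builder: @gibbon)
+expect(@request.api_url).to eq("https://attackernettest.api.mailchimp.com/3.0/try")
+end
 end
 
 describe "class variables" do
@@ -213,7 +222,7 @@ describe Gibbon do
 it "set debug on new instances" do
 expect(Gibbon::Request.new.debug).to eq(Gibbon::Request.debug)
 end
-
+
 it "set faraday_adapter on new instances" do
 expect(Gibbon::Request.new.faraday_adapter).to eq(Gibbon::Request.faraday_adapter)
 end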
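--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gibbon
 version: !ruby/object:Gem::Version
-version: 3.4.
+version: 3.4.4
 platform: ruby
 authors:
 - Amro Mousa
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: faraday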