gibbon 3.4.3 → 3.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cbf98318183318809515680772c41112c958c6bbe179cca742be0ede39a7ff00
-  data.tar.gz: b5ef43d8313654cd65cc57da8698189cf559200e89da98cd269b9e3973d02b9e
+  metadata.gz: a078fe9c806ec8909a1f808a6d6983de6f1d1414c361a9b54156b66f8a796bb3
+  data.tar.gz: d0ded539be8f09eae933da1d20cace7ee804529668add90f8c892e672c61c362
 SHA512:
-  metadata.gz: 6c4534f315ae5d1bdf712bbdb56414ba2e96170af76c6e70dde47f1d01157e2d3707d4473be60f3a38b9cfa3ab8780694bcde7b007d5dc0919c103d5b7f69598
-  data.tar.gz: fe7e4f3f2c55b289ee93c8f72ce28204a55ad013c3f997f287a734e0cb7e07b2ec5ce635a9c5534f2be11e25eda8ed291365d6c7579f6fb5cbfcf2a1287f1bdf
+  metadata.gz: 9963ae0173d0189cfe674e1547313ad6570f3dc6f502198e77118e67f067bb842478b36dc46ed72bd675f692b42067f1bda0db59c47e43f8f215364818ac1d33
+  data.tar.gz: 6f855c6ad7a73d447ed9c3219ba6383cd624dfa33abf3effbb655207b888e4eb2006297413aabb62f481f0adfde56dc67c863c47eb287a599c9f907db5c29aa9

data/CHANGELOG.md

@@ -1,5 +1,7 @@
 ## [Unreleased][unreleased]
 
+## [3.4.4] - 2022-02-24
+- Remove non-alpha characters when parsing datacenter from API keys to prevent potential attackers from injecting a domain via the API key. This would only be possible if one were using user-provided API keys (e.g. from a form, etc.).
 
 ## [3.4.3] - 2022-01-19
 - Support for Faraday 2.0, which requires new syntax for basic auth

data/lib/gibbon/gibbon_helpers.rb

@@ -5,8 +5,12 @@ module Gibbon
       data_center = ""
 
       if api_key && api_key["-"]
-        # Add a period since the data_center is a subdomain and it keeps things dry
-        data_center = "#{api_key.split('-').last}."
+        # Remove all non-alphanumberic characters in case someone attempts to inject
+        # a different domain into the API key (e.g. when consuming user form-provided keys)
+        # This approach avoids assuming a 3 letter prefix (e.g. is MC were to create 
+        # a us10 DC, this would continue to work), and will continue to hit MC's server
+        # rather than a would-be attacker's servers.
+        data_center = "#{api_key.split('-').last.gsub(/[^0-9a-z ]/i, '')}."
       end
 
       data_center

data/lib/gibbon/version.rb

@@ -1,3 +1,3 @@
 module Gibbon
-  VERSION = "3.4.3"
+  VERSION = "3.4.4"
 end

data/spec/gibbon/gibbon_spec.rb

@@ -14,6 +14,7 @@ describe Gibbon do
       @gibbon = Gibbon::Request.new
       expect(@gibbon.api_key).to be_nil
     end
+  
     it "sets an API key in the constructor" do
       @gibbon = Gibbon::Request.new(api_key: @api_key)
       expect(@gibbon.api_key).to eq(@api_key)
@@ -162,6 +163,14 @@ describe Gibbon do
       @request = Gibbon::APIRequest.new(builder: @gibbon)
       expect {@request.validate_api_key}.not_to raise_error
     end
+
+    it "removes non-alpha characters from datacenter prefix" do
+      @api_key = "123-attacker.net/test/?"
+      @gibbon.api_key = @api_key
+      @gibbon.try
+      @request = Gibbon::APIRequest.new(builder: @gibbon)
+      expect(@request.api_url).to eq("https://attackernettest.api.mailchimp.com/3.0/try")
+    end
   end
 
   describe "class variables" do
@@ -213,7 +222,7 @@ describe Gibbon do
     it "set debug on new instances" do
       expect(Gibbon::Request.new.debug).to eq(Gibbon::Request.debug)
     end
-    
+
     it "set faraday_adapter on new instances" do
       expect(Gibbon::Request.new.faraday_adapter).to eq(Gibbon::Request.faraday_adapter)
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gibbon
 version: !ruby/object:Gem::Version
-  version: 3.4.3
+  version: 3.4.4
 platform: ruby
 authors:
 - Amro Mousa
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-21 00:00:00.000000000 Z
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday