gocardless 1.11.1 → 1.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b3a88d8a7aa3c33e45904af4ef911e8cb130769d
-  data.tar.gz: b10e98e102e8b39325c0d63f361c45887ea83ea9
+  metadata.gz: 417cec8542edd246281e1e82b45294ad06d09a5e
+  data.tar.gz: 2dae626c784514a1b722dbb348bd782e954f7c46
 SHA512:
-  metadata.gz: 5b29a3f20bb862f1068fd4a117bbd7f6354e05cb58d6db2a80b7b99e89e0811d4b0b68c3ba27f90b8936df8d441e660f5e7b7540dac6ebe074fbe0aeab9ca8a7
-  data.tar.gz: c9fd6c36424dbeed58426043b92d7669067f0199fe904b58f06f338daf7713b500ce3f8ab493c276e741a9386180c28eb6d549eda8edf03d7ea2789478a8f0ad
+  metadata.gz: d47705fcf702d7fb7ed80a1e847b7953c4b235f6bb78d16961978c97166eaa9c9b1d790dde027e3a2cac7109170e5b2063e1fac1a4588a576aeb143314a68795
+  data.tar.gz: b8c4cc2cc8ad7aebf8586a8f9b901e160116b03039c1c820b5c3bdab1848bddd233e061c07ded755d63f67f5df2ae096dad29169f2c1ad9ffc221ab8932eccf2

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 1.11.2 - October 27, 2014
+
+- Use a constant time string comparison to avoid timing attacks
+- Switch to Rspec3 style param checking
+
 ## 1.11.1 - August 22, 2014
 
 - Fix bug affecting paginated sub-resources

data/lib/gocardless/client.rb

@@ -418,7 +418,7 @@ module GoCardless
     def signature_valid?(params)
       params = params.clone
       signature = params.delete(:signature)
-      sign_params(params)[:signature] == signature
+      Utils.secure_compare(sign_params(params)[:signature], signature)
     end
 
     # Generate a random base64-encoded string

data/lib/gocardless/utils.rb

@@ -82,7 +82,7 @@ module GoCardless
       end * '&'
     end
 
-    # Given a Hash of parameters, normalize then (flatten and convert to a
+    # Given a Hash of parameters, normalize them (flatten and convert to a
     # string), then generate the HMAC-SHA-256 signature using the provided key.
     #
     # @param [Hash] params the parameters to sign
@@ -94,6 +94,25 @@ module GoCardless
       OpenSSL::HMAC.hexdigest(digest, key, msg)
     end
 
+    # Given two strings, compare them in constant time (for the length of the
+    # string). This can avoid timing attacks when used to compare signed
+    # parameters.
+    # Borrowed from ActiveSupport::MessageVerifier.
+    # https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb
+    #
+    # @param [String] the first string to compare
+    # @param [String] this second string to compare
+    # @return [Boolean] the result of the comparison
+    def secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack("C#{a.bytesize}")
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
     # Format a Time object according to ISO 8601, and convert to UTC.
     #
     # @param [Time] time the time object to format

data/lib/gocardless/version.rb

@@ -1,3 +1,3 @@
 module GoCardless
-  VERSION = '1.11.1'.freeze
+  VERSION = '1.11.2'.freeze
 end

data/spec/client_spec.rb

@@ -235,7 +235,9 @@ describe GoCardless::Client do
       token = @client.instance_variable_get(:@access_token)
       r = double
       r.stub(:parsed)
-      token.should_receive(:get).with { |p,o| p =~ %r|/api/v1/test| }.and_return(r)
+      token.should_receive(:get) do |p, o|
+        expect(p).to satisfy { |v| v =~ %r|/api/v1/test| }
+      end.and_return(r)
       @client.api_get('/test')
     end
 
@@ -250,7 +252,9 @@ describe GoCardless::Client do
       token = @client.instance_variable_get(:@access_token)
       r = double
       r.stub(:parsed)
-      token.should_receive(:post).with { |p,opts| opts[:body] == '{"a":1}' }.and_return(r)
+      token.should_receive(:post) do |p,opts|
+        expect(opts[:body]).to eq('{"a":1}')
+      end.and_return(r)
       @client.api_post('/test', {:a => 1})
     end
 
@@ -265,7 +269,9 @@ describe GoCardless::Client do
       token = @client.instance_variable_get(:@access_token)
       r = double
       r.stub(:parsed)
-      token.should_receive(:delete).with { |p,opts| opts[:body] == '{"a":1}' }.and_return(r)
+      token.should_receive(:delete) do |p,opts|
+        expect(opts[:body]).to eq('{"a":1}')
+      end.and_return(r)
       @client.api_delete('/test', {:a => 1})
     end
 
@@ -283,7 +289,9 @@ describe GoCardless::Client do
 
       token = @client.instance_variable_get(:@access_token)
       merchant_url = '/api/v1/merchants/123'
-      token.should_receive(:get).with { |p,o| p == merchant_url }.and_return response
+      token.should_receive(:get) do |p,o|
+        expect(p).to eq(merchant_url)
+      end.and_return response
 
       GoCardless::Merchant.stub(:new_with_client)
 
@@ -331,12 +339,12 @@ describe GoCardless::Client do
 
     it "succeeds with a valid signature" do
       params = @client.send(:sign_params, @params)
-      @client.send(:signature_valid?, params).should be_true
+      @client.send(:signature_valid?, params).should be_truthy
     end
 
     it "fails with an invalid signature" do
       params = {:signature => 'invalid'}.merge(@params)
-      @client.send(:signature_valid?, params).should be_false
+      @client.send(:signature_valid?, params).should be_falsey
     end
   end
 
@@ -380,11 +388,11 @@ describe GoCardless::Client do
     it "includes valid http basic credentials" do
       GoCardless::Subscription.stub(:find_with_client)
       auth = 'Basic YWJjOnh5eg=='
-      @client.should_receive(:request).once.with do |type, path, opts|
+      @client.should_receive(:request) do |type, path, opts|
         opts.should include :headers
         opts[:headers].should include 'Authorization'
         opts[:headers]['Authorization'].should == auth
-      end
+      end.once
       @client.confirm_resource(@client.send(:sign_params, @params))
     end
 
@@ -438,12 +446,12 @@ describe GoCardless::Client do
 
     it "and_return false when the signature is invalid" do
       params = {:signature => 'xxx'}.merge(@params)
-      @client.response_params_valid?(params).should be_false
+      @client.response_params_valid?(params).should be_falsey
     end
 
     it "and_return true when the signature is valid" do
       params = @client.send(:sign_params, @params)
-      @client.response_params_valid?(params).should be_true
+      @client.response_params_valid?(params).should be_truthy
     end
   end
 
@@ -501,7 +509,7 @@ describe GoCardless::Client do
 
     it "should include a valid signature" do
       params = get_params(@client.send(:new_limit_url, :subscription, :x => 1))
-      params.key?('signature').should be_true
+      params.key?('signature').should be_truthy
       sig = params.delete('signature')
       sig.should == @client.send(:sign_params, params.clone)[:signature]
     end
@@ -542,13 +550,13 @@ describe GoCardless::Client do
   describe "#webhook_valid?" do
     it "and_return false when the webhook signature is invalid" do
       @client.webhook_valid?({:some => 'stuff', :signature => 'invalid'}).
-        should be_false
+        should be_falsey
     end
 
     it "and_return true when the webhook signature is valid" do
       valid_signature = '175e814f0f64e5e86d41fb8fe06a857cedda715a96d3dc3d885e6d97dbeb7e49'
       @client.webhook_valid?({:some => 'stuff', :signature => valid_signature}).
-        should be_true
+        should be_truthy
     end
   end
 

data/spec/page_spec.rb

@@ -14,12 +14,12 @@ describe GoCardless::Page do
 
     context "when there is next page available" do
       let(:links) {{ "next" => 2, "last" => 2 }}
-      it { should be_true }
+      it { should be_truthy }
     end
 
     context "when there is no next page" do
       let(:links) {{ "previous" => 1, "first" => 1 }}
-      it { should be_false }
+      it { should be_falsey }
     end
   end
 

data/spec/resource_spec.rb

@@ -170,8 +170,8 @@ describe GoCardless::Resource do
   end
 
   it "#persisted? works" do
-    GoCardless::Resource.new.persisted?.should be_false
-    GoCardless::Resource.new(:id => 1).persisted?.should be_true
+    GoCardless::Resource.new.persisted?.should be_falsey
+    GoCardless::Resource.new(:id => 1).persisted?.should be_truthy
   end
 
   describe "#save" do
@@ -288,8 +288,8 @@ describe GoCardless::Resource do
 
   describe "resource permissions" do
     it "are not given by default" do
-      GoCardless::Resource.creatable?.should be_false
-      GoCardless::Resource.updatable?.should be_false
+      GoCardless::Resource.creatable?.should be_falsey
+      GoCardless::Resource.updatable?.should be_falsey
     end
 
     it "are present when specified" do
@@ -301,14 +301,14 @@ describe GoCardless::Resource do
         updatable
       end
 
-      CreatableResource.creatable?.should be_true
-      CreatableResource.updatable?.should be_false
+      CreatableResource.creatable?.should be_truthy
+      CreatableResource.updatable?.should be_falsey
 
-      UpdatableResource.creatable?.should be_false
-      UpdatableResource.updatable?.should be_true
+      UpdatableResource.creatable?.should be_falsey
+      UpdatableResource.updatable?.should be_truthy
 
-      GoCardless::Resource.creatable?.should be_false
-      GoCardless::Resource.updatable?.should be_false
+      GoCardless::Resource.creatable?.should be_falsey
+      GoCardless::Resource.updatable?.should be_falsey
     end
   end
 

data/spec/spec_helper.rb

@@ -17,12 +17,12 @@ shared_examples_for "it has a query method for" do |status|
   describe "##{status}?" do
     context "when #{status}" do
       let(:object) { described_class.new(:status => status) }
-      specify { object.send("#{status}?").should be_true }
+      specify { object.send("#{status}?").should be_truthy }
     end
 
     context "when not #{status}" do
       let(:object) { described_class.new }
-      specify { object.send("#{status}?").should be_false }
+      specify { object.send("#{status}?").should be_falsey }
     end
   end
 end

data/spec/utils_spec.rb

@@ -26,6 +26,16 @@ describe GoCardless::Utils do
         GoCardless::Utils.singularize("cacti").should == "cactus"
       end
     end
+
+    describe '.secure_compare' do
+      it 'is true for the same strings' do
+        GoCardless::Utils.secure_compare('hello', 'hello').should be_truthy
+      end
+
+      it 'is false for different strings' do
+        GoCardless::Utils.secure_compare('hello', 'banjo').should be_falsey
+      end
+    end
   end
 
   describe "hash helpers" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gocardless
 version: !ruby/object:Gem::Version
-  version: 1.11.1
+  version: 1.11.2
 platform: ruby
 authors:
 - Harry Marr
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-22 00:00:00.000000000 Z
+date: 2014-10-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2
@@ -157,7 +157,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.2
 signing_key: 
 specification_version: 4
 summary: Ruby wrapper for the GoCardless API