haveapi-client 0.27.3 → 0.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f19892484687b15ed8dc7c1316dd17d45bd087f156adf9cd6ad5a225dce8dedd
-  data.tar.gz: 422dea297e175322052513f595328cdf685c11e04cfe1fbcf15a014caa7c99aa
+  metadata.gz: 2e8b97599e4a2afdab12412cb851dced954f8efc0961a69055947cefd69edc28
+  data.tar.gz: ee5f1df9fa2e1687cbccf240c6de1a38cf66a6765621a7c56dbf1cd72213ded7
 SHA512:
-  metadata.gz: f1cd0cb7f2278a71879e9575dc5fc71064b1bdb61cf87a65b17f3ae47f6e7ba754d8019cffefd1afeed275fea333bab67df2b7746f8fdd0e09b4ff443cd370a0
-  data.tar.gz: 24f159b459283e909da0b70568b6b10565d2f61d5016f11423ac0f612601ddd7df4480fcac8fdb48ebcf84a30100ff637bdadaa4518539fed9b98b3c45ce0bc4
+  metadata.gz: 7fdd0d0e2b1cab27295094fd8ec99300e62226685fb223fcec684f1126ab611be2db1b9e0367b807c888748c665761af5baedca3b03f98750130a02e616ae2a9
+  data.tar.gz: c80f685e74a80e3e4ba440d380ef4d60fd566606d35e8b8ed19478567045b1f3539586d5786bea0a2a47f179fbf6a05f62c91b73d65e744307c3d3e66547ecb8

data/lib/haveapi/cli/cli.rb

@@ -72,7 +72,7 @@ module HaveAPI::CLI
         end
 
         if (sep = ARGV.index('--'))
-          cmd_opt.parse!(ARGV[sep + 1..])
+          cmd_opt.parse!(ARGV[(sep + 1)..])
         end
 
         c.exec(args[2..] || [])
@@ -80,7 +80,7 @@ module HaveAPI::CLI
         exit
       end
 
-      if args.count == 1
+      if args.one?
         describe_resource(resources)
         exit
       end
@@ -374,7 +374,7 @@ module HaveAPI::CLI
 
       return {} unless sep
 
-      @action_opt.parse!(ARGV[sep + 1..])
+      @action_opt.parse!(ARGV[(sep + 1)..])
 
       options
     end
@@ -646,7 +646,11 @@ module HaveAPI::CLI
     end
 
     def write_config
-      File.write(config_path, YAML.dump(@config))
+      File.open(config_path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
+        f.write(YAML.dump(@config))
+      end
+
+      File.chmod(0o600, config_path)
     end
 
     def read_config

data/lib/haveapi/client/action.rb

@@ -1,3 +1,5 @@
+require 'cgi'
+
 module HaveAPI::Client
   class Action
     attr_reader :client, :api, :name
@@ -29,9 +31,9 @@ module HaveAPI::Client
         params_arg = params.to_api
       end
 
-      ret = @api.call(self, params_arg)
+      @api.call(self, params_arg)
+    ensure
       reset
-      ret
     end
 
     def auth?
@@ -237,9 +239,15 @@ module HaveAPI::Client
       @prepared_help ||= @spec[:help].dup
 
       args.each do |arg|
-        @prepared_path.sub!(/\{[a-zA-Z0-9\-_]+\}/, arg.to_s)
-        @prepared_help.sub!(/\{[a-zA-Z0-9\-_]+\}/, arg.to_s)
+        encoded = encode_path_arg(arg)
+
+        @prepared_path.sub!(/\{[a-zA-Z0-9\-_]+\}/, encoded)
+        @prepared_help.sub!(/\{[a-zA-Z0-9\-_]+\}/, encoded)
       end
     end
+
+    def encode_path_arg(arg)
+      CGI.escape(arg.to_s).gsub('+', '%20')
+    end
   end
 end

data/lib/haveapi/client/authentication/token.rb

@@ -3,6 +3,8 @@ require 'haveapi/client/authentication/base'
 module HaveAPI::Client::Authentication
   class Token < Base
     register :token
+    HTTP_HEADER_NAME = /\A[A-Za-z0-9!#$%&'*+\-.^_`|~]+\z/
+
     attr_reader :token, :valid_to
 
     def setup
@@ -33,7 +35,7 @@ module HaveAPI::Client::Authentication
       return {} unless @configured
 
       check_validity
-      @via == :header ? { @desc[:http_header] => @token } : {}
+      @via == :header ? { http_header => @token } : {}
     end
 
     def save
@@ -131,5 +133,12 @@ module HaveAPI::Client::Authentication
     def auth_action_input(name)
       @desc[:resources][:token][:actions][name][:input][:parameters].except(:token)
     end
+
+    def http_header
+      header = @desc[:http_header]
+      return header if header.is_a?(String) && header.match?(HTTP_HEADER_NAME)
+
+      raise ArgumentError, "invalid token authentication HTTP header name: #{header.inspect}"
+    end
   end
 end

data/lib/haveapi/client/client.rb

@@ -100,7 +100,7 @@ class HaveAPI::Client::Client
 
     setup_api
 
-    if @resources.include?(symbol)
+    if @resource_methods.include?(symbol)
       method(symbol).call(*args)
 
     else
@@ -112,7 +112,7 @@ class HaveAPI::Client::Client
     return super if @setup
 
     setup_api
-    @resources.include?(symbol)
+    @resource_methods.include?(symbol)
   end
 
   private
@@ -120,17 +120,24 @@ class HaveAPI::Client::Client
   # Get the description from the API and setup resource methods.
   def setup_api
     @description = @api.describe_api(@version)
+    old_resource_methods = @resource_methods || {}
     @resources = {}
+    @resource_methods = {}
 
     @description[:resources].each do |name, desc|
       r = HaveAPI::Client::Resource.new(self, @api, name)
       r.setup(desc)
+      method_name = name.to_sym
 
-      define_singleton_method(name) do |*args|
-        tmp = r.dup
-        tmp.prepared_args = args
-        tmp.setup_from_clone(r)
-        tmp
+      if old_resource_methods.include?(method_name) || define_resource_method?(name)
+        define_singleton_method(name) do |*args|
+          tmp = r.dup
+          tmp.prepared_args = args
+          tmp.setup_from_clone(r)
+          tmp
+        end
+
+        @resource_methods[method_name] = true
       end
 
       @resources[name] = r
@@ -138,4 +145,13 @@ class HaveAPI::Client::Client
 
     @setup = true
   end
+
+  def define_resource_method?(name)
+    method_name = name.to_sym
+
+    !singleton_class.public_method_defined?(method_name) &&
+      !singleton_class.protected_method_defined?(method_name) &&
+      !singleton_class.private_method_defined?(method_name, false) &&
+      !self.class.private_method_defined?(method_name, false)
+  end
 end

data/lib/haveapi/client/resource.rb

@@ -78,24 +78,26 @@ module HaveAPI::Client
         next unless define_method?(action, name)
 
         define_singleton_method(name) do |*args, **kwargs, &block|
+          call_action = action.dup
+          call_action.reset
           client_opts = @client.opts(:block, :block_interval, :block_timeout)
           all_args = @prepared_args + args
 
-          if action.unresolved_args?
+          if call_action.unresolved_args?
             all_args.delete_if do |arg|
-              break unless action.unresolved_args?
+              break unless call_action.unresolved_args?
 
-              action.provide_args(arg)
+              call_action.provide_args(arg)
               true
             end
 
-            if action.unresolved_args?
+            if call_action.unresolved_args?
               raise ArgumentError, 'one or more object ids missing'
             end
           end
 
           if all_args.length > 1 || (kwargs.any? && all_args.any?)
-            raise ArgumentError, "too many arguments for action #{@name}##{action.name}"
+            raise ArgumentError, "too many arguments for action #{@name}##{call_action.name}"
           end
 
           arg = all_args.shift
@@ -111,7 +113,7 @@ module HaveAPI::Client
             end
 
           if user_params.nil?
-            input_params = default_action_input_params(action)
+            input_params = default_action_input_params(call_action)
 
           else
             if user_params.has_key?(:meta)
@@ -122,25 +124,25 @@ module HaveAPI::Client
               end
             end
 
-            input_params = default_action_input_params(action).update(user_params)
+            input_params = default_action_input_params(call_action).update(user_params)
           end
 
-          ret = Response.new(action, action.execute(input_params))
+          ret = Response.new(call_action, call_action.execute(input_params))
 
           raise ActionFailed, ret unless ret.ok?
 
-          return_value = case action.output && action.output_layout
+          return_value = case call_action.output && call_action.output_layout
                          when :object
-                           ResourceInstance.new(@client, @api, self, action: action, response: ret)
+                           ResourceInstance.new(@client, @api, self, action: call_action, response: ret)
 
                          when :object_list
-                           ResourceInstanceList.new(@client, @api, self, action, ret)
+                           ResourceInstanceList.new(@client, @api, self, call_action, ret)
 
                          else # :hash, :hash_list
                            ret
                          end
 
-          if action.blocking? && client_opts[:block]
+          if call_action.blocking? && client_opts[:block]
             wait_opts = {}
 
             {
@@ -156,6 +158,8 @@ module HaveAPI::Client
           end
 
           return_value
+        ensure
+          call_action.reset if call_action
         end
       end
     end
@@ -163,7 +167,12 @@ module HaveAPI::Client
     # Called before defining a method named +name+ that will
     # invoke +action+.
     def define_method?(action, name)
-      return false if %i[new].include?(name.to_sym)
+      method_name = name.to_sym
+
+      return false if singleton_class.public_method_defined?(method_name)
+      return false if singleton_class.protected_method_defined?(method_name)
+      return false if singleton_class.private_method_defined?(method_name, false)
+      return false if self.class.private_method_defined?(method_name, false)
 
       true
     end
@@ -176,6 +185,8 @@ module HaveAPI::Client
     end
 
     def define_resource(resource)
+      return unless define_resource_method?(resource._name)
+
       define_singleton_method(resource._name) do |*args|
         tmp = resource.dup
         tmp.prepared_args = @prepared_args + args
@@ -183,5 +194,14 @@ module HaveAPI::Client
         tmp
       end
     end
+
+    def define_resource_method?(name)
+      method_name = name.to_sym
+
+      !singleton_class.public_method_defined?(method_name) &&
+        !singleton_class.protected_method_defined?(method_name) &&
+        !singleton_class.private_method_defined?(method_name, false) &&
+        !self.class.private_method_defined?(method_name, false)
+    end
   end
 end

data/lib/haveapi/client/version.rb

@@ -1,6 +1,6 @@
 module HaveAPI
   module Client
     PROTOCOL_VERSION = '2.0'.freeze
-    VERSION = '0.27.3'.freeze
+    VERSION = '0.28.0'.freeze
   end
 end

data/spec/action_security_spec.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'uri'
+
+RSpec.describe HaveAPI::Client::Action do
+  let(:action_spec) do
+    {
+      path: '/v1/users/{user_id}',
+      help: '/v1/users/{user_id}?describe=action',
+      method: 'GET',
+      auth: false,
+      blocking: false,
+      aliases: [],
+      input: {
+        layout: :hash,
+        namespace: :user,
+        parameters: {}
+      },
+      output: {
+        layout: :hash,
+        namespace: :user,
+        parameters: {}
+      },
+      meta: {}
+    }
+  end
+
+  let(:path_arg) { '42?user[name]=alice&_meta[includes]=group__secret' }
+  let(:encoded_arg) do
+    '42%3Fuser%5Bname%5D%3Dalice%26_meta%5Bincludes%5D%3Dgroup__secret'
+  end
+
+  let(:communicator) do
+    Class.new do
+      attr_reader :called_paths
+
+      def initialize
+        @called_paths = []
+      end
+
+      def url
+        'https://api.example'
+      end
+
+      def describe_api(_version)
+        {
+          resources: {
+            users: {
+              actions: {
+                show: {
+                  auth: false,
+                  description: 'Show a user',
+                  aliases: [],
+                  blocking: false,
+                  input: {
+                    layout: 'hash',
+                    namespace: 'user',
+                    parameters: {
+                      note: {
+                        type: 'String',
+                        nullable: false,
+                        validators: {
+                          present: {
+                            empty: false,
+                            message: 'required'
+                          }
+                        }
+                      }
+                    }
+                  },
+                  output: {
+                    layout: 'hash',
+                    namespace: 'user',
+                    parameters: {}
+                  },
+                  meta: {
+                    object: nil,
+                    global: nil
+                  },
+                  path: '/v1/users/{user_id}',
+                  help: '/v1/users/{user_id}?method=GET',
+                  method: 'GET'
+                }
+              },
+              resources: {}
+            }
+          }
+        }
+      end
+
+      def call(action, params = {})
+        @called_paths << action.prepared_path
+
+        {
+          status: true,
+          response: {
+            user: {
+              path: action.prepared_path,
+              params: params
+            }
+          }
+        }
+      end
+    end.new
+  end
+
+  let(:client) do
+    HaveAPI::Client::Client.new(
+      'https://api.example',
+      communicator: communicator
+    ).tap(&:setup)
+  end
+
+  it 'encodes constructor path arguments as path components' do
+    action = described_class.new(nil, nil, :show, action_spec, [path_arg])
+    parsed = URI.parse("https://api.example#{action.prepared_path}")
+
+    expect(action.prepared_path).to eq("/v1/users/#{encoded_arg}")
+    expect(parsed.path).to eq("/v1/users/#{encoded_arg}")
+    expect(parsed.query).to be_nil
+  end
+
+  it 'encodes provided path arguments as path components' do
+    action = described_class.new(nil, nil, :show, action_spec, [])
+
+    action.provide_args(path_arg)
+
+    expect(action.prepared_path).to eq("/v1/users/#{encoded_arg}")
+    expect(action.prepared_help).to eq("/v1/users/#{encoded_arg}?describe=action")
+  end
+
+  it 'does not reuse path arguments after validation fails' do
+    expect do
+      client.users.show(42, {})
+    end.to raise_error(HaveAPI::Client::ValidationError)
+
+    expect do
+      client.users.show(note: 'allowed follow-up input')
+    end.to raise_error(ArgumentError, 'one or more object ids missing')
+
+    response = client.users.show(7, note: 'allowed follow-up input')
+
+    expect(communicator.called_paths).to eq(['/v1/users/7'])
+    expect(response[:path]).to eq('/v1/users/7')
+  end
+
+  it 'does not reuse path arguments after argument parsing fails' do
+    expect do
+      client.users.show(42, { note: 'valid input' }, { note: 'extra input' })
+    end.to raise_error(ArgumentError, 'too many arguments for action users#show')
+
+    expect do
+      client.users.show(note: 'allowed follow-up input')
+    end.to raise_error(ArgumentError, 'one or more object ids missing')
+
+    expect(communicator.called_paths).to eq([])
+  end
+end

data/spec/authentication_token_security_spec.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe HaveAPI::Client::Authentication::Token do
+  let(:communicator) do
+    Class.new do
+      def url
+        'https://api.example'
+      end
+
+      def verify_ssl
+        true
+      end
+    end.new
+  end
+
+  let(:http_header) { 'X-HaveAPI-Auth-Token' }
+
+  let(:description) do
+    {
+      http_header: http_header,
+      query_parameter: 'auth_token',
+      resources: { token: { actions: {} } }
+    }
+  end
+
+  context 'when sending tokens in HTTP headers' do
+    it 'uses RFC-safe token header names from the API description' do
+      http_header = 'X-HaveAPI-Auth-Token'
+      auth = described_class.new(
+        communicator,
+        description.merge(http_header: http_header),
+        token: 'secret-token'
+      )
+
+      expect(auth.request_headers).to eq(http_header => 'secret-token')
+    end
+
+    it 'rejects description-controlled header names that can inject headers' do
+      http_header = "X-HaveAPI-Auth-Token\r\nX-Injected-Token"
+      auth = described_class.new(
+        communicator,
+        description.merge(http_header: http_header),
+        token: 'secret-token'
+      )
+
+      expect { auth.request_headers }.to raise_error(
+        ArgumentError,
+        /invalid token authentication HTTP header name/
+      )
+    end
+
+    it 'rejects header names outside the HTTP token grammar' do
+      invalid_headers = [
+        nil,
+        '',
+        'X HaveAPI Token',
+        'X-HaveAPI-Token:',
+        "X-HaveAPI-Token\n"
+      ]
+
+      invalid_headers.each do |http_header|
+        auth = described_class.new(
+          communicator,
+          description.merge(http_header: http_header),
+          token: 'secret-token'
+        )
+
+        expect { auth.request_headers }.to raise_error(ArgumentError)
+      end
+    end
+  end
+
+  context 'when sending tokens in query parameters' do
+    let(:http_header) { "X-HaveAPI-Auth-Token\r\nX-Injected-Token" }
+
+    it 'does not use the HTTP header name from the API description' do
+      auth = described_class.new(
+        communicator,
+        description,
+        token: 'secret-token',
+        via: :query_param
+      )
+
+      expect(auth.request_headers).to eq({})
+      expect(auth.request_query_params).to eq('auth_token' => 'secret-token')
+    end
+  end
+end

data/spec/cli_security_spec.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'fileutils'
+require 'tmpdir'
+require 'haveapi/cli'
+
+RSpec.describe HaveAPI::CLI::Cli do
+  around do |example|
+    old_umask = File.umask(0o022)
+
+    example.run
+  ensure
+    File.umask(old_umask) if old_umask
+  end
+
+  before do
+    allow(Dir).to receive(:home).and_return(home)
+  end
+
+  after do
+    FileUtils.rm_rf(home)
+  end
+
+  let(:home) { Dir.mktmpdir('haveapi-home-') }
+  let(:config_path) { File.join(home, '.haveapi-client.yml') }
+  let(:secret_token) { 'vuln75-secret-token' }
+  let(:config) do
+    {
+      servers: [
+        {
+          url: 'https://api.example',
+          auth: {
+            token: {
+              token: secret_token,
+              valid_to: 1_800_000_000
+            }
+          },
+          last_auth: :token
+        }
+      ]
+    }
+  end
+
+  def cli_with_config(config)
+    described_class.allocate.tap do |cli|
+      cli.instance_variable_set(:@config, config)
+    end
+  end
+
+  it 'creates saved credential config files with owner-only permissions' do
+    cli_with_config(config).send(:write_config)
+
+    expect(File.read(config_path)).to include(secret_token)
+    expect(File.stat(config_path).mode & 0o777).to eq(0o600)
+  end
+
+  it 'narrows existing saved credential config files before rewriting them' do
+    File.write(config_path, 'previous config')
+    File.chmod(0o644, config_path)
+
+    cli_with_config(config).send(:write_config)
+
+    expect(File.read(config_path)).to include(secret_token)
+    expect(File.stat(config_path).mode & 0o777).to eq(0o600)
+  end
+end

data/spec/description_method_security_spec.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe HaveAPI::Client::Client do
+  let(:communicator_class) do
+    Struct.new(:description, :authenticate_calls, :describe_calls) do
+      def initialize(description)
+        super(description, 0, 0)
+      end
+
+      def describe_api(_version)
+        self.describe_calls += 1
+        description
+      end
+
+      def authenticate(*)
+        self.authenticate_calls += 1
+        :authenticated
+      end
+
+      def call(action, _params = {})
+        {
+          status: true,
+          response: {
+            action: action.name
+          }
+        }
+      end
+
+      def url
+        'https://api.example'
+      end
+    end
+  end
+
+  def action_description(aliases: [])
+    {
+      auth: false,
+      description: 'test action',
+      aliases: aliases,
+      blocking: false,
+      input: {
+        layout: 'hash',
+        namespace: 'input',
+        parameters: {}
+      },
+      output: {
+        layout: 'hash',
+        namespace: 'output',
+        parameters: {}
+      },
+      meta: {
+        object: nil,
+        global: nil
+      },
+      path: '/v1/test',
+      help: '/v1/test?method=GET',
+      method: 'GET'
+    }
+  end
+
+  def client_for(resources)
+    api = communicator_class.new(resources: resources)
+    client = described_class.new(
+      'https://api.example',
+      communicator: api
+    )
+
+    [client, api]
+  end
+
+  it 'does not let top-level resources replace existing client methods' do
+    client, api = client_for(
+      authenticate: {
+        actions: {},
+        resources: {}
+      },
+      setup: {
+        actions: {},
+        resources: {}
+      },
+      users: {
+        actions: {},
+        resources: {}
+      }
+    )
+
+    expect(client.method(:setup).owner).to eq(described_class)
+    expect(client.authenticate(:token, token: 'secret-token')).to eq(:authenticated)
+
+    client.setup
+
+    expect(client.method(:setup).owner).to eq(described_class)
+    expect(client.authenticate(:token, token: 'secret-token')).to eq(:authenticated)
+    expect(api.authenticate_calls).to eq(2)
+    expect(client.users).to be_a(HaveAPI::Client::Resource)
+    expect(client.resources.keys).to contain_exactly(:authenticate, :setup, :users)
+  end
+
+  it 'does not let actions or nested resources replace resource methods' do
+    client, = client_for(
+      users: {
+        actions: {
+          inspect: action_description,
+          show: action_description(aliases: %w[resources details])
+        },
+        resources: {
+          posts: {
+            actions: {},
+            resources: {}
+          },
+          setup: {
+            actions: {},
+            resources: {}
+          }
+        }
+      }
+    )
+
+    client.setup
+    users = client.users
+
+    expect(users.method(:inspect).owner).to eq(HaveAPI::Client::Resource)
+    expect(users.resources).to be_a(Hash)
+    expect(users.method(:setup).owner).to eq(HaveAPI::Client::Resource)
+    expect(users.show).to be_a(HaveAPI::Client::Response)
+    expect(users.details).to be_a(HaveAPI::Client::Response)
+    expect(users.posts).to be_a(HaveAPI::Client::Resource)
+    expect(users.actions.keys).to contain_exactly(:inspect, :show)
+    expect(users.resources.keys).to contain_exactly(:posts, :setup)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: haveapi-client
 version: !ruby/object:Gem::Version
-  version: 0.27.3
+  version: 0.28.0
 platform: ruby
 authors:
 - Jakub Skokan
@@ -150,7 +150,10 @@ files:
 - lib/haveapi/client/validators/presence.rb
 - lib/haveapi/client/version.rb
 - lib/restclient_ext/resource.rb
-- shell.nix
+- spec/action_security_spec.rb
+- spec/authentication_token_security_spec.rb
+- spec/cli_security_spec.rb
+- spec/description_method_security_spec.rb
 - spec/integration/client_spec.rb
 - spec/integration/typed_input_spec.rb
 - spec/spec_helper.rb

data/shell.nix

@@ -1,20 +0,0 @@
-let
-  pkgs = import <nixpkgs> {};
-  stdenv = pkgs.stdenv;
-
-in stdenv.mkDerivation rec {
-  name = "haveapi-client";
-
-  buildInputs = with pkgs;[
-    ruby
-    git
-    openssl
-  ];
-
-  shellHook = ''
-    export GEM_HOME=$(pwd)/../../.gems
-    export PATH="$GEM_HOME/bin:$PATH"
-    gem install bundler
-    bundle install
-  '';
-}