RubyGems - http - Versions diffs - 0.7.2 → 0.7.3 - Mend

http 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -1
data/CHANGES.md +7 -0
data/Gemfile +1 -0
data/lib/http/client.rb +7 -2
data/lib/http/version.rb +1 -1
data/spec/lib/http/client_spec.rb +36 -0
data/spec/spec_helper.rb +7 -0
data/spec/support/black_hole.rb +5 -0
data/spec/support/create_certs.rb +57 -0
data/spec/support/dummy_server.rb +52 -0
data/spec/support/dummy_server/servlet.rb +100 -0
data/spec/support/servers/config.rb +13 -0
data/spec/support/servers/runner.rb +17 -0
metadata +40 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f805ef1ff977da3de5e63d6f83d4f8bca9acef53
-  data.tar.gz: c2cfbb035716d369fd9374029b277c414ac32280
+  metadata.gz: cb95fe4445c50c6c1af546a7bb70ece6eccb1f78
+  data.tar.gz: e5b2eb9695d742302e54f46f222d81c8921f13c0
 SHA512:
-  metadata.gz: d2fb7cf922b2154d82b1446046e79bfffae11bff2ac9315d140859c85bc52f66bbc91b70e580fbd28d620b889c7fcb72053e27ba15d01ca3fb804add736b1ce0
-  data.tar.gz: b999027d340c9dc7a48192253b59f08066e0b0f15ec0087648bbdfaefa2939578481201dc70fad0c2b8712741c70ed6625b6a13e3f37a7b71b13473df92a9ea7
+  metadata.gz: 267033f1a355e9023d4f62c1978a275f26f67313c0702036ceed2332d585e33c42e91f2bf2318c4631b157e8c1f9f2b1cd486d44c1d084e39c8792f06f735893
+  data.tar.gz: d20251b75cc74fec4643f31c27401f833b6eec2ba1e65d47c7edc9326525ccda4c27c8cad34e2d53f88707361446df6bd1eca6f37d6a9f0c6b2ae4ba0b1e6c80

data/.rubocop.yml CHANGED

@@ -3,7 +3,7 @@ Metrics/BlockNesting:
 Metrics/ClassLength:
   CountComments: false
-  Max: 100
+  Max: 110
 Metrics/CyclomaticComplexity:
   Max: 8 # TODO: Lower to 6

data/CHANGES.md CHANGED

@@ -1,3 +1,10 @@
+## 0.7.3 (2015-03-24)
+* SECURITY FIX: http.rb failed to call the #post_connection_check method
+  on SSL connections. This method implements hostname verification, and
+  without it http.rb was vulnerable to MitM attacks. The problem was
+  corrected by calling #post_connection_check (CVE-2015-1828)
 ## 0.7.2 (2015-03-02)
 * Swap from `form_data` to `http-form_data` (changed gem name).

data/Gemfile CHANGED

@@ -26,6 +26,7 @@ group :test do
   gem 'rubocop',      '~> 0.25.0'
   gem 'simplecov',    '>= 0.9'
   gem 'yardstick'
+  gem 'certificate_authority'
 end
 group :doc do

data/lib/http/client.rb CHANGED

@@ -52,7 +52,7 @@ module HTTP
       # TODO: keep-alive support
       @socket = options[:socket_class].open(req.socket_host, req.socket_port)
-      @socket = start_tls(@socket, options) if uri.is_a?(URI::HTTPS) && !req.using_proxy?
+      @socket = start_tls(@socket, uri.host, options) if uri.is_a?(URI::HTTPS) && !req.using_proxy?
       req.stream @socket
@@ -90,12 +90,17 @@ module HTTP
   private
     # Initialize TLS connection
-    def start_tls(socket, options)
+    def start_tls(socket, host, options)
       # TODO: abstract away SSLContexts so we can use other TLS libraries
       context = options[:ssl_context] || OpenSSL::SSL::SSLContext.new
       socket  = options[:ssl_socket_class].new(socket, context)
       socket.connect
+      if context.verify_mode == OpenSSL::SSL::VERIFY_PEER
+        socket.post_connection_check(host)
+      end
       socket
     end

data/lib/http/version.rb CHANGED

@@ -1,3 +1,3 @@
 module HTTP
-  VERSION = '0.7.2'
+  VERSION = '0.7.3'
 end

data/spec/lib/http/client_spec.rb CHANGED

@@ -1,5 +1,9 @@
+require 'support/dummy_server'
 RSpec.describe HTTP::Client do
   let(:test_endpoint)  { "http://#{ExampleServer::ADDR}" }
+  run_server(:dummy) { DummyServer.new }
+  run_server(:dummy_ssl) { DummyServer.new(:ssl => true) }
   StubbedClient = Class.new(HTTP::Client) do
     def perform(request, options)
@@ -142,6 +146,38 @@ RSpec.describe HTTP::Client do
     end
   end
+  describe 'SSL' do
+    let(:client) do
+      described_class.new(
+        :ssl_context => OpenSSL::SSL::SSLContext.new.tap do |context|
+          context.options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
+          context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          context.ca_file = File.join(certs_dir, 'ca.crt')
+          context.cert = OpenSSL::X509::Certificate.new(
+            File.read(File.join(certs_dir, 'client.crt'))
+          )
+          context.key = OpenSSL::PKey::RSA.new(
+            File.read(File.join(certs_dir, 'client.key'))
+          )
+          context
+        end
+      )
+    end
+    it 'works via SSL' do
+      response = client.get(dummy_ssl.endpoint)
+      expect(response.body.to_s).to eq('<!doctype html>')
+    end
+    context 'with a mismatch host' do
+      it 'errors' do
+        expect { client.get(dummy_ssl.endpoint.gsub('127.0.0.1', 'localhost')) }
+          .to raise_error(OpenSSL::SSL::SSLError, /does not match/)
+      end
+    end
+  end
   describe '#perform' do
     let(:client) { described_class.new }

data/spec/spec_helper.rb CHANGED

@@ -19,6 +19,13 @@ require 'support/example_server'
 require 'support/proxy_server'
 require 'support/capture_warning'
+# Allow testing against a SSL server
+def certs_dir
+  Pathname.new File.expand_path('../../tmp/certs', __FILE__)
+end
+require 'support/create_certs'
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
   config.expect_with :rspec do |expectations|

data/spec/support/black_hole.rb ADDED

@@ -0,0 +1,5 @@
+module BlackHole
+  def self.method_missing(*)
+    self
+  end
+end

data/spec/support/create_certs.rb ADDED

@@ -0,0 +1,57 @@
+require 'fileutils'
+require 'certificate_authority'
+FileUtils.mkdir_p(certs_dir)
+#
+# Certificate Authority
+#
+ca = CertificateAuthority::Certificate.new
+ca.subject.common_name  = 'honestachmed.com'
+ca.serial_number.number = 1
+ca.key_material.generate_key
+ca.signing_entity = true
+ca.sign! 'extensions' => {'keyUsage' => {'usage' => %w(critical keyCertSign)}}
+ca_cert_path = File.join(certs_dir, 'ca.crt')
+ca_key_path  = File.join(certs_dir, 'ca.key')
+File.write ca_cert_path, ca.to_pem
+File.write ca_key_path,  ca.key_material.private_key.to_pem
+#
+# Server Certificate
+#
+server_cert = CertificateAuthority::Certificate.new
+server_cert.subject.common_name  = '127.0.0.1'
+server_cert.serial_number.number = 1
+server_cert.key_material.generate_key
+server_cert.parent = ca
+server_cert.sign!
+server_cert_path = File.join(certs_dir, 'server.crt')
+server_key_path  = File.join(certs_dir, 'server.key')
+File.write server_cert_path, server_cert.to_pem
+File.write server_key_path,  server_cert.key_material.private_key.to_pem
+#
+# Client Certificate
+#
+client_cert = CertificateAuthority::Certificate.new
+client_cert.subject.common_name  = '127.0.0.1'
+client_cert.serial_number.number = 1
+client_cert.key_material.generate_key
+client_cert.parent = ca
+client_cert.sign!
+client_cert_path = File.join(certs_dir, 'client.crt')
+client_key_path  = File.join(certs_dir, 'client.key')
+File.write client_cert_path, client_cert.to_pem
+File.write client_key_path,  client_cert.key_material.private_key.to_pem

data/spec/support/dummy_server.rb ADDED

@@ -0,0 +1,52 @@
+require 'webrick'
+require 'webrick/ssl'
+require 'support/black_hole'
+require 'support/dummy_server/servlet'
+require 'support/servers/config'
+require 'support/servers/runner'
+class DummyServer < WEBrick::HTTPServer
+  include ServerConfig
+  CONFIG = {
+    :BindAddress  => '127.0.0.1',
+    :Port         => 0,
+    :AccessLog    => BlackHole,
+    :Logger       => BlackHole
+  }.freeze
+  def initialize(options = {})
+    if options[:ssl]
+      override_config = {
+        :SSLEnable            => true,
+        :SSLStartImmediately  => true
+      }
+    else
+      override_config = {}
+    end
+    super CONFIG.merge(override_config)
+    mount('/', Servlet)
+  end
+  def endpoint
+    "#{ssl? ? 'https' : 'http'}://#{addr}:#{port}"
+  end
+  def ssl_context
+    @ssl_context ||= begin
+      context = OpenSSL::SSL::SSLContext.new
+      context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      context.key = OpenSSL::PKey::RSA.new(
+        File.read(File.join(certs_dir, 'server.key'))
+      )
+      context.cert = OpenSSL::X509::Certificate.new(
+        File.read(File.join(certs_dir, 'server.crt'))
+      )
+      context.ca_file = File.join(certs_dir, 'ca.crt')
+      context
+    end
+  end
+end

data/spec/support/dummy_server/servlet.rb ADDED

@@ -0,0 +1,100 @@
+class DummyServer < WEBrick::HTTPServer
+  class Servlet < WEBrick::HTTPServlet::AbstractServlet
+    def not_found(_req, res)
+      res.status = 404
+      res.body   = 'Not Found'
+    end
+    def self.handlers
+      @handlers ||= {}
+    end
+    %w(get post head).each do |method|
+      class_eval <<-RUBY, __FILE__, __LINE__
+        def self.#{method}(path, &block)
+          handlers["#{method}:\#{path}"] = block
+        end
+        def do_#{method.upcase}(req, res)
+          handler = self.class.handlers["#{method}:\#{req.path}"]
+          return instance_exec(req, res, &handler) if handler
+          not_found
+        end
+      RUBY
+    end
+    get '/' do |req, res|
+      res.status = 200
+      case req['Accept']
+      when 'application/json'
+        res['Content-Type'] = 'application/json'
+        res.body = '{"json": true}'
+      else
+        res['Content-Type'] = 'text/html'
+        res.body   = '<!doctype html>'
+      end
+    end
+    get '/params' do |req, res|
+      next not_found unless 'foo=bar' == req.query_string
+      res.status = 200
+      res.body   = 'Params!'
+    end
+    get '/multiple-params' do |req, res|
+      params = CGI.parse req.query_string
+      next not_found unless {'foo' => ['bar'], 'baz' => ['quux']} == params
+      res.status = 200
+      res.body   = 'More Params!'
+    end
+    get '/proxy' do |_req, res|
+      res.status = 200
+      res.body   = 'Proxy!'
+    end
+    get '/not-found' do |_req, res|
+      res.status = 404
+      res.body   = 'not found'
+    end
+    get '/redirect-301' do |_req, res|
+      res.status      = 301
+      res['Location'] = "http://#{@server.config[:BindAddress]}:#{@server.config[:Port]}/"
+    end
+    get '/redirect-302' do |_req, res|
+      res.status      = 302
+      res['Location'] = "http://#{@server.config[:BindAddress]}:#{@server.config[:Port]}/"
+    end
+    post '/form' do |req, res|
+      if 'testing-form' == req.query['example']
+        res.status = 200
+        res.body   = 'passed :)'
+      else
+        res.status = 400
+        res.body   = 'invalid! >:E'
+      end
+    end
+    post '/body' do |req, res|
+      if 'testing-body' == req.body
+        res.status = 200
+        res.body   = 'passed :)'
+      else
+        res.status = 400
+        res.body   = 'invalid! >:E'
+      end
+    end
+    head '/' do |_req, res|
+      res.status          = 200
+      res['Content-Type'] = 'text/html'
+    end
+  end
+end

data/spec/support/servers/config.rb ADDED

@@ -0,0 +1,13 @@
+module ServerConfig
+  def ssl?
+    !!config[:SSLEnable]
+  end
+  def addr
+    config[:BindAddress]
+  end
+  def port
+    config[:Port]
+  end
+end

data/spec/support/servers/runner.rb ADDED

@@ -0,0 +1,17 @@
+module ServerRunner
+  def run_server(name, &block)
+    let! name do
+      server = block.call
+      Thread.new { server.start }
+      server
+    end
+    after do
+      send(name).shutdown
+    end
+  end
+end
+RSpec.configure { |c| c.extend ServerRunner }

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.3
 platform: ruby
 authors:
 - Tony Arcieri
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-02 00:00:00.000000000 Z
+date: 2015-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: http_parser.rb
@@ -117,10 +117,16 @@ files:
 - spec/lib/http/response_spec.rb
 - spec/lib/http_spec.rb
 - spec/spec_helper.rb
+- spec/support/black_hole.rb
 - spec/support/capture_warning.rb
+- spec/support/create_certs.rb
+- spec/support/dummy_server.rb
+- spec/support/dummy_server/servlet.rb
 - spec/support/example_server.rb
 - spec/support/example_server/servlet.rb
 - spec/support/proxy_server.rb
+- spec/support/servers/config.rb
+- spec/support/servers/runner.rb
 homepage: https://github.com/httprb/http.rb
 licenses:
 - MIT
@@ -141,9 +147,39 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.6
 signing_key:
 specification_version: 4
 summary: HTTP should be easy
-test_files: []
+test_files:
+- spec/lib/http/client_spec.rb
+- spec/lib/http/content_type_spec.rb
+- spec/lib/http/headers/mixin_spec.rb
+- spec/lib/http/headers_spec.rb
+- spec/lib/http/options/body_spec.rb
+- spec/lib/http/options/form_spec.rb
+- spec/lib/http/options/headers_spec.rb
+- spec/lib/http/options/json_spec.rb
+- spec/lib/http/options/merge_spec.rb
+- spec/lib/http/options/new_spec.rb
+- spec/lib/http/options/proxy_spec.rb
+- spec/lib/http/options_spec.rb
+- spec/lib/http/redirector_spec.rb
+- spec/lib/http/request/writer_spec.rb
+- spec/lib/http/request_spec.rb
+- spec/lib/http/response/body_spec.rb
+- spec/lib/http/response/status_spec.rb
+- spec/lib/http/response_spec.rb
+- spec/lib/http_spec.rb
+- spec/spec_helper.rb
+- spec/support/black_hole.rb
+- spec/support/capture_warning.rb
+- spec/support/create_certs.rb
+- spec/support/dummy_server.rb
+- spec/support/dummy_server/servlet.rb
+- spec/support/example_server.rb
+- spec/support/example_server/servlet.rb
+- spec/support/proxy_server.rb
+- spec/support/servers/config.rb
+- spec/support/servers/runner.rb
 has_rdoc: