RubyGems - http - Versions diffs - 0.7.2 → 0.7.3 - Mend

http 0.7.2 → 0.7.3

Files changed (15) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -1
data/CHANGES.md +7 -0
data/Gemfile +1 -0
data/lib/http/client.rb +7 -2
data/lib/http/version.rb +1 -1
data/spec/lib/http/client_spec.rb +36 -0
data/spec/spec_helper.rb +7 -0
data/spec/support/black_hole.rb +5 -0
data/spec/support/create_certs.rb +57 -0
data/spec/support/dummy_server.rb +52 -0
data/spec/support/dummy_server/servlet.rb +100 -0
data/spec/support/servers/config.rb +13 -0
data/spec/support/servers/runner.rb +17 -0
metadata +40 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f805ef1ff977da3de5e63d6f83d4f8bca9acef53
-  data.tar.gz: c2cfbb035716d369fd9374029b277c414ac32280
+  metadata.gz: cb95fe4445c50c6c1af546a7bb70ece6eccb1f78
+  data.tar.gz: e5b2eb9695d742302e54f46f222d81c8921f13c0
 SHA512:
-  metadata.gz: d2fb7cf922b2154d82b1446046e79bfffae11bff2ac9315d140859c85bc52f66bbc91b70e580fbd28d620b889c7fcb72053e27ba15d01ca3fb804add736b1ce0
-  data.tar.gz: b999027d340c9dc7a48192253b59f08066e0b0f15ec0087648bbdfaefa2939578481201dc70fad0c2b8712741c70ed6625b6a13e3f37a7b71b13473df92a9ea7
+  metadata.gz: 267033f1a355e9023d4f62c1978a275f26f67313c0702036ceed2332d585e33c42e91f2bf2318c4631b157e8c1f9f2b1cd486d44c1d084e39c8792f06f735893
+  data.tar.gz: d20251b75cc74fec4643f31c27401f833b6eec2ba1e65d47c7edc9326525ccda4c27c8cad34e2d53f88707361446df6bd1eca6f37d6a9f0c6b2ae4ba0b1e6c80

data/.rubocop.yml CHANGED

@@ -3,7 +3,7 @@ Metrics/BlockNesting:
 Metrics/ClassLength:
   CountComments: false
-  Max: 100
+  Max: 110
 Metrics/CyclomaticComplexity:
   Max: 8 # TODO: Lower to 6

data/CHANGES.md CHANGED

@@ -1,3 +1,10 @@
+## 0.7.3 (2015-03-24)
+* SECURITY FIX: http.rb failed to call the #post_connection_check method
+  on SSL connections. This method implements hostname verification, and
+  without it http.rb was vulnerable to MitM attacks. The problem was
+  corrected by calling #post_connection_check (CVE-2015-1828)
 ## 0.7.2 (2015-03-02)
 * Swap from `form_data` to `http-form_data` (changed gem name).

data/Gemfile CHANGED

@@ -26,6 +26,7 @@ group :test do
   gem 'rubocop',      '~> 0.25.0'
   gem 'simplecov',    '>= 0.9'
   gem 'yardstick'
+  gem 'certificate_authority'
 end
 group :doc do

data/lib/http/client.rb CHANGED

@@ -52,7 +52,7 @@ module HTTP
       # TODO: keep-alive support
       @socket = options[:socket_class].open(req.socket_host, req.socket_port)
-      @socket = start_tls(@socket, options) if uri.is_a?(URI::HTTPS) && !req.using_proxy?
+      @socket = start_tls(@socket, uri.host, options) if uri.is_a?(URI::HTTPS) && !req.using_proxy?
       req.stream @socket
@@ -90,12 +90,17 @@ module HTTP
   private
     # Initialize TLS connection
-    def start_tls(socket, options)
+    def start_tls(socket, host, options)
       # TODO: abstract away SSLContexts so we can use other TLS libraries
       context = options[:ssl_context] || OpenSSL::SSL::SSLContext.new
       socket  = options[:ssl_socket_class].new(socket, context)
       socket.connect
+      if context.verify_mode == OpenSSL::SSL::VERIFY_PEER
+        socket.post_connection_check(host)
+      end
       socket
     end

data/lib/http/version.rb CHANGED

@@ -1,3 +1,3 @@
 module HTTP
-  VERSION = '0.7.2'
+  VERSION = '0.7.3'
 end

data/spec/lib/http/client_spec.rb CHANGED

@@ -1,5 +1,9 @@
+require 'support/dummy_server'
 RSpec.describe HTTP::Client do
   let(:test_endpoint)  { "http://#{ExampleServer::ADDR}" }
+  run_server(:dummy) { DummyServer.new }
+  run_server(:dummy_ssl) { DummyServer.new(:ssl => true) }
   StubbedClient = Class.new(HTTP::Client) do
     def perform(request, options)
@@ -142,6 +146,38 @@ RSpec.describe HTTP::Client do
     end
   end
+  describe 'SSL' do
+    let(:client) do
+      described_class.new(
+        :ssl_context => OpenSSL::SSL::SSLContext.new.tap do |context|
+          context.options = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]
+          context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          context.ca_file = File.join(certs_dir, 'ca.crt')
+          context.cert = OpenSSL::X509::Certificate.new(
+            File.read(File.join(certs_dir, 'client.crt'))
+          )
+          context.key = OpenSSL::PKey::RSA.new(
+            File.read(File.join(certs_dir, 'client.key'))
+          )
+          context
+        end
+      )
+    end
+    it 'works via SSL' do
+      response = client.get(dummy_ssl.endpoint)
+      expect(response.body.to_s).to eq('<!doctype html>')
+    end
+    context 'with a mismatch host' do
+      it 'errors' do
+        expect { client.get(dummy_ssl.endpoint.gsub('127.0.0.1', 'localhost')) }
+          .to raise_error(OpenSSL::SSL::SSLError, /does not match/)
+      end
+    end
+  end
   describe '#perform' do
     let(:client) { described_class.new }

data/spec/spec_helper.rb CHANGED

@@ -19,6 +19,13 @@ require 'support/example_server'
 require 'support/proxy_server'
 require 'support/capture_warning'
+# Allow testing against a SSL server
+def certs_dir
+  Pathname.new File.expand_path('../../tmp/certs', __FILE__)
+end
+require 'support/create_certs'
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
   config.expect_with :rspec do |expectations|

data/spec/support/black_hole.rb ADDED

@@ -0,0 +1,5 @@
+module BlackHole
+  def self.method_missing(*)
+    self
+  end
+end

data/spec/support/create_certs.rb ADDED

@@ -0,0 +1,57 @@
+require 'fileutils'
+require 'certificate_authority'
+FileUtils.mkdir_p(certs_dir)
+#
+# Certificate Authority
+#
+ca = CertificateAuthority::Certificate.new
+ca.subject.common_name  = 'honestachmed.com'
+ca.serial_number.number = 1
+ca.key_material.generate_key
+ca.signing_entity = true
+ca.sign! 'extensions' => {'keyUsage' => {'usage' => %w(critical keyCertSign)}}
+ca_cert_path = File.join(certs_dir, 'ca.crt')
+ca_key_path  = File.join(certs_dir, 'ca.key')
+File.write ca_cert_path, ca.to_pem
+File.write ca_key_path,  ca.key_material.private_key.to_pem
+#
+# Server Certificate
+#
+server_cert = CertificateAuthority::Certificate.new
+server_cert.subject.common_name  = '127.0.0.1'
+server_cert.serial_number.number = 1
+server_cert.key_material.generate_key
+server_cert.parent = ca
+server_cert.sign!
+server_cert_path = File.join(certs_dir, 'server.crt')
+server_key_path  = File.join(certs_dir, 'server.key')
+File.write server_cert_path, server_cert.to_pem
+File.write server_key_path,  server_cert.key_material.private_key.to_pem
+#
+# Client Certificate
+#
+client_cert = CertificateAuthority::Certificate.new
+client_cert.subject.common_name  = '127.0.0.1'
+client_cert.serial_number.number = 1
+client_cert.key_material.generate_key
+client_cert.parent = ca
+client_cert.sign!
+client_cert_path = File.join(certs_dir, 'client.crt')
+client_key_path  = File.join(certs_dir, 'client.key')
+File.write client_cert_path, client_cert.to_pem
+File.write client_key_path,  client_cert.key_material.private_key.to_pem

data/spec/support/dummy_server.rb ADDED

@@ -0,0 +1,52 @@
+require 'webrick'
+require 'webrick/ssl'
+require 'support/black_hole'
+require 'support/dummy_server/servlet'
+require 'support/servers/config'
+require 'support/servers/runner'
+class DummyServer < WEBrick::HTTPServer
+  include ServerConfig
+  CONFIG = {
+    :BindAddress  => '127.0.0.1',
+    :Port         => 0,
+    :AccessLog    => BlackHole,
+    :Logger       => BlackHole
+  }.freeze
+  def initialize(options = {})
+    if options[:ssl]
+      override_config = {
+        :SSLEnable            => true,
+        :SSLStartImmediately  => true
+      }
+    else
+      override_config = {}
+    end
+    super CONFIG.merge(override_config)
+    mount('/', Servlet)
+  end
+  def endpoint
+    "#{ssl? ? 'https' : 'http'}://#{addr}:#{port}"
+  end
+  def ssl_context
+    @ssl_context ||= begin
+      context = OpenSSL::SSL::SSLContext.new
+      context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      context.key = OpenSSL::PKey::RSA.new(
+        File.read(File.join(certs_dir, 'server.key'))
+      )
+      context.cert = OpenSSL::X509::Certificate.new(
+        File.read(File.join(certs_dir, 'server.crt'))
+      )
+      context.ca_file = File.join(certs_dir, 'ca.crt')
+      context
+    end
+  end
+end

data/spec/support/dummy_server/servlet.rb ADDED

@@ -0,0 +1,100 @@
+class DummyServer < WEBrick::HTTPServer
+  class Servlet < WEBrick::HTTPServlet::AbstractServlet
+    def not_found(_req, res)
+      res.status = 404
+      res.body   = 'Not Found'
+    end
+    def self.handlers
+      @handlers ||= {}
+    end
+    %w(get post head).each do |method|
+      class_eval <<-RUBY, __FILE__, __LINE__
+        def self.#{method}(path, &block)
+          handlers["#{method}:\#{path}"] = block
+        end
+        def do_#{method.upcase}(req, res)
+          handler = self.class.handlers["#{method}:\#{req.path}"]
+          return instance_exec(req, res, &handler) if handler
+          not_found
+        end
+      RUBY
+    end
+    get '/' do |req, res|
+      res.status = 200
+      case req['Accept']
+      when 'application/json'
+        res['Content-Type'] = 'application/json'
+        res.body = '{"json": true}'
+      else
+        res['Content-Type'] = 'text/html'
+        res.body   = '<!doctype html>'
+      end
+    end
+    get '/params' do |req, res|
+      next not_found unless 'foo=bar' == req.query_string
+      res.status = 200
+      res.body   = 'Params!'
+    end
+    get '/multiple-params' do |req, res|
+      params = CGI.parse req.query_string
+      next not_found unless {'foo' => ['bar'], 'baz' => ['quux']} == params
+      res.status = 200
+      res.body   = 'More Params!'
+    end
+    get '/proxy' do |_req, res|
+      res.status = 200
+      res.body   = 'Proxy!'
+    end
+    get '/not-found' do |_req, res|
+      res.status = 404
+      res.body   = 'not found'
+    end
+    get '/redirect-301' do |_req, res|
+      res.status      = 301
+      res['Location'] = "http://#{@server.config[:BindAddress]}:#{@server.config[:Port]}/"
+    end
+    get '/redirect-302' do |_req, res|
+      res.status      = 302
+      res['Location'] = "http://#{@server.config[:BindAddress]}:#{@server.config[:Port]}/"
+    end
+    post '/form' do |req, res|
+      if 'testing-form' == req.query['example']
+        res.status = 200
+        res.body   = 'passed :)'
+      else
+        res.status = 400
+        res.body   = 'invalid! >:E'
+      end
+    end
+    post '/body' do |req, res|
+      if 'testing-body' == req.body
+        res.status = 200
+        res.body   = 'passed :)'
+      else
+        res.status = 400
+        res.body   = 'invalid! >:E'
+      end
+    end
+    head '/' do |_req, res|
+      res.status          = 200
+      res['Content-Type'] = 'text/html'
+    end
+  end
+end

data/spec/support/servers/config.rb ADDED

@@ -0,0 +1,13 @@
+module ServerConfig
+  def ssl?
+    !!config[:SSLEnable]
+  end
+  def addr
+    config[:BindAddress]
+  end
+  def port
+    config[:Port]
+  end
+end

data/spec/support/servers/runner.rb ADDED

@@ -0,0 +1,17 @@
+module ServerRunner
+  def run_server(name, &block)
+    let! name do
+      server = block.call
+      Thread.new { server.start }
+      server
+    end
+    after do
+      send(name).shutdown
+    end
+  end
+end
+RSpec.configure { |c| c.extend ServerRunner }

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.3
 platform: ruby
 authors:
 - Tony Arcieri
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-02 00:00:00.000000000 Z
+date: 2015-03-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: http_parser.rb
@@ -117,10 +117,16 @@ files:
 - spec/lib/http/response_spec.rb
 - spec/lib/http_spec.rb
 - spec/spec_helper.rb
+- spec/support/black_hole.rb
 - spec/support/capture_warning.rb
+- spec/support/create_certs.rb
+- spec/support/dummy_server.rb
+- spec/support/dummy_server/servlet.rb
 - spec/support/example_server.rb
 - spec/support/example_server/servlet.rb
 - spec/support/proxy_server.rb
+- spec/support/servers/config.rb
+- spec/support/servers/runner.rb
 homepage: https://github.com/httprb/http.rb
 licenses:
 - MIT
@@ -141,9 +147,39 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.2.2
+rubygems_version: 2.4.6
 signing_key:
 specification_version: 4
 summary: HTTP should be easy
-test_files: []
+test_files:
+- spec/lib/http/client_spec.rb
+- spec/lib/http/content_type_spec.rb
+- spec/lib/http/headers/mixin_spec.rb
+- spec/lib/http/headers_spec.rb
+- spec/lib/http/options/body_spec.rb
+- spec/lib/http/options/form_spec.rb
+- spec/lib/http/options/headers_spec.rb
+- spec/lib/http/options/json_spec.rb
+- spec/lib/http/options/merge_spec.rb
+- spec/lib/http/options/new_spec.rb
+- spec/lib/http/options/proxy_spec.rb
+- spec/lib/http/options_spec.rb
+- spec/lib/http/redirector_spec.rb
+- spec/lib/http/request/writer_spec.rb
+- spec/lib/http/request_spec.rb
+- spec/lib/http/response/body_spec.rb
+- spec/lib/http/response/status_spec.rb
+- spec/lib/http/response_spec.rb
+- spec/lib/http_spec.rb
+- spec/spec_helper.rb
+- spec/support/black_hole.rb
+- spec/support/capture_warning.rb
+- spec/support/create_certs.rb
+- spec/support/dummy_server.rb
+- spec/support/dummy_server/servlet.rb
+- spec/support/example_server.rb
+- spec/support/example_server/servlet.rb
+- spec/support/proxy_server.rb
+- spec/support/servers/config.rb
+- spec/support/servers/runner.rb
 has_rdoc: