httpigeon 2.4.1 → 2.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '090d2d11a0dc542c742b3dfa9d1b48781b2e98e9ab429f5394f73326ec3c9126'
-  data.tar.gz: 8e9ec0bf8db8dba662faae9120aaa926941e58b8612d3dc9f6e669bb7ef66d02
+  metadata.gz: 634475756f1a58d6586feccfcd2dd7bc9fcbf02fce50a3a9eca04b79d3cc5380
+  data.tar.gz: b762c69ed489b18e50b818dea741c2584c15d409e5e61af51c5155a6a226bc41
 SHA512:
-  metadata.gz: 1abb70d5917a870cd0e09f7dc663ae183e8099af486f55783cbb3ead6adbb01d99ed8026aea9d29a9a8f96ee1d864a83ad599839d70a05889fcc10f26de3d0c3
-  data.tar.gz: dc1fd96c9839cf17763ab74e250414a5b6736425f8678ca3ed6d62f37867ccdaccfe87e56c099282b0608df182ed59555286fb80c3d23f5d3d22b7bf33708b40
+  metadata.gz: 101f7f013bb4a0d0ef22139027e69b6778419afc0c6ab4ab415e5a8e20873b9814ecd25f25da3932207acf29f531dd76f22ddddbf11f94e675a3c15b6367d2e9
+  data.tar.gz: 4dcdaedcb617d073dfc75ce7ef1c80a1199f78bb7cf0d244c87cb48ecaccba3170123311cb1b5667b1db20adcecab3921e5d67403ae6b815a9221b82c104c24c

data/.github/workflows/reviewdog.yaml

@@ -25,5 +25,5 @@ jobs:
       - name: Auto Commit
         uses: stefanzweifel/git-auto-commit-action@v5
         with:
-          commit_message: chore: Rubocop Auto Corrections
-          commit_user_name: Rubocop
+          commit_message: 'chore: Rubocop Auto Corrections'
+          commit_user_name: 'Rubocop bot'

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## [2.4.2](https://github.com/dailypay/httpigeon/compare/v2.4.1...v2.4.2) (2026-02-18)
+
+
+### Bug Fixes
+
+* **MIMO-3352:** Address RCE vulnerability ([#56](https://github.com/dailypay/httpigeon/issues/56)) ([43577ce](https://github.com/dailypay/httpigeon/commit/43577ce579e56a92388f7e9b70b0425e7fc8fcd8))
+
 ## [2.4.1](https://github.com/dailypay/httpigeon/compare/v2.4.0...v2.4.1) (2026-02-11)
 
 

data/lib/httpigeon/request.rb

@@ -7,6 +7,7 @@ require_relative "middleware/httpigeon_logger"
 module HTTPigeon
   class Request
     REQUEST_ID_HEADER = 'X-Request-Id'.freeze
+    ALLOWED_METHODS = %i[get post put patch delete head options].freeze
 
     class << self
       def get(endpoint, query = {}, headers = {}, event_type = nil, log_filters = [])
@@ -45,7 +46,7 @@ module HTTPigeon
     def initialize(base_url:, options: nil, headers: nil, adapter: nil, logger: nil, event_type: nil, log_filters: nil, fuse_config: nil)
       @base_url = URI.parse(base_url)
 
-      request_headers = default_headers.merge(headers.to_h)
+      request_headers = default_headers(request_id: SecureRandom.uuid).merge(headers.to_h)
       fuse_config_opts = { service_id: @base_url.host }.merge(fuse_config.to_h)
       @fuse = CircuitBreaker::Fuse.from_options(fuse_config_opts)
 
@@ -70,7 +71,11 @@ module HTTPigeon
     end
 
     def run(method: :get, path: '/', payload: {})
-      unless method.to_sym == :get || method.to_sym == :delete
+      sym_method = method.to_sym
+
+      raise ArgumentError, "Invalid or unsupported HTTP method: #{method}" unless ALLOWED_METHODS.include?(sym_method)
+
+      unless [:get, :delete].include?(sym_method)
         payload = payload.presence&.to_json
         connection.headers['Content-Type'] = 'application/json'
       end
@@ -100,8 +105,8 @@ module HTTPigeon
       HTTPigeon::Logger.new(event_type: event_type, log_filters: log_filters)
     end
 
-    def default_headers
-      { 'Accept' => 'application/json' }
+    def default_headers(request_id: nil)
+      { 'Accept' => 'application/json', REQUEST_ID_HEADER => request_id }.compact
     end
   end
 end

data/lib/httpigeon/version.rb

@@ -1,3 +1,3 @@
 module HTTPigeon
-  VERSION = "2.4.1".freeze
+  VERSION = "2.4.2".freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: httpigeon
 version: !ruby/object:Gem::Version
-  version: 2.4.1
+  version: 2.4.2
 platform: ruby
 authors:
 - 2k-joker
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-02-11 00:00:00.000000000 Z
+date: 2026-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday