RubyGems - kwtsms - Versions diffs - 0.3.0 → 0.3.1 - Mend

kwtsms 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30bcbad536b8b98f9bbf6c3612d5f01de9d8d14d8133746b1a493aa9c49ae7e4
-  data.tar.gz: 6bd53db09b4acdd136779c1a1c8a032814a0472ac9e564d00347b99070e5b5c1
+  metadata.gz: 93dfa6c3d929f5f5767a1dd561078bf3d2e099dfbc8aea04e9d5f0ffa81fbf6a
+  data.tar.gz: 4b0c380d47b356060cbc976a1d035c167b03718572f88e2417cbd9f74d5137cd
 SHA512:
-  metadata.gz: '0876d1fff5adf4ae9175b841aa434453d7cfd7ff771b915390411edc54f31697b770740580c3c9129f8b7459c4bf09ba04580380457aa0527e75361c63fced61'
-  data.tar.gz: 5aceda9bda7fbf0a94a2f78f75238b9fcf7e82ac3d6f2a9574b2612228058a894cd31b4f2160702d3648f7469c95c0442a75dee5380987b2bc706858a040ec59
+  metadata.gz: 02ef8c6d2c00049be8195aab4b359cbbd0d567c42d77f092ac50d31cb66cd021479b95ad51d46c8fae5205a0bd62b82756f6a6fd11bec40248639974a5dc7a29
+  data.tar.gz: 35bf19319f4548a648d96c2802d1176b1e5ed1c2279d4b5d29dcbcedc155b25d94fc50464165aa1c9cf4d6756566b7a0314785efd28c3e6cc36d01445e096976

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.3.1] - 2026-03-15
+### Fixed
+- Password no longer visible in `Client#inspect` or `#to_s` output (redacted)
+- Sanitize raw input in phone validation errors to prevent log injection
+- Command injection risk in dependabot auto-merge workflow (use PR number not URL)
+- Explicit SSL `VERIFY_PEER` on all HTTP connections
+- Log file path traversal protection: rejects `..`, absolute paths, null bytes, pipes
+- `.env` parser now handles `export KEY=VALUE` syntax
+- CI workflow scoped to `permissions: contents: read`
+- Missing error codes ERR019-ERR023 added to `API_ERRORS`
+- Em dashes replaced with commas/colons per style rules
+- SECURITY.md updated to reflect 0.3.x support
+- CONTRIBUTING.md expanded with all required sections
+- Error code test coverage includes ERR019-ERR023
 ## [0.3.0] - 2026-03-15
 ### Added
@@ -31,7 +48,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
-- Raw API example (`examples/00_raw_api.rb`) — call all 7 kwtSMS endpoints using only Ruby stdlib, no gem needed
+- Raw API example (`examples/00_raw_api.rb`): call all 7 kwtSMS endpoints using only Ruby stdlib, no gem needed
 - Step-by-step guide (`examples/00_raw_api.md`) with helper function reference, endpoints table, key rules, and going-live checklist
 ### Removed
@@ -69,6 +86,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive test suite: unit tests, mocked API tests, and real integration tests
 - Examples: basic usage, OTP flow, bulk SMS, Rails endpoint, error handling, production OTP
+[0.3.1]: https://github.com/boxlinknet/kwtsms-ruby/releases/tag/v0.3.1
 [0.3.0]: https://github.com/boxlinknet/kwtsms-ruby/releases/tag/v0.3.0
 [0.2.0]: https://github.com/boxlinknet/kwtsms-ruby/releases/tag/v0.2.0
 [0.1.0]: https://github.com/boxlinknet/kwtsms-ruby/releases/tag/v0.1.0

data/README.md CHANGED Viewed

@@ -344,7 +344,7 @@ See the [examples/](examples/) directory:
 | # | Example | Description |
 |---|---------|-------------|
-| 00 | [Raw API](examples/00_raw_api.rb) | Call all 7 endpoints directly — no gem needed |
+| 00 | [Raw API](examples/00_raw_api.rb) | Call all 7 endpoints directly, no gem needed |
 | 01 | [Basic Usage](examples/01_basic_usage.rb) | Connect, verify, send SMS, validate |
 | 02 | [OTP Flow](examples/02_otp_flow.rb) | Send OTP codes |
 | 03 | [Bulk SMS](examples/03_bulk_sms.rb) | Send to many recipients |

data/lib/kwtsms/client.rb CHANGED Viewed

@@ -43,6 +43,13 @@ module KwtSMS
       @cached_purchased = nil
     end
+    # Redact password from inspect/to_s output to prevent accidental exposure
+    # in logs, error trackers (Sentry, Bugsnag), or REPL sessions.
+    def inspect
+      "#<#{self.class} @username=#{@username.inspect} @sender_id=#{@sender_id.inspect} @test_mode=#{@test_mode}>"
+    end
+    alias_method :to_s, :inspect
     # Load credentials from environment variables, falling back to .env file.
     #
     # Required env vars:

data/lib/kwtsms/env_loader.rb CHANGED Viewed

@@ -9,6 +9,7 @@ module KwtSMS
       File.foreach(env_file, encoding: "utf-8") do |line|
         line = line.strip
         next if line.empty? || line.start_with?("#")
+        line = line.sub(/\Aexport\s+/, "")
         next unless line.include?("=")
         key, _, value = line.partition("=")

data/lib/kwtsms/errors.rb CHANGED Viewed

@@ -17,6 +17,11 @@ module KwtSMS
     "ERR011" => "Insufficient balance for this send. Buy more credits at kwtsms.com.",
     "ERR012" => "Message is too long (over 6 SMS pages). Shorten your message.",
     "ERR013" => "Send queue is full (1000 messages). Wait a moment and try again.",
+    "ERR019" => "No delivery reports found for this message.",
+    "ERR020" => "Message ID does not exist. Make sure you saved the msg-id from the send response.",
+    "ERR021" => "No delivery report available for this message yet.",
+    "ERR022" => "Delivery reports are not ready yet. Try again after 24 hours.",
+    "ERR023" => "Unknown delivery report error. Contact kwtSMS support.",
     "ERR024" => "Your IP address is not in the API whitelist. Add it at kwtsms.com > Account > API > IP Lockdown, or disable IP lockdown.",
     "ERR025" => "Invalid phone number. Make sure the number includes the country code (e.g., 96598765432 for Kuwait, not 98765432).",
     "ERR026" => "This country is not activated on your account. Contact kwtSMS support to enable the destination country.",

data/lib/kwtsms/logger.rb CHANGED Viewed

@@ -4,10 +4,27 @@ require "json"
 require "time"
 module KwtSMS
+  # Validate a log file path. Returns [valid, error].
+  # Rejects path traversal, absolute paths outside CWD, and device paths.
+  def self.validate_log_path(log_file)
+    return [false, "log_file must be a String"] unless log_file.is_a?(String)
+    return [false, "log_file must not be empty"] if log_file.strip.empty?
+    return [false, "log_file must not contain '..'"] if log_file.include?("..")
+    return [false, "log_file must not contain null bytes"] if log_file.include?("\0")
+    return [false, "log_file must not start with /"] if log_file.start_with?("/")
+    return [false, "log_file must not start with ~"] if log_file.start_with?("~")
+    return [false, "log_file must not be a pipe or device"] if log_file.start_with?("|") || log_file.match?(%r{\A/dev/})
+    [true, nil]
+  end
   # Append a JSONL log entry. Never raises. Logging must not break main flow.
   def self.write_log(log_file, entry)
     return if log_file.nil? || log_file.empty?
+    valid, = validate_log_path(log_file)
+    return unless valid
     begin
       File.open(log_file, "a", encoding: "utf-8") do |f|
         f.puts(JSON.generate(entry))

data/lib/kwtsms/phone.rb CHANGED Viewed

@@ -222,24 +222,28 @@ module KwtSMS
     # 1. Empty / blank
     return [false, "Phone number is required", ""] if raw.empty?
+    # Sanitize raw input for safe interpolation in error messages:
+    # strip control chars and truncate to prevent log injection
+    safe = raw.gsub(/[[:cntrl:]]/, "")[0, 50]
     # 2. Email address entered by mistake
-    return [false, "'#{raw}' is an email address, not a phone number", ""] if raw.include?("@")
+    return [false, "'#{safe}' is an email address, not a phone number", ""] if raw.include?("@")
     # 3. Normalize
     normalized = normalize_phone(raw)
     # 4. No digits survived normalization
-    return [false, "'#{raw}' is not a valid phone number, no digits found", ""] if normalized.empty?
+    return [false, "'#{safe}' is not a valid phone number, no digits found", ""] if normalized.empty?
     # 5. Too short
     if normalized.length < 7
       digit_word = normalized.length == 1 ? "digit" : "digits"
-      return [false, "'#{raw}' is too short to be a valid phone number (#{normalized.length} #{digit_word}, minimum is 7)", normalized]
+      return [false, "'#{safe}' is too short to be a valid phone number (#{normalized.length} #{digit_word}, minimum is 7)", normalized]
     end
     # 6. Too long
     if normalized.length > 15
-      return [false, "'#{raw}' is too long to be a valid phone number (#{normalized.length} digits, maximum is 15)", normalized]
+      return [false, "'#{safe}' is too long to be a valid phone number (#{normalized.length} digits, maximum is 15)", normalized]
     end
     # 7. Country-specific format validation

data/lib/kwtsms/request.rb CHANGED Viewed

@@ -37,6 +37,7 @@ module KwtSMS
     begin
       http = Net::HTTP.new(url.host, url.port)
       http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
       http.open_timeout = 15
       http.read_timeout = 15

data/lib/kwtsms/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module KwtSMS
-  VERSION = "0.3.0"
+  VERSION = "0.3.1"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kwtsms
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - boxlink