oauth2 2.0.18 → 2.0.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,11 @@
1
1
  module OAuth2
2
2
  module FilteredAttributes
3
+ module InitializerMethods
4
+ def initialize: (*untyped args) { () -> untyped } -> untyped
5
+ end
6
+
3
7
  def self.included: (untyped) -> untyped
4
- def filtered_attributes: (*String) -> void
8
+ def filtered_attributes: (*(String | Symbol)) -> void
9
+ def thing_filter: () -> OAuth2::ThingFilter
5
10
  end
6
11
  end
@@ -0,0 +1,32 @@
1
+ module OAuth2
2
+ class SanitizedLogger
3
+ def initialize: (untyped logger) -> void
4
+
5
+ def add: (untyped severity, ?untyped message, ?untyped progname) { () -> untyped } -> untyped
6
+ def <<: (String message) -> untyped
7
+ def debug: (?untyped progname) { () -> untyped } -> untyped
8
+ def info: (?untyped progname) { () -> untyped } -> untyped
9
+ def warn: (?untyped progname) { () -> untyped } -> untyped
10
+ def error: (?untyped progname) { () -> untyped } -> untyped
11
+ def fatal: (?untyped progname) { () -> untyped } -> untyped
12
+ def unknown: (?untyped progname) { () -> untyped } -> untyped
13
+ def close: () -> void
14
+ def formatter: () -> untyped
15
+ def formatter=: (untyped formatter) -> void
16
+ def level: () -> untyped
17
+ def level=: (untyped level) -> void
18
+ def progname: () -> untyped
19
+ def progname=: (untyped progname) -> void
20
+ def respond_to_missing?: (Symbol method_name, ?bool include_private) -> bool
21
+ def method_missing: (Symbol method_name, *untyped args) { () -> untyped } -> untyped
22
+
23
+ private
24
+
25
+ def log: (Symbol level, ?untyped progname) { () -> untyped } -> untyped
26
+ def sanitize: (untyped message) -> untyped
27
+ def thing_filter: () -> OAuth2::ThingFilter
28
+ def sanitize_authorization_header: (String message) -> String
29
+ def sanitize_json_pairs: (String message) -> String
30
+ def sanitize_form_and_query_pairs: (String message) -> String
31
+ end
32
+ end
@@ -0,0 +1,10 @@
1
+ module OAuth2
2
+ class ThingFilter
3
+ attr_reader things: Array[String]
4
+ attr_reader label: String
5
+
6
+ def initialize: (Enumerable[untyped] things, label: String) -> void
7
+ def filtered?: (untyped thing_name) -> bool
8
+ def pattern_source: () -> String
9
+ end
10
+ end
@@ -2,4 +2,5 @@ module OAuth2
2
2
  module Version
3
3
  VERSION: String
4
4
  end
5
+ VERSION: String
5
6
  end
data.tar.gz.sig CHANGED
Binary file
metadata CHANGED
@@ -1,12 +1,10 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: oauth2
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.18
4
+ version: 2.0.23
5
5
  platform: ruby
6
6
  authors:
7
- - Peter Boling
8
- - Erik Michaels-Ober
9
- - Michael Bleigh
7
+ - Peter H. Boling
10
8
  bindir: exe
11
9
  cert_chain:
12
10
  - |
@@ -39,6 +37,26 @@ cert_chain:
39
37
  -----END CERTIFICATE-----
40
38
  date: 1980-01-02 00:00:00.000000000 Z
41
39
  dependencies:
40
+ - !ruby/object:Gem::Dependency
41
+ name: auth-sanitizer
42
+ requirement: !ruby/object:Gem::Requirement
43
+ requirements:
44
+ - - "~>"
45
+ - !ruby/object:Gem::Version
46
+ version: '0.2'
47
+ - - ">="
48
+ - !ruby/object:Gem::Version
49
+ version: 0.2.1
50
+ type: :runtime
51
+ prerelease: false
52
+ version_requirements: !ruby/object:Gem::Requirement
53
+ requirements:
54
+ - - "~>"
55
+ - !ruby/object:Gem::Version
56
+ version: '0.2'
57
+ - - ">="
58
+ - !ruby/object:Gem::Version
59
+ version: 0.2.1
42
60
  - !ruby/object:Gem::Dependency
43
61
  name: faraday
44
62
  requirement: !ruby/object:Gem::Requirement
@@ -136,7 +154,7 @@ dependencies:
136
154
  version: '2.0'
137
155
  - - ">="
138
156
  - !ruby/object:Gem::Version
139
- version: 2.0.3
157
+ version: 2.0.6
140
158
  type: :runtime
141
159
  prerelease: false
142
160
  version_requirements: !ruby/object:Gem::Requirement
@@ -146,7 +164,7 @@ dependencies:
146
164
  version: '2.0'
147
165
  - - ">="
148
166
  - !ruby/object:Gem::Version
149
- version: 2.0.3
167
+ version: 2.0.6
150
168
  - !ruby/object:Gem::Dependency
151
169
  name: version_gem
152
170
  requirement: !ruby/object:Gem::Requirement
@@ -156,7 +174,7 @@ dependencies:
156
174
  version: '1.1'
157
175
  - - ">="
158
176
  - !ruby/object:Gem::Version
159
- version: 1.1.9
177
+ version: 1.1.11
160
178
  type: :runtime
161
179
  prerelease: false
162
180
  version_requirements: !ruby/object:Gem::Requirement
@@ -166,139 +184,151 @@ dependencies:
166
184
  version: '1.1'
167
185
  - - ">="
168
186
  - !ruby/object:Gem::Version
169
- version: 1.1.9
187
+ version: 1.1.11
170
188
  - !ruby/object:Gem::Dependency
171
- name: addressable
189
+ name: kettle-dev
172
190
  requirement: !ruby/object:Gem::Requirement
173
191
  requirements:
174
192
  - - "~>"
175
193
  - !ruby/object:Gem::Version
176
- version: '2.8'
194
+ version: '2.2'
177
195
  - - ">="
178
196
  - !ruby/object:Gem::Version
179
- version: 2.8.7
197
+ version: 2.2.5
180
198
  type: :development
181
199
  prerelease: false
182
200
  version_requirements: !ruby/object:Gem::Requirement
183
201
  requirements:
184
202
  - - "~>"
185
203
  - !ruby/object:Gem::Version
186
- version: '2.8'
204
+ version: '2.2'
187
205
  - - ">="
188
206
  - !ruby/object:Gem::Version
189
- version: 2.8.7
207
+ version: 2.2.5
190
208
  - !ruby/object:Gem::Dependency
191
- name: nkf
209
+ name: bundler-audit
192
210
  requirement: !ruby/object:Gem::Requirement
193
211
  requirements:
194
212
  - - "~>"
195
213
  - !ruby/object:Gem::Version
196
- version: '0.2'
214
+ version: 0.9.3
197
215
  type: :development
198
216
  prerelease: false
199
217
  version_requirements: !ruby/object:Gem::Requirement
200
218
  requirements:
201
219
  - - "~>"
202
220
  - !ruby/object:Gem::Version
203
- version: '0.2'
221
+ version: 0.9.3
204
222
  - !ruby/object:Gem::Dependency
205
- name: rexml
223
+ name: rake
206
224
  requirement: !ruby/object:Gem::Requirement
207
225
  requirements:
208
226
  - - "~>"
209
227
  - !ruby/object:Gem::Version
210
- version: '3.2'
211
- - - ">="
212
- - !ruby/object:Gem::Version
213
- version: 3.2.5
228
+ version: '13.0'
214
229
  type: :development
215
230
  prerelease: false
216
231
  version_requirements: !ruby/object:Gem::Requirement
217
232
  requirements:
218
233
  - - "~>"
219
234
  - !ruby/object:Gem::Version
220
- version: '3.2'
221
- - - ">="
222
- - !ruby/object:Gem::Version
223
- version: 3.2.5
235
+ version: '13.0'
224
236
  - !ruby/object:Gem::Dependency
225
- name: kettle-dev
237
+ name: require_bench
226
238
  requirement: !ruby/object:Gem::Requirement
227
239
  requirements:
228
240
  - - "~>"
229
241
  - !ruby/object:Gem::Version
230
- version: '1.1'
242
+ version: '1.0'
243
+ - - ">="
244
+ - !ruby/object:Gem::Version
245
+ version: 1.0.4
231
246
  type: :development
232
247
  prerelease: false
233
248
  version_requirements: !ruby/object:Gem::Requirement
234
249
  requirements:
235
250
  - - "~>"
236
251
  - !ruby/object:Gem::Version
237
- version: '1.1'
252
+ version: '1.0'
253
+ - - ">="
254
+ - !ruby/object:Gem::Version
255
+ version: 1.0.4
238
256
  - !ruby/object:Gem::Dependency
239
- name: bundler-audit
257
+ name: appraisal2
240
258
  requirement: !ruby/object:Gem::Requirement
241
259
  requirements:
242
260
  - - "~>"
243
261
  - !ruby/object:Gem::Version
244
- version: 0.9.2
262
+ version: '3.1'
263
+ - - ">="
264
+ - !ruby/object:Gem::Version
265
+ version: 3.1.2
245
266
  type: :development
246
267
  prerelease: false
247
268
  version_requirements: !ruby/object:Gem::Requirement
248
269
  requirements:
249
270
  - - "~>"
250
271
  - !ruby/object:Gem::Version
251
- version: 0.9.2
272
+ version: '3.1'
273
+ - - ">="
274
+ - !ruby/object:Gem::Version
275
+ version: 3.1.2
252
276
  - !ruby/object:Gem::Dependency
253
- name: rake
277
+ name: kettle-test
254
278
  requirement: !ruby/object:Gem::Requirement
255
279
  requirements:
256
280
  - - "~>"
257
281
  - !ruby/object:Gem::Version
258
- version: '13.0'
282
+ version: '2.0'
283
+ - - ">="
284
+ - !ruby/object:Gem::Version
285
+ version: 2.0.5
259
286
  type: :development
260
287
  prerelease: false
261
288
  version_requirements: !ruby/object:Gem::Requirement
262
289
  requirements:
263
290
  - - "~>"
264
291
  - !ruby/object:Gem::Version
265
- version: '13.0'
292
+ version: '2.0'
293
+ - - ">="
294
+ - !ruby/object:Gem::Version
295
+ version: 2.0.5
266
296
  - !ruby/object:Gem::Dependency
267
- name: require_bench
297
+ name: turbo_tests2
268
298
  requirement: !ruby/object:Gem::Requirement
269
299
  requirements:
270
300
  - - "~>"
271
301
  - !ruby/object:Gem::Version
272
- version: '1.0'
302
+ version: '3.1'
273
303
  - - ">="
274
304
  - !ruby/object:Gem::Version
275
- version: 1.0.4
305
+ version: 3.1.2
276
306
  type: :development
277
307
  prerelease: false
278
308
  version_requirements: !ruby/object:Gem::Requirement
279
309
  requirements:
280
310
  - - "~>"
281
311
  - !ruby/object:Gem::Version
282
- version: '1.0'
312
+ version: '3.1'
283
313
  - - ">="
284
314
  - !ruby/object:Gem::Version
285
- version: 1.0.4
315
+ version: 3.1.2
286
316
  - !ruby/object:Gem::Dependency
287
- name: appraisal2
317
+ name: ruby-progressbar
288
318
  requirement: !ruby/object:Gem::Requirement
289
319
  requirements:
290
320
  - - "~>"
291
321
  - !ruby/object:Gem::Version
292
- version: '3.0'
322
+ version: '1.13'
293
323
  type: :development
294
324
  prerelease: false
295
325
  version_requirements: !ruby/object:Gem::Requirement
296
326
  requirements:
297
327
  - - "~>"
298
328
  - !ruby/object:Gem::Version
299
- version: '3.0'
329
+ version: '1.13'
300
330
  - !ruby/object:Gem::Dependency
301
- name: kettle-test
331
+ name: stone_checksums
302
332
  requirement: !ruby/object:Gem::Requirement
303
333
  requirements:
304
334
  - - "~>"
@@ -306,7 +336,7 @@ dependencies:
306
336
  version: '1.0'
307
337
  - - ">="
308
338
  - !ruby/object:Gem::Version
309
- version: 1.0.6
339
+ version: 1.0.3
310
340
  type: :development
311
341
  prerelease: false
312
342
  version_requirements: !ruby/object:Gem::Requirement
@@ -316,86 +346,105 @@ dependencies:
316
346
  version: '1.0'
317
347
  - - ">="
318
348
  - !ruby/object:Gem::Version
319
- version: 1.0.6
349
+ version: 1.0.3
320
350
  - !ruby/object:Gem::Dependency
321
- name: ruby-progressbar
351
+ name: gitmoji-regex
322
352
  requirement: !ruby/object:Gem::Requirement
323
353
  requirements:
324
354
  - - "~>"
325
355
  - !ruby/object:Gem::Version
326
- version: '1.13'
356
+ version: '2.0'
357
+ - - ">="
358
+ - !ruby/object:Gem::Version
359
+ version: 2.0.1
327
360
  type: :development
328
361
  prerelease: false
329
362
  version_requirements: !ruby/object:Gem::Requirement
330
363
  requirements:
331
364
  - - "~>"
332
365
  - !ruby/object:Gem::Version
333
- version: '1.13'
366
+ version: '2.0'
367
+ - - ">="
368
+ - !ruby/object:Gem::Version
369
+ version: 2.0.1
334
370
  - !ruby/object:Gem::Dependency
335
- name: stone_checksums
371
+ name: addressable
336
372
  requirement: !ruby/object:Gem::Requirement
337
373
  requirements:
338
374
  - - "~>"
339
375
  - !ruby/object:Gem::Version
340
- version: '1.0'
376
+ version: '2.8'
341
377
  - - ">="
342
378
  - !ruby/object:Gem::Version
343
- version: 1.0.2
379
+ version: 2.8.7
344
380
  type: :development
345
381
  prerelease: false
346
382
  version_requirements: !ruby/object:Gem::Requirement
347
383
  requirements:
348
384
  - - "~>"
349
385
  - !ruby/object:Gem::Version
350
- version: '1.0'
386
+ version: '2.8'
351
387
  - - ">="
352
388
  - !ruby/object:Gem::Version
353
- version: 1.0.2
389
+ version: 2.8.7
354
390
  - !ruby/object:Gem::Dependency
355
- name: gitmoji-regex
391
+ name: backports
356
392
  requirement: !ruby/object:Gem::Requirement
357
393
  requirements:
358
394
  - - "~>"
359
395
  - !ruby/object:Gem::Version
360
- version: '1.0'
396
+ version: '3.25'
361
397
  - - ">="
362
398
  - !ruby/object:Gem::Version
363
- version: 1.0.3
399
+ version: 3.25.1
364
400
  type: :development
365
401
  prerelease: false
366
402
  version_requirements: !ruby/object:Gem::Requirement
367
403
  requirements:
368
404
  - - "~>"
369
405
  - !ruby/object:Gem::Version
370
- version: '1.0'
406
+ version: '3.25'
371
407
  - - ">="
372
408
  - !ruby/object:Gem::Version
373
- version: 1.0.3
409
+ version: 3.25.1
374
410
  - !ruby/object:Gem::Dependency
375
- name: backports
411
+ name: nkf
376
412
  requirement: !ruby/object:Gem::Requirement
377
413
  requirements:
378
414
  - - "~>"
379
415
  - !ruby/object:Gem::Version
380
- version: '3.25'
416
+ version: '0.2'
417
+ type: :development
418
+ prerelease: false
419
+ version_requirements: !ruby/object:Gem::Requirement
420
+ requirements:
421
+ - - "~>"
422
+ - !ruby/object:Gem::Version
423
+ version: '0.2'
424
+ - !ruby/object:Gem::Dependency
425
+ name: rexml
426
+ requirement: !ruby/object:Gem::Requirement
427
+ requirements:
428
+ - - "~>"
429
+ - !ruby/object:Gem::Version
430
+ version: '3.2'
381
431
  - - ">="
382
432
  - !ruby/object:Gem::Version
383
- version: 3.25.1
433
+ version: 3.2.5
384
434
  type: :development
385
435
  prerelease: false
386
436
  version_requirements: !ruby/object:Gem::Requirement
387
437
  requirements:
388
438
  - - "~>"
389
439
  - !ruby/object:Gem::Version
390
- version: '3.25'
440
+ version: '3.2'
391
441
  - - ">="
392
442
  - !ruby/object:Gem::Version
393
- version: 3.25.1
443
+ version: 3.2.5
394
444
  description: "\U0001F510 A Ruby wrapper for the OAuth 2.0 Authorization Framework,
395
445
  including the OAuth 2.1 draft spec, and OpenID Connect (OIDC)"
396
446
  email:
397
447
  - floss@galtzo.com
398
- - oauth-ruby@googlegroups.com
399
448
  executables: []
400
449
  extensions: []
401
450
  extra_rdoc_files:
@@ -404,30 +453,24 @@ extra_rdoc_files:
404
453
  - CODE_OF_CONDUCT.md
405
454
  - CONTRIBUTING.md
406
455
  - FUNDING.md
407
- - IRP.md
408
- - LICENSE.txt
409
- - OIDC.md
456
+ - LICENSE.md
410
457
  - README.md
411
- - REEK
412
458
  - RUBOCOP.md
413
459
  - SECURITY.md
414
- - THREAT_MODEL.md
415
460
  files:
416
461
  - CHANGELOG.md
417
462
  - CITATION.cff
418
463
  - CODE_OF_CONDUCT.md
419
464
  - CONTRIBUTING.md
420
465
  - FUNDING.md
421
- - IRP.md
422
- - LICENSE.txt
423
- - OIDC.md
466
+ - LICENSE.md
424
467
  - README.md
425
- - REEK
426
468
  - RUBOCOP.md
427
469
  - SECURITY.md
428
- - THREAT_MODEL.md
470
+ - certs/pboling.pem
429
471
  - lib/oauth2.rb
430
472
  - lib/oauth2/access_token.rb
473
+ - lib/oauth2/auth_sanitizer.rb
431
474
  - lib/oauth2/authenticator.rb
432
475
  - lib/oauth2/client.rb
433
476
  - lib/oauth2/error.rb
@@ -447,49 +490,24 @@ files:
447
490
  - sig/oauth2/error.rbs
448
491
  - sig/oauth2/filtered_attributes.rbs
449
492
  - sig/oauth2/response.rbs
493
+ - sig/oauth2/sanitized_logger.rbs
450
494
  - sig/oauth2/strategy.rbs
495
+ - sig/oauth2/thing_filter.rbs
451
496
  - sig/oauth2/version.rbs
452
497
  homepage: https://github.com/ruby-oauth/oauth2
453
498
  licenses:
454
499
  - MIT
455
500
  metadata:
456
- homepage_uri: https://oauth2.galtzo.com/
457
- source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.18
458
- changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.18/CHANGELOG.md
501
+ homepage_uri: https://oauth2.galtzo.com
502
+ source_code_uri: https://github.com/ruby-oauth/oauth2/tree/v2.0.23
503
+ changelog_uri: https://github.com/ruby-oauth/oauth2/blob/v2.0.23/CHANGELOG.md
459
504
  bug_tracker_uri: https://github.com/ruby-oauth/oauth2/issues
460
- documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.18
461
- mailing_list_uri: https://groups.google.com/g/oauth-ruby
505
+ documentation_uri: https://www.rubydoc.info/gems/oauth2/2.0.23
462
506
  funding_uri: https://github.com/sponsors/pboling
463
- wiki_uri: https://gitlab.com/ruby-oauth/oauth2/-/wiki
507
+ wiki_uri: https://github.com/ruby-oauth/oauth2/wiki
464
508
  news_uri: https://www.railsbling.com/tags/oauth2
465
509
  discord_uri: https://discord.gg/3qme4XHNKN
466
510
  rubygems_mfa_required: 'true'
467
- post_install_message: |2
468
-
469
- ---+++--- oauth2 v2.0.18 ---+++---
470
-
471
- (minor) ⚠️ BREAKING CHANGES ⚠️ when upgrading from < v2
472
- • Summary of breaking changes: https://gitlab.com/ruby-oauth/oauth2#what-is-new-for-v20
473
- • Changes in this patch: https://gitlab.com/ruby-oauth/oauth2/-/blob/v2.0.18/CHANGELOG.md#2015-2025-09-08
474
-
475
- News:
476
- 1. New documentation website, including for OAuth 2.1 and OIDC: https://oauth2.galtzo.com
477
- 2. New official Discord for discussion and support: https://discord.gg/3qme4XHNKN
478
- 3. New org name "ruby-oauth" on Open Source Collective, GitHub, GitLab, Codeberg (update git remotes!)
479
- 4. Non-commercial support for the 2.x series will end by April, 2026. Please make a plan to upgrade to the next version prior to that date.
480
- Support will be dropped for Ruby 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 3.0, 3.1 and any other Ruby versions which will also have reached EOL by then.
481
- 5. Gem releases are cryptographically signed with a 20-year cert; SHA-256 & SHA-512 checksums by stone_checksums.
482
- 6. Please consider supporting this project:
483
- • https://opencollective.com/ruby-oauth (new!)
484
- • https://liberapay.com/pboling
485
- • https://github.com/sponsors/pboling
486
- • https://www.paypal.com/paypalme/peterboling
487
- • https://ko-fi.com/pboling
488
- • https://www.buymeacoffee.com/pboling
489
- • https://tidelift.com/funding/github/rubygems/oauth
490
- • Hire me - I can build anything
491
- • Report issues, and star the project
492
- Thanks, @pboling / @galtzo
493
511
  rdoc_options:
494
512
  - "--title"
495
513
  - "oauth2 - \U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
@@ -513,7 +531,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
513
531
  - !ruby/object:Gem::Version
514
532
  version: '0'
515
533
  requirements: []
516
- rubygems_version: 3.7.2
534
+ rubygems_version: 4.0.10
517
535
  specification_version: 4
518
536
  summary: "\U0001F510 OAuth 2.0, 2.1 & OIDC Core Ruby implementation"
519
537
  test_files: []
metadata.gz.sig CHANGED
Binary file
data/IRP.md DELETED
@@ -1,107 +0,0 @@
1
- # Incident Response Plan (IRP)
2
-
3
- Status: Draft
4
-
5
- ## Purpose
6
-
7
- This Incident Response Plan (IRP) defines the steps the project maintainer(s) will follow when handling security incidents related to the `oauth2` gem. It is written for a small project with a single primary maintainer and is intended to be practical, concise, and actionable.
8
-
9
- ## Scope
10
-
11
- Applies to security incidents that affect the `oauth2` codebase, releases (gems), CI/CD infrastructure related to building and publishing the gem, repository credentials, or any compromise of project infrastructure that could impact users.
12
-
13
- ## Key assumptions
14
- - This project is maintained primarily by a single maintainer.
15
- - Public vulnerability disclosure is handled via Tidelift (see `SECURITY.md`).
16
- - The maintainer will act as incident commander unless otherwise delegated.
17
-
18
- ## Contact & Roles
19
-
20
- - Incident Commander: Primary maintainer (repo owner). Responsible for coordinating triage, remediation, and communications.
21
- - Secondary Contact: (optional) A trusted collaborator or organization contact if available.
22
-
23
- ### If you are an external reporter
24
- - Do not publicly disclose details of an active vulnerability before coordination via Tidelift.
25
- - See `SECURITY.md` for Tidelift disclosure instructions. If the reporter has questions and cannot use Tidelift, they may open a direct encrypted report as described in `SECURITY.md` (if available) or email the maintainer contact listed in the repository.
26
-
27
- ## Incident Handling Workflow (high level)
28
- 1. Identification & Reporting
29
- - Reports may arrive via Tidelift, issue tracker, direct email, or third-party advisories.
30
- - Immediately acknowledge receipt (within 24-72 hours) via the reporting channel.
31
-
32
- 2. Triage & Initial Assessment (first 72 hours)
33
- - Confirm the report is not duplicative and gather: reproducer, affected versions, attack surface, exploitability, and CVSS-like severity estimate.
34
- - Verify the issue against the codebase and reproduce locally if possible.
35
- - Determine scope: which versions are affected, whether the issue is in code paths executed in common setups, and whether a workaround exists.
36
-
37
- 3. Containment & Mitigation
38
- - If a simple mitigation or workaround (configuration change, safe default, or recommended upgrade) exists, document it clearly in the issue/Tidelift advisory.
39
- - If immediate removal of a release is required (rare), consult Tidelift for coordinated takedown and notify package hosts if applicable.
40
-
41
- 4. Remediation & Patch
42
- - Prepare a fix in a branch with tests and changelog entries. Prefer minimal, well-tested changes.
43
- - Include tests that reproduce the faulty behavior and demonstrate the fix.
44
- - Hardening: add fuzz tests, input validation, or additional checks as appropriate.
45
-
46
- 5. Release & Disclosure
47
- - Coordinate disclosure through Tidelift per `SECURITY.md` timelines. Aim for a coordinated disclosure and patch release to minimize risk to users.
48
- - Publish a patch release (increment gem version) and an advisory via Tidelift.
49
- - Update `CHANGELOG.md` and repository release notes with non-sensitive details.
50
-
51
- 6. Post-Incident
52
- - Produce a short postmortem: timeline, root cause, actions taken, and follow-ups.
53
- - Add/adjust tests and CI checks to prevent regressions.
54
- - If credentials or infrastructure were compromised, rotate secrets and audit access.
55
-
56
- ## Severity classification (guidance)
57
- - High/Critical: Remote code execution, data exfiltration, or any vulnerability that can be exploited without user interaction. Immediate action and prioritized patching.
58
- - Medium: Privilege escalation, sensitive information leaks that require specific conditions. Patch in the next release cycle with advisory.
59
- - Low: Minor information leaks, UI issues, or non-exploitable bugs. Fix normally and include in the next scheduled release.
60
-
61
- ## Preservation of evidence
62
- - Preserve all reporter-provided data, logs, and reproducer code in a secure location (local encrypted storage or private branch) for the investigation.
63
- - Do not publish evidence that would enable exploitation before coordinated disclosure.
64
-
65
- ## Communication templates
66
- Acknowledgement (to reporter)
67
-
68
- "Thank you for reporting this issue. I've received your report and will triage it within 72 hours. If you can, please provide reproduction steps, affected versions, and any exploit PoC. I will coordinate disclosure through Tidelift per the project's security policy."
69
-
70
- Public advisory (after patch is ready)
71
-
72
- "A security advisory for oauth2 (versions X.Y.Z) has been published via Tidelift. Please upgrade to version A.B.C which patches [brief description]. See the advisory for details and recommended mitigations."
73
-
74
- ## Runbook: Quick steps for a maintainer to patch and release
75
- 1. Create a branch: `git checkout -b fix/security-brief-description`
76
- 2. Reproduce the issue locally and add a regression spec in `spec/`.
77
- 3. Implement the fix and run the test suite: `bundle exec rspec` (or the project's preferred test command).
78
- 4. Bump version in `lib/oauth2/version.rb` following semantic versioning.
79
- 5. Update `CHANGELOG.md` with an entry describing the fix (avoid exploit details).
80
- 6. Commit and push the branch, open a PR, and merge after approvals.
81
- 7. Build and push the gem: `gem build oauth2.gemspec && gem push pkg/...` (coordinate with Tidelift before public push if disclosure is coordinated).
82
- 8. Publish a release on GitHub and ensure the Tidelift advisory is posted.
83
-
84
- ## Operational notes
85
- - Secrets: Use local encrypted storage for any sensitive reporter data. If repository or CI secrets may be compromised, rotate them immediately and update dependent services.
86
- - Access control: Limit who can publish gems and who has admin access to the repo. Keep an up-to-date list of collaborators in a secure place.
87
-
88
- ## Legal & regulatory
89
- - If the incident involves user data or has legal implications, consult legal counsel or the maintainers' employer as appropriate. The maintainer should document the timeline and all communications.
90
-
91
- ## Retrospective & continuous improvement
92
- After an incident, perform a brief post-incident review covering:
93
- - What happened and why
94
- - What was done to contain and remediate
95
- - What tests or process changes will prevent recurrence
96
- - Assign owners and deadlines for follow-up tasks
97
-
98
- ## References
99
- - See `SECURITY.md` for the project's official disclosure channel (Tidelift).
100
-
101
- ## Appendix: Example checklist for an incident
102
- - [ ] Acknowledge report to reporter (24-72 hours)
103
- - [ ] Reproduce and classify severity
104
- - [ ] Prepare and test a fix in a branch
105
- - [ ] Coordinate disclosure via Tidelift
106
- - [ ] Publish patch release and advisory
107
- - [ ] Postmortem and follow-up actions