onfido 0.8.4 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9b8943db59807d0aca9c9e8caa5b5509878432d6
-  data.tar.gz: 0c12bf449f543db534205f3944ee69251408b025
+SHA256:
+  metadata.gz: 02ec5c2316de975b17ee9818699d45f47eff8e9f93bb89400e7ef4dd9d6b5170
+  data.tar.gz: ed1a1accb7575b5483eb17cd5631d0abe98641a5c34922b79a9c26bce13eab53
 SHA512:
-  metadata.gz: d7eeae37b53e98a3d46e4e8a4fa4ec20ff0dc0d77fdf79be49f7c1d2a9f50466d61503a00db7fef9d3c7b39216095ab6e2340f4577d989b6e305c8167cbd7d0c
-  data.tar.gz: 64e81f488051a276972cb3476e540bb6fae1d2a9b19699a6512b7184b66fc7a808ed8ccb13f34cf767b12cfb434501084e08bb6bb18661454a8277f37724dc9d
+  metadata.gz: b51ceca16f8c19c95234e8ba5b5e5e86c3cca098273a79e3880c46175861c6efd9d97858bc463d6a8ad029268d66866306792b5dea822473cd89100c5f4a9b75
+  data.tar.gz: 0f149d1be7d19d1c3f4edbef29d80d0ac5ebfd4ed26e17a29b66e44afbc2e9aa4d473e5ce770d7247284d993a054e6349f043cce62f6d7c9315525b1b6558b92

data/.rubocop.yml

@@ -9,6 +9,7 @@ AllCops:
     - vendor/**/*
     - .*/**
     - spec/fixtures/**/*
+  TargetRubyVersion: 2.2.0
 
 Style/StringLiterals:
   Enabled: false

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.9.0, 8 March 2018
+
+- Remove the ability to create Documents and Live Photos from a remote URL or local path, mitigating a potential security vulnerability (see #45 for details) (@timrogers)
+- Drop support for Ruby versions earlier than 2.2.0, since they have [reached end-of-life](https://www.ruby-lang.org/en/news/2017/04/01/support-of-ruby-2-1-has-ended/) (@timrogers)
+
 ## v0.8.4, 29 January 2018
 
 - Replace use of `method_missing` with explicitly-defined accessors when accessing

data/README.md

@@ -12,9 +12,11 @@ This gem supports both `v1` and `v2` of the Onfido API. Refer to Onfido's [API d
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'onfido', '~> 0.8.4'
+gem 'onfido', '~> 0.9.0'
 ```
 
+The gem is compatible with Ruby 2.2.0 and onwards. Earlier versions of Ruby have [reached end-of-life](https://www.ruby-lang.org/en/news/2017/04/01/support-of-ruby-2-1-has-ended/), are no longer supported and no longer receive security fixes.
+
 ## Configuration
 
 There are 5 configuration options:
@@ -72,7 +74,10 @@ api.document.download('applicant_id', 'document_id') # => Downloads a document a
 api.document.all('applicant_id') # => Returns all applicant's documents
 ```
 
-**Note:** The file parameter can be either a `File` object or a link to an image.
+**Note:** The file parameter must be a `File`-like object which responds to `#read` and `#path`.
+Previous versions of this gem supported providing a URL to a file accessible over HTTP or a path
+to a file in the local filesystem. You should instead load the file yourself and then pass it in
+to `#create`.
 
 #### Live Photos
 
@@ -83,7 +88,10 @@ They can only be created - the Onfido does not support finding or listing them.
 api.live_photo.create('applicant_id', file: 'http://example.com')
 ```
 
-**Note:** The file parameter can be either a `File` object or a link to an image.
+**Note:** The file parameter must be a `File`-like object which responds to `#read` and `#path`.
+Previous versions of this gem supported providing a URL to a file accessible over HTTP or a path
+to a file in the local filesystem. You should instead load the file yourself and then pass it in
+to `#create`.
 
 #### Checks
 

data/lib/onfido.rb

@@ -1,7 +1,6 @@
 require 'json'
 require 'rack'
 require 'rest-client'
-require 'open-uri'
 require 'openssl'
 
 require 'onfido/version'

data/lib/onfido/resource.rb

@@ -144,5 +144,12 @@ module Onfido
 
       raise ConnectionError.new(full_message)
     end
+
+    def validate_file!(file)
+      return if file.respond_to?(:read) && file.respond_to?(:path)
+
+      raise ArgumentError, "File must be a `File`-like object which responds to " \
+                           "`#read` and `#path`"
+    end
   end
 end

data/lib/onfido/resources/document.rb

@@ -3,7 +3,8 @@ module Onfido
     # with open-uri the file can be a link or an actual file
 
     def create(applicant_id, payload)
-      payload[:file] = open(payload.fetch(:file), 'r')
+      validate_file!(payload.fetch(:file))
+
       post(
         url: url_for("applicants/#{applicant_id}/documents"),
         payload: payload

data/lib/onfido/resources/live_photo.rb

@@ -3,8 +3,9 @@ module Onfido
     # with open-uri the file can be a link or an actual file
 
     def create(applicant_id, payload)
+      validate_file!(payload.fetch(:file))
       payload[:applicant_id] = applicant_id
-      payload[:file] = open(payload.fetch(:file), 'r')
+
       post(
         url: url_for("/live_photos"),
         payload: payload

data/lib/onfido/version.rb

@@ -1,3 +1,3 @@
 module Onfido
-  VERSION = '0.8.4'.freeze
+  VERSION = '0.9.0'.freeze
 end

data/onfido.gemspec

@@ -21,6 +21,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
+  spec.required_ruby_version = ">= 2.2.0"
 
   spec.add_development_dependency 'bundler', '~> 1.7'
   spec.add_development_dependency 'rake', '~> 12.0'

data/spec/integrations/document_spec.rb

@@ -4,13 +4,6 @@ describe Onfido::Document do
   subject(:document) { described_class.new }
 
   describe '#create' do
-    after do
-      file.close
-      file.unlink
-    end
-
-    let(:file) { Tempfile.new(['passport', '.jpg']) }
-    before { allow(document).to receive(:open).and_return(:file) }
     let(:params) do
       {
         type: 'passport',
@@ -20,9 +13,27 @@ describe Onfido::Document do
     end
     let(:applicant_id) { '1030303-123123-123123' }
 
-    it 'creates a new document' do
-      response = document.create('foobar', params)
-      expect(response['id']).not_to be_nil
+    context 'with a File-like object to upload' do
+      let(:file) { Tempfile.new(['passport', '.jpg']) }
+
+      after do
+        file.close
+        file.unlink
+      end
+
+      it 'creates a new document' do
+        response = document.create('foobar', params)
+        expect(response['id']).not_to be_nil
+      end
+    end
+
+    context 'passing in a non-File-like file to upload' do
+      let(:file) { 'https://onfido.com/images/logo.png' }
+
+      it 'raises an ArgumentError' do
+        expect { document.create('foobar', params) }.
+          to raise_error(ArgumentError, /must be a `File`-like object/)
+      end
     end
   end
 

data/spec/integrations/live_photo_spec.rb

@@ -4,19 +4,29 @@ describe Onfido::LivePhoto do
   subject(:live_photo) { described_class.new }
 
   describe '#create' do
-    after do
-      file.close
-      file.unlink
+    let(:params) { { file: file } }
+
+    context 'with a File-like object to upload' do
+      let(:file) { Tempfile.new(['passport', '.jpg']) }
+
+      after do
+        file.close
+        file.unlink
+      end
+
+      it 'creates a new photo' do
+        response = live_photo.create('foobar', params)
+        expect(response['id']).not_to be_nil
+      end
     end
 
-    let(:file) { Tempfile.new(['photo', '.jpg']) }
-    before { allow(live_photo).to receive(:open).and_return(:file) }
-    let(:params) { { file: file } }
-    let(:applicant_id) { '1030303-123123-123123' }
+    context 'passing in a non-File-like file to upload' do
+      let(:file) { 'https://onfido.com/images/photo.jpg' }
 
-    it 'creates a new photo' do
-      response = live_photo.create('foobar', params)
-      expect(response['id']).not_to be_nil
+      it 'raises an ArgumentError' do
+        expect { live_photo.create('foobar', params) }.
+          to raise_error(ArgumentError, /must be a `File`-like object/)
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: onfido
 version: !ruby/object:Gem::Version
-  version: 0.8.4
+  version: 0.9.0
 platform: ruby
 authors:
 - Pericles Theodorou
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-29 00:00:00.000000000 Z
+date: 2018-03-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -224,7 +224,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -232,7 +232,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 2.7.4
 signing_key: 
 specification_version: 4
 summary: A wrapper for Onfido API