pusher 0.14.4 → 0.14.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3b01f88da67dca16b39dbf8294f56a38d9737e13
-  data.tar.gz: 56b1a23bc74b234a487319a22138323463f0271e
+  metadata.gz: 9bd67ccabffeb24e369e09b592b06a9991c4795d
+  data.tar.gz: 035e6c2def599b1ce8a6cd12897a908a011fc1fa
 SHA512:
-  metadata.gz: 8c95993afb1e953a5c6b0ea21e3ee26db91c0b89ba7e77bbb41965304dc81ed77810eafdffefc0da92347f977e374a710d5a0baa2e1f17c827eebd7d5540210f
-  data.tar.gz: a730e0e7f0285d0b522a5fb42e903a6ef42aee479037269f742b4a56d132392664220d6aca748cb840b32f9476f000fee782dd6c752dc0b1a3db959cfdc4b78c
+  metadata.gz: da4f65dc4b9cbd5d37020d26bde929381413b3285346f5a9979d664967fc1a1a606ee84572dd1acf8bd9fb70aa5626f996383aa20ff91949dc6120242c35e8bc
+  data.tar.gz: 63ddd45053e53489dcc2759eabf4ae76b7732cc37fb0ad72866716aba87473971702f43d036fffde82d220abf87890b83395c2e09ce07c52c67f414173fcab35

data/.travis.yml

@@ -1,12 +1,12 @@
 language: ruby
-
+sudo: false
 rvm:
   - 1.8.7
   - 1.9.2
   - 1.9.3
   - 2.0.0
-  - 2.1.1
-  - 2.1.2
+  - 2.1
+  - 2.2
   - jruby-18mode
   - jruby-19mode
   - rbx-2

data/CHANGELOG.md

@@ -1,4 +1,9 @@
 
+0.14.5 / 2015-05-11
+==================
+
+  * SECURITY: Prevent auth delegation trough crafted socket IDs
+
 0.14.4 / 2015-01-20
 ==================
 

data/README.md

@@ -1,17 +1,21 @@
 Pusher gem
 ==========
 
-[![Build Status](https://secure.travis-ci.org/pusher/pusher-gem.svg?branch=master)](http://travis-ci.org/pusher/pusher-gem)
+[![Build Status](https://secure.travis-ci.org/pusher/pusher-http-ruby.svg?branch=master)](http://travis-ci.org/pusher/pusher-http-ruby)
 
 ## Installation & Configuration
 
 Add pusher to your Gemfile, and then run `bundle install`
 
-    gem 'pusher'
+``` ruby
+gem 'pusher'
+```
 
 or install via gem
 
-    gem install pusher
+``` bash
+gem install pusher
+```
 
 After registering at <http://pusher.com> configure your app with the security credentials.
 
@@ -19,33 +23,43 @@ After registering at <http://pusher.com> configure your app with the security cr
 
 The most standard way of configuring Pusher is to do it globally on the Pusher class.
 
-    Pusher.app_id = 'your-pusher-app-id'
-    Pusher.key = 'your-pusher-key'
-    Pusher.secret = 'your-pusher-secret'
+``` ruby
+Pusher.app_id = 'your-pusher-app-id'
+Pusher.key = 'your-pusher-key'
+Pusher.secret = 'your-pusher-secret'
+```
 
 Global configuration will automatically be set from the `PUSHER_URL` environment variable if it exists. This should be in the form  `http://KEY:SECRET@api.pusherapp.com/apps/APP_ID`. On Heroku this environment variable will already be set.
 
 If you need to make requests via a HTTP proxy then it can be configured
 
-    Pusher.http_proxy = 'http://(user):(password)@(host):(port)'
+``` ruby
+Pusher.http_proxy = 'http://(user):(password)@(host):(port)'
+```
 
 By default API requests are made over HTTP. HTTPS can be used by setting
 
-    Pusher.encrypted = true
+``` ruby
+Pusher.encrypted = true
+```
 
 As of version 0.12, SSL certificates are verified when using the synchronous http client. If you need to disable this behaviour for any reason use:
 
-    Pusher.default_client.sync_http_client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+``` ruby
+Pusher.default_client.sync_http_client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
+```
 
 ### Instantiating a Pusher client
 
 Sometimes you may have multiple sets of API keys, or want different configuration in different parts of your application. In these scenarios, a pusher `client` may be configured:
 
-    pusher_client = Pusher::Client.new({
-      app_id: 'your-pusher-app-id',
-      key: 'your-pusher-key',
-      secret: 'your-pusher-secret'
-    })
+``` ruby
+pusher_client = Pusher::Client.new({
+  app_id: 'your-pusher-app-id',
+  key: 'your-pusher-key',
+  secret: 'your-pusher-secret'
+})
+```
 
 This `client` will have all the functionality listed on the main Pusher class (which proxies to a client internally).
 
@@ -59,34 +73,44 @@ The Pusher gem contains a number of helpers for interacting with the service. As
 
 Handle errors by rescuing `Pusher::Error` (all errors are descendants of this error)
 
-    begin
-      Pusher.trigger('a_channel', 'an_event', {:some => 'data'})
-    rescue Pusher::Error => e
-      # (Pusher::AuthenticationError, Pusher::HTTPError, or Pusher::Error)
-    end
+``` ruby
+begin
+  Pusher.trigger('a_channel', 'an_event', {:some => 'data'})
+rescue Pusher::Error => e
+  # (Pusher::AuthenticationError, Pusher::HTTPError, or Pusher::Error)
+end
+```
 
 ### Logging
 
 Errors are logged to `Pusher.logger`. It will by default log at info level to STDOUT using `Logger` from the standard library, however you can assign any logger:
 
-    Pusher.logger = Rails.logger
+``` ruby
+Pusher.logger = Rails.logger
+```
 
 ### Publishing events
 
 An event can be published to one or more channels (limited to 10) in one API call:
 
-    Pusher.trigger('channel', 'event', {foo: 'bar'})
-    Pusher.trigger(['channel_1', 'channel_2'], 'event_name', {foo: 'bar'})
+``` ruby
+Pusher.trigger('channel', 'event', {foo: 'bar'})
+Pusher.trigger(['channel_1', 'channel_2'], 'event_name', {foo: 'bar'})
+```
 
 An optional fourth argument may be used to send additional parameters to the API, for example to [exclude a single connection from receiving the event](http://pusher.com/docs/publisher_api_guide/publisher_excluding_recipients).
 
-    Pusher.trigger('channel', 'event', {foo: 'bar'}, {socket_id: '123.456'})
+``` ruby
+Pusher.trigger('channel', 'event', {foo: 'bar'}, {socket_id: '123.456'})
+```
 
 #### Deprecated publisher API
 
 Most examples and documentation will refer to the following syntax for triggering an event:
 
-    Pusher['a_channel'].trigger('an_event', {:some => 'data'})
+``` ruby
+Pusher['a_channel'].trigger('an_event', {:some => 'data'})
+```
 
 This will continue to work, but has been replaced by `Pusher.trigger` which supports one or multiple channels.
 
@@ -96,11 +120,13 @@ Aside from triggering events, the REST API also supports a number of operations
 
 All requests must be signed by using your secret key, which is handled automatically using these methods:
 
-    # using the Pusher class
-    Pusher.get('url_without_app_id', params)
+``` ruby
+# using the Pusher class
+Pusher.get('url_without_app_id', params)
 
-    # using a client
-    pusher_client.post('url_without_app_id', params)
+# using a client
+pusher_client.post('url_without_app_id', params)
+```
 
 Note that you don't need to specify your app_id in the URL, as this is inferred from your credentials.
 
@@ -128,11 +154,13 @@ It is of course also possible to make calls to pusher via a job queue. This appr
 
 The `_async` methods return an `EM::Deferrable` which you can bind callbacks to:
 
-    Pusher.get_async("/channels").callback { |response|
-      # use reponse[:channels]
-    }.errback { |error|
-      # error is an instance of Pusher::Error
-    }
+``` ruby
+Pusher.get_async("/channels").callback { |response|
+  # use reponse[:channels]
+}.errback { |error|
+  # error is an instance of Pusher::Error
+}
+```
 
 A HTTP error or an error response from pusher will cause the errback to be called with an appropriate error object.
 
@@ -149,34 +177,38 @@ It's possible to use the gem to authenticate subscription requests to private or
 
 ### Private channels
 
-    Pusher['private-my_channel'].authenticate(params[:socket_id])
+``` ruby
+Pusher['private-my_channel'].authenticate(params[:socket_id])
+```
 
 ### Presence channels
 
 These work in a very similar way, but require a unique identifier for the user being authenticated, and optionally some attributes that are provided to clients via presence events:
 
-    Pusher['presence-my_channel'].authenticate(params[:socket_id], {
-      user_id: 'user_id',
-      user_info: {} # optional
-    })
-
-
+``` ruby
+Pusher['presence-my_channel'].authenticate(params[:socket_id], {
+  user_id: 'user_id',
+  user_info: {} # optional
+})
+```
 
 ## Receiving WebHooks
 
 A WebHook object may be created to validate received WebHooks against your app credentials, and to extract events. It should be created with the `Rack::Request` object (available as `request` in Rails controllers or Sinatra handlers for example).
 
-    webhook = Pusher.webhook(request)
-    if webhook.valid?
-      webhook.events.each do |event|
-        case event["name"]
-        when 'channel_occupied'
-          puts "Channel occupied: #{event["channel"]}"
-        when 'channel_vacated'
-          puts "Channel vacated: #{event["channel"]}"
-        end
-      end
-      render text: 'ok'
-    else
-      render text: 'invalid', status: 401
+``` ruby
+webhook = Pusher.webhook(request)
+if webhook.valid?
+  webhook.events.each do |event|
+    case event["name"]
+    when 'channel_occupied'
+      puts "Channel occupied: #{event["channel"]}"
+    when 'channel_vacated'
+      puts "Channel vacated: #{event["channel"]}"
     end
+  end
+  render text: 'ok'
+else
+  render text: 'invalid', status: 401
+end
+```

data/lib/pusher/channel.rb

@@ -34,7 +34,10 @@ module Pusher
     #
     def trigger_async(event_name, data, socket_id = nil)
       params = {}
-      params[:socket_id] = socket_id if socket_id
+      if socket_id
+        validate_socket_id(socket_id)
+        params[:socket_id] = socket_id
+      end
       @client.trigger_async(name, event_name, data, params)
     end
 
@@ -60,7 +63,10 @@ module Pusher
     #
     def trigger!(event_name, data, socket_id = nil)
       params = {}
-      params[:socket_id] = socket_id if socket_id
+      if socket_id
+        validate_socket_id(socket_id)
+        params[:socket_id] = socket_id
+      end
       @client.trigger(name, event_name, data, params)
     end
 
@@ -115,9 +121,7 @@ module Pusher
     # @return [String]
     #
     def authentication_string(socket_id, custom_string = nil)
-      if socket_id.nil? || socket_id.empty?
-        raise Error, "Invalid socket_id #{socket_id}"
-      end
+      validate_socket_id(socket_id)
 
       unless custom_string.nil? || custom_string.kind_of?(String)
         raise Error, 'Custom argument must be a string'
@@ -162,5 +166,13 @@ module Pusher
       r[:channel_data] = custom_data if custom_data
       r
     end
+
+    private
+
+    def validate_socket_id(socket_id)
+      unless socket_id && /\A\d+\.\d+\z/.match(socket_id)
+        raise Pusher::Error, "Invalid socket ID #{socket_id.inspect}"
+      end
+    end
   end
 end

data/pusher.gemspec

@@ -3,11 +3,11 @@ $:.push File.expand_path("../lib", __FILE__)
 
 Gem::Specification.new do |s|
   s.name        = "pusher"
-  s.version     = "0.14.4"
+  s.version     = "0.14.5"
   s.platform    = Gem::Platform::RUBY
   s.authors     = ["Pusher"]
   s.email       = ["support@pusher.com"]
-  s.homepage    = "http://github.com/pusher/pusher-gem"
+  s.homepage    = "http://github.com/pusher/pusher-http-ruby"
   s.summary     = %q{Pusher API client}
   s.description = %q{Wrapper for pusher.com REST api}
   s.license     = "MIT"

data/spec/channel_spec.rb

@@ -99,9 +99,9 @@ describe Pusher::Channel do
     end
 
     it "should return an authentication string given a socket id" do
-      auth = @channel.authentication_string('socketid')
+      auth = @channel.authentication_string('1.1')
 
-      auth.should == '12345678900000001:827076f551e22451357939e4c7bb1200de29f921d5bf80b40d71668f9cd61c40'
+      auth.should == '12345678900000001:02259dff9a2a3f71ea8ab29ac0c0c0ef7996c8f3fd3702be5533f30da7d7fed4'
     end
 
     it "should raise error if authentication is invalid" do
@@ -112,17 +112,17 @@ describe Pusher::Channel do
 
     describe 'with extra string argument' do
       it 'should be a string or nil' do
-        authentication_string('socketid', 123).should raise_error Pusher::Error
-        authentication_string('socketid', {}).should raise_error Pusher::Error
+        authentication_string('1.1', 123).should raise_error Pusher::Error
+        authentication_string('1.1', {}).should raise_error Pusher::Error
 
-        authentication_string('socketid', 'boom').should_not raise_error
-        authentication_string('socketid', nil).should_not raise_error
+        authentication_string('1.1', 'boom').should_not raise_error
+        authentication_string('1.1', nil).should_not raise_error
       end
 
       it "should return an authentication string given a socket id and custom args" do
-        auth = @channel.authentication_string('socketid', 'foobar')
+        auth = @channel.authentication_string('1.1', 'foobar')
 
-        auth.should == "12345678900000001:#{hmac(@client.secret, "socketid:test_channel:foobar")}"
+        auth.should == "12345678900000001:#{hmac(@client.secret, "1.1:test_channel:foobar")}"
       end
     end
   end
@@ -135,12 +135,34 @@ describe Pusher::Channel do
     it 'should return a hash with signature including custom data and data as json string' do
       MultiJson.stub(:encode).with(@custom_data).and_return 'a json string'
 
-      response = @channel.authenticate('socketid', @custom_data)
+      response = @channel.authenticate('1.1', @custom_data)
 
       response.should == {
-        :auth => "12345678900000001:#{hmac(@client.secret, "socketid:test_channel:a json string")}",
+        :auth => "12345678900000001:#{hmac(@client.secret, "1.1:test_channel:a json string")}",
         :channel_data => 'a json string'
       }
     end
+
+    it 'should fail on invalid socket_ids' do
+      lambda {
+        @channel.authenticate('1.1:')
+      }.should raise_error Pusher::Error
+
+      lambda {
+        @channel.authenticate('1.1foo', 'channel')
+      }.should raise_error Pusher::Error
+
+      lambda {
+        @channel.authenticate(':1.1')
+      }.should raise_error Pusher::Error
+
+      lambda {
+        @channel.authenticate('foo1.1', 'channel')
+      }.should raise_error Pusher::Error
+
+      lambda {
+        @channel.authenticate('foo', 'channel')
+      }.should raise_error Pusher::Error
+    end
   end
 end

data/spec/client_spec.rb

@@ -225,19 +225,19 @@ describe Pusher do
           lambda {
             @client.trigger((0..11).map{|i| 'mychannel#{i}'},
               'event', {'some' => 'data'}, {
-                :socket_id => "1234"
+                :socket_id => "12.34"
               })}.should raise_error(Pusher::Error)
         end
 
         it "should pass any parameters in the body of the request" do
           @client.trigger(['mychannel', 'c2'], 'event', {'some' => 'data'}, {
-            :socket_id => "1234"
+            :socket_id => "12.34"
           })
           WebMock.should have_requested(:post, @api_path).with { |req|
             parsed = MultiJson.decode(req.body)
             parsed["name"].should == 'event'
             parsed["channels"].should == ["mychannel", "c2"]
-            parsed["socket_id"].should == '1234'
+            parsed["socket_id"].should == '12.34'
           }
         end
 
@@ -277,10 +277,10 @@ describe Pusher do
         it "should pass any parameters in the body of the request" do
           EM.run {
             @client.trigger_async('mychannel', 'event', {'some' => 'data'}, {
-              :socket_id => "1234"
+              :socket_id => "12.34"
             }).callback {
               WebMock.should have_requested(:post, @api_path).with { |req|
-                MultiJson.decode(req.body)["socket_id"].should == '1234'
+                MultiJson.decode(req.body)["socket_id"].should == '12.34'
               }
               EM.stop
             }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pusher
 version: !ruby/object:Gem::Version
-  version: 0.14.4
+  version: 0.14.5
 platform: ruby
 authors:
 - Pusher
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-01-20 00:00:00.000000000 Z
+date: 2015-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -150,7 +150,7 @@ files:
 - spec/client_spec.rb
 - spec/spec_helper.rb
 - spec/web_hook_spec.rb
-homepage: http://github.com/pusher/pusher-gem
+homepage: http://github.com/pusher/pusher-http-ruby
 licenses:
 - MIT
 metadata: {}
@@ -170,7 +170,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.2
+rubygems_version: 2.4.6
 signing_key: 
 specification_version: 4
 summary: Pusher API client