rack-github_webhooks 0.2.0 → 0.5.0

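--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-SHA1:
-metadata.gz: 356ef06d3434bd82cf6259402c287ac2d576f439
-data.tar.gz: fb0f199fc1c489350794c4545795bbd76f866e11
+SHA256:
+metadata.gz: 4e9bc4dec047a6c37f877852a93a65b18c9aadb80be3b2814ae1a5c938ccc5b0
+data.tar.gz: 0ae119a01cf1ac2afbe6582645d2de9f6452b6231c8ce5b8ce27139b1223d565
 SHA512:
-metadata.gz: 6fb61aea03f0354d2a5f817064b2cf3f94cefefbb874d490291140a050535851ef50c18e7c7ce40091164b8ae7e6f1222f4b6865b04d928bfbd1e8424ba923b8
-data.tar.gz: 264cbf318764db94000244c4157780d35a905a82315493c16b4b39db39479423678e8afc415ad57350dcc5c4577b665b7ad0b7f4a6bce6586d4d8a8eb60d2243
+metadata.gz: 1405789690a5345c9676e29e229bf4d1b4e1541b72506c7571ead31281f2ca14c79cd366fa08ed2d3c9d972061a97d102d313e76c40dd663a76c013854c23e4f
+data.tar.gz: ff191f5ec6ad9c86a978f9a8d9f03792dcc929e9f1b39e600aa157da2971df2d13025d61b4ce17675a8bdcf148b41af3c6ea748bf118805c97bbaf6fdc4be634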
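--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -3,9 +3,23 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## 0.1.0 - 2015-11-29
+## [0.5.0] - 2022-03-09
 
-- Initial release
+### Changed
+
+- Validate using SHA256 instead of SHA1 #3
+
+## [0.4.0] - 2016-03-25
+
+### Fixed
+
+- Call `env['rack.input'].rewind` after reading from it. Thanks @ppworks for the patch.
+
+## [0.3.0] - 2015-11-29
+
+### Changed
+
+- Internal refactor to separate out `Signature` class.
 
 ## [0.2.0] - 2015-11-29
 
@@ -13,4 +27,12 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 - Don't error when there's no 'X-Hub-Signature' header.
 
+
+## 0.1.0 - 2015-11-29
+
+- Initial release
+
 [0.2.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.1.0...v0.2.0
+[0.3.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.2.0...v0.3.0
+[0.4.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.3.0...v0.4.0
+[0.5.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.4.0...v0.5.0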
@@ -1,5 +1,5 @@
1
1
  module Rack
2
2
  class GithubWebhooks
3
- VERSION = '0.2.0'
3
+ VERSION = '0.5.0'
4
4
  end
5
5
  end
@@ -4,11 +4,21 @@ require 'json'
4
4
 
5
5
  module Rack
6
6
  class GithubWebhooks
7
- HMAC_DIGEST = OpenSSL::Digest.new('sha1')
7
+ class Signature
8
+ HMAC_DIGEST = OpenSSL::Digest.new('sha256')
8
9
 
9
- attr_reader :app
10
- attr_reader :secret
11
- attr_reader :request
10
+ def initialize(secret, hub_signature, payload_body)
11
+ @secret = secret
12
+ @hub_signature = hub_signature
13
+ @signature = "sha256=#{OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)}"
14
+ end
15
+
16
+ def valid?
17
+ return true unless @secret
18
+ return false unless @hub_signature
19
+ Rack::Utils.secure_compare(@signature, @hub_signature)
20
+ end
21
+ end
12
22
 
13
23
  def initialize(app, opts = {})
14
24
  @app = app
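Review bot: Signature#initialize computes the HMAC unconditionally, so when no secret is configured `OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)` receives nil as the key and raises TypeError before `valid?` can reach its `return true unless @secret` guard; 0.2.0 only derived the digest after that check. If `@secret` can be nil here (its assignment in `initialize(app, opts)` lies past the end of the hunk), a minimal fix is `@signature = "sha256=#{OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)}" if secret`. Independently of that, the no-secret branch accepts every request, which deserves a comment such as `# No secret configured: verification is skipped and every payload is accepted.` so operators can see that the middleware fails open. The enclosing `initialize(app, opts = {})` and class GithubWebhooks continue outside the hunk.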
@@ -16,29 +26,23 @@ module Rack
16
26
  end
17
27
 
18
28
  def call(env)
19
- @request = Rack::Request.new(env)
20
- return [400, {}, ["Signatures didn't match!"]] unless signature_valid?
21
- app.call(env)
29
+ rewind_body(env)
30
+ signature = Signature.new(
31
+ @secret,
32
+ env['HTTP_X_HUB_SIGNATURE_256'],
33
+ env['rack.input'].read
34
+ )
35
+ return [400, {}, ["Signatures didn't match!"]] unless signature.valid?
36
+
37
+ rewind_body(env)
38
+ @app.call(env)
22
39
  end
23
40
 
24
41
  private
25
42
 
26
- # Taken from https://developer.github.com/webhooks/securing/
27
- def signature_valid?
28
- return true unless secret
29
- return false unless request.env['HTTP_X_HUB_SIGNATURE']
30
- Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
31
- end
32
-
33
- def signature
34
- "sha1=#{OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)}"
35
- end
36
-
37
- def payload_body
38
- @payload_body ||= begin
39
- request.body.rewind
40
- request.body.read
41
- end
43
+ def rewind_body(env)
44
+ env['rack.input'].rewind if env['rack.input'].respond_to?(:rewind)
45
+ rescue Errno::ESPIPE
42
46
  end
43
47
  end
44
48
  end
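Review bot: `rewind_body` swallows Errno::ESPIPE and returns nil, so on a non-seekable `rack.input` the body is read for verification and then handed to `@app` already consumed, with nothing in `call` noting this; a comment on the method, `# Best effort: an unseekable input (Errno::ESPIPE) is left as-is, so the downstream app may see an already-consumed body.`, would make that visible. The read itself is unbounded: `env['rack.input'].read` buffers the whole body before the signature is checked, so a request that fails verification still costs its full payload in memory, and if expected webhook sizes are known, comparing `env['CONTENT_LENGTH']` against a cap before the read is a cheap mitigation. The enclosing class GithubWebhooks is closed by the last lines of the hunk.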
@@ -18,8 +18,8 @@ Gem::Specification.new do |spec|
18
18
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
19
19
  spec.require_paths = ['lib']
20
20
 
21
- spec.add_development_dependency 'bundler', '~> 1.10'
22
- spec.add_development_dependency 'rake', '~> 10.0'
21
+ spec.add_development_dependency 'bundler', '>= 1.10'
22
+ spec.add_development_dependency 'rake'
23
23
  spec.add_development_dependency 'minitest'
24
24
  spec.add_development_dependency 'pry'
25
25
  spec.add_development_dependency 'rack-test'
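--- a/metadata
+++ b/metadata
@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: rack-github_webhooks
 version: !ruby/object:Gem::Version
-version: 0.2.0
+version: 0.5.0
 platform: ruby
 authors:
 - Chris Mytton
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2015-11-29 00:00:00.000000000 Z
+date: 2022-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
 - !ruby/object:Gem::Version
 version: '1.10'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
 - !ruby/object:Gem::Version
 version: '1.10'
 - !ruby/object:Gem::Dependency
 name: rake
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
 - !ruby/object:Gem::Version
-version: '10.0'
+version: '0'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "~>"
+- - ">="
 - !ruby/object:Gem::Version
-version: '10.0'
+version: '0'
 - !ruby/object:Gem::Dependency
 name: minitest
 requirement: !ruby/object:Gem::Requirement
@@ -94,7 +94,7 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description:
+description:
 email:
 - chrismytton@gmail.com
 executables: []
@@ -117,7 +117,7 @@ homepage: https://github.com/chrismytton/rack-github_webhook
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -132,9 +132,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.4.5.1
-signing_key:
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: Rack middleware to check GitHub webhooks are authentic
 test_files: []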