rack-github_webhooks 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a873ebafec269872d3abb639f944a479adf2546f
-  data.tar.gz: 717c16e2efcc488894a7bdb40aea1166d52d1851
+SHA256:
+  metadata.gz: 4e9bc4dec047a6c37f877852a93a65b18c9aadb80be3b2814ae1a5c938ccc5b0
+  data.tar.gz: 0ae119a01cf1ac2afbe6582645d2de9f6452b6231c8ce5b8ce27139b1223d565
 SHA512:
-  metadata.gz: 9dc3c67e962e3866178dee129c2d2fe33bb0cf3ade812a4b615c8d25cd99fc129c553cfdd5dffa07d722962589908ee05a39b0d1dd538fe3036d4bc7c01d2b51
-  data.tar.gz: f4649ebce4d107ce3baa0d057aa97df7341b73d393c2f06da1a7c05e904654e5d78ea8d15c1a94718d28c0074e5dbc694c1f2b813886e9664bc9e73e1f991b7d
+  metadata.gz: 1405789690a5345c9676e29e229bf4d1b4e1541b72506c7571ead31281f2ca14c79cd366fa08ed2d3c9d972061a97d102d313e76c40dd663a76c013854c23e4f
+  data.tar.gz: ff191f5ec6ad9c86a978f9a8d9f03792dcc929e9f1b39e600aa157da2971df2d13025d61b4ce17675a8bdcf148b41af3c6ea748bf118805c97bbaf6fdc4be634

data/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.5.0] - 2022-03-09
+
+### Changed
+
+- Validate using SHA256 instead of SHA1 #3
+
 ## [0.4.0] - 2016-03-25
 
 ### Fixed
@@ -29,3 +35,4 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 [0.2.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.1.0...v0.2.0
 [0.3.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.2.0...v0.3.0
 [0.4.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.3.0...v0.4.0
+[0.5.0]: https://github.com/chrismytton/rack-github_webhooks/compare/v0.4.0...v0.5.0

data/lib/rack/github_webhooks/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class GithubWebhooks
-    VERSION = '0.4.0'
+    VERSION = '0.5.0'
   end
 end

data/lib/rack/github_webhooks.rb

@@ -5,13 +5,12 @@ require 'json'
 module Rack
   class GithubWebhooks
     class Signature
-      HMAC_DIGEST = OpenSSL::Digest.new('sha1')
+      HMAC_DIGEST = OpenSSL::Digest.new('sha256')
 
       def initialize(secret, hub_signature, payload_body)
         @secret = secret
         @hub_signature = hub_signature
-        @signature = 'sha1=' +
-                     OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)
+        @signature = "sha256=#{OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, payload_body)}"
       end
 
       def valid?
@@ -27,20 +26,23 @@ module Rack
     end
 
     def call(env)
-      env['rack.input'].rewind
+      rewind_body(env)
       signature = Signature.new(
         @secret,
-        env['HTTP_X_HUB_SIGNATURE'],
+        env['HTTP_X_HUB_SIGNATURE_256'],
         env['rack.input'].read
       )
       return [400, {}, ["Signatures didn't match!"]] unless signature.valid?
 
-      begin
-        env['rack.input'].rewind if env['rack.input'].respond_to?(:rewind)
-      rescue Errno::ESPIPE
-      end
-
+      rewind_body(env)
       @app.call(env)
     end
+
+    private
+
+    def rewind_body(env)
+      env['rack.input'].rewind if env['rack.input'].respond_to?(:rewind)
+    rescue Errno::ESPIPE
+    end
   end
 end

data/rack-github_webhooks.gemspec

@@ -18,8 +18,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler', '~> 1.10'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '>= 1.10'
+  spec.add_development_dependency 'rake'
   spec.add_development_dependency 'minitest'
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rack-test'

metadata

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: rack-github_webhooks
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Chris Mytton
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-03-25 00:00:00.000000000 Z
+date: 2022-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.10'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - chrismytton@gmail.com
 executables: []
@@ -117,7 +117,7 @@ homepage: https://github.com/chrismytton/rack-github_webhook
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -132,9 +132,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.2.22
+signing_key:
 specification_version: 4
 summary: Rack middleware to check GitHub webhooks are authentic
 test_files: []