razorpay 3.2.3 → 3.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 378791c954dc8fd9cd1b32fac1f61e4955bb8cf0e0df081f6be872ca22d26da8
-  data.tar.gz: dced052941fccf512cbbffaa2ca4e36949c96f12456908bea790e7511f4062ab
+  metadata.gz: 20c9fe5dd27329aceee373510059552808b2ed481fb59da923f2dca95d857156
+  data.tar.gz: d58229258c2df81882fea1bdb99a136e34f458f3170f0df4ab2b5f7123a827a5
 SHA512:
-  metadata.gz: e0c9d0ceec3e76d8e996ea56e3032f615891278c37c511b3f6e777508e6525b9eaddecb11fd02ecf09cd7845562680d085f13a14f6591cfe88b692e496d52a01
-  data.tar.gz: 1513933a083dbb5df97ad56e5cb898c3538ca51186a9118818c4bc6c05838f29bf6e3af1c0dc836b65d260152ba6ad85dfde26b9877ef0830868f2f8b1521c04
+  metadata.gz: fd7ecba7866f08006fc27b7d5a4b5cb4d9ccf7f5fdf39ca833e60988b46b0fded9afdea31bc7679b256a150fac525eeb2ca77985043143073d52471490919f67
+  data.tar.gz: 1d5747bf39b762bdbfd010fd212d07a78ab94c5cd712a121f8b6592e5850aa1bd8a0913ad8d26bce50f390631b94376088af78163574578f3b2e62a1e15f983d

data/.cursorignore

@@ -0,0 +1,174 @@
+# Distribution and Environment
+dist/*
+build/*
+venv/*
+env/*
+*.env
+.env.*
+virtualenv/*
+.python-version
+.ruby-version
+.node-version
+
+# Logs and Temporary Files
+*.log
+*.tsv
+*.csv
+*.txt
+tmp/*
+temp/*
+.tmp/*
+*.temp
+*.cache
+.cache/*
+logs/*
+
+# Sensitive Data
+*.sqlite
+*.sqlite3
+*.dbsql
+secrets.*
+.npmrc
+.yarnrc
+.aws/*
+.config/*
+
+# Credentials and Keys
+*.pem
+*.ppk
+*.key
+*.pub
+*.p12
+*.pfx
+*.htpasswd
+*.keystore
+*.jks
+*.truststore
+*.cer
+id_rsa*
+known_hosts
+authorized_keys
+.ssh/*
+.gnupg/*
+.pgpass
+
+# Config Files
+*.conf
+*.toml
+*.ini
+.env.local
+.env.development
+.env.test
+.env.production
+config/*
+
+# Database Files
+*.sql
+*.db
+*.dmp
+*.dump
+*.backup
+*.restore
+*.mdb
+*.accdb
+*.realm*
+
+# Backup and Archive Files
+*.bak
+*.backup
+*.swp
+*.swo
+*.swn
+*~
+*.old
+*.orig
+*.archive
+*.gz
+*.zip
+*.tar
+*.rar
+*.7z
+
+# Compiled and Binary Files
+*.pyc
+*.pyo
+**/__pycache__/**
+*.class
+*.jar
+*.war
+*.ear
+*.dll
+*.exe
+*.so
+*.dylib
+*.bin
+*.obj
+
+# IDE and Editor Files
+.idea/*
+*.iml
+.vscode/*
+.project
+.classpath
+.settings/*
+*.sublime-*
+.atom/*
+.eclipse/*
+*.code-workspace
+.history/*
+
+# Build and Dependency Directories
+node_modules/*
+bower_components/*
+vendor/*
+packages/*
+jspm_packages/*
+.gradle/*
+target/*
+out/*
+
+# Testing and Coverage Files
+coverage/*
+.coverage
+htmlcov/*
+.pytest_cache/*
+.tox/*
+junit.xml
+test-results/*
+
+# Mobile Development
+*.apk
+*.aab
+*.ipa
+*.xcarchive
+*.provisionprofile
+google-services.json
+GoogleService-Info.plist
+
+# Certificate and Security Files
+*.crt
+*.csr
+*.ovpn
+*.p7b
+*.p7s
+*.pfx
+*.spc
+*.stl
+*.pem.crt
+ssl/*
+
+# Container and Infrastructure
+*.tfstate
+*.tfstate.backup
+.terraform/*
+.vagrant/*
+docker-compose.override.yml
+kubernetes/*
+
+# Design and Media Files (often large and binary)
+*.psd
+*.ai
+*.sketch
+*.fig
+*.xd
+assets/raw/*

data/.github/workflows/ci.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - master
+      - fix/upgrade-github-actions-v4
     tags:
       - v[0-9]+.[0-9]+.[0-9]+*
   pull_request:
@@ -14,7 +15,7 @@ jobs:
   runs-on: ubuntu-latest
 
   steps:
-  - uses: actions/checkout@v3
+  - uses: actions/checkout@v4
   - name: Set up Ruby
     uses: ruby/setup-ruby@v1
     with:
@@ -24,7 +25,7 @@ jobs:
   - name: Build
     run: gem build *.gemspec
   - name: 'Upload Artifact'
-    uses: actions/upload-artifact@v3
+    uses: actions/upload-artifact@v4
     with:
       name: gems
       path: '*.gem'
@@ -37,7 +38,7 @@ jobs:
 
   steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: Set up Ruby latest
       uses: ruby/setup-ruby@v1
       with:
@@ -48,19 +49,19 @@ jobs:
       run: bundle exec rake
     - name: Upload coverage to Codecov
       if: ${{ matrix.ruby-version == 3.1 }}
-      uses: codecov/codecov-action@v3
+      uses: codecov/codecov-action@v4
       with:
         files: ${{ github.workspace }}/coverage/coverage.xml
  publish:      
     name: Publish
-    if: startsWith(github.ref, 'refs/tags/v')
+    # if: startsWith(github.ref, 'refs/tags/v')
     needs: [build, test]
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - run: sudo apt-get install -y oathtool
     - name: Download all workflow run artifacts
-      uses: actions/download-artifact@v3
+      uses: actions/download-artifact@v4
       with:
         name: gems
         path: gems

data/CHANGELOG.md

@@ -4,6 +4,12 @@ Changelog for Razorpay-Ruby SDK.
 
 ## Unreleased
 
+## [3.2.4] - 2026-06-08
+
+fix: Security fix for AES-GCM onboarding signature
+* Fixed nonce reuse vulnerability in `generate_onboarding_signature` by using a random nonce per call instead of a static IV derived from the secret key
+* New output format: `hex(iv[12] || ciphertext || tag[16])` — the receiver reads the first 24 hex chars as the IV before decrypting
+
 ## [3.2.3] - 2024-05-27
 
 feat: Added new API endpoints

data/lib/razorpay/constants.rb

@@ -2,7 +2,7 @@
 module Razorpay
   BASE_URI = 'https://api.razorpay.com'.freeze
   TEST_URL = 'https://api.razorpay.com/'.freeze
-  VERSION  = '3.2.3'.freeze
+  VERSION  = '3.2.4'.freeze
   AUTH_URL = 'https://auth.razorpay.com'.freeze
   API_HOST = 'API'.freeze
   AUTH_HOST    = 'AUTH'.freeze

data/lib/razorpay/utility.rb

@@ -59,9 +59,13 @@ module Razorpay
       end
 
       def encrypt(data, secret)
-        iv = secret[0, 12]
         key = secret[0, 16]
 
+        # Generate a fresh random 12-byte nonce per call (fixes AES-GCM nonce reuse).
+        # A static IV derived from the secret allows keystream recovery and tag forgery
+        # (NIST SP 800-38D §8.3 Forbidden Attack) using only two captured ciphertexts.
+        iv = OpenSSL::Random.random_bytes(12)
+
         cipher = OpenSSL::Cipher.new('aes-128-gcm')
         cipher.encrypt
         cipher.key = key
@@ -72,9 +76,10 @@ module Razorpay
         encrypted = cipher.update(data) + cipher.final
 
         tag = cipher.auth_tag
-        combined_encrypted_data = encrypted + tag
 
-        encrypted_data_hex = combined_encrypted_data.unpack1("H*")
+        # Output format: iv (12 bytes) || ciphertext || tag (16 bytes), hex-encoded.
+        # Receiver must read the first 24 hex chars as the IV before decrypting.
+        (iv + encrypted + tag).unpack1("H*")
       end
     end
   end

data/test/razorpay/test_utility.rb

@@ -99,11 +99,11 @@ module Razorpay
     def decrypt(data, secret)
       combined_encrypted_data = [data].pack("H*")
 
-      iv = secret[0, 12]
+      iv = combined_encrypted_data[0, 12]
       key = secret[0, 16]
       tag = combined_encrypted_data[-16..]
 
-      encrypted_data = combined_encrypted_data[0...-16]
+      encrypted_data = combined_encrypted_data[12...-16]
 
       cipher = OpenSSL::Cipher.new('aes-128-gcm')
       cipher.decrypt

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: razorpay
 version: !ruby/object:Gem::Version
-  version: 3.2.3
+  version: 3.2.4
 platform: ruby
 authors:
 - Abhay Rana
 - Harman Singh
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-27 00:00:00.000000000 Z
+date: 2026-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httparty
@@ -117,6 +117,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".cursorignore"
 - ".editorconfig"
 - ".github/dependabot.yml"
 - ".github/pull_request_template.md"
@@ -351,7 +352,7 @@ homepage: https://razorpay.com/
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -367,7 +368,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.27
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Razorpay's Ruby API
 test_files: