rest-client 1.7.2 → 1.7.3


@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 8807a06ea9680179c83ab3cc8e93c13b517c04a4
4
+ data.tar.gz: bdaa911803deedb6cc50870ecc438f98fbd6ba8f
5
+ SHA512:
6
+ metadata.gz: 40873fc7011e525bcec7460323c7256397783232d16f01eea880a45c6f7ad4c454edb0e28ac4150a76101f9ab48ca62ea63fb740297168760b75743bf565d896
7
+ data.tar.gz: 88be594b35a8c7eca659b553fd79c09ee6aec9411f1eaa176c9bf1bba95822c7283fb1cba78c5c9528ad97d7581475ee59d9dccd93cc06f5c2d1a53c4a8f3ecb
data/history.md CHANGED
@@ -1,3 +1,9 @@
1
+ # 1.7.3
2
+
3
+ - Security: redact password in URI from logs (#349 / OSVDB-117461)
4
+ - Drop monkey patch on MIME::Types (added `type_for_extension` method, use
5
+ the public interface instead.
6
+
1
7
  # 1.7.2
2
8
 
3
9
  - Ignore duplicate certificates in CA store on Windows
@@ -195,8 +195,8 @@ module RestClient
195
195
  end
196
196
  end
197
197
 
198
- # backwards compatibility
199
198
  class RestClient::Request
199
+ # backwards compatibility
200
200
  Redirect = RestClient::Redirect
201
201
  Unauthorized = RestClient::Unauthorized
202
202
  RequestFailed = RestClient::RequestFailed
@@ -4,7 +4,7 @@ module RestClient
4
4
  # be false for jruby even on OS X.
5
5
  #
6
6
  # @return [Boolean]
7
- def self.mac?
7
+ def self.mac_mri?
8
8
  RUBY_PLATFORM.include?('darwin')
9
9
  end
10
10
 
@@ -334,7 +334,7 @@ module RestClient
334
334
 
335
335
  def print_verify_callback_warnings
336
336
  warned = false
337
- if RestClient::Platform.mac?
337
+ if RestClient::Platform.mac_mri?
338
338
  warn('warning: ssl_verify_callback return code is ignored on OS X')
339
339
  warned = true
340
340
  end
@@ -519,7 +519,18 @@ module RestClient
519
519
  return unless RestClient.log
520
520
 
521
521
  out = []
522
- out << "RestClient.#{method} #{url.inspect}"
522
+ sanitized_url = begin
523
+ uri = URI.parse(url)
524
+ uri.password = "REDACTED" if uri.password
525
+ uri.to_s
526
+ rescue URI::InvalidURIError
527
+ # An attacker may be able to manipulate the URL to be
528
+ # invalid, which could force discloure of a password if
529
+ # we show any of the un-parsed URL here.
530
+ "[invalid uri]"
531
+ end
532
+
533
+ out << "RestClient.#{method} #{sanitized_url.inspect}"
523
534
  out << payload.short_inspect if payload
524
535
  out << processed_headers.to_a.sort.map { |(k, v)| [k.inspect, v.inspect].join("=>") }.join(", ")
525
536
  RestClient.log << out.join(', ') + "\n"
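Review bot: Only the password component of the userinfo is redacted at `uri.password = "REDACTED" if uri.password`; the username still reaches the log (the new spec further down asserts `"http://user:REDACTED@url"`), and nothing in the hunk says whether that is intended. A comment above `sanitized_url = begin` would make the scope explicit, e.g. `# Redact the password (but not the username) from the logged URL; see #349 / OSVDB-117461.` — or, if the username should not be logged either, blank `uri.user` as well. The rescue clause catches `URI::InvalidURIError` only; if `url` can be something other than a String at this point (the method's signature is outside the hunk), `URI.parse` may raise a different error class and the log call would then raise instead of writing `[invalid uri]`, which is worth confirming against the callers. The enclosing `log_request` starts outside the hunk.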
@@ -544,8 +555,7 @@ module RestClient
544
555
  key = key.to_s.split(/_/).map { |w| w.capitalize }.join('-')
545
556
  end
546
557
  if 'CONTENT-TYPE' == key.upcase
547
- target_value = value.to_s
548
- result[key] = MIME::Types.type_for_extension target_value
558
+ result[key] = maybe_convert_extension(value.to_s)
549
559
  elsif 'ACCEPT' == key.upcase
550
560
  # Accept can be composed of several comma-separated values
551
561
  if value.is_a? Array
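Review bot: The Content-Type branch passes `value.to_s` to `maybe_convert_extension` without stripping, while the Accept branch in the next hunk (`@@ -553`) strips each comma-separated value before the lookup; with the new regex guard in `maybe_convert_extension`, a Content-Type such as `' json'` does not match and is passed through unchanged (as the old lookup also did), whereas `'json'` is converted. If that asymmetry is not intended, `result[key] = maybe_convert_extension(value.to_s.strip)` aligns the two branches; otherwise a one-line comment noting that Content-Type is looked up verbatim would spare the next reader the question. `stringify_headers` begins and ends outside the hunk.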
@@ -553,7 +563,9 @@ module RestClient
553
563
  else
554
564
  target_values = value.to_s.split ','
555
565
  end
556
- result[key] = target_values.map { |ext| MIME::Types.type_for_extension(ext.to_s.strip) }.join(', ')
566
+ result[key] = target_values.map { |ext|
567
+ maybe_convert_extension(ext.to_s.strip)
568
+ }.join(', ')
557
569
  else
558
570
  result[key] = value.to_s
559
571
  end
@@ -571,21 +583,38 @@ module RestClient
571
583
  URI.const_defined?(:Parser) ? URI::Parser.new : URI
572
584
  end
573
585
 
574
- end
575
- end
576
-
577
- module MIME
578
- class Types
579
-
580
- # Return the first found content-type for a value considered as an extension or the value itself
581
- def type_for_extension ext
582
- candidates = @extension_index[ext]
583
- candidates.empty? ? ext : candidates[0].content_type
584
- end
586
+ # Given a MIME type or file extension, return either a MIME type or, if
587
+ # none is found, the input unchanged.
588
+ #
589
+ # >> maybe_convert_extension('json')
590
+ # => 'application/json'
591
+ #
592
+ # >> maybe_convert_extension('unknown')
593
+ # => 'unknown'
594
+ #
595
+ # >> maybe_convert_extension('application/xml')
596
+ # => 'application/xml'
597
+ #
598
+ # @param ext [String]
599
+ #
600
+ # @return [String]
601
+ #
602
+ def maybe_convert_extension(ext)
603
+ unless ext =~ /\A[a-zA-Z0-9_@-]+\z/
604
+ # Don't look up strings unless they look like they could be a file
605
+ # extension known to mime-types.
606
+ #
607
+ # There currently isn't any API public way to look up extensions
608
+ # directly out of MIME::Types, but the type_for() method only strips
609
+ # off after a period anyway.
610
+ return ext
611
+ end
585
612
 
586
- class << self
587
- def type_for_extension ext
588
- @__types__.type_for_extension ext
613
+ types = MIME::Types.type_for(ext)
614
+ if types.empty?
615
+ ext
616
+ else
617
+ types.first.content_type
589
618
  end
590
619
  end
591
620
  end
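Review bot: `MIME::Types.type_for(ext)` is not necessarily ordered the same way the removed `@extension_index[ext]` lookup was, so `types.first.content_type` can resolve an extension that has several registered types to a different content type than 1.7.2 did; if that compatibility matters, a spec pinning one such extension would catch it. The method's visibility cannot be seen from the hunk (a `private` marker would be outside it); the YARD block reads like public API, so if this is an internal helper it should sit below `private`. The guard regex is correctly anchored with `\A`/`\z` for whole-string validation, but the `@` in the character class is not obviously part of a file extension; a short comment such as `# '@' is accepted because … — TODO confirm against the mime-types registry` would document the reason.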
@@ -1,5 +1,5 @@
1
1
  module RestClient
2
- VERSION = '1.7.2' unless defined?(self::VERSION)
2
+ VERSION = '1.7.3' unless defined?(self::VERSION)
3
3
 
4
4
  def self.version
5
5
  VERSION
@@ -34,7 +34,7 @@ describe RestClient::Request do
34
34
  #
35
35
  # On OS X, this test fails since Apple has patched OpenSSL to always fall
36
36
  # back on the system CA store.
37
- it "is unsuccessful with an incorrect ca_file", :unless => RestClient::Platform.mac? do
37
+ it "is unsuccessful with an incorrect ca_file", :unless => RestClient::Platform.mac_mri? do
38
38
  request = RestClient::Request.new(
39
39
  :method => :get,
40
40
  :url => 'https://www.mozilla.org',
@@ -45,7 +45,7 @@ describe RestClient::Request do
45
45
 
46
46
  # On OS X, this test fails since Apple has patched OpenSSL to always fall
47
47
  # back on the system CA store.
48
- it "is unsuccessful with an incorrect ca_path", :unless => RestClient::Platform.mac? do
48
+ it "is unsuccessful with an incorrect ca_path", :unless => RestClient::Platform.mac_mri? do
49
49
  request = RestClient::Request.new(
50
50
  :method => :get,
51
51
  :url => 'https://www.mozilla.org',
@@ -79,7 +79,7 @@ describe RestClient::Request do
79
79
  end
80
80
 
81
81
  it "fails verification when the callback returns false",
82
- :unless => RestClient::Platform.mac? do
82
+ :unless => RestClient::Platform.mac_mri? do
83
83
  request = RestClient::Request.new(
84
84
  :method => :get,
85
85
  :url => 'https://www.mozilla.org',
@@ -90,7 +90,7 @@ describe RestClient::Request do
90
90
  end
91
91
 
92
92
  it "succeeds verification when the callback returns true",
93
- :unless => RestClient::Platform.mac? do
93
+ :unless => RestClient::Platform.mac_mri? do
94
94
  request = RestClient::Request.new(
95
95
  :method => :get,
96
96
  :url => 'https://www.mozilla.org',
@@ -414,6 +414,18 @@ describe RestClient::Request do
414
414
  @request.log_response res
415
415
  log[0].should eq "# => 200 OK | text/html 0 bytes\n"
416
416
  end
417
+
418
+ it 'does not log request password' do
419
+ log = RestClient.log = []
420
+ RestClient::Request.new(:method => :get, :url => 'http://user:password@url', :headers => {:user_agent => 'rest-client', :accept => '*/*'}).log_request
421
+ log[0].should eq %Q{RestClient.get "http://user:REDACTED@url", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"rest-client"\n}
422
+ end
423
+
424
+ it 'logs invalid URIs, even though they will fail elsewhere' do
425
+ log = RestClient.log = []
426
+ RestClient::Request.new(:method => :get, :url => 'http://a@b:c', :headers => {:user_agent => 'rest-client', :accept => '*/*'}).log_request
427
+ log[0].should eq %Q{RestClient.get "[invalid uri]", "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "User-Agent"=>"rest-client"\n}
428
+ end
417
429
  end
418
430
 
419
431
  it "strips the charset from the response content type" do
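Review bot: The two new examples cover a password-bearing URL and an invalid URL, but not a URL whose userinfo has a username only (`http://user@url`), which is the branch where `uri.password` is nil and the URL must be logged unchanged; a third example, `it 'leaves URLs without a password unchanged'` with the same arrangement and an expectation containing `"http://user@url"`, would pin that path. Both examples also assign `RestClient.log = []` without restoring it; if the surrounding `describe` does not reset the logger in a before/after hook, the assignment leaks into later examples.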
metadata CHANGED
@@ -1,141 +1,126 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rest-client
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.7.2
5
- prerelease:
4
+ version: 1.7.3
6
5
  platform: ruby
7
6
  authors:
8
7
  - REST Client Team
9
8
  autorequire:
10
9
  bindir: bin
11
10
  cert_chain: []
12
- date: 2014-07-14 00:00:00.000000000 Z
11
+ date: 2015-02-20 00:00:00.000000000 Z
13
12
  dependencies:
14
13
  - !ruby/object:Gem::Dependency
15
14
  name: webmock
16
15
  requirement: !ruby/object:Gem::Requirement
17
- none: false
18
16
  requirements:
19
- - - ~>
17
+ - - "~>"
20
18
  - !ruby/object:Gem::Version
21
19
  version: '1.4'
22
20
  type: :development
23
21
  prerelease: false
24
22
  version_requirements: !ruby/object:Gem::Requirement
25
- none: false
26
23
  requirements:
27
- - - ~>
24
+ - - "~>"
28
25
  - !ruby/object:Gem::Version
29
26
  version: '1.4'
30
27
  - !ruby/object:Gem::Dependency
31
28
  name: rspec
32
29
  requirement: !ruby/object:Gem::Requirement
33
- none: false
34
30
  requirements:
35
- - - ~>
31
+ - - "~>"
36
32
  - !ruby/object:Gem::Version
37
33
  version: '2.4'
38
34
  type: :development
39
35
  prerelease: false
40
36
  version_requirements: !ruby/object:Gem::Requirement
41
- none: false
42
37
  requirements:
43
- - - ~>
38
+ - - "~>"
44
39
  - !ruby/object:Gem::Version
45
40
  version: '2.4'
46
41
  - !ruby/object:Gem::Dependency
47
42
  name: pry
48
43
  requirement: !ruby/object:Gem::Requirement
49
- none: false
50
44
  requirements:
51
- - - ! '>='
45
+ - - ">="
52
46
  - !ruby/object:Gem::Version
53
47
  version: '0'
54
48
  type: :development
55
49
  prerelease: false
56
50
  version_requirements: !ruby/object:Gem::Requirement
57
- none: false
58
51
  requirements:
59
- - - ! '>='
52
+ - - ">="
60
53
  - !ruby/object:Gem::Version
61
54
  version: '0'
62
55
  - !ruby/object:Gem::Dependency
63
56
  name: pry-doc
64
57
  requirement: !ruby/object:Gem::Requirement
65
- none: false
66
58
  requirements:
67
- - - ! '>='
59
+ - - ">="
68
60
  - !ruby/object:Gem::Version
69
61
  version: '0'
70
62
  type: :development
71
63
  prerelease: false
72
64
  version_requirements: !ruby/object:Gem::Requirement
73
- none: false
74
65
  requirements:
75
- - - ! '>='
66
+ - - ">="
76
67
  - !ruby/object:Gem::Version
77
68
  version: '0'
78
69
  - !ruby/object:Gem::Dependency
79
70
  name: rdoc
80
71
  requirement: !ruby/object:Gem::Requirement
81
- none: false
82
72
  requirements:
83
- - - ! '>='
73
+ - - ">="
84
74
  - !ruby/object:Gem::Version
85
75
  version: 2.4.2
86
- - - <
76
+ - - "<"
87
77
  - !ruby/object:Gem::Version
88
78
  version: '5.0'
89
79
  type: :development
90
80
  prerelease: false
91
81
  version_requirements: !ruby/object:Gem::Requirement
92
- none: false
93
82
  requirements:
94
- - - ! '>='
83
+ - - ">="
95
84
  - !ruby/object:Gem::Version
96
85
  version: 2.4.2
97
- - - <
86
+ - - "<"
98
87
  - !ruby/object:Gem::Version
99
88
  version: '5.0'
100
89
  - !ruby/object:Gem::Dependency
101
90
  name: mime-types
102
91
  requirement: !ruby/object:Gem::Requirement
103
- none: false
104
92
  requirements:
105
- - - ! '>='
93
+ - - ">="
106
94
  - !ruby/object:Gem::Version
107
95
  version: '1.16'
108
- - - <
96
+ - - "<"
109
97
  - !ruby/object:Gem::Version
110
98
  version: '3.0'
111
99
  type: :runtime
112
100
  prerelease: false
113
101
  version_requirements: !ruby/object:Gem::Requirement
114
- none: false
115
102
  requirements:
116
- - - ! '>='
103
+ - - ">="
117
104
  - !ruby/object:Gem::Version
118
105
  version: '1.16'
119
- - - <
106
+ - - "<"
120
107
  - !ruby/object:Gem::Version
121
108
  version: '3.0'
122
109
  - !ruby/object:Gem::Dependency
123
110
  name: netrc
124
111
  requirement: !ruby/object:Gem::Requirement
125
- none: false
126
112
  requirements:
127
- - - ~>
113
+ - - "~>"
128
114
  - !ruby/object:Gem::Version
129
115
  version: '0.7'
130
116
  type: :runtime
131
117
  prerelease: false
132
118
  version_requirements: !ruby/object:Gem::Requirement
133
- none: false
134
119
  requirements:
135
- - - ~>
120
+ - - "~>"
136
121
  - !ruby/object:Gem::Version
137
122
  version: '0.7'
138
- description: ! 'A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework
123
+ description: 'A simple HTTP and REST client for Ruby, inspired by the Sinatra microframework
139
124
  style of specifying actions: get, put, post, delete.'
140
125
  email: rest.client@librelist.com
141
126
  executables:
@@ -145,9 +130,9 @@ extra_rdoc_files:
145
130
  - README.rdoc
146
131
  - history.md
147
132
  files:
148
- - .gitignore
149
- - .rspec
150
- - .travis.yml
133
+ - ".gitignore"
134
+ - ".rspec"
135
+ - ".travis.yml"
151
136
  - AUTHORS
152
137
  - Gemfile
153
138
  - LICENSE
@@ -198,30 +183,26 @@ files:
198
183
  homepage: https://github.com/rest-client/rest-client
199
184
  licenses:
200
185
  - MIT
186
+ metadata: {}
201
187
  post_install_message:
202
188
  rdoc_options: []
203
189
  require_paths:
204
190
  - lib
205
191
  required_ruby_version: !ruby/object:Gem::Requirement
206
- none: false
207
192
  requirements:
208
- - - ! '>='
193
+ - - ">="
209
194
  - !ruby/object:Gem::Version
210
195
  version: 1.9.2
211
196
  required_rubygems_version: !ruby/object:Gem::Requirement
212
- none: false
213
197
  requirements:
214
- - - ! '>='
198
+ - - ">="
215
199
  - !ruby/object:Gem::Version
216
200
  version: '0'
217
- segments:
218
- - 0
219
- hash: 1102817666116175326
220
201
  requirements: []
221
202
  rubyforge_project:
222
- rubygems_version: 1.8.23
203
+ rubygems_version: 2.2.2
223
204
  signing_key:
224
- specification_version: 3
205
+ specification_version: 4
225
206
  summary: Simple HTTP and REST client for Ruby, inspired by microframework syntax for
226
207
  specifying actions.
227
208
  test_files: