sdk-reforge 1.10.0 → 1.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8f8071f99c74c0f8b10bebefcb3a15042b2276797e3696be3e8dbf16b0ce446
-  data.tar.gz: d51548a473a3fced6a34ca2f66453572c11c376c209178a5bdcfc3c3581a92b5
+  metadata.gz: de9767c4803726a6881d27e59b026d4a1e23d5592effae2f72908f44aed56e23
+  data.tar.gz: 16ab3c79d14b20136bb15cafd76b641f3dcced86c160a16681cf7666a564ec41
 SHA512:
-  metadata.gz: 92a6bbc060c11f39c99c28d6b5577049a8b7a379d6edf29408bdd40a5d78c9c6527922bc62970127cff4d3ad6373109672e4305229f0edd155aaaf5b75debc78
-  data.tar.gz: 4ce7e08d5789756af12148ef0921674f8c5d1bebca92b33100c888d0ee646a87de47fa5ca68a50b0543b76dab69a054eb81bc244bf64e70cda3197fae17544b9
+  metadata.gz: c5e8a05f5f01014d9605c68648de26784d9190fdb3ab61d2c3ea55687a35feea851c5f50fbe86a3d21dfd8a0795df4644a656db04098988f8f3e7e030b117ae8
+  data.tar.gz: fe44f02ea0fffa0982732a4c581b50440ce174e2cd3798208820ca96b4ee2cfebe90e866d8566588c2d795b39bd505234bbd56340a2155869f740cdc60b8b15f

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.11.2 - 2025-10-07
+
+- Address OpenSSL issue with vulnerability to truncation attack
+
+## 1.11.1 - 2025-10-06
+
+- quiet logging for SSE reconnections
+- let the SSE::Client handle the Last-Event-ID header
+
 ## 1.10.0 - 2025-10-02
 
 - require `base64` for newest ruby versions

data/VERSION

@@ -1 +1 @@
-1.10.0
+1.11.2

data/lib/reforge/encryption.rb

@@ -4,6 +4,7 @@ module Reforge
   class Encryption
     CIPHER_TYPE = "aes-256-gcm" # 32/12
     SEPARATOR = "--"
+    AUTH_TAG_LENGTH = 16
 
     # Hexadecimal format ensures that generated keys are representable with
     # plain text
@@ -32,22 +33,30 @@ module Reforge
       encrypted = cipher.update(clear_text)
       encrypted << cipher.final
       tag = cipher.auth_tag
-
+      
       # pack and join
       [encrypted, iv, tag].map { |p| p.unpack("H*")[0] }.join(SEPARATOR)
     end
 
     def decrypt(encrypted_string)
-      unpacked_parts = encrypted_string.split(SEPARATOR).map { |p| [p].pack("H*") }
+      encrypted_data, iv, auth_tag = encrypted_string.split(SEPARATOR).map { |p| [p].pack("H*") }
+      
+      # Currently the OpenSSL bindings do not raise an error if auth_tag is
+      # truncated, which would allow an attacker to easily forge it. See
+      # https://github.com/ruby/openssl/issues/63
+      if auth_tag.bytesize != AUTH_TAG_LENGTH
+        raise "truncated auth_tag"
+      end
 
       cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
       cipher.decrypt
       cipher.key = @key
-      cipher.iv = unpacked_parts[1]
-      cipher.auth_tag = unpacked_parts[2]
-
+      cipher.iv = iv
+  
+      cipher.auth_tag = auth_tag
+     
       # and decrypt it
-      decrypted = cipher.update(unpacked_parts[0])
+      decrypted = cipher.update(encrypted_data)
       decrypted << cipher.final
       decrypted
     end

data/lib/reforge/sse_config_client.rb

@@ -72,6 +72,7 @@ module Reforge
                       headers: headers,
                       read_timeout: @options.sse_read_timeout,
                       reconnect_time: @options.sse_default_reconnect_time,
+                      last_event_id: (@config_loader.highwater_mark&.positive? ? @config_loader.highwater_mark.to_s : nil),
                       logger: Reforge::InternalLogger.new(SSE::Client)) do |client|
         client.on_event do |event|
           if event.data.nil? || event.data.empty?
@@ -92,7 +93,12 @@ module Reforge
         end
 
         client.on_error do |error|
-          @logger.error "SSE Streaming Error: #{error.inspect} for url #{url}"
+          # SSL "unexpected eof" is expected when SSE sessions timeout normally
+          if error.is_a?(OpenSSL::SSL::SSLError) && error.message.include?('unexpected eof')
+            @logger.debug "SSE Streaming: Connection closed (expected timeout) for url #{url}"
+          else
+            @logger.error "SSE Streaming Error: #{error.inspect} for url #{url}"
+          end
 
           if @options.errors_to_close_connection.any? { |klass| error.is_a?(klass) }
             @logger.debug "Closing SSE connection for url #{url}"
@@ -106,7 +112,6 @@ module Reforge
       auth = "#{AUTH_USER}:#{@prefab_options.sdk_key}"
       auth_string = Base64.strict_encode64(auth)
       return {
-        'Last-Event-ID' => @config_loader.highwater_mark,
         'Authorization' => "Basic #{auth_string}",
         'Accept' => 'text/event-stream',
         'X-Reforge-SDK-Version' => "sdk-ruby-#{Reforge::VERSION}"

data/sdk-reforge.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: sdk-reforge 1.10.0 ruby lib
+# stub: sdk-reforge 1.11.2 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "sdk-reforge".freeze
-  s.version = "1.10.0"
+  s.version = "1.11.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Jeff Dwyer".freeze]
-  s.date = "2025-10-02"
+  s.date = "2025-10-07"
   s.description = "Feature Flags, Live Config as a service".freeze
   s.email = "jeff.dwyer@reforge.com.cloud".freeze
   s.extra_rdoc_files = [

data/test/test_sse_config_client.rb

@@ -16,7 +16,6 @@ class TestSSEConfigClient < Minitest::Test
 
     client = Reforge::SSEConfigClient.new(options, config_loader)
 
-    assert_equal 4, client.headers['Last-Event-ID']
     assert_equal "https://stream.goatsofreforge.com", client.source
 
     result = nil
@@ -48,8 +47,6 @@ class TestSSEConfigClient < Minitest::Test
 
     client = Reforge::SSEConfigClient.new(prefab_options, config_loader, sse_options)
 
-    assert_equal 4, client.headers['Last-Event-ID']
-
     result = nil
 
     # fake our load_configs block
@@ -247,4 +244,41 @@ class TestSSEConfigClient < Minitest::Test
            'Expected to have logged an error about empty data for nil'
     mock_client.verify
   end
+
+  def test_last_event_id_initialization
+    # Test with positive highwater_mark
+    config_loader = OpenStruct.new(highwater_mark: 42)
+    prefab_options = OpenStruct.new(sse_sources: ['http://localhost:4567'], sdk_key: 'test')
+    client = Reforge::SSEConfigClient.new(prefab_options, config_loader)
+
+    # Mock SSE::Client.new to capture the last_event_id argument
+    SSE::Client.stub :new, ->(*args, **kwargs, &block) {
+      assert_equal '42', kwargs[:last_event_id], 'Expected last_event_id to be "42"'
+      OpenStruct.new(closed?: false, close: nil)
+    } do
+      client.connect { |_configs, _event, _source| }
+    end
+
+    # Test with nil highwater_mark
+    config_loader = OpenStruct.new(highwater_mark: nil)
+    client = Reforge::SSEConfigClient.new(prefab_options, config_loader)
+
+    SSE::Client.stub :new, ->(*args, **kwargs, &block) {
+      assert_nil kwargs[:last_event_id], 'Expected last_event_id to be nil when highwater_mark is nil'
+      OpenStruct.new(closed?: false, close: nil)
+    } do
+      client.connect { |_configs, _event, _source| }
+    end
+
+    # Test with zero highwater_mark
+    config_loader = OpenStruct.new(highwater_mark: 0)
+    client = Reforge::SSEConfigClient.new(prefab_options, config_loader)
+
+    SSE::Client.stub :new, ->(*args, **kwargs, &block) {
+      assert_nil kwargs[:last_event_id], 'Expected last_event_id to be nil when highwater_mark is 0'
+      OpenStruct.new(closed?: false, close: nil)
+    } do
+      client.connect { |_configs, _event, _source| }
+    end
+  end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sdk-reforge
 version: !ruby/object:Gem::Version
-  version: 1.10.0
+  version: 1.11.2
 platform: ruby
 authors:
 - Jeff Dwyer
 bindir: bin
 cert_chain: []
-date: 2025-10-02 00:00:00.000000000 Z
+date: 2025-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby