sdk-reforge 1.11.1 → 1.11.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 035df48e2bfb88f49415f5bac3cc8472c1941d7aa75b2d5adeaaa9b181249566
-  data.tar.gz: 40bcb2f2d07df80308082a732852a1f3c3aca0a6e978d0fe80c022a7cd030c79
+  metadata.gz: de9767c4803726a6881d27e59b026d4a1e23d5592effae2f72908f44aed56e23
+  data.tar.gz: 16ab3c79d14b20136bb15cafd76b641f3dcced86c160a16681cf7666a564ec41
 SHA512:
-  metadata.gz: bcea0460ea869dfc1f82563c531425d63191a929dab7558d47093802a03d7d07e752c7750b308848c64e9facc1e8e6afcbff53748585604bbc5e77f72432ae14
-  data.tar.gz: 381cae539cebf7e540af04be3d332c20af0256d27b42cabbab7698297f4a96e1d56dc3f3aae99aba50636b80ba323f2d2327cdcf7ab87cce27a30f6394f09925
+  metadata.gz: c5e8a05f5f01014d9605c68648de26784d9190fdb3ab61d2c3ea55687a35feea851c5f50fbe86a3d21dfd8a0795df4644a656db04098988f8f3e7e030b117ae8
+  data.tar.gz: fe44f02ea0fffa0982732a4c581b50440ce174e2cd3798208820ca96b4ee2cfebe90e866d8566588c2d795b39bd505234bbd56340a2155869f740cdc60b8b15f

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 1.11.2 - 2025-10-07
+
+- Address OpenSSL issue with vulnerability to truncation attack
+
 ## 1.11.1 - 2025-10-06
 
 - quiet logging for SSE reconnections

data/VERSION

@@ -1 +1 @@
-1.11.1
+1.11.2

data/lib/reforge/encryption.rb

@@ -4,6 +4,7 @@ module Reforge
   class Encryption
     CIPHER_TYPE = "aes-256-gcm" # 32/12
     SEPARATOR = "--"
+    AUTH_TAG_LENGTH = 16
 
     # Hexadecimal format ensures that generated keys are representable with
     # plain text
@@ -32,22 +33,30 @@ module Reforge
       encrypted = cipher.update(clear_text)
       encrypted << cipher.final
       tag = cipher.auth_tag
-
+      
       # pack and join
       [encrypted, iv, tag].map { |p| p.unpack("H*")[0] }.join(SEPARATOR)
     end
 
     def decrypt(encrypted_string)
-      unpacked_parts = encrypted_string.split(SEPARATOR).map { |p| [p].pack("H*") }
+      encrypted_data, iv, auth_tag = encrypted_string.split(SEPARATOR).map { |p| [p].pack("H*") }
+      
+      # Currently the OpenSSL bindings do not raise an error if auth_tag is
+      # truncated, which would allow an attacker to easily forge it. See
+      # https://github.com/ruby/openssl/issues/63
+      if auth_tag.bytesize != AUTH_TAG_LENGTH
+        raise "truncated auth_tag"
+      end
 
       cipher = OpenSSL::Cipher.new(CIPHER_TYPE)
       cipher.decrypt
       cipher.key = @key
-      cipher.iv = unpacked_parts[1]
-      cipher.auth_tag = unpacked_parts[2]
-
+      cipher.iv = iv
+  
+      cipher.auth_tag = auth_tag
+     
       # and decrypt it
-      decrypted = cipher.update(unpacked_parts[0])
+      decrypted = cipher.update(encrypted_data)
       decrypted << cipher.final
       decrypted
     end

data/sdk-reforge.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: sdk-reforge 1.11.1 ruby lib
+# stub: sdk-reforge 1.11.2 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "sdk-reforge".freeze
-  s.version = "1.11.1"
+  s.version = "1.11.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib".freeze]
   s.authors = ["Jeff Dwyer".freeze]
-  s.date = "2025-10-06"
+  s.date = "2025-10-07"
   s.description = "Feature Flags, Live Config as a service".freeze
   s.email = "jeff.dwyer@reforge.com.cloud".freeze
   s.extra_rdoc_files = [

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: sdk-reforge
 version: !ruby/object:Gem::Version
-  version: 1.11.1
+  version: 1.11.2
 platform: ruby
 authors:
 - Jeff Dwyer
 bindir: bin
 cert_chain: []
-date: 2025-10-06 00:00:00.000000000 Z
+date: 2025-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby