RubyGems - shopify_api - Versions diffs - 4.0.2 → 4.0.3 - Mend

shopify_api 4.0.2 → 4.0.3

Files changed (13) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5e77deea6dfc797030a7a149f0cd566827158a3e
-  data.tar.gz: 5c12b55cdb182378441ca7599920f71236715828
+  metadata.gz: fd5fe880e2969fad40ac19852da5eb801ca3e4af
+  data.tar.gz: ae6b8c7e61139171bbf02cb5ac14552ea3c4319e
 SHA512:
-  metadata.gz: cff7626240f096796cd027a20b9afa8982e638ea19018943e429b1a9055587c3306f252be08becd64651853de25a0f4417615b74acaf3ae8a96a98b5af2f3338
-  data.tar.gz: 55f71dc3d02ba0c21e45921c9125c9efa34a6f8c98a1827361d6c7da0fc47f67cc07e3dba617d70a2c6fe37e9c50c3418dddc8d049ce04b66c7e02354d4d50d5
+  metadata.gz: 3e40036c3bfb41301aee1c74093cf991435b85764cfea3dcd828195a6cd404c74838cadefc1c84af4b3d03c6df92f3cd4957d84ed05a212e299c5608cf428edc
+  data.tar.gz: 13d1f0077ecad5dc2c45a680f066e4590d8fbb0c5e53040ce4e8e4ea5d837415e4ff63728e84fd246424a8a6a053fb95b7e79034037ca5c057d61b7d398cd35c

checksums.yaml.gz.sig ADDED Viewed

Binary file

data.tar.gz.sig ADDED Viewed

Binary file

data/.gitignore CHANGED Viewed

@@ -5,3 +5,4 @@ rdoc
 doc
 pkg
 .ruby-version
+*.lock

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,7 @@
+== Version 4.0.3
+* Fixed hmac signature validation for params with delimiters (`&`, `=` or `%`)
 == Version 4.0.2
 * Verify that the shop domain is a subdomain of .myshopify.com which creating the session

data/Gemfile CHANGED Viewed

@@ -3,3 +3,5 @@ source "https://rubygems.org"
 gemspec
 gem "activeresource", '~> 4.0.0'
+gem 'minitest', "~> 4.2"

data/lib/shopify_api/session.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'openssl'
+require 'rack'
 module ShopifyAPI
@@ -53,8 +54,16 @@ module ShopifyAPI
         params = params.with_indifferent_access
         return false unless signature = params[:hmac]
-        sorted_params = params.except(:signature, :hmac, :action, :controller).collect{|k,v|"#{k}=#{v}"}.sort.join('&')
-        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new(), secret, sorted_params) == signature
+        calculated_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new(), secret, encoded_params_for_signature(params))
+        Rack::Utils.secure_compare(calculated_signature, signature)
+      end
+      private
+      def encoded_params_for_signature(params)
+        params = params.except(:signature, :hmac, :action, :controller)
+        params.map{|k,v| "#{URI.escape(k.to_s, '&=%')}=#{URI.escape(v.to_s, '&%')}"}.sort.join('&')
       end
     end

data/lib/shopify_api/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module ShopifyAPI
-  VERSION = "4.0.2"
+  VERSION = "4.0.3"
 end

data/shopify_api.gemspec CHANGED Viewed

@@ -25,6 +25,7 @@ Gem::Specification.new do |s|
   s.license = 'MIT'
   s.add_dependency("activeresource")
+  s.add_dependency("rack")
   dev_dependencies = [['mocha', '>= 0.9.8'],
                       ['fakeweb'],

data/test/session_test.rb CHANGED Viewed

@@ -171,6 +171,24 @@ class SessionTest < Test::Unit::TestCase
       assert_equal true, ShopifyAPI::Session.validate_signature(params)
     end
+    should "return true when validating signature of params with ampersand and equal sign characters" do
+      ShopifyAPI::Session.secret = 'secret'
+      params = {'a' => '1&b=2', 'c=3&d' => '4'}
+      to_sign = "a=1%26b=2&c%3D3%26d=4"
+      params['hmac'] = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), ShopifyAPI::Session.secret, to_sign)
+      assert_equal true, ShopifyAPI::Session.validate_signature(params)
+    end
+    test "return true when validating signature of params with percent sign characters" do
+      ShopifyAPI::Session.secret = 'secret'
+      params = {'a%3D1%26b' => '2%26c%3D3'}
+      to_sign = "a%253D1%2526b=2%2526c%253D3"
+      params['hmac'] = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), ShopifyAPI::Session.secret, to_sign)
+      assert_equal true, ShopifyAPI::Session.validate_signature(params)
+    end
     private
     def make_sorted_params(params)

metadata CHANGED Viewed

@@ -1,14 +1,36 @@
 --- !ruby/object:Gem::Specification
 name: shopify_api
 version: !ruby/object:Gem::Version
-  version: 4.0.2
+  version: 4.0.3
 platform: ruby
 authors:
 - Shopify
 autorequire:
 bindir: bin
-cert_chain: []
-date: 2015-05-05 00:00:00.000000000 Z
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDcDCCAligAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQ8wDQYDVQQDDAZhZG1p
+  bnMxFzAVBgoJkiaJk/IsZAEZFgdzaG9waWZ5MRMwEQYKCZImiZPyLGQBGRYDY29t
+  MB4XDTE0MDUxNTIwMzM0OFoXDTE1MDUxNTIwMzM0OFowPzEPMA0GA1UEAwwGYWRt
+  aW5zMRcwFQYKCZImiZPyLGQBGRYHc2hvcGlmeTETMBEGCgmSJomT8ixkARkWA2Nv
+  bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0/81O3e1vh5smcwp2G
+  MpLQ6q0kejQLa65bPYPxdzWA1SYOKyGfw+yR9LdFzsuKpwWzKq6zX35lj1IckWS4
+  bNBEQzxmufUxU0XPM02haFB8fOfDJzdXsWte9Ge4IFwahwn68gpMqN+BvxL+KMYz
+  Iut9YmN44d4LZdsENEIO5vmybuG2vYDz7R56qB0PA+Q2P2CdhymsBad2DQs69FBo
+  uico9V6VMYYctL9lCYdzu9IXrOYNTt88suKIVzzAlHOKeN0Ng5qdztFoTR8sfxDr
+  Ydg3KHl5n47wlpgd8R0f/4b5gGxW+v9pyJCgQnLlRu7DedVSvv7+GMtj3g9r3nhJ
+  KqECAwEAAaN3MHUwCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFI/o
+  maf34HXbUOQsdoLHacEKQgunMB0GA1UdEQQWMBSBEmFkbWluc0BzaG9waWZ5LmNv
+  bTAdBgNVHRIEFjAUgRJhZG1pbnNAc2hvcGlmeS5jb20wDQYJKoZIhvcNAQEFBQAD
+  ggEBADkK9aj5T0HPExsov4EoMWFnO+G7RQ28C30VAfKxnL2UxG6i4XMHVs6Xi94h
+  qXFw1ec9Y2eDUqaolT3bviOk9BB197+A8Vz/k7MC6ci2NE+yDDB7HAC8zU6LAx8Y
+  Iqvw7B/PSZ/pz4bUVFlTATif4mi1vO3lidRkdHRtM7UePSn2rUpOi0gtXBP3bLu5
+  YjHJN7wx5cugMEyroKITG5gL0Nxtu21qtOlHX4Hc4KdE2JqzCPOsS4zsZGhgwhPs
+  fl3hbtVFTqbOlwL9vy1fudXcolIE/ZTcxQ+er07ZFZdKCXayR9PPs64heamfn0fp
+  TConQSX2BnZdhIEYW+cKzEC/bLc=
+  -----END CERTIFICATE-----
+date: 2015-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activeresource
@@ -24,6 +46,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: mocha
   requirement: !ruby/object:Gem::Requirement
@@ -98,7 +134,6 @@ files:
 - CHANGELOG
 - CONTRIBUTORS
 - Gemfile
-- Gemfile.lock
 - Gemfile_ar30
 - Gemfile_ar31
 - Gemfile_ar32

metadata.gz.sig ADDED Viewed

Binary file

data/Gemfile.lock DELETED Viewed

@@ -1,46 +0,0 @@
-PATH
-  remote: .
-  specs:
-    shopify_api (4.0.1)
-      activeresource
-GEM
-  remote: https://rubygems.org/
-  specs:
-    activemodel (4.0.13)
-      activesupport (= 4.0.13)
-      builder (~> 3.1.0)
-    activeresource (4.0.0)
-      activemodel (~> 4.0)
-      activesupport (~> 4.0)
-      rails-observers (~> 0.1.1)
-    activesupport (4.0.13)
-      i18n (~> 0.6, >= 0.6.9)
-      minitest (~> 4.2)
-      multi_json (~> 1.3)
-      thread_safe (~> 0.1)
-      tzinfo (~> 0.3.37)
-    builder (3.1.4)
-    fakeweb (1.3.0)
-    i18n (0.7.0)
-    metaclass (0.0.1)
-    minitest (4.7.5)
-    mocha (0.14.0)
-      metaclass (~> 0.0.1)
-    multi_json (1.10.1)
-    rails-observers (0.1.2)
-      activemodel (~> 4.0)
-    rake (10.1.0)
-    thread_safe (0.3.4)
-    tzinfo (0.3.42)
-PLATFORMS
-  ruby
-DEPENDENCIES
-  activeresource (~> 4.0.0)
-  fakeweb
-  minitest (~> 4.0)
-  mocha (>= 0.9.8)
-  rake
-  shopify_api!