signature 0.1.7 → 0.1.8

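--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 45dfb9bf73deb5b9c3961cad306a604054c86f8e
- data.tar.gz: f04bbaf672ca9f8e283639f42c909d0646e435fd
+ metadata.gz: 39b2250d70f97d089486041724cc1c550d5472ef
+ data.tar.gz: 9bd71807a08401cb9309bceaa56b8b951f173f9b
  SHA512:
- metadata.gz: a04b5b87253ae99c85bc67867f3114f5f6477a0089ea7ac0790da6f20b12f303c85a97c5c5211b82e01482820f96c021654d09b87f879793349b6bc700f49a1f
- data.tar.gz: 1f657808c67898b40c9dcb476a23bab3787c3f237db4e888968c577064a7fe544ec140c89cd3f70daad94fd9b9a3e9c060a3d43502a490bdfbc7cbfc4647545e
+ metadata.gz: 3f5b1b5b66df41a44ca5b2b42c47f1f060140f30fa38a614cd276b9d6a8e7170c3700ebd06a8e2b98ac0ac1047249e2e3d4b180e3587b42be191e9afd000ade4
+ data.tar.gz: 2066ce0c53e2778299f33d2a713f3fc5aa9770ff271d9b073f759e6f2f12aae5c1302ba9d3d94bd1be2e4907b56d14f29e9cb56284e2019e83a75ae6ad99c9fc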
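--- a/data/.gitignore
+++ b/data/.gitignore
@@ -19,3 +19,5 @@ rdoc
  pkg
 
  ## PROJECT::SPECIFIC
+ .rbx
+ .rspec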
@@ -3,12 +3,15 @@ rvm:
3
3
  - 1.8.7
4
4
  - 1.9.2
5
5
  - 1.9.3
6
- - jruby-18mode # JRuby in 1.8 mode
7
- - jruby-19mode # JRuby in 1.9 mode
6
+ - 2.0.0
7
+ - jruby-18mode
8
+ - jruby-19mode
8
9
  - rbx-18mode
9
10
  - rbx-19mode
10
11
  matrix:
11
12
  allow_failures:
13
+ - rvm: jruby-18mode
14
+ - rvm: jruby-19mode
12
15
  - rvm: rbx-18mode
13
16
  - rvm: rbx-19mode
14
17
 
@@ -0,0 +1,5 @@
1
+
2
+ 0.1.8 / 2015-01-16
3
+ ==================
4
+
5
+ * SECURITY: Perform constant time string comparison when validating signatures
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- signature (0.1.7)
4
+ signature (0.1.8)
5
5
 
6
6
  GEM
7
7
  remote: https://rubygems.org/
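--- a/data/README.md
+++ b/data/README.md
@@ -16,7 +16,7 @@ auth_hash = request.sign(token)
  query_params = params.merge(auth_hash)
 
  HTTParty.post('http://myservice/api/thing', {
- :query => query_params
+ :body => query_params
  })
  ```
 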
@@ -213,12 +213,18 @@ module Signature
213
213
  end
214
214
 
215
215
  def validate_signature!(token)
216
- unless @auth_hash["auth_signature"] == signature(token)
216
+ unless identical? @auth_hash["auth_signature"], signature(token)
217
217
  raise AuthenticationError, "Invalid signature: you should have "\
218
218
  "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"\
219
219
  ", but you sent #{@auth_hash["auth_signature"].inspect}"
220
220
  end
221
221
  return true
222
222
  end
223
+
224
+ # Constant time string comparison
225
+ def identical?(a, b)
226
+ return false unless a.bytesize == b.bytesize
227
+ a.bytes.zip(b.bytes).reduce(0) { |memo, (a, b)| memo += a ^ b } == 0
228
+ end
223
229
  end
224
230
  end
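Review bot: `identical?` calls `a.bytesize` on `@auth_hash["auth_signature"]` without checking that it is a String, so a request whose `auth_signature` is missing (nil) or not a string would raise `NoMethodError` where the old `==` comparison fell through to `AuthenticationError`; whether an earlier check rules this out is not visible here, since the class body starts outside the hunk. Guarding the helper keeps that failure on the authentication path: `return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize`. The fold also reuses `a` and `b` as block parameters, shadowing the method arguments, and `memo +=` assigns to no effect; `a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?` reads more clearly and keeps the accumulator within one byte. The comment above `identical?` could also say that the early return on length is deliberate, because the length of a hex HMAC-SHA256 digest is not secret.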
@@ -1,3 +1,3 @@
1
1
  module Signature
2
- VERSION = "0.1.7"
2
+ VERSION = "0.1.8"
3
3
  end
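--- a/metadata
+++ b/metadata
@@ -1,41 +1,41 @@
  --- !ruby/object:Gem::Specification
  name: signature
  version: !ruby/object:Gem::Version
- version: 0.1.7
+ version: 0.1.8
  platform: ruby
  authors:
  - Martyn Loughran
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2013-04-22 00:00:00.000000000 Z
+ date: 2015-01-16 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rspec
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  - !ruby/object:Gem::Dependency
  name: em-spec
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  description: Simple key/secret based authentication for apis
@@ -45,8 +45,9 @@ executables: []
  extensions: []
  extra_rdoc_files: []
  files:
- - .gitignore
- - .travis.yml
+ - ".gitignore"
+ - ".travis.yml"
+ - CHANGELOG.md
  - Gemfile
  - Gemfile.lock
  - LICENSE
@@ -67,17 +68,17 @@ require_paths:
  - lib
  required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
- - - '>='
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
  rubyforge_project:
- rubygems_version: 2.0.0
+ rubygems_version: 2.2.2
  signing_key:
  specification_version: 4
  summary: Simple key/secret based authentication for apis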