stripe 3.3.0 → 3.3.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 93c701571b0b8167fe9a2816d458715fe646e0fa
4
- data.tar.gz: 27a4af6cf8afca19384f7d9901b2980ac8da0d93
3
+ metadata.gz: bae6f0ad07bc976943ede420d50734662a18dece
4
+ data.tar.gz: fb0a6559f1a927cb2fc5092159572b86badbb0e6
5
5
  SHA512:
6
- metadata.gz: f8ebb06861148fe8e40b2737cf5f65f00e11921e6b6d4ddd790126da4d3dfa5be3ed01353a5538bfaccfc8d0fa2027d96b2ae40659e22f8b88a99f897928640f
7
- data.tar.gz: 1971744e0adf6616d472967740b8bd321cd1dc6d639ec582d436560eca093446021435f702c8662632ece248eff119019322a7e327f8b79bb025877ca589bc89
6
+ metadata.gz: 6ef3f38ac0b0e0fdbf2beb1519f2242f9268461a86be79f00a481d7a4ab841d1f7f0bde63e2f58acafc9c97d2e429a687dc492264b1d8b5b014fa5599dd585f9
7
+ data.tar.gz: af934590bfb40438ecc031f5ea17c81f6832debac19ead3b7a186887bcc41a1b7addb5f45b730c538dc413fa37beb0b6e3074588b53c5bc7f32953a1ae861ae8
@@ -1,3 +1,8 @@
1
+ === 3.3.1 2017-08-18
2
+
3
+ * Only parse webhook payload after verification to decrease likelihood of
4
+ attack
5
+
1
6
  === 3.3.0 2017-08-11
2
7
 
3
8
  * Add support for standard library logger interface with `Stripe.logger`
data/VERSION CHANGED
@@ -1 +1 @@
1
- 3.3.0
1
+ 3.3.1
@@ -1,3 +1,3 @@
1
1
  module Stripe
2
- VERSION = '3.3.0'
2
+ VERSION = '3.3.1'
3
3
  end
@@ -7,12 +7,15 @@ module Stripe
7
7
  # This may raise JSON::ParserError if the payload is not valid JSON, or
8
8
  # SignatureVerificationError if the signature verification fails.
9
9
  def self.construct_event(payload, sig_header, secret, tolerance: DEFAULT_TOLERANCE)
10
- data = JSON.parse(payload, symbolize_names: true)
11
- event = Event.construct_from(data)
12
-
13
10
  Signature.verify_header(payload, sig_header, secret, tolerance: tolerance)
14
11
 
15
- event
12
+ # It's a good idea to parse the payload only after verifying it. We use
13
+ # `symbolize_names` so it would otherwise be technically possible to
14
+ # flood a target's memory if they were on an older version of Ruby that
15
+ # doesn't GC symbols. It also decreases the likelihood that we receive a
16
+ # bad payload that fails to parse and throws an exception.
17
+ data = JSON.parse(payload, symbolize_names: true)
18
+ Event.construct_from(data)
16
19
  end
17
20
 
18
21
  module Signature
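Review bot: The header comment just above the `def` (hunk lines 7–8) still lists `JSON::ParserError` ahead of `SignatureVerificationError`, but with the reordered body the signature check now runs first, so a parse error can only be raised for a payload whose signature already verified; that guarantee is the whole point of the change and belongs in the method's contract, e.g. `# Raises SignatureVerificationError if the signature check fails; JSON::ParserError` / `# is only raised for a payload that has already passed verification.` The new inline comment is also hard to follow as written ("We use `symbolize_names` so it would otherwise be technically possible…"); reword it to say directly that verification must precede `JSON.parse` because `symbolize_names: true` turns sender-chosen keys into symbols, which Ruby versions before 2.2 never garbage-collect, so parsing an unverified body would let an unauthenticated sender grow the process's symbol table, and that it also keeps malformed JSON from raising before the signature is rejected. The fix relies on `Signature.verify_header` raising on every failure rather than returning false, since its result on hunk line 10 is discarded; the header comment suggests it raises, but `module Signature` begins on the hunk's last line and its body is outside this hunk, so that assumption could not be confirmed here.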
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: stripe
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.0
4
+ version: 3.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stripe
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-11 00:00:00.000000000 Z
11
+ date: 2017-08-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: faraday