RubyGems - stripe - Versions diffs - 1.20.4 → 1.21.0 - Mend

stripe 1.20.4 → 1.21.0

Files changed (9) hide show

data/History.txt +5 -0
data/VERSION +1 -1
data/lib/stripe.rb +43 -33
data/lib/stripe/stripe_object.rb +5 -2
data/lib/stripe/version.rb +1 -1
data/stripe.gemspec +0 -1
metadata +3 -28
data/lib/stripe/certificate_blacklist.rb +0 -55
data/test/stripe/certificate_blacklist_test.rb +0 -18

data/History.txt CHANGED

@@ -1,3 +1,8 @@
+=== 1.21.0 2015-04-14
+* Remove TLS cert revocation check. (All pre-heartbleed certs have expired.)
+* Bugfix: don't unset keys when they don't exist on StripeObject.
 === 1.20.4 2015-03-26
 * Raise an error when explicitly passing nil as the API key on resource methods

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 1.20.4
1	+ 1.21.0

data/lib/stripe.rb CHANGED

@@ -1,9 +1,12 @@
 # Stripe Ruby bindings
 # API spec at https://stripe.com/docs/api
 require 'cgi'
-require 'set'
 require 'openssl'
-require 'rest_client'
+require 'rbconfig'
+require 'set'
+require 'socket'
+require 'rest-client'
 require 'json'
 # Version
@@ -26,7 +29,6 @@ require 'stripe/account'
 require 'stripe/balance'
 require 'stripe/balance_transaction'
 require 'stripe/customer'
-require 'stripe/certificate_blacklist'
 require 'stripe/invoice'
 require 'stripe/invoice_item'
 require 'stripe/charge'
@@ -62,7 +64,6 @@ module Stripe
   @ssl_bundle_path  = DEFAULT_CA_BUNDLE_PATH
   @verify_ssl_certs = true
-  @CERTIFICATE_VERIFIED = false
   class << self
@@ -91,15 +92,17 @@ module Stripe
         'email support@stripe.com if you have any questions.)')
     end
-    request_opts = { :verify_ssl => false }
-    if ssl_preflight_passed?
-      request_opts.update(:verify_ssl => OpenSSL::SSL::VERIFY_PEER,
-                          :ssl_ca_file => @ssl_bundle_path)
-    end
-    if @verify_ssl_certs and !@CERTIFICATE_VERIFIED
-      @CERTIFICATE_VERIFIED = CertificateBlacklist.check_ssl_cert(api_base_url, @ssl_bundle_path)
+    if verify_ssl_certs
+      request_opts = {:verify_ssl => OpenSSL::SSL::VERIFY_PEER,
+                      :ssl_ca_file => @ssl_bundle_path}
+    else
+      unless @verify_ssl_warned
+        @verify_ssl_warned = true
+        $stderr.puts("WARNING: Running without SSL cert verification. " \
+          "You should never do this in production. " \
+          "Execute 'Stripe.verify_ssl_certs = true' to enable verification.")
+        request_opts = {:verify_ssl => false}
+      end
     end
     params = Util.objects_to_ids(params)
@@ -149,23 +152,6 @@ module Stripe
   private
-  def self.ssl_preflight_passed?
-    if !verify_ssl_certs && !@no_verify
-      $stderr.puts "WARNING: Running without SSL cert verification. " \
-        "Execute 'Stripe.verify_ssl_certs = true' to enable verification."
-      @no_verify = true
-    elsif !Util.file_readable(@ssl_bundle_path) && !@no_bundle
-      $stderr.puts "WARNING: Running without SSL cert verification " \
-        "because #{@ssl_bundle_path} isn't readable"
-      @no_bundle = true
-    end
-    !(@no_verify || @no_bundle)
-  end
   def self.user_agent
     @uname ||= get_uname
     lang_version = "#{RUBY_VERSION} p#{RUBY_PATCHLEVEL} (#{RUBY_RELEASE_DATE})"
@@ -175,18 +161,42 @@ module Stripe
       :lang => 'ruby',
       :lang_version => lang_version,
       :platform => RUBY_PLATFORM,
+      :engine => defined?(RUBY_ENGINE) ? RUBY_ENGINE : '',
       :publisher => 'stripe',
-      :uname => @uname
+      :uname => @uname,
+      :hostname => Socket.gethostname,
     }
   end
   def self.get_uname
-    `uname -a 2>/dev/null`.strip if RUBY_PLATFORM =~ /linux|darwin/i
-  rescue Errno::ENOMEM => ex # couldn't create subprocess
+    if File.exist?('/proc/version')
+      File.read('/proc/version').strip
+    else
+      case RbConfig::CONFIG['host_os']
+      when /linux|darwin|bsd|sunos|solaris|cygwin/i
+        _uname_uname
+      when /mswin|mingw/i
+        _uname_ver
+      else
+        "unknown platform"
+      end
+    end
+  end
+  def self._uname_uname
+    (`uname -a 2>/dev/null` || '').strip
+  rescue Errno::ENOMEM # couldn't create subprocess
+    "uname lookup failed"
+  end
+  def self._uname_ver
+    (`ver` || '').strip
+  rescue Errno::ENOMEM # couldn't create subprocess
     "uname lookup failed"
   end
   def self.uri_encode(params)
     Util.flatten_params(params).
       map { |k,v| "#{k}=#{Util.url_encode(v)}" }.join('&')

data/lib/stripe/stripe_object.rb CHANGED

@@ -129,9 +129,12 @@ module Stripe
         # e.g. as object.key = {foo => bar}
         update = new_value
         new_keys = update.keys.map(&:to_sym)
         # remove keys at the server, but not known locally
-        keys_to_unset = @original_values[key].keys - new_keys
-        keys_to_unset.each {|key| update[key] = ''}
+        if @original_values.include?(key)
+          keys_to_unset = @original_values[key].keys - new_keys
+          keys_to_unset.each {|key| update[key] = ''}
+        end
         update
       else

data/lib/stripe/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Stripe
-  VERSION = '1.20.4'
+  VERSION = '1.21.0'
 end

data/stripe.gemspec CHANGED

@@ -13,7 +13,6 @@ spec = Gem::Specification.new do |s|
   s.license = 'MIT'
   s.add_dependency('rest-client', '~> 1.4')
-  s.add_dependency('mime-types', '>= 1.25', '< 3.0')
   s.add_dependency('json', '~> 1.8.1')
   s.add_development_dependency('mocha', '~> 0.13.2')

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stripe
 version: !ruby/object:Gem::Version
-  version: 1.20.4
+  version: 1.21.0
   prerelease:
 platform: ruby
 authors:
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-27 00:00:00.000000000 Z
+date: 2015-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rest-client
@@ -28,28 +28,6 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.4'
-- !ruby/object:Gem::Dependency
-  name: mime-types
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '1.25'
-    - - <
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '1.25'
-    - - <
-      - !ruby/object:Gem::Version
-        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -169,7 +147,6 @@ files:
 - lib/stripe/bitcoin_receiver.rb
 - lib/stripe/bitcoin_transaction.rb
 - lib/stripe/card.rb
-- lib/stripe/certificate_blacklist.rb
 - lib/stripe/charge.rb
 - lib/stripe/coupon.rb
 - lib/stripe/customer.rb
@@ -202,7 +179,6 @@ files:
 - test/stripe/application_fee_test.rb
 - test/stripe/balance_test.rb
 - test/stripe/bitcoin_receiver_test.rb
-- test/stripe/certificate_blacklist_test.rb
 - test/stripe/charge_test.rb
 - test/stripe/coupon_test.rb
 - test/stripe/customer_card_test.rb
@@ -241,7 +217,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23
+rubygems_version: 1.8.23.2
 signing_key:
 specification_version: 3
 summary: Ruby bindings for the Stripe API
@@ -252,7 +228,6 @@ test_files:
 - test/stripe/application_fee_test.rb
 - test/stripe/balance_test.rb
 - test/stripe/bitcoin_receiver_test.rb
-- test/stripe/certificate_blacklist_test.rb
 - test/stripe/charge_test.rb
 - test/stripe/coupon_test.rb
 - test/stripe/customer_card_test.rb

data/lib/stripe/certificate_blacklist.rb DELETED

@@ -1,55 +0,0 @@
-require 'uri'
-require 'digest/sha1'
-module Stripe
-  module CertificateBlacklist
-    BLACKLIST = {
-      "api.stripe.com" => [
-        '05c0b3643694470a888c6e7feb5c9e24e823dc53',
-      ],
-      "revoked.stripe.com" => [
-        '5b7dc7fbc98d78bf76d4d4fa6f597a0c901fad5c',
-      ]
-    }
-    # Preflight the SSL certificate presented by the backend. This isn't 100%
-    # bulletproof, in that we're not actually validating the transport used to
-    # communicate with Stripe, merely that the first attempt to does not use a
-    # revoked certificate.
-    # Unfortunately the interface to OpenSSL doesn't make it easy to check the
-    # certificate before sending potentially sensitive data on the wire. This
-    # approach raises the bar for an attacker significantly.
-    def self.check_ssl_cert(uri, ca_file)
-      uri = URI.parse(uri)
-      sock = TCPSocket.new(uri.host, uri.port)
-      ctx = OpenSSL::SSL::SSLContext.new
-      ctx.set_params(:verify_mode => OpenSSL::SSL::VERIFY_PEER,
-                     :ca_file => ca_file)
-      socket = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-      socket.connect
-      certificate = socket.peer_cert.to_der
-      fingerprint = Digest::SHA1.hexdigest(certificate)
-      if blacklisted_certs = BLACKLIST[uri.host]
-        if blacklisted_certs.include?(fingerprint)
-          raise APIConnectionError.new(
-            "Invalid server certificate. You tried to connect to a server that" \
-            "has a revoked SSL certificate, which means we cannot securely send" \
-            "data to that server. Please email support@stripe.com if you need" \
-            "help connecting to the correct API server."
-          )
-        end
-      end
-      socket.close
-      return true
-    end
-  end
-end

data/test/stripe/certificate_blacklist_test.rb DELETED

@@ -1,18 +0,0 @@
-require File.expand_path('../../test_helper', __FILE__)
-module Stripe
-  class CertificateBlacklistTest < Test::Unit::TestCase
-    should "not trust revoked certificates" do
-      assert_raises(Stripe::APIConnectionError) {
-        Stripe::CertificateBlacklist.check_ssl_cert("https://revoked.stripe.com:444",
-                                                    Stripe::DEFAULT_CA_BUNDLE_PATH)
-      }
-    end
-    should "trust api.stripe.com" do
-      assert_true Stripe::CertificateBlacklist.check_ssl_cert("https://api.stripe.com",
-                                                              Stripe::DEFAULT_CA_BUNDLE_PATH)
-    end
-  end
-end