stripe 3.3.0 → 3.3.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 93c701571b0b8167fe9a2816d458715fe646e0fa
4
- data.tar.gz: 27a4af6cf8afca19384f7d9901b2980ac8da0d93
3
+ metadata.gz: bae6f0ad07bc976943ede420d50734662a18dece
4
+ data.tar.gz: fb0a6559f1a927cb2fc5092159572b86badbb0e6
5
5
  SHA512:
6
- metadata.gz: f8ebb06861148fe8e40b2737cf5f65f00e11921e6b6d4ddd790126da4d3dfa5be3ed01353a5538bfaccfc8d0fa2027d96b2ae40659e22f8b88a99f897928640f
7
- data.tar.gz: 1971744e0adf6616d472967740b8bd321cd1dc6d639ec582d436560eca093446021435f702c8662632ece248eff119019322a7e327f8b79bb025877ca589bc89
6
+ metadata.gz: 6ef3f38ac0b0e0fdbf2beb1519f2242f9268461a86be79f00a481d7a4ab841d1f7f0bde63e2f58acafc9c97d2e429a687dc492264b1d8b5b014fa5599dd585f9
7
+ data.tar.gz: af934590bfb40438ecc031f5ea17c81f6832debac19ead3b7a186887bcc41a1b7addb5f45b730c538dc413fa37beb0b6e3074588b53c5bc7f32953a1ae861ae8
@@ -1,3 +1,8 @@
1
+ === 3.3.1 2017-08-18
2
+
3
+ * Only parse webhook payload after verification to decrease likelihood of
4
+ attack
5
+
1
6
  === 3.3.0 2017-08-11
2
7
 
3
8
  * Add support for standard library logger interface with `Stripe.logger`
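--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.3.0
+3.3.1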
@@ -1,3 +1,3 @@
1
1
  module Stripe
2
- VERSION = '3.3.0'
2
+ VERSION = '3.3.1'
3
3
  end
@@ -7,12 +7,15 @@ module Stripe
7
7
  # This may raise JSON::ParserError if the payload is not valid JSON, or
8
8
  # SignatureVerificationError if the signature verification fails.
9
9
  def self.construct_event(payload, sig_header, secret, tolerance: DEFAULT_TOLERANCE)
10
- data = JSON.parse(payload, symbolize_names: true)
11
- event = Event.construct_from(data)
12
-
13
10
  Signature.verify_header(payload, sig_header, secret, tolerance: tolerance)
14
11
 
15
- event
12
+ # It's a good idea to parse the payload only after verifying it. We use
13
+ # `symbolize_names` so it would otherwise be technically possible to
14
+ # flood a target's memory if they were on an older version of Ruby that
15
+ # doesn't GC symbols. It also decreases the likelihood that we receive a
16
+ # bad payload that fails to parse and throws an exception.
17
+ data = JSON.parse(payload, symbolize_names: true)
18
+ Event.construct_from(data)
16
19
  end
17
20
 
18
21
  module Signature
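Review bot: The header comment above `construct_event` still lists `JSON::ParserError` before `SignatureVerificationError`, which no longer matches the order the method can raise them: with `Signature.verify_header` now running first, a payload whose signature does not verify raises `SignatureVerificationError` before any JSON is parsed, so callers can no longer treat `JSON::ParserError` as the error for a malformed but unsigned request. I would reword the two-line header comment to `# Raises SignatureVerificationError if the signature verification fails; the payload is only parsed (and may raise JSON::ParserError) after it has been verified.` The new inline comment's second sentence also reads awkwardly ("We use `symbolize_names` so it would otherwise be technically possible...") — something like `# We parse with symbolize_names, so on older Rubies that don't GC symbols an unverified payload could otherwise grow the symbol table unboundedly.` states the same reason more directly. Both `construct_event` and the `module Stripe` body that encloses it continue outside this hunk.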
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: stripe
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.0
4
+ version: 3.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stripe
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-08-11 00:00:00.000000000 Z
11
+ date: 2017-08-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: faraday