webhookr 0.1.0 → 0.2.0

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2012 2167961 Ontario Inc., Zoocasa <code@zoocasa.com>
+Copyright (c) 2013 2167961 Ontario Inc., Zoocasa <code@zoocasa.com>
 
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation
@@ -19,4 +19,4 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
+OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -99,6 +99,13 @@ rake webhookr:services
 
 ## <a name="security"></a>Webhookr Security
 
+### Important security note
+
+A timing attack vulnerability was discovered in versions of webhookr prior to 0.2.0.
+It is recommended that you upgrade to as soon as possible to at least version 0.2.0.
+
+Please see revision ccafc8248559a09e090cf824c8454c9824555a06 for details.
+
 ### General security issues with webhooks
 
 A webhook is by design, a http post to your application that results in code execution.
@@ -130,7 +137,7 @@ If you are sending sensitive data via webhooks, it is recommended you use HTTPS.
 
 ## <a name="works_with"></a>Works with:
 
-webhookr works with Rails 4.0 and 3.1, and has been tested on the following Ruby
+webhookr works with Rails 4.0 and 3.1+, and has been tested on the following Ruby
 implementations:
 
 * JRuby 1.7.4
@@ -165,5 +172,5 @@ webhookr is released under the [MIT license](http://www.opensource.org/licenses/
 ## Author
 
 * [Gerry Power](https://github.com/gerrypower)
+* [J Smith](https://github.com/dark-panda)
 
-## <a name="Version History"></a>Version History

data/lib/webhookr.rb

@@ -1,3 +1,4 @@
+require "securecompare"
 require "webhookr/engine"
 
 module Webhookr

data/lib/webhookr/service.rb

@@ -37,7 +37,7 @@ module Webhookr
     end
 
     def validate_security_token(token)
-      raise Webhookr::InvalidSecurityTokenError if token.nil? || token != configured_security_token
+      raise Webhookr::InvalidSecurityTokenError if token.nil? || !SecureCompare.compare(token, configured_security_token)
     end
 
     def service_adapter

data/lib/webhookr/version.rb

@@ -1,3 +1,3 @@
 module Webhookr
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/webhookr.gemspec

@@ -19,4 +19,5 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.add_dependency "rails", [">= 3.1"]
+  s.add_dependency "securecompare"
 end

metadata

@@ -2,14 +2,14 @@
 name: webhookr
 version: !ruby/object:Gem::Version
   prerelease: 
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Gerry Power
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-29 00:00:00.000000000 Z
+date: 2013-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -27,6 +27,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: securecompare
+  type: :runtime
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Webhookr - easily and securely add webhooks to your Rails app.
 email:
 - code@zoocasa.com