RubyGems - webhookr - Versions diffs - 0.1.0 → 0.2.0 - Mend

webhookr 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/MIT-LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2012 2167961 Ontario Inc., Zoocasa <code@zoocasa.com>
+Copyright (c) 2013 2167961 Ontario Inc., Zoocasa <code@zoocasa.com>
 Permission is hereby granted, free of charge, to any person
 obtaining a copy of this software and associated documentation
@@ -19,4 +19,4 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
 WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
-OTHER DEALINGS IN THE SOFTWARE.
+OTHER DEALINGS IN THE SOFTWARE.

data/README.md CHANGED Viewed

@@ -99,6 +99,13 @@ rake webhookr:services
 ## <a name="security"></a>Webhookr Security
+### Important security note
+A timing attack vulnerability was discovered in versions of webhookr prior to 0.2.0.
+It is recommended that you upgrade to as soon as possible to at least version 0.2.0.
+Please see revision ccafc8248559a09e090cf824c8454c9824555a06 for details.
 ### General security issues with webhooks
 A webhook is by design, a http post to your application that results in code execution.
@@ -130,7 +137,7 @@ If you are sending sensitive data via webhooks, it is recommended you use HTTPS.
 ## <a name="works_with"></a>Works with:
-webhookr works with Rails 4.0 and 3.1, and has been tested on the following Ruby
+webhookr works with Rails 4.0 and 3.1+, and has been tested on the following Ruby
 implementations:
 * JRuby 1.7.4
@@ -165,5 +172,5 @@ webhookr is released under the [MIT license](http://www.opensource.org/licenses/
 ## Author
 * [Gerry Power](https://github.com/gerrypower)
+* [J Smith](https://github.com/dark-panda)
-## <a name="Version History"></a>Version History

data/lib/webhookr.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require "securecompare"
 require "webhookr/engine"
 module Webhookr

data/lib/webhookr/service.rb CHANGED Viewed

@@ -37,7 +37,7 @@ module Webhookr
     end
     def validate_security_token(token)
-      raise Webhookr::InvalidSecurityTokenError if token.nil? || token != configured_security_token
+      raise Webhookr::InvalidSecurityTokenError if token.nil? || !SecureCompare.compare(token, configured_security_token)
     end
     def service_adapter

data/lib/webhookr/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Webhookr
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/webhookr.gemspec CHANGED Viewed

@@ -19,4 +19,5 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
   s.add_dependency "rails", [">= 3.1"]
+  s.add_dependency "securecompare"
 end

metadata CHANGED Viewed

@@ -2,14 +2,14 @@
 name: webhookr
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Gerry Power
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-07-29 00:00:00.000000000 Z
+date: 2013-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -27,6 +27,22 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: securecompare
+  type: :runtime
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Webhookr - easily and securely add webhooks to your Rails app.
 email:
 - code@zoocasa.com