bump version, handle invalid API key DC
amro committed Feb 24, 2022
1 parent 6933225 commit cade20c
Showing 5 changed files with 15 additions and 8 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,7 @@
## [Unreleased][unreleased]

## [3.4.4] - 2022-02-24
- Remove non-alpha characters when parsing datacenter from API keys to prevent potential attackers from injecting a domain via the API key. This would only be possible if one were using user-provided API keys (e.g. from a form, etc.).

## [3.4.3] - 2022-01-19
- Support for Faraday 2.0, which requires new syntax for basic auth
2 changes: 0 additions & 2 deletions lib/gibbon/api_request.rb
Expand Up @@ -194,8 +194,6 @@ def api_url

def base_api_url
computed_api_endpoint = "https://#{get_data_center_from_api_key(self.api_key)}api.mailchimp.com"
raise Gibbon::GibbonError, "SSRF attempt" unless URI(computed_api_endpoint).host.include?("api.mailchimp.com")

"#{self.api_endpoint || computed_api_endpoint}/3.0/"
end
end
8 changes: 6 additions & 2 deletions lib/gibbon/gibbon_helpers.rb
Expand Up @@ -5,8 +5,12 @@ def get_data_center_from_api_key(api_key)
data_center = ""

if api_key && api_key["-"]
# Add a period since the data_center is a subdomain and it keeps things dry
data_center = "#{api_key.split('-').last}."
# Remove all non-alphanumberic characters in case someone attempts to inject
# a different domain into the API key (e.g. when consuming user form-provided keys)
# This approach avoids assuming a 3 letter prefix (e.g. is MC were to create
# a us10 DC, this would continue to work), and will continue to hit MC's server
# rather than a would-be attacker's servers.
data_center = "#{api_key.split('-').last.gsub(/[^0-9a-z ]/i, '')}."
end

data_center
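Review bot: The character class in the new assignment, `/[^0-9a-z ]/i`, contains a literal space, so a space in the key suffix survives into the host name ("123-us 1" would become "us 1.api.mailchimp.com"); that contradicts the comment above it, which says all non-alphanumeric characters are removed, and the class should read `/[^0-9a-z]/i`. Because the same commit drops the `URI(...).host.include?("api.mailchimp.com")` check in lib/gibbon/api_request.rb, this substitution is now the only thing keeping the computed endpoint on mailchimp.com, which is worth saying in the comment, e.g. `# This is the sole guard on the computed host; base_api_url no longer re-validates it.` A suffix with no alphanumeric characters at all still yields the data center "." and the host ".api.mailchimp.com", so the caller should expect a connection error rather than a Gibbon error for such keys. The comment also has two typos, "alphanumberic" and "is MC were" (for "if MC were"). The `def get_data_center_from_api_key` line is outside the hunk.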
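--- a/lib/gibbon/version.rb
+++ b/lib/gibbon/version.rb
@@ -1,3 +1,3 @@
 module Gibbon
-VERSION = "3.4.3"
+VERSION = "3.4.4"
 end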
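--- a/spec/gibbon/gibbon_spec.rb
+++ b/spec/gibbon/gibbon_spec.rb
@@ -14,6 +14,7 @@
 @gibbon = Gibbon::Request.new
 expect(@gibbon.api_key).to be_nil
 end
+
 it "sets an API key in the constructor" do
 @gibbon = Gibbon::Request.new(api_key: @api_key)
 expect(@gibbon.api_key).to eq(@api_key)
@@ -163,10 +164,12 @@
 expect {@request.validate_api_key}.not_to raise_error
 end
 
-it "raises with a valid SSRF attack" do
-@api_key = "-attacker.net/test/?"
+it "removes non-alpha characters from datacenter prefix" do
+@api_key = "123-attacker.net/test/?"
 @gibbon.api_key = @api_key
-expect {@gibbon.try.retrieve}.to raise_error(Gibbon::MailChimpError, /SSRF attempt/)
+@gibbon.try
+@request = Gibbon::APIRequest.new(builder: @gibbon)
+expect(@request.api_url).to eq("https://attackernettest.api.mailchimp.com/3.0/try")
 end
 end
 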
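Review bot: The replacement example in the second hunk only pins the rewrite of "123-attacker.net/test/?"; it does not exercise a suffix containing whitespace, which the helper's `/[^0-9a-z ]/i` class lets through, nor a suffix with no alphanumeric characters at all, so a change in either behaviour would pass the suite. Adding one more example along the lines of `@api_key = "123-us 1"` followed by an `expect(@request.api_url).to eq(...)` for whichever host is intended would make the sanitiser's contract explicit. The example name says "datacenter prefix" while the code sanitises the suffix after the last "-"; `it "removes non-alpha characters from the datacenter suffix"` would match the behaviour. The surrounding describe block starts and ends outside the hunk.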
