Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Supply access token through Authorization header #308

Merged
merged 1 commit into from
Feb 5, 2020
Merged

Supply access token through Authorization header #308

merged 1 commit into from
Feb 5, 2020

Conversation

keynslug
Copy link
Contributor

@keynslug keynslug commented Feb 4, 2020

ConradIrwin
ConradIrwin reviewed Feb 4, 2020
View reviewed changes
lib/gist.rb

request = Net::HTTP::Post.new(url)
request['Authorization'] = "token #{access_token}" if access_token.to_s != ''
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@keynslug thanks for this change!

In general it's unsafe to echo user-provided input into HTTP headers (as if the input contains \r\n then they can control more than just one header). The risk is very low in this context (as the access token is already assumed to be trusted), but as good practice I think we should do something like:

"token #{header_safe access_token}" where

def header_safe(x) 
   raise "invalid access_token" if x =~ /[\r\n]/
   x
end

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As Conrad notes, this is probably needed, but the input reader presently stops this anyway, so it's only an extra security step (a very good one).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh. I had an impression that it's already taken care of by these lines of code from Net::HTTPHeader:

https://github.com/ruby/ruby/blob/v2_7_0/lib/net/http/header.rb#L84-L86

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect, I was not aware of that!

@ConradIrwin ConradIrwin merged commit 9bd97ca into defunkt:master Feb 5, 2020
@mgmarino
Copy link

mgmarino commented Feb 6, 2020

Thanks for this! Will this be released soon, or should we rather install from the repo?

@ConradIrwin
Copy link
Collaborator

ConradIrwin commented Feb 7, 2020 via email

@keynslug
Copy link
Contributor Author

keynslug commented Feb 7, 2020

Published as v5.1.0

Wonderful! Would be great to have it tagged and provided as a release also.

gentoo-bot pushed a commit to gentoo/gentoo that referenced this pull request Feb 20, 2020
@robbat2
dev-ruby/gist: bump for service requirements change
034d9bc 
GitHub has changed the authentication method slightly, discontining
support for the old access_token query parameter. All consumers should
move to headers [1] instead. Support for the old method ends 2020/07/01.

[1] https://developer.github.com/changes/2019-11-05-deprecated-passwords-and-authorizations-api/#authenticating-using-query-parameters

Fixes: defunkt/gist#308
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
@typebrook typebrook mentioned this pull request Apr 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robbat2 robbat2 robbat2 approved these changes

@ConradIrwin ConradIrwin ConradIrwin left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@keynslug @mgmarino @ConradIrwin @robbat2