
fix: remove use of URI.escape in HMAC signature validation

Replace it with similar methods from WEBrick::HTTPUtils.

Note that this introduces webrick as an explicit dependency because
webrick is available as a separate gem, and because Ruby 3.0 ships
without it in the standard library.
Mike Dalessio 3 years ago
parent
commit
5549949fd4
3 changed files with 6 additions and 2 deletions
  1. 2 0
      Gemfile.lock
  2. 3 2
      lib/shopify_api/hmac_params.rb
  3. 1 0
      shopify_api.gemspec

+ 2 - 0
Gemfile.lock

@@ -5,6 +5,7 @@ PATH
       activeresource (>= 4.1.0, < 6.0.0)
       graphql-client
       rack
+      webrick
 
 GEM
   remote: https://rubygems.org/
@@ -129,6 +130,7 @@ GEM
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.7.0)
     zeitwerk (2.3.0)
 
 PLATFORMS

+ 3 - 2
lib/shopify_api/hmac_params.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'webrick/httputils'
 
 module ShopifyAPI
@@ -12,11 +13,11 @@ module ShopifyAPI
     end
 
     def self.encode_key(key)
-      URI.escape(key.to_s, '&=%')
+      _escape(key.to_s, _make_regex('&=%'))
     end
 
     def self.encode_value(value)
-      URI.escape(value.to_s, '&%')
+      _escape(value.to_s, _make_regex('&%'))
     end
   end
 end
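Review bot: The replacements at lines 55 and 60 call `_escape` and `_make_regex`, the underscore-prefixed internals of WEBrick::HTTPUtils rather than its public `escape`, so the HMAC signature path now depends on helpers webrick is free to rename or change; since the unsafe set is three ASCII characters, a local `key.to_s.gsub(/[&=%]/) { |c| format('%%%02X', c.ord) }` (and `/[&%]/` for values) would reproduce the previous output with no coupling to webrick internals and no new runtime dependency. If the helpers are kept, build each pattern once instead of on every call, e.g. `KEY_UNSAFE = _make_regex('&=%')` as a frozen constant, and add a comment that `_escape` as webrick implements it operates on `str.b` and returns a US-ASCII string, whereas `URI.escape` kept the caller's encoding, so any non-ASCII bytes in a key or value now come back in a string with an invalid encoding; whether the downstream signature-string construction tolerates that is worth confirming. The enclosing module, and whatever brings `_escape` into scope for these singleton methods (presumably an `include`/`extend` of WEBrick::HTTPUtils), start before this hunk.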

+ 1 - 0
shopify_api.gemspec

@@ -35,6 +35,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency("activeresource", ">= 4.1.0", "< 6.0.0")
   s.add_runtime_dependency("rack")
   s.add_runtime_dependency("graphql-client")
+  s.add_runtime_dependency("webrick")
 
   s.add_development_dependency("mocha", ">= 1.4.0")
   s.add_development_dependency("webmock")