Security fixes for CBOR parser, TLS default, and URI logging#177
Open
jguz-pubnub wants to merge 1 commit into
Open
Security fixes for CBOR parser, TLS default, and URI logging#177jguz-pubnub wants to merge 1 commit into
jguz-pubnub wants to merge 1 commit into
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
jguz-pubnub
force-pushed
the
ruby-sec-fixes
branch
from
July 15, 2026 08:55
6ef1112 to
09b7821
Compare
jguz-pubnub
force-pushed
the
ruby-sec-fixes
branch
from
July 15, 2026 09:01
09b7821 to
ab602cf
Compare
jguz-pubnub
commented
Jul 15, 2026
| @pn_configuration = { | ||
| origin: ENV['SERVER_HOST'] + ":" + ENV['SERVER_PORT'], | ||
| isSecure: false, | ||
| ssl: false, |
Contributor
Author
There was a problem hiding this comment.
The default setting for production is TLS-on. Regarding the test suite, currently recorded VCR cassettes are linked to http://ps.pndsn.com, and VCR matches the full URI, including the http: scheme. This update is to avoid editing over 10,000 .yaml fixture files, which would be overwhelming for reviewers and make it harder to notice changes in the source code under lib/pubnub
The new PR removing ssl: false and fixing all the VCR cassettes should follow the current one.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix: bound CBOR decoder against DoS via untrusted tokens
Pubnub::Cbornow enforces a recursion-depth cap, a per-container length cap, and a total input size cap. Malformed or attacker-crafted tokens reachingPubnub::Client#parse_tokenraisePubnub::Cbor::DecodeErrorinstead of hanging the caller or triggeringSystemStackError.fix: default
DEFAULT_SSLto true so requests use https by defaultPubnub::Constants::DEFAULT_SSLflipped fromfalsetotrue. Integrators must now opt out explicitly to send traffic in cleartext.fix: redact signature and pnsig values from Requested URI debug log
The Requested URI debug entry in
Pubnub::Event#urinow masks thesignatureandpnsigquery parameter values, per the SDK log practices ADR.authandtokenremain visible at DEBUG since they are permitted URL parameters.test: rewrite recorded VCR cassette URIs from http to https so requests match under the new TLS default