Skip to content

Security fixes for CBOR parser, TLS default, and URI logging#177

Open
jguz-pubnub wants to merge 1 commit into
masterfrom
ruby-sec-fixes
Open

Security fixes for CBOR parser, TLS default, and URI logging#177
jguz-pubnub wants to merge 1 commit into
masterfrom
ruby-sec-fixes

Conversation

@jguz-pubnub

Copy link
Copy Markdown
Contributor

fix: bound CBOR decoder against DoS via untrusted tokens

Pubnub::Cbor now enforces a recursion-depth cap, a per-container length cap, and a total input size cap. Malformed or attacker-crafted tokens reaching Pubnub::Client#parse_token raise Pubnub::Cbor::DecodeError instead of hanging the caller or triggering SystemStackError.

fix: default DEFAULT_SSL to true so requests use https by default

Pubnub::Constants::DEFAULT_SSL flipped from false to true. Integrators must now opt out explicitly to send traffic in cleartext.

fix: redact signature and pnsig values from Requested URI debug log

The Requested URI debug entry in Pubnub::Event#uri now masks the signature and pnsig query parameter values, per the SDK log practices ADR. auth and token remain visible at DEBUG since they are permitted URL parameters.

test: rewrite recorded VCR cassette URIs from http to https so requests match under the new TLS default

@pubnub-ops-terraform

pubnub-ops-terraform commented Jul 15, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Comment thread features/support/hooks.rb
@pn_configuration = {
origin: ENV['SERVER_HOST'] + ":" + ENV['SERVER_PORT'],
isSecure: false,
ssl: false,

@jguz-pubnub jguz-pubnub Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default setting for production is TLS-on. Regarding the test suite, currently recorded VCR cassettes are linked to http://ps.pndsn.com, and VCR matches the full URI, including the http: scheme. This update is to avoid editing over 10,000 .yaml fixture files, which would be overwhelming for reviewers and make it harder to notice changes in the source code under lib/pubnub

The new PR removing ssl: false and fixing all the VCR cassettes should follow the current one.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻

@mohitpubnub mohitpubnub left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants