
How to require PHP.serialize to be able to verify a webhook? (Ruby on Rails 5)

I'm using Ruby on Rails 5, and ruby -v 2.5.3. I'm trying to verify a webhook, and the example says:

require 'base64'
require 'php_serialize'
require 'openssl'


public_key = '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqh...'

# 'data' represents all of the POST fields sent with the request.
# Get the p_signature parameter & base64 decode it.
signature = Base64.decode64(data['p_signature'])

# Remove the p_signature parameter
data.delete('p_signature')

# Ensure all the data fields are strings
data.each {|key, value|data[key] = String(value)}

# Sort the data
data_sorted = data.sort_by{|key, value| key}

# and serialize the fields
# serialization library is available here: https://github.com/jqr/php-serialize
data_serialized = PHP.serialize(data_sorted, true)

# verify the data
digest    = OpenSSL::Digest::SHA1.new
pub_key   = OpenSSL::PKey::RSA.new(public_key).public_key
verified  = pub_key.verify(digest, signature, data_serialized)

if verified
    puts "Yay! Signature is valid!"
else
    puts "The signature is invalid!"
end

My problem is the PHP.serialize. I tried to use the gem https://github.com/jqr/php-serialize, but that doesn't support ruby -v 2.5.3 (for example, due to https://github.com/jqr/php-serialize/issues/16).

How can I require 'php_serialize' in my Rails app?

userden asked Mar 03 '23 16:03


2 Answers

It looks like the Fixnum deprecated warning was fixed in a PR here. The latest release 1.2 is behind master and doesn't contain a couple changes.

If you are worried about the warning, one option is that you can just get the latest by the ref in the gemfile.

How to Install gems from git repositories

   gem 'php-serialize', git: 'https://github.com/jqr/php-serialize.git', ref: '31dde87'

Other than that, I'm not seeing much wrong with the PHP-Serialize gem on some quick tests. Do you have any specific issues with the code snippet? Can you provide additional details/errors?

Conor answered Apr 28 '23 18:04


The pull request which should fix the deprecation warning was merged to master on September 4th, 2018, but the gem release has not been updated, which is pretty sad.

Conor explained well how to use a GitHub source for a gem, but I would maybe not use the specific commit but the current master instead:

gem 'php-serialize', :github => 'jqr/php-serialize', :branch => 'master'

If you wanna try another gem, try one of those, found by

gem search -r php|grep serial

php-serial (0.9.5)
php-serialization (1.0.0)
php-serialize (1.2.0)
php-serialize4ruby (0.0.0)
php-serialize_ryan (1.1.1)
php_serialize (1.2)
php_serializer (0.2.0)
viva-php_serialize (1.1.3)

The gem search trick has been found here. Some of the gems seem to have received updates in the meantime.

Not sure if any of them is rails 5 compatible but you can surely check them out yourself.

Christian answered Apr 28 '23 18:04
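
An added example, not code from the question, the answers or the php-serialize project: because the question's snippet coerces every field to a string before serializing, the serialized form can be built in plain Ruby and the signature check then needs no gem. `php_serialize_string_pairs` and `webhook_signature_valid?` are hypothetical names, the key pair and fields are constructed for the demo, and the code assumes non-numeric string keys and scalar values.

```ruby
require 'base64'
require 'openssl'

# Render [key, value] string pairs the way PHP's serialize() renders an
# associative array of strings: a:N:{s:LEN:"key";s:LEN:"value";...}
# LEN is the byte length, not the character count.
def php_serialize_string_pairs(pairs)
  body = pairs.flat_map { |pair| pair.map { |s| %(s:#{s.bytesize}:"#{s}";) } }.join
  "a:#{pairs.length}:{#{body}}"
end

# True only when p_signature is a valid RSA/SHA1 signature over the remaining
# fields, stringified, sorted by key and serialized. The caller's hash is not
# modified. Assumption: keys are non-numeric strings and values are scalars.
def webhook_signature_valid?(params, public_key_pem)
  fields = params.each_with_object({}) { |(k, v), h| h[k.to_s] = v.to_s }
  encoded = fields.delete('p_signature')
  return false if encoded.nil? || encoded.empty?

  payload = php_serialize_string_pairs(fields.sort_by { |key, _| key })
  key = OpenSSL::PKey::RSA.new(public_key_pem)
  key.verify(OpenSSL::Digest.new('SHA1'), Base64.decode64(encoded), payload)
rescue OpenSSL::PKey::PKeyError
  false # malformed key or signature: treat as not verified
end

if __FILE__ == $PROGRAM_NAME
  # Constructed key pair and fields standing in for the sender; not real data.
  sender = OpenSSL::PKey::RSA.new(2048)
  pem = sender.public_key.to_pem
  fields = { 'order_id' => 1001, 'alert_name' => 'demo', 'email' => 'a@example.com' }
  signed = php_serialize_string_pairs(fields.map { |k, v| [k, v.to_s] }.sort_by(&:first))
  sig = sender.sign(OpenSSL::Digest.new('SHA1'), signed)
  fields['p_signature'] = Base64.strict_encode64(sig)

  puts webhook_signature_valid?(fields, pem)                          # genuine
  puts webhook_signature_valid?(fields.merge('order_id' => 1002), pem) # tampered
end
```

In a controller, reject the request unless the method returns true, and run the check before acting on any field of the payload.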