From b2ee1bd22a135eff33222e4d7638809a1ffdb9fe Mon Sep 17 00:00:00 2001 From: Samuel Williams Date: Sat, 4 Jan 2025 20:35:31 +1300 Subject: [PATCH] Support UTF-8 data when using the JSON serializer (#39) * Replace all instance of 'BINARY' with `Encoding::BINARY` --- lib/rack/session/encryptor.rb | 8 ++++---- test/spec_session_cookie.rb | 2 +- test/spec_session_encryptor.rb | 12 ++++++++++++ 3 files changed, 17 insertions(+), 5 deletions(-) diff --git a/lib/rack/session/encryptor.rb b/lib/rack/session/encryptor.rb index a7f041a..8d861d5 100644 --- a/lib/rack/session/encryptor.rb +++ b/lib/rack/session/encryptor.rb @@ -32,12 +32,12 @@ module Serializable def serialize_payload(message) serialized_data = serializer.dump(message) - return "#{[0].pack('v')}#{serialized_data}" if @options[:pad_size].nil? + return "#{[0].pack('v')}#{serialized_data.force_encoding(Encoding::BINARY)}" if @options[:pad_size].nil? padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size] padding_data = SecureRandom.random_bytes(padding_bytes) - "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data}" + "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data.force_encoding(Encoding::BINARY)}" end # Return the deserialized message. The first 2 bytes will be read as the @@ -103,7 +103,7 @@ def initialize(secret, opts = {}) serialize_json: false, pad_size: 32, purpose: nil }.update(opts) - @hmac_secret = secret.dup.force_encoding('BINARY') + @hmac_secret = secret.dup.force_encoding(Encoding::BINARY) @cipher_secret = @hmac_secret.slice!(0, 32) @hmac_secret.freeze @@ -250,7 +250,7 @@ def initialize(secret, opts = {}) }.update(opts) @options[:serialize_json] = true # Enforce JSON serialization - @cipher_secret = secret.dup.force_encoding('BINARY').slice!(0, 32) + @cipher_secret = secret.dup.force_encoding(Encoding::BINARY).slice!(0, 32) @cipher_secret.freeze end diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb index f990da7..0e4094b 100644 --- a/test/spec_session_cookie.rb +++ b/test/spec_session_cookie.rb @@ -212,7 +212,7 @@ def decode(str); @calls << :decode; JSON.parse(str); end response.body.must_equal ({"counter"=>1}.to_s) identity.calls.must_equal [:encode] - response = response_for(app: [incrementor, { coder: identity }], :cookie=>response["Set-Cookie"].split(';', 2).first) + response_for(app: [incrementor, { coder: identity }], cookie: response["Set-Cookie"].split(';', 2).first) identity.calls.must_equal [:encode, :decode, :encode] end diff --git a/test/spec_session_encryptor.rb b/test/spec_session_encryptor.rb index 2288120..bc19373 100644 --- a/test/spec_session_encryptor.rb +++ b/test/spec_session_encryptor.rb @@ -58,6 +58,18 @@ def self.included(_base) encryptor.decrypt(message).must_equal({ 'foo' => 'bar' }) end + # The V1 encryptor defaults to the Marshal serializer, while the V2 + # encryptor always uses the JSON serializer. This means that we are + # indirectly covering both serializers. + it 'decrypts an encrypted message with UTF-8 data' do + encryptor = encryptor_class.new(@secret) + + encrypted_message = encryptor.encrypt({ 'foo' => 'bar 😀' }) + decrypted_message = encryptor.decrypt(encrypted_message) + + decrypted_message.must_equal({ 'foo' => 'bar 😀' }) + end + it 'decrypts raises InvalidSignature without purpose' do encryptor = encryptor_class.new(@secret, purpose: 'testing') other_encryptor = encryptor_class.new(@secret)