RubyGems - better_errors - Versions diffs - 0.6.0 → 0.7.0 - Mend

better_errors 0.6.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of better_errors might be problematic. Click here for more details.

Files changed (9) hide show

data/.travis.yml +3 -0
data/README.md +22 -2
data/Rakefile +3 -0
data/better_errors.gemspec +2 -0
data/lib/better_errors.rb +2 -0
data/lib/better_errors/middleware.rb +31 -18
data/lib/better_errors/version.rb +1 -1
data/spec/better_errors/middleware_spec.rb +17 -11
metadata +8 -3

data/.travis.yml ADDED

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+    - 2.0.0-rc2

data/README.md CHANGED

@@ -21,8 +21,6 @@ group :development do
 end
 ```
-**NOTE:** It is *critical* you put better\_errors in the **development** section. **Do NOT run better_errors in production, or on Internet facing hosts.**
 If you would like to use Better Errors' **advanced features** (REPL, local/instance variable inspection, pretty stack frame names), you need to add the [`binding_of_caller`](https://github.com/banister/binding_of_caller) gem by [@banisterfiend](http://twitter.com/banisterfiend) to your Gemfile:
 ```ruby
@@ -31,6 +29,28 @@ gem "binding_of_caller"
 This is an optional dependency however, and Better Errors will work without it.
+## Security
+**NOTE:** It is *critical* you put better\_errors in the **development** section. **Do NOT run better_errors in production, or on Internet facing hosts.**
+You will notice that the only machine that gets the Better Errors page is localhost, which means you get the default error page if you are developing on a remote host (or a virtually remote host, such as a Vagrant box). Obviously, the REPL is not something you want to expose to the public, but there may also be other pieces of sensitive information available in the backtrace.
+To poke selective holes in this security mechanism, you can add a line like this to your startup (for example, on Rails it would be `config/environments/development.rb`)
+```ruby
+BetterErrors::Middleware.allow_ip! ENV['TRUSTED_IP'] if ENV['TRUSTED_IP']
+```
+Then run Rails like this:
+```shell
+TRUSTED_IP=66.68.96.220 rails s
+```
+Note that the `allow_ip!` is actually backed by a `Set`, so you can add more than one IP address or subnet.
+**Tip:** You can find your apparent IP by hitting the old error page's "Show env dump" and looking at "REMOTE_ADDR".
 ## Usage
 If you're using Rails, there's nothing else you need to do.

data/Rakefile CHANGED

@@ -1 +1,4 @@
 require "bundler/gem_tasks"
+task :default => :spec
+task :test => :spec
+task :spec do sh 'bundle exec rspec' end

data/better_errors.gemspec CHANGED

@@ -17,6 +17,8 @@ Gem::Specification.new do |s|
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ["lib"]
+  s.required_ruby_version = ">= 1.9.2"
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec", "~> 2.12.0"
   s.add_development_dependency "binding_of_caller"

data/lib/better_errors.rb CHANGED

@@ -91,6 +91,8 @@ module BetterErrors
       self.editor = "subl://open?url=file://%{file}&line=%{line}"
     when :macvim, :mvim
       self.editor = proc { |file, line| "mvim://open?url=file://#{file}&line=#{line}" }
+    when :emacs
+      self.editor = "emacs://open?url=file://%{file}&line=%{line}"
     when String
       self.editor = proc { |file, line| editor % { file: URI.encode_www_form_component(file), line: line } }
     else

data/lib/better_errors/middleware.rb CHANGED

@@ -1,17 +1,18 @@
 require "json"
 require "ipaddr"
+require "set"
 module BetterErrors
   # Better Errors' error handling middleware. Including this in your middleware
   # stack will show a Better Errors error page for exceptions raised below this
   # middleware.
-  #
-  # If you are using Ruby on Rails, you do not need to manually insert this
+  #
+  # If you are using Ruby on Rails, you do not need to manually insert this
   # middleware into your middleware stack.
-  #
+  #
   # @example Sinatra
   #   require "better_errors"
-  #
+  #
   #   if development?
   #     use BetterErrors::Middleware
   #   end
@@ -21,39 +22,51 @@ module BetterErrors
   #   if ENV["RACK_ENV"] == "development"
   #     use BetterErrors::Middleware
   #   end
-  #
+  #
   class Middleware
+    # The set of IP addresses that are allowed to access Better Errors.
+    #
+    # Set to `{ "127.0.0.1/8", "::1/128" }` by default.
+    ALLOWED_IPS = Set.new
+    # Adds an address to the set of IP addresses allowed to access Better
+    # Errors.
+    def self.allow_ip!(addr)
+      ALLOWED_IPS << IPAddr.new(addr)
+    end
+    allow_ip! "127.0.0.0/8"
+    allow_ip! "::1/128"
     # A new instance of BetterErrors::Middleware
-    #
+    #
     # @param app      The Rack app/middleware to wrap with Better Errors
     # @param handler  The error handler to use.
     def initialize(app, handler = ErrorPage)
       @app      = app
       @handler  = handler
     end
     # Calls the Better Errors middleware
-    #
+    #
     # @param [Hash] env
     # @return [Array]
     def call(env)
-      if local_request? env
+      if allow_ip? env
         better_errors_call env
       else
         @app.call env
       end
     end
   private
-    IPV4_LOCAL = IPAddr.new("127.0.0.0/8")
-    IPV6_LOCAL = IPAddr.new("::1/128")
-    def local_request?(env)
+    def allow_ip?(env)
       # REMOTE_ADDR is not in the rack spec, so some application servers do
       # not provide it.
       return true unless env["REMOTE_ADDR"]
       ip = IPAddr.new env["REMOTE_ADDR"]
-      IPV4_LOCAL.include? ip or IPV6_LOCAL.include? ip
+      ALLOWED_IPS.any? { |subnet| subnet.include? ip }
     end
     def better_errors_call(env)
@@ -93,18 +106,18 @@ module BetterErrors
       env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" ||
       !env["HTTP_ACCEPT"].to_s.include?('html')
     end
     def log_exception
       return unless BetterErrors.logger
       message = "\n#{@error_page.exception.class} - #{@error_page.exception.message}:\n"
       @error_page.backtrace_frames.each do |frame|
         message << "  #{frame}\n"
       end
       BetterErrors.logger.fatal message
     end
     def internal_call(env, opts)
       if opts[:oid].to_i != @error_page.object_id
         return [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(error: "Session expired")]]

data/lib/better_errors/version.rb CHANGED

@@ -1,3 +1,3 @@
 module BetterErrors
-  VERSION = "0.6.0"
+  VERSION = "0.7.0"
 end

data/spec/better_errors/middleware_spec.rb CHANGED

@@ -23,48 +23,54 @@ module BetterErrors
       app.call("REMOTE_ADDR" => "1.2.3.4")
     end
+    it "should show to a whitelisted IP" do
+      BetterErrors::Middleware.allow_ip! '77.55.33.11'
+      app.should_receive :better_errors_call
+      app.call("REMOTE_ADDR" => "77.55.33.11")
+    end
     context "when requesting the /__better_errors manually" do
       let(:app) { Middleware.new(->env { ":)" }) }
       it "should show that no errors have been recorded" do
         status, headers, body = app.call("PATH_INFO" => "/__better_errors")
         body.join.should match /No errors have been recorded yet./
       end
     end
     context "when handling an error" do
       let(:app) { Middleware.new(->env { raise "oh no :(" }) }
       it "should return status 500" do
         status, headers, body = app.call({})
         status.should == 500
       end
       it "should return UTF-8 error pages" do
         status, headers, body = app.call({})
         headers["Content-Type"].should match /charset=utf-8/
       end
       it "should return text pages by default" do
         status, headers, body = app.call({})
         headers["Content-Type"].should match /text\/plain/
       end
       it "should return HTML pages by default" do
         # Chrome's 'Accept' header looks similar this.
         status, headers, body = app.call("HTTP_ACCEPT" => "text/html,application/xhtml+xml;q=0.9,*/*")
         headers["Content-Type"].should match /text\/html/
       end
       it "should log the exception" do
         logger = Object.new
         logger.should_receive :fatal
         BetterErrors.stub!(:logger).and_return(logger)
         app.call({})
       end
     end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_errors
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-14 00:00:00.000000000 Z
+date: 2013-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -165,6 +165,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - .yardopts
 - CONTRIBUTING.md
 - Gemfile
@@ -211,13 +212,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -156735969867517913
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.25
@@ -235,3 +239,4 @@ test_files:
 - spec/better_errors/support/my_source.rb
 - spec/better_errors_spec.rb
 - spec/spec_helper.rb
+has_rdoc: