RubyGems - better_errors - Versions diffs - 0.6.0 → 0.7.0 - Diffend - OSS supply chain security and management platform

better_errors 0.6.0 → 0.7.0

Potentially problematic release.

This version of better_errors might be problematic. Click here for more details.

Files changed (9) hide show

data/.travis.yml +3 -0
data/README.md +22 -2
data/Rakefile +3 -0
data/better_errors.gemspec +2 -0
data/lib/better_errors.rb +2 -0
data/lib/better_errors/middleware.rb +31 -18
data/lib/better_errors/version.rb +1 -1
data/spec/better_errors/middleware_spec.rb +17 -11
metadata +8 -3

data/.travis.yml ADDED

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+    - 2.0.0-rc2

data/README.md CHANGED

@@ -21,8 +21,6 @@ group :development do
 end
 ```
-**NOTE:** It is *critical* you put better\_errors in the **development** section. **Do NOT run better_errors in production, or on Internet facing hosts.**
 If you would like to use Better Errors' **advanced features** (REPL, local/instance variable inspection, pretty stack frame names), you need to add the [`binding_of_caller`](https://github.com/banister/binding_of_caller) gem by [@banisterfiend](http://twitter.com/banisterfiend) to your Gemfile:
 ```ruby
@@ -31,6 +29,28 @@ gem "binding_of_caller"
 This is an optional dependency however, and Better Errors will work without it.
+## Security
+**NOTE:** It is *critical* you put better\_errors in the **development** section. **Do NOT run better_errors in production, or on Internet facing hosts.**
+You will notice that the only machine that gets the Better Errors page is localhost, which means you get the default error page if you are developing on a remote host (or a virtually remote host, such as a Vagrant box). Obviously, the REPL is not something you want to expose to the public, but there may also be other pieces of sensitive information available in the backtrace.
+To poke selective holes in this security mechanism, you can add a line like this to your startup (for example, on Rails it would be `config/environments/development.rb`)
+```ruby
+BetterErrors::Middleware.allow_ip! ENV['TRUSTED_IP'] if ENV['TRUSTED_IP']
+```
+Then run Rails like this:
+```shell
+TRUSTED_IP=66.68.96.220 rails s
+```
+Note that the `allow_ip!` is actually backed by a `Set`, so you can add more than one IP address or subnet.
+**Tip:** You can find your apparent IP by hitting the old error page's "Show env dump" and looking at "REMOTE_ADDR".
 ## Usage
 If you're using Rails, there's nothing else you need to do.

data/Rakefile CHANGED

@@ -1 +1,4 @@
 require "bundler/gem_tasks"
+task :default => :spec
+task :test => :spec
+task :spec do sh 'bundle exec rspec' end

data/better_errors.gemspec CHANGED

@@ -17,6 +17,8 @@ Gem::Specification.new do |s|
   s.test_files    = s.files.grep(%r{^(test|spec|features)/})
   s.require_paths = ["lib"]
+  s.required_ruby_version = ">= 1.9.2"
   s.add_development_dependency "rake"
   s.add_development_dependency "rspec", "~> 2.12.0"
   s.add_development_dependency "binding_of_caller"

data/lib/better_errors.rb CHANGED

@@ -91,6 +91,8 @@ module BetterErrors
       self.editor = "subl://open?url=file://%{file}&line=%{line}"
     when :macvim, :mvim
       self.editor = proc { |file, line| "mvim://open?url=file://#{file}&line=#{line}" }
+    when :emacs
+      self.editor = "emacs://open?url=file://%{file}&line=%{line}"
     when String
       self.editor = proc { |file, line| editor % { file: URI.encode_www_form_component(file), line: line } }
     else

data/lib/better_errors/middleware.rb CHANGED

@@ -1,17 +1,18 @@
 require "json"
 require "ipaddr"
+require "set"
 module BetterErrors
   # Better Errors' error handling middleware. Including this in your middleware
   # stack will show a Better Errors error page for exceptions raised below this
   # middleware.
-  #
-  # If you are using Ruby on Rails, you do not need to manually insert this
+  #
+  # If you are using Ruby on Rails, you do not need to manually insert this
   # middleware into your middleware stack.
-  #
+  #
   # @example Sinatra
   #   require "better_errors"
-  #
+  #
   #   if development?
   #     use BetterErrors::Middleware
   #   end
@@ -21,39 +22,51 @@ module BetterErrors
   #   if ENV["RACK_ENV"] == "development"
   #     use BetterErrors::Middleware
   #   end
-  #
+  #
   class Middleware
+    # The set of IP addresses that are allowed to access Better Errors.
+    #
+    # Set to `{ "127.0.0.1/8", "::1/128" }` by default.
+    ALLOWED_IPS = Set.new
+    # Adds an address to the set of IP addresses allowed to access Better
+    # Errors.
+    def self.allow_ip!(addr)
+      ALLOWED_IPS << IPAddr.new(addr)
+    end
+    allow_ip! "127.0.0.0/8"
+    allow_ip! "::1/128"
     # A new instance of BetterErrors::Middleware
-    #
+    #
     # @param app      The Rack app/middleware to wrap with Better Errors
     # @param handler  The error handler to use.
     def initialize(app, handler = ErrorPage)
       @app      = app
       @handler  = handler
     end
     # Calls the Better Errors middleware
-    #
+    #
     # @param [Hash] env
     # @return [Array]
     def call(env)
-      if local_request? env
+      if allow_ip? env
         better_errors_call env
       else
         @app.call env
       end
     end
   private
-    IPV4_LOCAL = IPAddr.new("127.0.0.0/8")
-    IPV6_LOCAL = IPAddr.new("::1/128")
-    def local_request?(env)
+    def allow_ip?(env)
       # REMOTE_ADDR is not in the rack spec, so some application servers do
       # not provide it.
       return true unless env["REMOTE_ADDR"]
       ip = IPAddr.new env["REMOTE_ADDR"]
-      IPV4_LOCAL.include? ip or IPV6_LOCAL.include? ip
+      ALLOWED_IPS.any? { |subnet| subnet.include? ip }
     end
     def better_errors_call(env)
@@ -93,18 +106,18 @@ module BetterErrors
       env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" ||
       !env["HTTP_ACCEPT"].to_s.include?('html')
     end
     def log_exception
       return unless BetterErrors.logger
       message = "\n#{@error_page.exception.class} - #{@error_page.exception.message}:\n"
       @error_page.backtrace_frames.each do |frame|
         message << "  #{frame}\n"
       end
       BetterErrors.logger.fatal message
     end
     def internal_call(env, opts)
       if opts[:oid].to_i != @error_page.object_id
         return [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(error: "Session expired")]]

data/lib/better_errors/version.rb CHANGED

@@ -1,3 +1,3 @@
 module BetterErrors
-  VERSION = "0.6.0"
+  VERSION = "0.7.0"
 end

data/spec/better_errors/middleware_spec.rb CHANGED

@@ -23,48 +23,54 @@ module BetterErrors
       app.call("REMOTE_ADDR" => "1.2.3.4")
     end
+    it "should show to a whitelisted IP" do
+      BetterErrors::Middleware.allow_ip! '77.55.33.11'
+      app.should_receive :better_errors_call
+      app.call("REMOTE_ADDR" => "77.55.33.11")
+    end
     context "when requesting the /__better_errors manually" do
       let(:app) { Middleware.new(->env { ":)" }) }
       it "should show that no errors have been recorded" do
         status, headers, body = app.call("PATH_INFO" => "/__better_errors")
         body.join.should match /No errors have been recorded yet./
       end
     end
     context "when handling an error" do
       let(:app) { Middleware.new(->env { raise "oh no :(" }) }
       it "should return status 500" do
         status, headers, body = app.call({})
         status.should == 500
       end
       it "should return UTF-8 error pages" do
         status, headers, body = app.call({})
         headers["Content-Type"].should match /charset=utf-8/
       end
       it "should return text pages by default" do
         status, headers, body = app.call({})
         headers["Content-Type"].should match /text\/plain/
       end
       it "should return HTML pages by default" do
         # Chrome's 'Accept' header looks similar this.
         status, headers, body = app.call("HTTP_ACCEPT" => "text/html,application/xhtml+xml;q=0.9,*/*")
         headers["Content-Type"].should match /text\/html/
       end
       it "should log the exception" do
         logger = Object.new
         logger.should_receive :fatal
         BetterErrors.stub!(:logger).and_return(logger)
         app.call({})
       end
     end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_errors
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-14 00:00:00.000000000 Z
+date: 2013-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -165,6 +165,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - .yardopts
 - CONTRIBUTING.md
 - Gemfile
@@ -211,13 +212,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -156735969867517913
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.25
@@ -235,3 +239,4 @@ test_files:
 - spec/better_errors/support/my_source.rb
 - spec/better_errors_spec.rb
 - spec/spec_helper.rb
+has_rdoc: