better_errors 2.0.0 → 2.8.0

data/lib/better_errors/code_formatter.rb

@@ -11,9 +11,9 @@ module BetterErrors
       ".erb"  => :erb,
       ".haml" => :haml
     }
-    
+
     attr_reader :filename, :line, :context
-    
+
     def initialize(filename, line, context = 5)
       @filename = filename
       @line     = line
@@ -29,7 +29,7 @@ module BetterErrors
     def formatted_code
       formatted_lines.join
     end
-    
+
     def coderay_scanner
       ext = File.extname(filename)
       FILE_TYPES[ext] || :text
@@ -40,20 +40,20 @@ module BetterErrors
         yield (current_line == line), current_line, str
       }
     end
-    
+
     def highlighted_lines
       CodeRay.scan(context_lines.join, coderay_scanner).div(wrap: nil).lines
     end
-    
+
     def context_lines
       range = line_range
       source_lines[(range.begin - 1)..(range.end - 1)] or raise Errno::EINVAL
     end
-    
+
     def source_lines
       @source_lines ||= File.readlines(filename)
     end
-    
+
     def line_range
       min = [line - context, 1].max
       max = [line + context, source_lines.count].min

data/lib/better_errors/error_page.rb

@@ -10,7 +10,7 @@ module BetterErrors
     end
 
     def self.template(template_name)
-      Erubis::EscapedEruby.new(File.read(template_path(template_name)))
+      Erubi::Engine.new(File.read(template_path(template_name)), escape: true)
     end
 
     attr_reader :exception, :env, :repls
@@ -26,8 +26,13 @@ module BetterErrors
       @id ||= SecureRandom.hex(8)
     end
 
-    def render(template_name = "main")
-      self.class.template(template_name).result binding
+    def render(template_name = "main", csrf_token = nil)
+      binding.eval(self.class.template(template_name).src)
+    rescue => e
+      # Fix the backtrace, which doesn't identify the template that failed (within Better Errors).
+      # We don't know the line number, so just injecting the template path has to be enough.
+      e.backtrace.unshift "#{self.class.template_path(template_name)}:0"
+      raise
     end
 
     def do_variables(opts)
@@ -41,23 +46,39 @@ module BetterErrors
       index = opts["index"].to_i
       code = opts["source"]
 
-      unless binding = backtrace_frames[index].frame_binding
+      unless (binding = backtrace_frames[index].frame_binding)
         return { error: "REPL unavailable in this stack frame" }
       end
 
-      result, prompt, prefilled_input =
-        (@repls[index] ||= REPL.provider.new(binding)).send_input(code)
+      @repls[index] ||= REPL.provider.new(binding, exception)
 
-      { result: result,
-        prompt: prompt,
-        prefilled_input: prefilled_input,
-        highlighted_input: CodeRay.scan(code, :ruby).div(wrap: nil) }
+      eval_and_respond(index, code)
     end
 
     def backtrace_frames
       exception.backtrace
     end
 
+    def exception_type
+      exception.type
+    end
+
+    def exception_message
+      exception.message.strip.gsub(/(\r?\n\s*\r?\n)+/, "\n")
+    end
+
+    def active_support_actions
+      return [] unless defined?(ActiveSupport::ActionableError)
+
+      ActiveSupport::ActionableError.actions(exception.type)
+    end
+
+    def action_dispatch_action_endpoint
+      return unless defined?(ActionDispatch::ActionableExceptions)
+
+      ActionDispatch::ActionableExceptions.endpoint
+    end
+
     def application_frames
       backtrace_frames.select(&:application?)
     end
@@ -66,7 +87,8 @@ module BetterErrors
       application_frames.first || backtrace_frames.first
     end
 
-  private
+    private
+
     def editor_url(frame)
       BetterErrors.editor[frame.filename, frame.line]
     end
@@ -100,11 +122,30 @@ module BetterErrors
     end
 
     def inspect_value(obj)
-      CGI.escapeHTML(obj.inspect)
-    rescue NoMethodError
-      "<span class='unsupported'>(object doesn't support inspect)</span>"
+      if BetterErrors.ignored_classes.include? obj.class.name
+        "<span class='unsupported'>(Instance of ignored class. "\
+        "#{obj.class.name ? "Remove #{CGI.escapeHTML(obj.class.name)} from" : "Modify"}"\
+        " BetterErrors.ignored_classes if you need to see it.)</span>"
+      else
+        InspectableValue.new(obj).to_html
+      end
+    rescue BetterErrors::ValueLargerThanConfiguredMaximum
+      "<span class='unsupported'>(Object too large. "\
+        "#{obj.class.name ? "Modify #{CGI.escapeHTML(obj.class.name)}#inspect or a" : "A"}"\
+        "djust BetterErrors.maximum_variable_inspect_size if you need to see it.)</span>"
     rescue Exception => e
-      "<span class='unsupported'>(exception was raised in inspect)</span>"
+      "<span class='unsupported'>(exception #{CGI.escapeHTML(e.class.to_s)} was raised in inspect)</span>"
+    end
+
+    def eval_and_respond(index, code)
+      result, prompt, prefilled_input = @repls[index].send_input(code)
+
+      {
+        highlighted_input: CodeRay.scan(code, :ruby).div(wrap: nil),
+        prefilled_input:   prefilled_input,
+        prompt:            prompt,
+        result:            result
+      }
     end
   end
 end

data/lib/better_errors/inspectable_value.rb

@@ -0,0 +1,45 @@
+require "cgi"
+require "objspace" rescue nil
+
+module BetterErrors
+  class ValueLargerThanConfiguredMaximum < StandardError; end
+
+  class InspectableValue
+    def initialize(value)
+      @original_value = value
+    end
+
+    def to_html
+      raise ValueLargerThanConfiguredMaximum unless value_small_enough_to_inspect?
+      value_as_html
+    end
+
+    private
+
+    attr_reader :original_value
+
+    def value_as_html
+      @value_as_html ||= CGI.escapeHTML(value)
+    end
+
+    def value
+      @value ||= begin
+        if original_value.respond_to? :inspect
+          original_value.inspect
+        else
+          original_value
+        end
+      end
+    end
+
+    def value_small_enough_to_inspect?
+      return true if BetterErrors.maximum_variable_inspect_size.nil?
+
+      if defined?(ObjectSpace) && defined?(ObjectSpace.memsize_of) && ObjectSpace.memsize_of(value)
+        ObjectSpace.memsize_of(value) <= BetterErrors.maximum_variable_inspect_size
+      else
+        value_as_html.length <= BetterErrors.maximum_variable_inspect_size
+      end
+    end
+  end
+end

data/lib/better_errors/middleware.rb

@@ -1,5 +1,6 @@
 require "json"
 require "ipaddr"
+require "securerandom"
 require "set"
 require "rack"
 
@@ -33,12 +34,14 @@ module BetterErrors
     # Adds an address to the set of IP addresses allowed to access Better
     # Errors.
     def self.allow_ip!(addr)
-      ALLOWED_IPS << IPAddr.new(addr)
+      ALLOWED_IPS << (addr.is_a?(IPAddr) ? addr : IPAddr.new(addr))
     end
 
     allow_ip! "127.0.0.0/8"
     allow_ip! "::1/128" rescue nil # windows ruby doesn't have ipv6 support
 
+    CSRF_TOKEN_COOKIE_NAME = 'BetterErrors-CSRF-Token'
+
     # A new instance of BetterErrors::Middleware
     #
     # @param app      The Rack app/middleware to wrap with Better Errors
@@ -72,7 +75,7 @@ module BetterErrors
     def better_errors_call(env)
       case env["PATH_INFO"]
       when %r{/__better_errors/(?<id>.+?)/(?<method>\w+)\z}
-        internal_call env, $~
+        internal_call(env, $~[:id], $~[:method])
       when %r{/__better_errors/?\z}
         show_error_page env
       else
@@ -89,53 +92,130 @@ module BetterErrors
     end
 
     def show_error_page(env, exception=nil)
+      request = Rack::Request.new(env)
+      csrf_token = request.cookies[CSRF_TOKEN_COOKIE_NAME] || SecureRandom.uuid
+
       type, content = if @error_page
         if text?(env)
           [ 'plain', @error_page.render('text') ]
         else
-          [ 'html', @error_page.render ]
+          [ 'html', @error_page.render('main', csrf_token) ]
         end
       else
         [ 'html', no_errors_page ]
       end
 
       status_code = 500
-      if defined? ActionDispatch::ExceptionWrapper
+      if defined?(ActionDispatch::ExceptionWrapper) && exception
         status_code = ActionDispatch::ExceptionWrapper.new(env, exception).status_code
       end
 
-      [status_code, { "Content-Type" => "text/#{type}; charset=utf-8" }, [content]]
+      response = Rack::Response.new(content, status_code, { "Content-Type" => "text/#{type}; charset=utf-8" })
+
+      unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
+        response.set_cookie(CSRF_TOKEN_COOKIE_NAME, value: csrf_token, httponly: true, same_site: :strict)
+      end
+
+      # In older versions of Rack, the body returned here is actually a Rack::BodyProxy which seems to be a bug.
+      # (It contains status, headers and body and does not act like an array of strings.)
+      # Since we already have status code and body here, there's no need to use the ones in the Rack::Response.
+      (_status_code, headers, _body) = response.finish
+      [status_code, headers, [content]]
     end
 
     def text?(env)
       env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" ||
-      !env["HTTP_ACCEPT"].to_s.include?('html')
+        !env["HTTP_ACCEPT"].to_s.include?('html')
     end
 
     def log_exception
       return unless BetterErrors.logger
 
-      message = "\n#{@error_page.exception.type} - #{@error_page.exception.message}:\n"
-      @error_page.backtrace_frames.each do |frame|
-        message << "  #{frame}\n"
-      end
+      message = "\n#{@error_page.exception_type} - #{@error_page.exception_message}:\n"
+      message += backtrace_frames.map { |frame| "  #{frame}\n" }.join
 
       BetterErrors.logger.fatal message
     end
 
-    def internal_call(env, opts)
-      if opts[:id] != @error_page.id
-        return [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(error: "Session expired")]]
+    def backtrace_frames
+      if defined?(Rails) && defined?(Rails.backtrace_cleaner)
+        Rails.backtrace_cleaner.clean @error_page.backtrace_frames.map(&:to_s)
+      else
+        @error_page.backtrace_frames
       end
+    end
+
+    def internal_call(env, id, method)
+      return not_found_json_response unless %w[variables eval].include?(method)
+      return no_errors_json_response unless @error_page
+      return invalid_error_json_response if id != @error_page.id
+
+      request = Rack::Request.new(env)
+      return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
+
+      request.body.rewind
+      body = JSON.parse(request.body.read)
+      return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME] == body['csrfToken']
 
-      env["rack.input"].rewind
-      response = @error_page.send("do_#{opts[:method]}", JSON.parse(env["rack.input"].read))
-      [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(response)]]
+      return not_acceptable_json_response unless request.content_type == 'application/json'
+
+      response = @error_page.send("do_#{method}", body)
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(response)]]
     end
 
     def no_errors_page
       "<h1>No errors</h1><p>No errors have been recorded yet.</p><hr>" +
       "<code>Better Errors v#{BetterErrors::VERSION}</code>"
     end
+
+    def no_errors_json_response
+      explanation = if defined? Middleman
+        "Middleman reloads all dependencies for each request, " +
+          "which breaks Better Errors."
+      elsif defined?(Shotgun) && defined?(Hanami)
+        "Hanami is likely running with code-reloading enabled, which is the default. " +
+          "You can disable this by running hanami with the `--no-code-reloading` option."
+      elsif defined? Shotgun
+        "The shotgun gem causes everything to be reloaded for every request. " +
+          "You can disable shotgun in the Gemfile temporarily to use Better Errors."
+      else
+        "The application has been restarted since this page loaded, " +
+          "or the framework is reloading all gems before each request "
+      end
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: 'No exception information available',
+        explanation: explanation,
+      )]]
+    end
+
+    def invalid_error_json_response
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Session expired",
+        explanation: "This page was likely opened from a previous exception, " +
+          "and the exception is no longer available in memory.",
+      )]]
+    end
+
+    def invalid_csrf_token_json_response
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Invalid CSRF Token",
+        explanation: "The browser session might have been cleared, " +
+          "or something went wrong.",
+      )]]
+    end
+
+    def not_found_json_response
+      [404, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Not found",
+        explanation: "Not a recognized internal call.",
+      )]]
+    end
+
+    def not_acceptable_json_response
+      [406, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Request not acceptable",
+        explanation: "The internal request did not match an acceptable content type.",
+      )]]
+    end
   end
 end

data/lib/better_errors/raised_exception.rb

@@ -5,6 +5,7 @@ module BetterErrors
 
     def initialize(exception)
       if exception.respond_to?(:original_exception) && exception.original_exception
+        # This supports some specific Rails exceptions, and is not intended to act the same as `#cause`.
         exception = exception.original_exception
       end
 
@@ -34,8 +35,13 @@ module BetterErrors
 
     def setup_backtrace_from_bindings
       @backtrace = exception.__better_errors_bindings_stack.map { |binding|
-        file = binding.eval "__FILE__"
-        line = binding.eval "__LINE__"
+        if binding.respond_to?(:source_location) # Ruby >= 2.6
+          file = binding.source_location[0]
+          line = binding.source_location[1]
+        else
+          file = binding.eval "__FILE__"
+          line = binding.eval "__LINE__"
+        end
         name = binding.frame_description
         StackFrame.new(file, line, name, binding)
       }
@@ -51,7 +57,11 @@ module BetterErrors
 
     def massage_syntax_error
       case exception.class.to_s
-      when "Haml::SyntaxError"
+      when "ActionView::Template::Error"
+        if exception.respond_to?(:file_name) && exception.respond_to?(:line_number)
+          backtrace.unshift(StackFrame.new(exception.file_name, exception.line_number.to_i, "view template"))
+        end
+      when "Haml::SyntaxError", "Sprockets::Coffeelint::Error"
         if /\A(.+?):(\d+)/ =~ exception.backtrace.first
           backtrace.unshift(StackFrame.new($1, $2.to_i, ""))
         end

data/lib/better_errors/repl/basic.rb

@@ -1,14 +1,14 @@
 module BetterErrors
   module REPL
     class Basic
-      def initialize(binding)
+      def initialize(binding, _exception)
         @binding = binding
       end
-    
+
       def send_input(str)
         [execute(str), ">>", ""]
       end
-    
+
     private
       def execute(str)
         "=> #{@binding.eval(str).inspect}\n"

data/lib/better_errors/repl/pry.rb

@@ -9,30 +9,34 @@ module BetterErrors
           Fiber.yield
         end
       end
-      
+
       class Output
         def initialize
           @buffer = ""
         end
-        
+
         def puts(*args)
           args.each do |arg|
             @buffer << "#{arg.chomp}\n"
           end
         end
-        
+
         def tty?
           false
         end
-        
+
         def read_buffer
           @buffer
         ensure
           @buffer = ""
         end
+
+        def print(*args)
+          @buffer << args.join(' ')
+        end
       end
-      
-      def initialize(binding)
+
+      def initialize(binding, exception)
         @fiber = Fiber.new do
           @pry.repl binding
         end
@@ -40,9 +44,15 @@ module BetterErrors
         @output = BetterErrors::REPL::Pry::Output.new
         @pry = ::Pry.new input: @input, output: @output
         @pry.hooks.clear_all if defined?(@pry.hooks.clear_all)
+        store_last_exception exception
         @fiber.resume
       end
-    
+
+      def store_last_exception(exception)
+        return unless defined? ::Pry::LastException
+        @pry.instance_variable_set(:@last_exception, ::Pry::LastException.new(exception.exception))
+      end
+
       def send_input(str)
         local ::Pry.config, color: false, pager: false do
           @fiber.resume "#{str}\n"
@@ -59,7 +69,7 @@ module BetterErrors
       rescue
         [">>", ""]
       end
-      
+
     private
       def local(obj, attrs)
         old_attrs = {}

data/lib/better_errors/repl.rb

@@ -9,19 +9,21 @@ module BetterErrors
     def self.provider
       @provider ||= const_get detect[:const]
     end
-    
+
     def self.provider=(prov)
       @provider = prov
     end
-    
+
     def self.detect
       PROVIDERS.find { |prov|
         test_provider prov
       }
     end
-    
+
     def self.test_provider(provider)
-      require provider[:impl]
+      # We must load this file instead of `require`ing it, since during our tests we want the file
+      # to be reloaded. In practice, this will only be called once, so `require` is not necessary.
+      load "#{provider[:impl]}.rb"
       true
     rescue LoadError
       false

data/lib/better_errors/stack_frame.rb

@@ -33,7 +33,7 @@ module BetterErrors
     end
 
     def gem_path
-      if path = Gem.path.detect { |path| filename.index(path) == 0 }
+      if path = Gem.path.detect { |p| filename.index(p) == 0 }
         gem_name_and_version, path = filename.sub("#{path}/gems/", "").split("/", 2)
         /(?<gem_name>.+)-(?<gem_version>[\w.]+)/ =~ gem_name_and_version
         "#{gem_name} (#{gem_version}) #{path}"
@@ -68,15 +68,27 @@ module BetterErrors
 
     def local_variables
       return {} unless frame_binding
-      frame_binding.eval("local_variables").each_with_object({}) do |name, hash|
-        if defined?(frame_binding.local_variable_get)
-          hash[name] = frame_binding.local_variable_get(name)
-        else
-          hash[name] = frame_binding.eval(name.to_s)
-        end
+
+      lv = frame_binding.eval("local_variables")
+      return {} unless lv
+
+      lv.each_with_object({}) do |name, hash|
+        # Ruby 2.2's local_variables will include the hidden #$! variable if
+        # called from within a rescue context. This is not a valid variable name,
+        # so the local_variable_get method complains. This should probably be
+        # considered a bug in Ruby itself, but we need to work around it.
+        next if name == :"\#$!"
+
+        hash[name] = local_variable(name)
       end
     end
 
+    def local_variable(name)
+      get_local_variable(name) || eval_local_variable(name)
+    rescue NameError => ex
+      "#{ex.class}: #{ex.message}"
+    end
+
     def instance_variables
       return {} unless frame_binding
       Hash[visible_instance_variables.map { |x|
@@ -85,7 +97,10 @@ module BetterErrors
     end
 
     def visible_instance_variables
-      frame_binding.eval("instance_variables") - BetterErrors.ignored_instance_variables
+      iv = frame_binding.eval("instance_variables")
+      return {} unless iv
+
+      iv - BetterErrors.ignored_instance_variables
     end
 
     def to_s
@@ -107,5 +122,15 @@ module BetterErrors
         @method_name = "##{method_name}"
       end
     end
+
+    def get_local_variable(name)
+      if defined?(frame_binding.local_variable_get)
+        frame_binding.local_variable_get(name)
+      end
+    end
+
+    def eval_local_variable(name)
+      frame_binding.eval(name.to_s)
+    end
   end
 end