better_errors 2.4.0 → 2.9.1

data/lib/better_errors/exception_hint.rb

@@ -0,0 +1,29 @@
+module BetterErrors
+  class ExceptionHint
+    def initialize(exception)
+      @exception = exception
+    end
+
+    def hint
+      case exception
+      when NoMethodError
+        /\Aundefined method `(?<method>[^']+)' for (?<val>[^:]+):(?<klass>\w+)/.match(exception.message) do |match|
+          if match[:val] == "nil"
+            return "Something is `nil` when it probably shouldn't be."
+          elsif !match[:klass].start_with? '0x'
+            return "`#{match[:method]}` is being called on a `#{match[:klass]}` object, "\
+              "which might not be the type of object you were expecting."
+          end
+        end
+      when NameError
+        /\Aundefined local variable or method `(?<method>[^']+)' for/.match(exception.message) do |match|
+          return "`#{match[:method]}` is probably misspelled."
+        end
+      end
+    end
+
+    private
+
+    attr_reader :exception
+  end
+end

data/lib/better_errors/inspectable_value.rb

@@ -0,0 +1,45 @@
+require "cgi"
+require "objspace" rescue nil
+
+module BetterErrors
+  class ValueLargerThanConfiguredMaximum < StandardError; end
+
+  class InspectableValue
+    def initialize(value)
+      @original_value = value
+    end
+
+    def to_html
+      raise ValueLargerThanConfiguredMaximum unless value_small_enough_to_inspect?
+      value_as_html
+    end
+
+    private
+
+    attr_reader :original_value
+
+    def value_as_html
+      @value_as_html ||= CGI.escapeHTML(value)
+    end
+
+    def value
+      @value ||= begin
+        if original_value.respond_to? :inspect
+          original_value.inspect
+        else
+          original_value
+        end
+      end
+    end
+
+    def value_small_enough_to_inspect?
+      return true if BetterErrors.maximum_variable_inspect_size.nil?
+
+      if defined?(ObjectSpace) && defined?(ObjectSpace.memsize_of) && ObjectSpace.memsize_of(value)
+        ObjectSpace.memsize_of(value) <= BetterErrors.maximum_variable_inspect_size
+      else
+        value_as_html.length <= BetterErrors.maximum_variable_inspect_size
+      end
+    end
+  end
+end

data/lib/better_errors/middleware.rb

@@ -1,5 +1,6 @@
 require "json"
 require "ipaddr"
+require "securerandom"
 require "set"
 require "rack"
 
@@ -33,12 +34,14 @@ module BetterErrors
     # Adds an address to the set of IP addresses allowed to access Better
     # Errors.
     def self.allow_ip!(addr)
-      ALLOWED_IPS << IPAddr.new(addr)
+      ALLOWED_IPS << (addr.is_a?(IPAddr) ? addr : IPAddr.new(addr))
     end
 
     allow_ip! "127.0.0.0/8"
     allow_ip! "::1/128" rescue nil # windows ruby doesn't have ipv6 support
 
+    CSRF_TOKEN_COOKIE_NAME = "BetterErrors-#{BetterErrors::VERSION}-CSRF-Token"
+
     # A new instance of BetterErrors::Middleware
     #
     # @param app      The Rack app/middleware to wrap with Better Errors
@@ -72,7 +75,7 @@ module BetterErrors
     def better_errors_call(env)
       case env["PATH_INFO"]
       when %r{/__better_errors/(?<id>.+?)/(?<method>\w+)\z}
-        internal_call env, $~
+        internal_call(env, $~[:id], $~[:method])
       when %r{/__better_errors/?\z}
         show_error_page env
       else
@@ -89,11 +92,14 @@ module BetterErrors
     end
 
     def show_error_page(env, exception=nil)
+      request = Rack::Request.new(env)
+      csrf_token = request.cookies[CSRF_TOKEN_COOKIE_NAME] || SecureRandom.uuid
+
       type, content = if @error_page
         if text?(env)
           [ 'plain', @error_page.render('text') ]
         else
-          [ 'html', @error_page.render ]
+          [ 'html', @error_page.render('main', csrf_token) ]
         end
       else
         [ 'html', no_errors_page ]
@@ -104,12 +110,22 @@ module BetterErrors
         status_code = ActionDispatch::ExceptionWrapper.new(env, exception).status_code
       end
 
-      [status_code, { "Content-Type" => "text/#{type}; charset=utf-8" }, [content]]
+      response = Rack::Response.new(content, status_code, { "Content-Type" => "text/#{type}; charset=utf-8" })
+
+      unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
+        response.set_cookie(CSRF_TOKEN_COOKIE_NAME, value: csrf_token, path: "/", httponly: true, same_site: :strict)
+      end
+
+      # In older versions of Rack, the body returned here is actually a Rack::BodyProxy which seems to be a bug.
+      # (It contains status, headers and body and does not act like an array of strings.)
+      # Since we already have status code and body here, there's no need to use the ones in the Rack::Response.
+      (_status_code, headers, _body) = response.finish
+      [status_code, headers, [content]]
     end
 
     def text?(env)
       env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" ||
-      !env["HTTP_ACCEPT"].to_s.include?('html')
+        !env["HTTP_ACCEPT"].to_s.include?('html')
     end
 
     def log_exception
@@ -129,13 +145,22 @@ module BetterErrors
       end
     end
 
-    def internal_call(env, opts)
+    def internal_call(env, id, method)
+      return not_found_json_response unless %w[variables eval].include?(method)
       return no_errors_json_response unless @error_page
-      return invalid_error_json_response if opts[:id] != @error_page.id
+      return invalid_error_json_response if id != @error_page.id
+
+      request = Rack::Request.new(env)
+      return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
+
+      request.body.rewind
+      body = JSON.parse(request.body.read)
+      return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME] == body['csrfToken']
+
+      return not_acceptable_json_response unless request.content_type == 'application/json'
 
-      env["rack.input"].rewind
-      response = @error_page.send("do_#{opts[:method]}", JSON.parse(env["rack.input"].read))
-      [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(response)]]
+      response = @error_page.send("do_#{method}", body)
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(response)]]
     end
 
     def no_errors_page
@@ -157,18 +182,40 @@ module BetterErrors
         "The application has been restarted since this page loaded, " +
           "or the framework is reloading all gems before each request "
       end
-      [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
         error: 'No exception information available',
         explanation: explanation,
       )]]
     end
 
     def invalid_error_json_response
-      [200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
         error: "Session expired",
         explanation: "This page was likely opened from a previous exception, " +
           "and the exception is no longer available in memory.",
       )]]
     end
+
+    def invalid_csrf_token_json_response
+      [200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Invalid CSRF Token",
+        explanation: "The browser session might have been cleared, " +
+          "or something went wrong.",
+      )]]
+    end
+
+    def not_found_json_response
+      [404, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Not found",
+        explanation: "Not a recognized internal call.",
+      )]]
+    end
+
+    def not_acceptable_json_response
+      [406, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
+        error: "Request not acceptable",
+        explanation: "The internal request did not match an acceptable content type.",
+      )]]
+    end
   end
 end

data/lib/better_errors/raised_exception.rb

@@ -1,12 +1,23 @@
+require 'better_errors/exception_hint'
+
 # @private
 module BetterErrors
   class RaisedException
-    attr_reader :exception, :message, :backtrace
+    attr_reader :exception, :message, :backtrace, :hint
 
     def initialize(exception)
-      if exception.respond_to?(:cause)
+      if exception.class.name == "ActionView::Template::Error" && exception.respond_to?(:cause)
+        # Rails 6+ exceptions of this type wrap the "real" exception, and the real exception
+        # is actually more useful than the ActionView-provided wrapper. Once Better Errors
+        # supports showing all exceptions in the cause stack, this should go away. Or perhaps
+        # this can be changed to provide guidance by showing the second error in the cause stack
+        # under this condition.
         exception = exception.cause if exception.cause
       elsif exception.respond_to?(:original_exception) && exception.original_exception
+        # This supports some specific Rails exceptions, and this is not intended to act the same as
+        # the Ruby's {Exception#cause}.
+        # It's possible this should only support ActionView::Template::Error, but by not changing
+        # this we're preserving longstanding behavior of Better Errors with Rails < 6.
         exception = exception.original_exception
       end
 
@@ -14,6 +25,7 @@ module BetterErrors
       @message = exception.message
 
       setup_backtrace
+      setup_hint
       massage_syntax_error
     end
 
@@ -36,8 +48,13 @@ module BetterErrors
 
     def setup_backtrace_from_bindings
       @backtrace = exception.__better_errors_bindings_stack.map { |binding|
-        file = binding.eval "__FILE__"
-        line = binding.eval "__LINE__"
+        if binding.respond_to?(:source_location) # Ruby >= 2.6
+          file = binding.source_location[0]
+          line = binding.source_location[1]
+        else
+          file = binding.eval "__FILE__"
+          line = binding.eval "__LINE__"
+        end
         name = binding.frame_description
         StackFrame.new(file, line, name, binding)
       }
@@ -64,5 +81,9 @@ module BetterErrors
         end
       end
     end
+
+    def setup_hint
+      @hint = ExceptionHint.new(exception).hint
+    end
   end
 end

data/lib/better_errors/stack_frame.rb

@@ -69,21 +69,26 @@ module BetterErrors
     def local_variables
       return {} unless frame_binding
 
-      frame_binding.eval("local_variables").each_with_object({}) do |name, hash|
+      lv = frame_binding.eval("local_variables")
+      return {} unless lv
+
+      lv.each_with_object({}) do |name, hash|
         # Ruby 2.2's local_variables will include the hidden #$! variable if
         # called from within a rescue context. This is not a valid variable name,
         # so the local_variable_get method complains. This should probably be
         # considered a bug in Ruby itself, but we need to work around it.
         next if name == :"\#$!"
 
-        if defined?(frame_binding.local_variable_get)
-          hash[name] = frame_binding.local_variable_get(name)
-        else
-          hash[name] = frame_binding.eval(name.to_s)
-        end
+        hash[name] = local_variable(name)
       end
     end
 
+    def local_variable(name)
+      get_local_variable(name) || eval_local_variable(name)
+    rescue NameError => ex
+      "#{ex.class}: #{ex.message}"
+    end
+
     def instance_variables
       return {} unless frame_binding
       Hash[visible_instance_variables.map { |x|
@@ -92,7 +97,10 @@ module BetterErrors
     end
 
     def visible_instance_variables
-      frame_binding.eval("instance_variables") - BetterErrors.ignored_instance_variables
+      iv = frame_binding.eval("instance_variables")
+      return {} unless iv
+
+      iv - BetterErrors.ignored_instance_variables
     end
 
     def to_s
@@ -114,5 +122,15 @@ module BetterErrors
         @method_name = "##{method_name}"
       end
     end
+
+    def get_local_variable(name)
+      if defined?(frame_binding.local_variable_get)
+        frame_binding.local_variable_get(name)
+      end
+    end
+
+    def eval_local_variable(name)
+      frame_binding.eval(name.to_s)
+    end
   end
 end

data/lib/better_errors/templates/main.erb

@@ -90,7 +90,7 @@
         nav.sidebar,
         .frame_info {
             position: fixed;
-            top: 95px;
+            top: 102px;
             bottom: 0;
 
             box-sizing: border-box;
@@ -102,7 +102,7 @@
         nav.sidebar {
             width: 40%;
             left: 20px;
-            top: 115px;
+            top: 122px;
             bottom: 20px;
         }
 
@@ -131,7 +131,7 @@
     header.exception {
         padding: 18px 20px;
 
-        height: 59px;
+        height: 66px;
         min-height: 59px;
 
         overflow: hidden;
@@ -146,6 +146,14 @@
     }
 
     /* Heading */
+    header.exception .fix-actions {
+        margin-top: .5em;
+    }
+
+    header.exception .fix-actions input[type=submit] {
+        font-weight: bold;
+    }
+
     header.exception h2 {
         font-weight: 200;
         font-size: 11pt;
@@ -153,7 +161,7 @@
 
     header.exception h2,
     header.exception p {
-        line-height: 1.4em;
+        line-height: 1.5em;
         overflow: hidden;
         white-space: pre;
         text-overflow: ellipsis;
@@ -166,7 +174,7 @@
 
     header.exception p {
         font-weight: 200;
-        font-size: 20pt;
+        font-size: 17pt;
         color: white;
     }
 
@@ -587,6 +595,9 @@
         color: #8080a0;
         padding-left: 20px;
     }
+    .console-has-been-used .live-console-hint {
+        display: none;
+    }
 
     .hint:before {
         content: '\25b2';
@@ -603,17 +614,6 @@
         margin: 10px 0;
     }
 
-    .sub:before {
-        content: '';
-        display: block;
-        width: 100%;
-        height: 4px;
-
-        border-radius: 2px;
-        background: rgba(0, 150, 200, 0.05);
-        box-shadow: 1px 1px 0 rgba(255, 255, 255, 0.7), inset 0 0 0 1px rgba(0, 0, 0, 0.04), inset 2px 2px 2px rgba(0, 0, 0, 0.07);
-    }
-
     .sub h3 {
         color: #39a;
         font-size: 1.1em;
@@ -721,12 +721,22 @@
               if(document.styleSheets[i].href)
                   document.styleSheets[i].disabled = true;
           }
-          document.addEventListener("page:restore", function restoreCSS(e) {
-              for(var i=0; i < document.styleSheets.length; i++) {
-                  document.styleSheets[i].disabled = false;
-              }
-              document.removeEventListener("page:restore", restoreCSS, false);
-          });
+          if (window.Turbolinks.controller) {
+              // Turbolinks > 5 (see https://github.com/turbolinks/turbolinks/issues/6)
+              document.addEventListener("turbolinks:load", function restoreCSS(e) {
+                  for(var i=0; i < document.styleSheets.length; i++) {
+                      document.styleSheets[i].disabled = false;
+                  }
+                  document.removeEventListener("turbolinks:load", restoreCSS, false);
+              });
+          } else {
+              document.addEventListener("page:restore", function restoreCSS(e) {
+                  for(var i=0; i < document.styleSheets.length; i++) {
+                      document.styleSheets[i].disabled = false;
+                  }
+                  document.removeEventListener("page:restore", restoreCSS, false);
+              });
+          }
       }
     </script>
 
@@ -734,6 +744,21 @@
         <header class="exception">
             <h2><strong><%= exception_type %></strong> <span>at <%= request_path %></span></h2>
             <p><%= exception_message %></p>
+            <% unless active_support_actions.empty? %>
+                <div class='fix-actions'>
+                    <% active_support_actions.each do |action, _| %>
+                        <form class="button_to" method="post" action="<%= action_dispatch_action_endpoint %>">
+                            <input type="submit" value="<%= action %>">
+                            <input type="hidden" name="action" value="<%= action %>">
+                            <input type="hidden" name="error" value="<%= exception_type %>">
+                            <input type="hidden" name="location" value="<%= request_path %>">
+                        </form>
+                    <% end %>
+                </div>
+            <% end %>
+            <% if exception_hint %>
+              <h2>Hint: <%= exception_hint %></h2>
+            <% end %>
         </header>
     </div>
 
@@ -770,6 +795,7 @@
 (function() {
 
     var OID = "<%= id %>";
+    var csrfToken = "<%= csrf_token %>";
 
     var previousFrame = null;
     var previousFrameInfo = null;
@@ -780,6 +806,7 @@
         var req = new XMLHttpRequest();
         req.open("POST", "//" + window.location.host + <%== uri_prefix.gsub("<", "&lt;").inspect %> + "/__better_errors/" + OID + "/" + method, true);
         req.setRequestHeader("Content-Type", "application/json");
+        opts.csrfToken = csrfToken;
         req.send(JSON.stringify(opts));
         req.onreadystatechange = function() {
             if(req.readyState == 4) {
@@ -793,6 +820,28 @@
         return html.replace(/&/, "&amp;").replace(/</g, "&lt;");
     }
 
+    function hasConsoleBeenUsedPreviously() {
+      return !!document.cookie.split('; ').find(function(cookie) {
+          return cookie.startsWith('BetterErrors-has-used-console=');
+      });
+    }
+
+    var consoleHasBeenUsed = hasConsoleBeenUsedPreviously();
+
+    function consoleWasJustUsed() {
+        if (consoleHasBeenUsed) {
+            return;
+        }
+
+        hideConsoleHint();
+        consoleHasBeenUsed = true;
+        document.cookie = "BetterErrors-has-used-console=true;path=/;max-age=31536000;samesite"
+    }
+
+    function hideConsoleHint() {
+        document.querySelector('body').className += " console-has-been-used";
+    }
+
     function REPL(index) {
         this.index = index;
 
@@ -814,15 +863,20 @@
         this.inputElement   = this.container.querySelector("input");
         this.outputElement  = this.container.querySelector("pre");
 
+        if (consoleHasBeenUsed) {
+            hideConsoleHint();
+        }
+
         var self = this;
         this.inputElement.onkeydown = function(ev) {
             self.onKeyDown(ev);
+            consoleWasJustUsed();
         };
 
         this.setPrompt(">>");
 
         REPL.all[this.index] = this;
-    }
+    };
 
     REPL.prototype.focus = function() {
         this.inputElement.focus();
@@ -943,7 +997,7 @@
                     if(response.explanation) {
                       el.innerHTML += "<p class='explanation'>" + escapeHTML(response.explanation) + "</p>";
                     }
-                    el.innerHTML += "<p><a target='_new' href='https://github.com/charliesome/better_errors'>More about Better Errors</a></p>";
+                    el.innerHTML += "<p><a target='_new' href='https://github.com/BetterErrors/better_errors'>More about Better Errors</a></p>";
                 } else {
                     el.innerHTML = response.html;