better_errors 2.7.1 → 2.8.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +22 -0
- data/lib/better_errors/error_page.rb +19 -2
- data/lib/better_errors/middleware.rb +58 -11
- data/lib/better_errors/templates/main.erb +24 -2
- data/lib/better_errors/templates/variable_info.erb +8 -1
- data/lib/better_errors/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 10f7411145be495cf17cbebdf087e1bb21fe8c6fc8c07397fa406e7fc1f9f917
|
4
|
+
data.tar.gz: 3b14b75eaa97285c3ad5f685671348694aa7174cc43e52826e49e21a2f139b0d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 141e1056c402ed7b0aa0965278018096ca1d2bc4032072692c1f146ad09d6848d87792d665ecc6dcb41322594e91d9a5e27955edc560bb665a2995f150c0be4e
|
7
|
+
data.tar.gz: 03a94aa9fdcd0340b1fdf913a52978437692587efabe196ebb119087712086cc304289ec1c684ab4efbdece115a4bd1298b57bf58699a0d672f76f6aa196793b
|
data/README.md
CHANGED
@@ -35,6 +35,28 @@ end
|
|
35
35
|
|
36
36
|
_Note: If you discover that Better Errors isn't working - particularly after upgrading from version 0.5.0 or less - be sure to set `config.consider_all_requests_local = true` in `config/environments/development.rb`._
|
37
37
|
|
38
|
+
### Optional: Set `EDITOR`
|
39
|
+
|
40
|
+
For many reasons outside of Better Errors, you should have the `EDITOR` environment variable set to your preferred
|
41
|
+
editor.
|
42
|
+
Better Errors, like many other tools, will use that environment variable to show a link that opens your
|
43
|
+
editor to the file and line from the console.
|
44
|
+
|
45
|
+
By default the links will open TextMate-protocol links.
|
46
|
+
|
47
|
+
To see if your editor is supported or to set up a different editor, see [the wiki](https://github.com/BetterErrors/better_errors/wiki/Link-to-your-editor).
|
48
|
+
|
49
|
+
### Optional: Set `BETTER_ERRORS_INSIDE_FRAME`
|
50
|
+
|
51
|
+
If your application is running inside of an iframe, or if you have a Content Security Policy that disallows links
|
52
|
+
to other protocols, the editor links will not work.
|
53
|
+
|
54
|
+
To work around this set `BETTER_ERRORS_INSIDE_FRAME=1` in the environment, and the links will include `target=_blank`,
|
55
|
+
allowing the link to open regardless of the policy.
|
56
|
+
|
57
|
+
_This works because it opens the editor from a new browser tab, escaping from the restrictions of your site._
|
58
|
+
_Unfortunately it leaves behind an empty tab each time, so only use this if needed._
|
59
|
+
|
38
60
|
## Security
|
39
61
|
|
40
62
|
**NOTE:** It is *critical* you put better\_errors only in the **development** section of your Gemfile.
|
@@ -26,8 +26,13 @@ module BetterErrors
|
|
26
26
|
@id ||= SecureRandom.hex(8)
|
27
27
|
end
|
28
28
|
|
29
|
-
def render(template_name = "main")
|
29
|
+
def render(template_name = "main", csrf_token = nil)
|
30
30
|
binding.eval(self.class.template(template_name).src)
|
31
|
+
rescue => e
|
32
|
+
# Fix the backtrace, which doesn't identify the template that failed (within Better Errors).
|
33
|
+
# We don't know the line number, so just injecting the template path has to be enough.
|
34
|
+
e.backtrace.unshift "#{self.class.template_path(template_name)}:0"
|
35
|
+
raise
|
31
36
|
end
|
32
37
|
|
33
38
|
def do_variables(opts)
|
@@ -59,7 +64,19 @@ module BetterErrors
|
|
59
64
|
end
|
60
65
|
|
61
66
|
def exception_message
|
62
|
-
exception.message.
|
67
|
+
exception.message.strip.gsub(/(\r?\n\s*\r?\n)+/, "\n")
|
68
|
+
end
|
69
|
+
|
70
|
+
def active_support_actions
|
71
|
+
return [] unless defined?(ActiveSupport::ActionableError)
|
72
|
+
|
73
|
+
ActiveSupport::ActionableError.actions(exception.type)
|
74
|
+
end
|
75
|
+
|
76
|
+
def action_dispatch_action_endpoint
|
77
|
+
return unless defined?(ActionDispatch::ActionableExceptions)
|
78
|
+
|
79
|
+
ActionDispatch::ActionableExceptions.endpoint
|
63
80
|
end
|
64
81
|
|
65
82
|
def application_frames
|
@@ -1,5 +1,6 @@
|
|
1
1
|
require "json"
|
2
2
|
require "ipaddr"
|
3
|
+
require "securerandom"
|
3
4
|
require "set"
|
4
5
|
require "rack"
|
5
6
|
|
@@ -39,6 +40,8 @@ module BetterErrors
|
|
39
40
|
allow_ip! "127.0.0.0/8"
|
40
41
|
allow_ip! "::1/128" rescue nil # windows ruby doesn't have ipv6 support
|
41
42
|
|
43
|
+
CSRF_TOKEN_COOKIE_NAME = 'BetterErrors-CSRF-Token'
|
44
|
+
|
42
45
|
# A new instance of BetterErrors::Middleware
|
43
46
|
#
|
44
47
|
# @param app The Rack app/middleware to wrap with Better Errors
|
@@ -72,7 +75,7 @@ module BetterErrors
|
|
72
75
|
def better_errors_call(env)
|
73
76
|
case env["PATH_INFO"]
|
74
77
|
when %r{/__better_errors/(?<id>.+?)/(?<method>\w+)\z}
|
75
|
-
internal_call
|
78
|
+
internal_call(env, $~[:id], $~[:method])
|
76
79
|
when %r{/__better_errors/?\z}
|
77
80
|
show_error_page env
|
78
81
|
else
|
@@ -89,11 +92,14 @@ module BetterErrors
|
|
89
92
|
end
|
90
93
|
|
91
94
|
def show_error_page(env, exception=nil)
|
95
|
+
request = Rack::Request.new(env)
|
96
|
+
csrf_token = request.cookies[CSRF_TOKEN_COOKIE_NAME] || SecureRandom.uuid
|
97
|
+
|
92
98
|
type, content = if @error_page
|
93
99
|
if text?(env)
|
94
100
|
[ 'plain', @error_page.render('text') ]
|
95
101
|
else
|
96
|
-
[ 'html', @error_page.render ]
|
102
|
+
[ 'html', @error_page.render('main', csrf_token) ]
|
97
103
|
end
|
98
104
|
else
|
99
105
|
[ 'html', no_errors_page ]
|
@@ -104,12 +110,22 @@ module BetterErrors
|
|
104
110
|
status_code = ActionDispatch::ExceptionWrapper.new(env, exception).status_code
|
105
111
|
end
|
106
112
|
|
107
|
-
|
113
|
+
response = Rack::Response.new(content, status_code, { "Content-Type" => "text/#{type}; charset=utf-8" })
|
114
|
+
|
115
|
+
unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
|
116
|
+
response.set_cookie(CSRF_TOKEN_COOKIE_NAME, value: csrf_token, httponly: true, same_site: :strict)
|
117
|
+
end
|
118
|
+
|
119
|
+
# In older versions of Rack, the body returned here is actually a Rack::BodyProxy which seems to be a bug.
|
120
|
+
# (It contains status, headers and body and does not act like an array of strings.)
|
121
|
+
# Since we already have status code and body here, there's no need to use the ones in the Rack::Response.
|
122
|
+
(_status_code, headers, _body) = response.finish
|
123
|
+
[status_code, headers, [content]]
|
108
124
|
end
|
109
125
|
|
110
126
|
def text?(env)
|
111
127
|
env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest" ||
|
112
|
-
|
128
|
+
!env["HTTP_ACCEPT"].to_s.include?('html')
|
113
129
|
end
|
114
130
|
|
115
131
|
def log_exception
|
@@ -129,13 +145,22 @@ module BetterErrors
|
|
129
145
|
end
|
130
146
|
end
|
131
147
|
|
132
|
-
def internal_call(env,
|
148
|
+
def internal_call(env, id, method)
|
149
|
+
return not_found_json_response unless %w[variables eval].include?(method)
|
133
150
|
return no_errors_json_response unless @error_page
|
134
|
-
return invalid_error_json_response if
|
151
|
+
return invalid_error_json_response if id != @error_page.id
|
152
|
+
|
153
|
+
request = Rack::Request.new(env)
|
154
|
+
return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME]
|
155
|
+
|
156
|
+
request.body.rewind
|
157
|
+
body = JSON.parse(request.body.read)
|
158
|
+
return invalid_csrf_token_json_response unless request.cookies[CSRF_TOKEN_COOKIE_NAME] == body['csrfToken']
|
159
|
+
|
160
|
+
return not_acceptable_json_response unless request.content_type == 'application/json'
|
135
161
|
|
136
|
-
|
137
|
-
|
138
|
-
[200, { "Content-Type" => "text/plain; charset=utf-8" }, [JSON.dump(response)]]
|
162
|
+
response = @error_page.send("do_#{method}", body)
|
163
|
+
[200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(response)]]
|
139
164
|
end
|
140
165
|
|
141
166
|
def no_errors_page
|
@@ -157,18 +182,40 @@ module BetterErrors
|
|
157
182
|
"The application has been restarted since this page loaded, " +
|
158
183
|
"or the framework is reloading all gems before each request "
|
159
184
|
end
|
160
|
-
[200, { "Content-Type" => "
|
185
|
+
[200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
|
161
186
|
error: 'No exception information available',
|
162
187
|
explanation: explanation,
|
163
188
|
)]]
|
164
189
|
end
|
165
190
|
|
166
191
|
def invalid_error_json_response
|
167
|
-
[200, { "Content-Type" => "
|
192
|
+
[200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
|
168
193
|
error: "Session expired",
|
169
194
|
explanation: "This page was likely opened from a previous exception, " +
|
170
195
|
"and the exception is no longer available in memory.",
|
171
196
|
)]]
|
172
197
|
end
|
198
|
+
|
199
|
+
def invalid_csrf_token_json_response
|
200
|
+
[200, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
|
201
|
+
error: "Invalid CSRF Token",
|
202
|
+
explanation: "The browser session might have been cleared, " +
|
203
|
+
"or something went wrong.",
|
204
|
+
)]]
|
205
|
+
end
|
206
|
+
|
207
|
+
def not_found_json_response
|
208
|
+
[404, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
|
209
|
+
error: "Not found",
|
210
|
+
explanation: "Not a recognized internal call.",
|
211
|
+
)]]
|
212
|
+
end
|
213
|
+
|
214
|
+
def not_acceptable_json_response
|
215
|
+
[406, { "Content-Type" => "application/json; charset=utf-8" }, [JSON.dump(
|
216
|
+
error: "Request not acceptable",
|
217
|
+
explanation: "The internal request did not match an acceptable content type.",
|
218
|
+
)]]
|
219
|
+
end
|
173
220
|
end
|
174
221
|
end
|
@@ -146,6 +146,14 @@
|
|
146
146
|
}
|
147
147
|
|
148
148
|
/* Heading */
|
149
|
+
header.exception .fix-actions {
|
150
|
+
margin-top: .5em;
|
151
|
+
}
|
152
|
+
|
153
|
+
header.exception .fix-actions input[type=submit] {
|
154
|
+
font-weight: bold;
|
155
|
+
}
|
156
|
+
|
149
157
|
header.exception h2 {
|
150
158
|
font-weight: 200;
|
151
159
|
font-size: 11pt;
|
@@ -153,7 +161,7 @@
|
|
153
161
|
|
154
162
|
header.exception h2,
|
155
163
|
header.exception p {
|
156
|
-
line-height: 1.
|
164
|
+
line-height: 1.5em;
|
157
165
|
overflow: hidden;
|
158
166
|
white-space: pre;
|
159
167
|
text-overflow: ellipsis;
|
@@ -166,7 +174,7 @@
|
|
166
174
|
|
167
175
|
header.exception p {
|
168
176
|
font-weight: 200;
|
169
|
-
font-size:
|
177
|
+
font-size: 17pt;
|
170
178
|
color: white;
|
171
179
|
}
|
172
180
|
|
@@ -744,6 +752,18 @@
|
|
744
752
|
<header class="exception">
|
745
753
|
<h2><strong><%= exception_type %></strong> <span>at <%= request_path %></span></h2>
|
746
754
|
<p><%= exception_message %></p>
|
755
|
+
<% unless active_support_actions.empty? %>
|
756
|
+
<div class='fix-actions'>
|
757
|
+
<% active_support_actions.each do |action, _| %>
|
758
|
+
<form class="button_to" method="post" action="<%= action_dispatch_action_endpoint %>">
|
759
|
+
<input type="submit" value="<%= action %>">
|
760
|
+
<input type="hidden" name="action" value="<%= action %>">
|
761
|
+
<input type="hidden" name="error" value="<%= exception_type %>">
|
762
|
+
<input type="hidden" name="location" value="<%= request_path %>">
|
763
|
+
</form>
|
764
|
+
<% end %>
|
765
|
+
</div>
|
766
|
+
<% end %>
|
747
767
|
</header>
|
748
768
|
</div>
|
749
769
|
|
@@ -780,6 +800,7 @@
|
|
780
800
|
(function() {
|
781
801
|
|
782
802
|
var OID = "<%= id %>";
|
803
|
+
var csrfToken = "<%= csrf_token %>";
|
783
804
|
|
784
805
|
var previousFrame = null;
|
785
806
|
var previousFrameInfo = null;
|
@@ -790,6 +811,7 @@
|
|
790
811
|
var req = new XMLHttpRequest();
|
791
812
|
req.open("POST", "//" + window.location.host + <%== uri_prefix.gsub("<", "<").inspect %> + "/__better_errors/" + OID + "/" + method, true);
|
792
813
|
req.setRequestHeader("Content-Type", "application/json");
|
814
|
+
opts.csrfToken = csrfToken;
|
793
815
|
req.send(JSON.stringify(opts));
|
794
816
|
req.onreadystatechange = function() {
|
795
817
|
if(req.readyState == 4) {
|
@@ -1,7 +1,14 @@
|
|
1
1
|
<header class="trace_info clearfix">
|
2
2
|
<div class="title">
|
3
3
|
<h2 class="name"><%= @frame.name %></h2>
|
4
|
-
<div class="location"
|
4
|
+
<div class="location">
|
5
|
+
<span class="filename">
|
6
|
+
<a
|
7
|
+
href="<%= editor_url(@frame) %>"
|
8
|
+
<%= ENV.key?('BETTER_ERRORS_INSIDE_FRAME') ? "target=_blank" : '' %>
|
9
|
+
><%= @frame.pretty_path %></a>
|
10
|
+
</span>
|
11
|
+
</div>
|
5
12
|
</div>
|
6
13
|
<div class="code_block clearfix">
|
7
14
|
<%== html_formatted_code_block @frame %>
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: better_errors
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Charlie Somerville
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-09-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|