RubyGems - blazer - Versions diffs - 2.0.2 → 2.1.0 - Mend

blazer 2.0.2 → 2.1.0

This version of blazer might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a6731164b551f139951303884ca6531d336249299f5ff6e295160348540a687
-  data.tar.gz: 784d957116c412f9ac526661e0ca7252d62c43ffd51a67bb106d1a401da44f25
+  metadata.gz: d30135b6a6bfd6aa1bc940afff2c6e58ba3a4fec00a5e6cf4c34573acadc08ef
+  data.tar.gz: 925787073e4b0f161ab974875ba7df666c3bc6cd99d87f93052a0a54e4b94663
 SHA512:
-  metadata.gz: be8f6f7713953e505d76170f1e0e81284f0dd99b35ed28d42932542de702fd0e541e1a8b86e6428c47324d66f58ae98df2732221ad49ac512db221d0c664de07
-  data.tar.gz: 0e3c7202af0c73b9070e81c922167d46f387aea34d47797333aa3a1d89f8f6a7710a47f1a1eb61fe7d20e880d7183e2e7019263547b78d01124ebd80cd849d13
+  metadata.gz: 245b6001c927c3c592afd6aaed930e11a35bdb56c39c165c5f4b318ce095b17937c25dc71efcf0b0cdca5a1a2c7139ad0f917903d429a228cafd9ab86d24c1d2
+  data.tar.gz: afc5184b13e8ee2537b16b81f75a3ba703d357999dea851c887596b3daaf92a1bd486c1825129f15c93a72e6f23c16f5cc4d306c11346344ba560085e6ec5861

data/CHANGELOG.md CHANGED

@@ -1,3 +1,7 @@
+## 2.1.0
+- Fixed XSS vulnerability due to Chartkick - see [#245](https://github.com/ankane/blazer/issues/245)
 ## 2.0.2
 - Added support for variable transformation for blind indexing

@@ -29,25 +29,11 @@ module Blazer
     end
     def blazer_maps?
-      ENV["MAPBOX_ACCESS_TOKEN"].present?
+      Blazer.mapbox_access_token.present?
     end
     def blazer_js_var(name, value)
-      "var #{name} = #{blazer_json_escape(value.to_json(root: false))};".html_safe
-    end
-    JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003e', '<' => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
-    JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
-    # Prior to version 4.1 of rails double quotes were inadventently removed in json_escape.
-    # This adds the correct json_escape functionality to rails versions < 4.1
-    def blazer_json_escape(s)
-      if Rails::VERSION::STRING < "4.1"
-        result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
-        s.html_safe? ? result.html_safe : result
-      else
-        json_escape(s)
-      end
+      "var #{name} = #{json_escape(value.to_json(root: false))};".html_safe
     end
     def blazer_series_name(k)

@@ -32,7 +32,9 @@
     <thead>
       <tr>
         <th>Name</th>
-        <th style="width: 20%; text-align: right;">Mastermind</th>
+        <% if Blazer.user_class %>
+          <th style="width: 20%; text-align: right;">Mastermind</th>
+        <% end%>
       </tr>
     </thead>
     <tbody class="list" v-cloak>
@@ -41,7 +43,9 @@
           <a :href="itemPath(query)" :class="{ dashboard: query.dashboard }">{{ query.name }}</a>
           <span class="vars">{{ query.vars }}</span>
         </td>
-        <td class="creator">{{ query.creator }}</td>
+        <% if Blazer.user_class %>
+          <td class="creator">{{ query.creator }}</td>
+        <% end %>
       </tr>
     </tbody>
   </table>

@@ -76,9 +76,10 @@
     <% if blazer_maps? && @markers.any? %>
       <div id="map" style="height: <%= @only_chart ? 300 : 500 %>px;"></div>
       <script>
-        L.mapbox.accessToken = '<%= ENV["MAPBOX_ACCESS_TOKEN"] %>';
-        var map = L.mapbox.map('map', 'ankane.ioo8nki0');
+        <%= blazer_js_var "mapboxAccessToken", Blazer.mapbox_access_token %>
         <%= blazer_js_var "markers", @markers %>
+        L.mapbox.accessToken = mapboxAccessToken;
+        var map = L.mapbox.map('map', 'ankane.ioo8nki0');
         var featureLayer = L.mapbox.featureLayer().addTo(map);
         var geojson = [];
         for (var i = 0; i < markers.length; i++) {

data/lib/blazer.rb CHANGED

@@ -52,6 +52,7 @@ module Blazer
     attr_accessor :query_editable
     attr_accessor :override_csp
     attr_accessor :slack_webhook_url
+    attr_accessor :mapbox_access_token
   end
   self.audit = true
   self.user_name = :name

data/lib/blazer/engine.rb CHANGED

@@ -26,6 +26,7 @@ module Blazer
       Blazer.images = Blazer.settings["images"] || false
       Blazer.override_csp = Blazer.settings["override_csp"] || false
       Blazer.slack_webhook_url = Blazer.settings["slack_webhook_url"] || ENV["BLAZER_SLACK_WEBHOOK_URL"]
+      Blazer.mapbox_access_token = Blazer.settings["mapbox_access_token"] || ENV["MAPBOX_ACCESS_TOKEN"]
     end
   end
 end

data/lib/blazer/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Blazer
-  VERSION = "2.0.2"
+  VERSION = "2.1.0"
 end

@@ -68,3 +68,6 @@ check_schedules:
 # enable forecasting
 # note: with trend, time series are sent to https://trendapi.org
 # forecasting: trend
+# enable map
+# mapbox_access_token: <%%= ENV["MAPBOX_ACCESS_TOKEN"] %>

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: blazer
 version: !ruby/object:Gem::Version
-  version: 2.0.2
+  version: 2.1.0
 platform: ruby
 authors:
 - Andrew Kane
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-05-27 00:00:00.000000000 Z
+date: 2019-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.2'
 - !ruby/object:Gem::Dependency
   name: safely_block
   requirement: !ruby/object:Gem::Requirement