bullet 6.1.0 → 7.0.7

data/lib/bullet/detector/base.rb

@@ -2,6 +2,7 @@
 
 module Bullet
   module Detector
-    class Base; end
+    class Base
+    end
   end
 end

data/lib/bullet/detector/counter_cache.rb

@@ -20,7 +20,7 @@ module Bullet
           return unless Bullet.start?
           return unless Bullet.counter_cache_enable?
 
-          objects = Array(object_or_objects)
+          objects = Array.wrap(object_or_objects)
           return if objects.map(&:bullet_primary_key_value).compact.empty?
 
           Bullet.debug(
@@ -54,7 +54,7 @@ module Bullet
         private
 
         def create_notification(klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_whitelist_associations(:counter_cache, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:counter_cache, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::CounterCache.new klazz, notify_associations

data/lib/bullet/detector/n_plus_one_query.rb

@@ -7,7 +7,7 @@ module Bullet
       extend StackTraceFilter
 
       class << self
-        # executed when object.assocations is called.
+        # executed when object.associations is called.
         # first, it keeps this method call for object.association.
         # then, it checks if this associations call is unpreload.
         #   if it is, keeps this unpreload associations and caller.
@@ -25,7 +25,7 @@ module Bullet
           )
           if !excluded_stacktrace_path? && conditions_met?(object, associations)
             Bullet.debug('detect n + 1 query', "object: #{object.bullet_key}, associations: #{associations}")
-            create_notification caller_in_project, object.class.to_s, associations
+            create_notification caller_in_project(object.bullet_key), object.class.to_s, associations
           end
         end
 
@@ -33,14 +33,26 @@ module Bullet
           return unless Bullet.start?
           return unless Bullet.n_plus_one_query_enable?
 
-          objects = Array(object_or_objects)
-          return if objects.map(&:bullet_primary_key_value).compact.empty?
-
-          Bullet.debug(
-            'Detector::NPlusOneQuery#add_possible_objects',
-            "objects: #{objects.map(&:bullet_key).join(', ')}"
-          )
-          objects.each { |object| possible_objects.add object.bullet_key }
+          objects = Array.wrap(object_or_objects)
+          class_names_match_regex = true
+          primary_key_values_are_empty = true
+          keys_joined = ""
+          objects.each do |obj|
+            unless obj.class.name =~ /^HABTM_/
+              class_names_match_regex = false
+            end
+            unless obj.bullet_primary_key_value.nil?
+              primary_key_values_are_empty = false
+            end
+            keys_joined += "#{(keys_joined.empty?? '' : ', ')}#{obj.bullet_key}"
+          end
+          unless class_names_match_regex || primary_key_values_are_empty
+            Bullet.debug(
+              'Detector::NPlusOneQuery#add_possible_objects',
+              "objects: #{keys_joined}"
+            )
+            objects.each { |object| possible_objects.add object.bullet_key }
+          end
         end
 
         def add_impossible_object(object)
@@ -84,8 +96,7 @@ module Bullet
             # associations == v comparison order is important here because
             # v variable might be a squeel node where :== method is redefined,
             # so it does not compare values at all and return unexpected results
-            result =
-              v.is_a?(Hash) ? v.key?(associations) : associations == v
+            result = v.is_a?(Hash) ? v.key?(associations) : associations == v
             return true if result
           end
 
@@ -95,7 +106,7 @@ module Bullet
         private
 
         def create_notification(callers, klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_whitelist_associations(:n_plus_one_query, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:n_plus_one_query, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::NPlusOneQuery.new(callers, klazz, notify_associations)

data/lib/bullet/detector/unused_eager_loading.rb

@@ -10,7 +10,7 @@ module Bullet
         # check if there are unused preload associations.
         #   get related_objects from eager_loadings associated with object and associations
         #   get call_object_association from associations of call_object_associations whose object is in related_objects
-        #   if association not in call_object_association, then the object => association - call_object_association is ununsed preload assocations
+        #   if association not in call_object_association, then the object => association - call_object_association is ununsed preload associations
         def check_unused_preload_associations
           return unless Bullet.start?
           return unless Bullet.unused_eager_loading_enable?
@@ -20,7 +20,7 @@ module Bullet
             next if object_association_diff.empty?
 
             Bullet.debug('detect unused preload', "object: #{bullet_key}, associations: #{object_association_diff}")
-            create_notification(caller_in_project, bullet_key.bullet_class_name, object_association_diff)
+            create_notification(caller_in_project(bullet_key), bullet_key.bullet_class_name, object_association_diff)
           end
         end
 
@@ -65,7 +65,7 @@ module Bullet
         private
 
         def create_notification(callers, klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_whitelist_associations(:unused_eager_loading, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:unused_eager_loading, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::UnusedEagerLoading.new(callers, klazz, notify_associations)

data/lib/bullet/mongoid4x.rb

@@ -23,7 +23,7 @@ module Bullet
         end
 
         def each(&block)
-          return to_enum unless block_given?
+          return to_enum unless block
 
           records = []
           origin_each { |record| records << record }

data/lib/bullet/mongoid5x.rb

@@ -23,7 +23,7 @@ module Bullet
         end
 
         def each(&block)
-          return to_enum unless block_given?
+          return to_enum unless block
 
           records = []
           origin_each { |record| records << record }

data/lib/bullet/mongoid6x.rb

@@ -23,7 +23,7 @@ module Bullet
         end
 
         def each(&block)
-          return to_enum unless block_given?
+          return to_enum unless block
 
           records = []
           origin_each { |record| records << record }

data/lib/bullet/mongoid7x.rb

@@ -4,35 +4,50 @@ module Bullet
   module Mongoid
     def self.enable
       require 'mongoid'
+      require 'rubygems'
       ::Mongoid::Contextual::Mongo.class_eval do
         alias_method :origin_first, :first
         alias_method :origin_last, :last
         alias_method :origin_each, :each
         alias_method :origin_eager_load, :eager_load
 
-        def first(opts = {})
-          result = origin_first(opts)
-          Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
-          result
-        end
-
-        def last(opts = {})
-          result = origin_last(opts)
-          Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
-          result
+        %i[first last].each do |context|
+          default = Gem::Version.new(::Mongoid::VERSION) >= Gem::Version.new('7.5') ? nil : {}
+          define_method(context) do |opts = default|
+            result = send(:"origin_#{context}", opts)
+            Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
+            result
+          end
         end
 
         def each(&block)
           return to_enum unless block_given?
 
-          records = []
-          origin_each { |record| records << record }
-          if records.length > 1
-            Bullet::Detector::NPlusOneQuery.add_possible_objects(records)
-          elsif records.size == 1
-            Bullet::Detector::NPlusOneQuery.add_impossible_object(records.first)
+          first_document = nil
+          document_count = 0
+
+          origin_each do |document|
+            document_count += 1
+
+            if document_count == 1
+              first_document = document
+            elsif document_count == 2
+              Bullet::Detector::NPlusOneQuery.add_possible_objects([first_document, document])
+              yield(first_document)
+              first_document = nil
+              yield(document)
+            else
+              Bullet::Detector::NPlusOneQuery.add_possible_objects(document)
+              yield(document)
+            end
           end
-          records.each(&block)
+
+          if document_count == 1
+            Bullet::Detector::NPlusOneQuery.add_impossible_object(first_document)
+            yield(first_document)
+          end
+
+          self
         end
 
         def eager_load(docs)

data/lib/bullet/notification.rb

@@ -7,6 +7,7 @@ module Bullet
     autoload :NPlusOneQuery, 'bullet/notification/n_plus_one_query'
     autoload :CounterCache, 'bullet/notification/counter_cache'
 
-    class UnoptimizedQueryError < StandardError; end
+    class UnoptimizedQueryError < StandardError
+    end
   end
 end

data/lib/bullet/rack.rb

@@ -4,6 +4,8 @@ module Bullet
   class Rack
     include Dependency
 
+    NONCE_MATCHER = /script-src .*'nonce-(?<nonce>[A-Za-z0-9+\/]+={0,2})'/
+
     def initialize(app)
       @app = app
     end
@@ -17,14 +19,20 @@ module Bullet
       response_body = nil
 
       if Bullet.notification?
-        if !Bullet.skip_html_injection? && !file?(headers) && !sse?(headers) && !empty?(response) && status == 200
+        if Bullet.inject_into_page? && !file?(headers) && !sse?(headers) && !empty?(response) && status == 200
           if html_request?(headers, response)
             response_body = response_body(response)
-            response_body = append_to_html_body(response_body, footer_note) if Bullet.add_footer
-            response_body = append_to_html_body(response_body, Bullet.gather_inline_notifications)
-            response_body = append_to_html_body(response_body, xhr_script)
+
+            with_security_policy_nonce(headers) do |nonce|
+              response_body = append_to_html_body(response_body, footer_note) if Bullet.add_footer
+              response_body = append_to_html_body(response_body, Bullet.gather_inline_notifications)
+              if Bullet.add_footer && !Bullet.skip_http_headers
+                response_body = append_to_html_body(response_body, xhr_script(nonce))
+              end
+            end
+
             headers['Content-Length'] = response_body.bytesize.to_s
-          else
+          elsif !Bullet.skip_http_headers
             set_header(headers, 'X-bullet-footer-text', Bullet.footer_info.uniq) if Bullet.add_footer
             set_header(headers, 'X-bullet-console-text', Bullet.text_notifications) if Bullet.console_enabled?
           end
@@ -40,12 +48,14 @@ module Bullet
     def empty?(response)
       # response may be ["Not Found"], ["Move Permanently"], etc, but
       # those should not happen if the status is 200
+      return true if !response.respond_to?(:body) && !response.respond_to?(:first)
       body = response_body(response)
       body.nil? || body.empty?
     end
 
     def append_to_html_body(response_body, content)
       body = response_body.dup
+      content = content.html_safe if content.respond_to?(:html_safe)
       if body.include?('</body>')
         position = body.rindex('</body>')
         body.insert(position, content)
@@ -55,14 +65,14 @@ module Bullet
     end
 
     def footer_note
-      "<div #{footer_div_attributes}>" + footer_header + '<br>' + Bullet.footer_info.uniq.join('<br>') + '</div>'
+      "<details #{details_attributes}><summary #{summary_attributes}>Bullet Warnings</summary><div #{footer_content_attributes}>#{Bullet.footer_info.uniq.join('<br>')}#{footer_console_message}</div></details>"
     end
 
     def set_header(headers, header_name, header_array)
       # Many proxy applications such as Nginx and AWS ELB limit
       # the size a header to 8KB, so truncate the list of reports to
       # be under that limit
-      header_array.pop while header_array.to_json.length > 8 * 1_024
+      header_array.pop while header_array.to_json.length > 8 * 1024
       headers[header_name] = header_array.to_json
     end
 
@@ -75,42 +85,73 @@ module Bullet
     end
 
     def html_request?(headers, response)
-      headers['Content-Type']&.include?('text/html') && response_body(response).include?('<html')
+      headers['Content-Type']&.include?('text/html')
     end
 
     def response_body(response)
       if response.respond_to?(:body)
         Array === response.body ? response.body.first : response.body
-      else
+      elsif response.respond_to?(:first)
         response.first
       end
     end
 
     private
 
-    def footer_div_attributes
+    def details_attributes
+      <<~EOF
+        id="bullet-footer" data-is-bullet-footer
+        style="cursor: pointer; position: fixed; left: 0px; bottom: 0px; z-index: 9999; background: #fdf2f2; color: #9b1c1c; font-size: 12px; border-radius: 0px 8px 0px 0px; border: 1px solid #9b1c1c;"
+      EOF
+    end
+
+    def summary_attributes
+      <<~EOF
+        style="font-weight: 600; padding: 2px 8px"
+      EOF
+    end
+
+    def footer_content_attributes
       <<~EOF
-        id="bullet-footer" data-is-bullet-footer ondblclick="this.parentNode.removeChild(this);" style="position: fixed; bottom: 0pt; left: 0pt; cursor: pointer; border-style: solid; border-color: rgb(153, 153, 153);
-         -moz-border-top-colors: none; -moz-border-right-colors: none; -moz-border-bottom-colors: none;
-         -moz-border-left-colors: none; -moz-border-image: none; border-width: 2pt 2pt 0px 0px;
-         padding: 3px 5px; border-radius: 0pt 10pt 0pt 0px; background: none repeat scroll 0% 0% rgba(200, 200, 200, 0.8);
-         color: rgb(119, 119, 119); font-size: 16px; font-family: 'Arial', sans-serif; z-index:9999;"
+        style="padding: 8px; border-top: 1px solid #9b1c1c;"
       EOF
     end
 
-    def footer_header
-      cancel_button =
-        "<span onclick='this.parentNode.remove()' style='position:absolute; right: 10px; top: 0px; font-weight: bold; color: #333;'>&times;</span>"
+    def footer_console_message
       if Bullet.console_enabled?
-        "<span>See 'Uniform Notifier' in JS Console for Stacktrace</span>#{cancel_button}"
-      else
-        cancel_button
+        "<br/><span style='font-style: italic;'>See 'Uniform Notifier' in JS Console for Stacktrace</span>"
       end
     end
 
     # Make footer work for XHR requests by appending data to the footer
-    def xhr_script
-      "<script type='text/javascript'>#{File.read("#{__dir__}/bullet_xhr.js")}</script>"
+    def xhr_script(nonce = nil)
+      script = File.read("#{__dir__}/bullet_xhr.js")
+
+      if nonce
+        "<script type='text/javascript' nonce='#{nonce}'>#{script}</script>"
+      else
+        "<script type='text/javascript'>#{script}</script>"
+      end
+    end
+
+    def with_security_policy_nonce(headers)
+      matched = (headers['Content-Security-Policy'] || '').match(NONCE_MATCHER)
+      nonce = matched[:nonce] if matched
+
+      if nonce
+        console_enabled = UniformNotifier.console
+        alert_enabled = UniformNotifier.alert
+
+        UniformNotifier.console = { attributes: { nonce: nonce } } if console_enabled
+        UniformNotifier.alert = { attributes: { nonce: nonce } } if alert_enabled
+
+        yield nonce
+
+        UniformNotifier.console = console_enabled
+        UniformNotifier.alert = alert_enabled
+      else
+        yield
+      end
     end
   end
 end

data/lib/bullet/registry/call_stack.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Bullet
+  module Registry
+    class CallStack < Base
+      # remembers found association backtrace
+      def add(key)
+        @registry[key] = Thread.current.backtrace
+      end
+    end
+  end
+end

data/lib/bullet/registry.rb

@@ -5,5 +5,6 @@ module Bullet
     autoload :Base, 'bullet/registry/base'
     autoload :Object, 'bullet/registry/object'
     autoload :Association, 'bullet/registry/association'
+    autoload :CallStack, 'bullet/registry/call_stack'
   end
 end

data/lib/bullet/stack_trace_filter.rb

@@ -1,17 +1,21 @@
 # frozen_string_literal: true
+require "bundler"
 
 module Bullet
   module StackTraceFilter
     VENDOR_PATH = '/vendor'
+    IS_RUBY_19 = Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.0.0')
 
-    def caller_in_project
+    # @param bullet_key[String] - use this to get stored call stack from call_stacks object.
+    def caller_in_project(bullet_key = nil)
       vendor_root = Bullet.app_root + VENDOR_PATH
       bundler_path = Bundler.bundle_path.to_s
-      select_caller_locations do |location|
+      select_caller_locations(bullet_key) do |location|
         caller_path = location_as_path(location)
         caller_path.include?(Bullet.app_root) && !caller_path.include?(vendor_root) &&
-          !caller_path.include?(bundler_path) ||
-          Bullet.stacktrace_includes.any? { |include_pattern| pattern_matches?(location, include_pattern) }
+          !caller_path.include?(bundler_path) || Bullet.stacktrace_includes.any? { |include_pattern|
+          pattern_matches?(location, include_pattern)
+        }
       end
     end
 
@@ -47,20 +51,16 @@ module Bullet
     end
 
     def location_as_path(location)
-      ruby_19? ? location : location.absolute_path.to_s
-    end
+      return location if location.is_a?(String)
 
-    def select_caller_locations
-      if ruby_19?
-        caller.select { |caller_path| yield caller_path }
-      else
-        caller_locations.select { |location| yield location }
-      end
+      IS_RUBY_19 ? location : location.absolute_path.to_s
     end
 
-    def ruby_19?
-      @ruby_19 = Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.0.0') if @ruby_19.nil?
-      @ruby_19
+    def select_caller_locations(bullet_key = nil)
+      return caller.select { |caller_path| yield caller_path } if IS_RUBY_19
+
+      call_stack = bullet_key ? call_stacks[bullet_key] : caller_locations
+      call_stack.select { |location| yield location }
     end
   end
 end

data/lib/bullet/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bullet
-  VERSION = '6.1.0'
+  VERSION = '7.0.7'
 end

data/lib/bullet.rb

@@ -20,13 +20,14 @@ module Bullet
   autoload :Registry, 'bullet/registry'
   autoload :NotificationCollector, 'bullet/notification_collector'
 
-  BULLET_DEBUG = 'BULLET_DEBUG'
-  TRUE = 'true'
-
   if defined?(Rails::Railtie)
     class BulletRailtie < Rails::Railtie
       initializer 'bullet.configure_rails_initialization' do |app|
-        app.middleware.use Bullet::Rack
+        if defined?(ActionDispatch::ContentSecurityPolicy::Middleware) && Rails.application.config.content_security_policy
+          app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack
+        else
+          app.middleware.use Bullet::Rack
+        end
       end
     end
   end
@@ -38,10 +39,11 @@ module Bullet
                 :stacktrace_includes,
                 :stacktrace_excludes,
                 :skip_html_injection
-    attr_reader :whitelist
-    attr_accessor :add_footer, :orm_patches_applied
+    attr_reader :safelist
+    attr_accessor :add_footer, :orm_patches_applied, :skip_http_headers
 
-    available_notifiers = UniformNotifier::AVAILABLE_NOTIFIERS.map { |notifier| "#{notifier}=" }
+    available_notifiers =
+      UniformNotifier::AVAILABLE_NOTIFIERS.select { |notifier| notifier != :raise }.map { |notifier| "#{notifier}=" }
     available_notifiers_options = { to: UniformNotifier }
     delegate(*available_notifiers, **available_notifiers_options)
 
@@ -59,7 +61,7 @@ module Bullet
       @enable = @n_plus_one_query_enable = @unused_eager_loading_enable = @counter_cache_enable = enable
 
       if enable?
-        reset_whitelist
+        reset_safelist
         unless orm_patches_applied
           self.orm_patches_applied = true
           Bullet::Mongoid.enable if mongoid?
@@ -72,8 +74,9 @@ module Bullet
       !!@enable
     end
 
+    # Rails.root might be nil if `railties` is a dependency on a project that does not use Rails
     def app_root
-      (defined?(::Rails.root) ? Rails.root.to_s : Dir.pwd).to_s
+      @app_root ||= (defined?(::Rails.root) && !::Rails.root.nil? ? Rails.root.to_s : Dir.pwd).to_s
     end
 
     def n_plus_one_query_enable?
@@ -89,36 +92,36 @@ module Bullet
     end
 
     def stacktrace_includes
-      @stacktrace_includes || []
+      @stacktrace_includes ||= []
     end
 
     def stacktrace_excludes
-      @stacktrace_excludes || []
+      @stacktrace_excludes ||= []
     end
 
-    def add_whitelist(options)
-      reset_whitelist
-      @whitelist[options[:type]][options[:class_name]] ||= []
-      @whitelist[options[:type]][options[:class_name]] << options[:association].to_sym
+    def add_safelist(options)
+      reset_safelist
+      @safelist[options[:type]][options[:class_name]] ||= []
+      @safelist[options[:type]][options[:class_name]] << options[:association].to_sym
     end
 
-    def delete_whitelist(options)
-      reset_whitelist
-      @whitelist[options[:type]][options[:class_name]] ||= []
-      @whitelist[options[:type]][options[:class_name]].delete(options[:association].to_sym)
-      @whitelist[options[:type]].delete_if { |_key, val| val.empty? }
+    def delete_safelist(options)
+      reset_safelist
+      @safelist[options[:type]][options[:class_name]] ||= []
+      @safelist[options[:type]][options[:class_name]].delete(options[:association].to_sym)
+      @safelist[options[:type]].delete_if { |_key, val| val.empty? }
     end
 
-    def get_whitelist_associations(type, class_name)
-      Array(@whitelist[type][class_name])
+    def get_safelist_associations(type, class_name)
+      Array.wrap(@safelist[type][class_name])
     end
 
-    def reset_whitelist
-      @whitelist ||= { n_plus_one_query: {}, unused_eager_loading: {}, counter_cache: {} }
+    def reset_safelist
+      @safelist ||= { n_plus_one_query: {}, unused_eager_loading: {}, counter_cache: {} }
     end
 
-    def clear_whitelist
-      @whitelist = nil
+    def clear_safelist
+      @safelist = nil
     end
 
     def bullet_logger=(active)
@@ -132,7 +135,7 @@ module Bullet
     end
 
     def debug(title, message)
-      puts "[Bullet][#{title}] #{message}" if ENV[BULLET_DEBUG] == TRUE
+      puts "[Bullet][#{title}] #{message}" if ENV['BULLET_DEBUG'] == 'true'
     end
 
     def start_request
@@ -145,6 +148,7 @@ module Bullet
       Thread.current[:bullet_impossible_objects] = Bullet::Registry::Object.new
       Thread.current[:bullet_inversed_objects] = Bullet::Registry::Base.new
       Thread.current[:bullet_eager_loadings] = Bullet::Registry::Association.new
+      Thread.current[:bullet_call_stacks] = Bullet::Registry::CallStack.new
 
       Thread.current[:bullet_counter_possible_objects] ||= Bullet::Registry::Object.new
       Thread.current[:bullet_counter_impossible_objects] ||= Bullet::Registry::Object.new
@@ -240,8 +244,10 @@ module Bullet
       UniformNotifier.active_notifiers.include?(UniformNotifier::JavascriptConsole)
     end
 
-    def skip_html_injection?
-      @skip_html_injection || false
+    def inject_into_page?
+      return false if defined?(@skip_html_injection) && @skip_html_injection
+
+      console_enabled? || add_footer
     end
 
     private