bullet 7.0.1 → 7.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 823bcc1af2be934ec4f10df71ea2951223834d3146e9c323afada99ba4ae4254
-  data.tar.gz: 4cda048b45bd219d62bee22e0041027561c943d283ee262ea71686a15e6e4345
+  metadata.gz: 0f47e147f5df074217ee7a65123f54a1918f98bde162c7d4bf1f76bffc9f15a6
+  data.tar.gz: e05e48b96a5e68bfbcac63f4dce4601d717ec1a32ee83a5c45aad738e1bfc48b
 SHA512:
-  metadata.gz: 9a2398eb23da7201bb8ab3fb1dbea3d48089d6c51d4a0e473d25009841aab41c68a5b0c27fb6ac6b77084e2465a836a5b848ffda63a2ea3b457a9571b04d428f
-  data.tar.gz: ab3debd03dc9cafbbd8ef9237f747c67d14bf3d8bf116b7dbed4e145176cf3f10045862b32641036e9bb00caca6eee841c75f9b3defad83ca681d0d70a5c6f0d
+  metadata.gz: 87bf095754befedb8f1137ae039191807baa1f1bcadb09c923b4f1a6abd385e73e4143e50077358a8f7155e3bf367edb1b405e3b0b260c8de5dd572699b7bafc
+  data.tar.gz: fd692ae67a1695ee4598b24d3cd030a7f091deb42f30df0f92085b3c54f765960c0b5eabaace7b306fadf8539b514fe77076cff825c27a292c5e36f56916646b

data/.github/workflows/main.yml

@@ -9,9 +9,9 @@ name: CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 
 jobs:
   test_rails_4:

data/CHANGELOG.md

@@ -1,5 +1,35 @@
 ## Next Release
 
+## 7.0.7 (03/01/2023)
+
+* Check `Rails.application.config.content_security_policy` before insert `Bullet::Rack`
+
+## 7.0.6 (03/01/2023)
+
+* Better way to check if `ActionDispatch::ContentSecurityPolicy::Middleware` exists
+
+## 7.0.5 (01/01/2023)
+
+* Fix n+1 false positives in AR 7.0
+* Fix eager_load nested has_many :through false positives
+* Respect Content-Security-Policy nonces
+* Added CallStacks support for avoid eager loading
+* Iterate fewer times over objects
+
+## 7.0.4 (11/28/2022)
+
+* Fix `eager_load` `has_many :through` false positives
+* mongoid7x: add dynamic methods
+
+## 7.0.3 (08/13/2022)
+
+* Replace `Array()` with `Array.wrap()`
+
+## 7.0.2 (05/31/2022)
+
+* Drop growl support
+* Do not check html tag in Bullet::Rack anymore
+
 ## 7.0.1 (01/15/2022)
 
 * Get rid of *_whitelist methods

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009 - 2010 Richard Huang (flyerhzm@gmail.com)
+Copyright (c) 2009 - 2022 Richard Huang (flyerhzm@gmail.com)
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -49,7 +49,7 @@ mongoid.
 
 ## Configuration
 
-Bullet won't do ANYTHING unless you tell it to explicitly. Append to
+Bullet won't enable any notification systems unless you tell it to explicitly. Append to
 `config/environments/development.rb` initializer with the following code:
 
 ```ruby
@@ -59,7 +59,6 @@ config.after_initialize do
   Bullet.alert = true
   Bullet.bullet_logger = true
   Bullet.console = true
-  Bullet.growl = true
   Bullet.xmpp = { :account  => 'bullets_account@jabber.org',
                   :password => 'bullets_password_for_jabber',
                   :receiver => 'your_account@jabber.org',
@@ -85,7 +84,6 @@ The code above will enable all of the Bullet notification systems:
 * `Bullet.alert`: pop up a JavaScript alert in the browser
 * `Bullet.bullet_logger`: log to the Bullet log file (Rails.root/log/bullet.log)
 * `Bullet.console`: log warnings to your browser's console.log (Safari/Webkit browsers or Firefox w/Firebug installed)
-* `Bullet.growl`: pop up Growl warnings if your system has Growl installed. Requires a little bit of configuration
 * `Bullet.xmpp`: send XMPP/Jabber notifications to the receiver indicated. Note that the code will currently not handle the adding of contacts, so you will need to make both accounts indicated know each other manually before you will receive any notifications. If you restart the development server frequently, the 'coming online' sound for the Bullet account may start to annoy - in this case set :show_online_status to false; you will still get notifications, but the Bullet account won't announce it's online status anymore.
 * `Bullet.rails_logger`: add warnings directly to the Rails log
 * `Bullet.honeybadger`: add notifications to Honeybadger
@@ -156,25 +154,26 @@ The Bullet log `log/bullet.log` will look something like this:
 * N+1 Query:
 
 ```
-2009-08-25 20:40:17[INFO] N+1 Query: PATH_INFO: /posts;    model: Post => associations: [comments]·
-Add to your finder: :include => [:comments]
-2009-08-25 20:40:17[INFO] N+1 Query: method call stack:·
-/Users/richard/Downloads/test/app/views/posts/index.html.erb:11:in `_run_erb_app47views47posts47index46html46erb'
-/Users/richard/Downloads/test/app/views/posts/index.html.erb:8:in `each'
-/Users/richard/Downloads/test/app/views/posts/index.html.erb:8:in `_run_erb_app47views47posts47index46html46erb'
-/Users/richard/Downloads/test/app/controllers/posts_controller.rb:7:in `index'
+2009-08-25 20:40:17[INFO] USE eager loading detected:
+  Post => [:comments]·
+  Add to your query: .includes([:comments])
+2009-08-25 20:40:17[INFO] Call stack
+  /Users/richard/Downloads/test/app/views/posts/index.html.erb:8:in `each'
+  /Users/richard/Downloads/test/app/controllers/posts_controller.rb:7:in `index'
 ```
 
-The first two lines are notifications that N+1 queries have been encountered. The remaining lines are stack traces so you can find exactly where the queries were invoked in your code, and fix them.
+The first log entry is a notification that N+1 queries have been encountered. The remaining entry is a stack trace so you can find exactly where the queries were invoked in your code, and fix them.
 
 * Unused eager loading:
 
 ```
-2009-08-25 20:53:56[INFO] Unused eager loadings: PATH_INFO: /posts;    model: Post => associations: [comments]·
-Remove from your finder: :include => [:comments]
+2009-08-25 20:53:56[INFO] AVOID eager loading detected
+  Post => [:comments]·
+  Remove from your query: .includes([:comments])
+2009-08-25 20:53:56[INFO] Call stack
 ```
 
-These two lines are notifications that unused eager loadings have been encountered.
+These lines are notifications that unused eager loadings have been encountered.
 
 * Need counter cache:
 
@@ -183,10 +182,14 @@ These two lines are notifications that unused eager loadings have been encounter
   Post => [:comments]
 ```
 
-## Growl, XMPP/Jabber and Airbrake Support
+## XMPP/Jabber and Airbrake Support
 
 see [https://github.com/flyerhzm/uniform_notifier](https://github.com/flyerhzm/uniform_notifier)
 
+## Growl Support
+
+Growl support is dropped from uniform_notifier 1.16.0, if you still want it, please use uniform_notifier 1.15.0.
+
 ## Important
 
 If you find Bullet does not work for you, *please disable your browser's cache*.
@@ -219,7 +222,7 @@ end
 
 ### Work with sinatra
 
-Configure and use `Bullet::Rack`
+Configure and use `Bullet::Rack`.
 
 ```ruby
 configure :development do
@@ -229,6 +232,8 @@ configure :development do
 end
 ```
 
+If your application generates a Content-Security-Policy via a separate middleware, ensure that `Bullet::Rack` is loaded _before_ that middleware.
+
 ### Run in tests
 
 First you need to enable Bullet in test environment.
@@ -282,7 +287,7 @@ $ rails g scaffold comment name:string post_id:integer
 $ bundle exec rake db:migrate
 ```
 
-2\. Change `app/model/post.rb` and `app/model/comment.rb`
+2\. Change `app/models/post.rb` and `app/models/comment.rb`
 
 ```ruby
 class Post < ActiveRecord::Base

data/lib/bullet/active_record5.rb

@@ -177,16 +177,18 @@ module Bullet
             if Bullet.start?
               if is_a? ::ActiveRecord::Associations::ThroughAssociation
                 refl = reflection.through_reflection
-                Bullet::Detector::NPlusOneQuery.call_association(owner, refl.name)
-                association = owner.association refl.name
-                Array(association.target).each do |through_record|
-                  Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
-                end
+                association = owner.association(refl.name)
+                if association.loaded?
+                  Bullet::Detector::NPlusOneQuery.call_association(owner, refl.name)
+                  Array.wrap(association.target).each do |through_record|
+                    Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
+                  end
 
-                if refl.through_reflection?
-                  refl = refl.through_reflection while refl.through_reflection?
+                  if refl.through_reflection?
+                    refl = refl.through_reflection while refl.through_reflection?
 
-                  Bullet::Detector::NPlusOneQuery.call_association(owner, refl.name)
+                    Bullet::Detector::NPlusOneQuery.call_association(owner, refl.name)
+                  end
                 end
               end
               Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.name) unless @inversed

data/lib/bullet/active_record52.rb

@@ -150,14 +150,16 @@ module Bullet
 
             if Bullet.start?
               if is_a? ::ActiveRecord::Associations::ThroughAssociation
-                Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
-                association = owner.association reflection.through_reflection.name
-                Array(association.target).each do |through_record|
-                  Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
-                end
+                association = owner.association(reflection.through_reflection.name)
+                if association.loaded?
+                  Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
+                  Array.wrap(association.target).each do |through_record|
+                    Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
+                  end
 
-                if reflection.through_reflection != through_reflection
-                  Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  if reflection.through_reflection != through_reflection
+                    Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  end
                 end
               end
               Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.name) unless @inversed
@@ -199,7 +201,7 @@ module Bullet
                 if is_a? ::ActiveRecord::Associations::ThroughAssociation
                   Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                   association = owner.association reflection.through_reflection.name
-                  Array(association.target).each do |through_record|
+                  Array.wrap(association.target).each do |through_record|
                     Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
                   end
 

data/lib/bullet/active_record60.rb

@@ -177,14 +177,16 @@ module Bullet
 
             if Bullet.start?
               if is_a? ::ActiveRecord::Associations::ThroughAssociation
-                Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                 association = owner.association(reflection.through_reflection.name)
-                Array(association.target).each do |through_record|
-                  Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
-                end
+                if association.loaded?
+                  Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
+                  Array.wrap(association.target).each do |through_record|
+                    Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
+                  end
 
-                if reflection.through_reflection != through_reflection
-                  Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  if reflection.through_reflection != through_reflection
+                    Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  end
                 end
               end
               Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.name) unless @inversed
@@ -226,7 +228,7 @@ module Bullet
                 if is_a? ::ActiveRecord::Associations::ThroughAssociation
                   Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                   association = owner.association(reflection.through_reflection.name)
-                  Array(association.target).each do |through_record|
+                  Array.wrap(association.target).each do |through_record|
                     Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
                   end
 

data/lib/bullet/active_record61.rb

@@ -177,14 +177,16 @@ module Bullet
 
             if Bullet.start?
               if is_a? ::ActiveRecord::Associations::ThroughAssociation
-                Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                 association = owner.association(reflection.through_reflection.name)
-                Array(association.target).each do |through_record|
-                  Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
-                end
+                if association.loaded?
+                  Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
+                  Array.wrap(association.target).each do |through_record|
+                    Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
+                  end
 
-                if reflection.through_reflection != through_reflection
-                  Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  if reflection.through_reflection != through_reflection
+                    Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  end
                 end
               end
               Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.name) unless @inversed
@@ -226,7 +228,7 @@ module Bullet
                 if is_a? ::ActiveRecord::Associations::ThroughAssociation
                   Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                   association = owner.association(reflection.through_reflection.name)
-                  Array(association.target).each do |through_record|
+                  Array.wrap(association.target).each do |through_record|
                     Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
                   end
 

data/lib/bullet/active_record70.rb

@@ -170,6 +170,13 @@ module Bullet
             end
             super
           end
+
+          def inversed_from_queries(record)
+            if Bullet.start? && inversable?(record)
+              Bullet::Detector::NPlusOneQuery.add_inversed_object(owner, reflection.name)
+            end
+            super
+          end
         end
       )
 
@@ -180,14 +187,16 @@ module Bullet
 
             if Bullet.start?
               if is_a? ::ActiveRecord::Associations::ThroughAssociation
-                Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                 association = owner.association(reflection.through_reflection.name)
-                Array(association.target).each do |through_record|
-                  Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
-                end
+                if association.loaded?
+                  Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
+                  Array.wrap(association.target).each do |through_record|
+                    Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
+                  end
 
-                if reflection.through_reflection != through_reflection
-                  Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  if reflection.through_reflection != through_reflection
+                    Bullet::Detector::NPlusOneQuery.call_association(owner, through_reflection.name)
+                  end
                 end
               end
               Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.name)
@@ -229,7 +238,7 @@ module Bullet
                 if is_a? ::ActiveRecord::Associations::ThroughAssociation
                   Bullet::Detector::NPlusOneQuery.call_association(owner, reflection.through_reflection.name)
                   association = owner.association(reflection.through_reflection.name)
-                  Array(association.target).each do |through_record|
+                  Array.wrap(association.target).each do |through_record|
                     Bullet::Detector::NPlusOneQuery.call_association(through_record, source_reflection.name)
                   end
 

data/lib/bullet/bullet_xhr.js

@@ -20,7 +20,7 @@
     if (this.onload) {
       this._storedOnload = this.onload;
     }
-    this.onload = null
+    this.onload = null;
     this.addEventListener("load", bulletXHROnload);
     return Reflect.apply(oldSend, this, arguments);
   }
@@ -31,7 +31,7 @@
     ) {
       var bulletFooterText = this.getResponseHeader("X-bullet-footer-text");
       if (bulletFooterText) {
-        setTimeout(function() {
+        setTimeout(function () {
           var oldHtml = document.querySelector("#bullet-footer").innerHTML.split("<br>");
           var header = oldHtml[0];
           oldHtml = oldHtml.slice(1, oldHtml.length);
@@ -42,7 +42,7 @@
       }
       var bulletConsoleText = this.getResponseHeader("X-bullet-console-text");
       if (bulletConsoleText && typeof console !== "undefined" && console.log) {
-        setTimeout(function() {
+        setTimeout(function () {
           JSON.parse(bulletConsoleText).forEach((message) => {
             if (console.groupCollapsed && console.groupEnd) {
               console.groupCollapsed("Uniform Notifier");

data/lib/bullet/detector/association.rb

@@ -13,6 +13,7 @@ module Bullet
             'Detector::Association#add_object_associations',
             "object: #{object.bullet_key}, associations: #{associations}"
           )
+          call_stacks.add(object.bullet_key)
           object_associations.add(object.bullet_key, associations)
         end
 
@@ -25,6 +26,7 @@ module Bullet
             'Detector::Association#add_call_object_associations',
             "object: #{object.bullet_key}, associations: #{associations}"
           )
+          call_stacks.add(object.bullet_key)
           call_object_associations.add(object.bullet_key, associations)
         end
 
@@ -76,6 +78,12 @@ module Bullet
         def eager_loadings
           Thread.current[:bullet_eager_loadings]
         end
+
+        # cal_stacks keeps stacktraces where querie-objects were called from.
+        # e.g. { 'Object:111' => [SomeProject/app/controllers/...] }
+        def call_stacks
+          Thread.current[:bullet_call_stacks]
+        end
       end
     end
   end

data/lib/bullet/detector/counter_cache.rb

@@ -20,7 +20,7 @@ module Bullet
           return unless Bullet.start?
           return unless Bullet.counter_cache_enable?
 
-          objects = Array(object_or_objects)
+          objects = Array.wrap(object_or_objects)
           return if objects.map(&:bullet_primary_key_value).compact.empty?
 
           Bullet.debug(
@@ -54,7 +54,7 @@ module Bullet
         private
 
         def create_notification(klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_safelist_associations(:counter_cache, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:counter_cache, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::CounterCache.new klazz, notify_associations

data/lib/bullet/detector/n_plus_one_query.rb

@@ -7,7 +7,7 @@ module Bullet
       extend StackTraceFilter
 
       class << self
-        # executed when object.assocations is called.
+        # executed when object.associations is called.
         # first, it keeps this method call for object.association.
         # then, it checks if this associations call is unpreload.
         #   if it is, keeps this unpreload associations and caller.
@@ -25,7 +25,7 @@ module Bullet
           )
           if !excluded_stacktrace_path? && conditions_met?(object, associations)
             Bullet.debug('detect n + 1 query', "object: #{object.bullet_key}, associations: #{associations}")
-            create_notification caller_in_project, object.class.to_s, associations
+            create_notification caller_in_project(object.bullet_key), object.class.to_s, associations
           end
         end
 
@@ -33,15 +33,26 @@ module Bullet
           return unless Bullet.start?
           return unless Bullet.n_plus_one_query_enable?
 
-          objects = Array(object_or_objects)
-          return if objects.map(&:bullet_primary_key_value).compact.empty?
-          return if objects.all? { |obj| obj.class.name =~ /^HABTM_/ }
-
-          Bullet.debug(
-            'Detector::NPlusOneQuery#add_possible_objects',
-            "objects: #{objects.map(&:bullet_key).join(', ')}"
-          )
-          objects.each { |object| possible_objects.add object.bullet_key }
+          objects = Array.wrap(object_or_objects)
+          class_names_match_regex = true
+          primary_key_values_are_empty = true
+          keys_joined = ""
+          objects.each do |obj|
+            unless obj.class.name =~ /^HABTM_/
+              class_names_match_regex = false
+            end
+            unless obj.bullet_primary_key_value.nil?
+              primary_key_values_are_empty = false
+            end
+            keys_joined += "#{(keys_joined.empty?? '' : ', ')}#{obj.bullet_key}"
+          end
+          unless class_names_match_regex || primary_key_values_are_empty
+            Bullet.debug(
+              'Detector::NPlusOneQuery#add_possible_objects',
+              "objects: #{keys_joined}"
+            )
+            objects.each { |object| possible_objects.add object.bullet_key }
+          end
         end
 
         def add_impossible_object(object)
@@ -95,7 +106,7 @@ module Bullet
         private
 
         def create_notification(callers, klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_safelist_associations(:n_plus_one_query, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:n_plus_one_query, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::NPlusOneQuery.new(callers, klazz, notify_associations)

data/lib/bullet/detector/unused_eager_loading.rb

@@ -10,7 +10,7 @@ module Bullet
         # check if there are unused preload associations.
         #   get related_objects from eager_loadings associated with object and associations
         #   get call_object_association from associations of call_object_associations whose object is in related_objects
-        #   if association not in call_object_association, then the object => association - call_object_association is ununsed preload assocations
+        #   if association not in call_object_association, then the object => association - call_object_association is ununsed preload associations
         def check_unused_preload_associations
           return unless Bullet.start?
           return unless Bullet.unused_eager_loading_enable?
@@ -20,7 +20,7 @@ module Bullet
             next if object_association_diff.empty?
 
             Bullet.debug('detect unused preload', "object: #{bullet_key}, associations: #{object_association_diff}")
-            create_notification(caller_in_project, bullet_key.bullet_class_name, object_association_diff)
+            create_notification(caller_in_project(bullet_key), bullet_key.bullet_class_name, object_association_diff)
           end
         end
 
@@ -65,7 +65,7 @@ module Bullet
         private
 
         def create_notification(callers, klazz, associations)
-          notify_associations = Array(associations) - Bullet.get_safelist_associations(:unused_eager_loading, klazz)
+          notify_associations = Array.wrap(associations) - Bullet.get_safelist_associations(:unused_eager_loading, klazz)
 
           if notify_associations.present?
             notice = Bullet::Notification::UnusedEagerLoading.new(callers, klazz, notify_associations)

data/lib/bullet/mongoid7x.rb

@@ -4,22 +4,20 @@ module Bullet
   module Mongoid
     def self.enable
       require 'mongoid'
+      require 'rubygems'
       ::Mongoid::Contextual::Mongo.class_eval do
         alias_method :origin_first, :first
         alias_method :origin_last, :last
         alias_method :origin_each, :each
         alias_method :origin_eager_load, :eager_load
 
-        def first(opts = {})
-          result = origin_first(opts)
-          Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
-          result
-        end
-
-        def last(opts = {})
-          result = origin_last(opts)
-          Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
-          result
+        %i[first last].each do |context|
+          default = Gem::Version.new(::Mongoid::VERSION) >= Gem::Version.new('7.5') ? nil : {}
+          define_method(context) do |opts = default|
+            result = send(:"origin_#{context}", opts)
+            Bullet::Detector::NPlusOneQuery.add_impossible_object(result) if result
+            result
+          end
         end
 
         def each(&block)

data/lib/bullet/rack.rb

@@ -4,6 +4,8 @@ module Bullet
   class Rack
     include Dependency
 
+    NONCE_MATCHER = /script-src .*'nonce-(?<nonce>[A-Za-z0-9+\/]+={0,2})'/
+
     def initialize(app)
       @app = app
     end
@@ -20,11 +22,15 @@ module Bullet
         if Bullet.inject_into_page? && !file?(headers) && !sse?(headers) && !empty?(response) && status == 200
           if html_request?(headers, response)
             response_body = response_body(response)
-            response_body = append_to_html_body(response_body, footer_note) if Bullet.add_footer
-            response_body = append_to_html_body(response_body, Bullet.gather_inline_notifications)
-            if Bullet.add_footer && !Bullet.skip_http_headers
-              response_body = append_to_html_body(response_body, xhr_script)
+
+            with_security_policy_nonce(headers) do |nonce|
+              response_body = append_to_html_body(response_body, footer_note) if Bullet.add_footer
+              response_body = append_to_html_body(response_body, Bullet.gather_inline_notifications)
+              if Bullet.add_footer && !Bullet.skip_http_headers
+                response_body = append_to_html_body(response_body, xhr_script(nonce))
+              end
             end
+
             headers['Content-Length'] = response_body.bytesize.to_s
           elsif !Bullet.skip_http_headers
             set_header(headers, 'X-bullet-footer-text', Bullet.footer_info.uniq) if Bullet.add_footer
@@ -79,7 +85,7 @@ module Bullet
     end
 
     def html_request?(headers, response)
-      headers['Content-Type']&.include?('text/html') && response_body(response).include?('<html')
+      headers['Content-Type']&.include?('text/html')
     end
 
     def response_body(response)
@@ -118,8 +124,34 @@ module Bullet
     end
 
     # Make footer work for XHR requests by appending data to the footer
-    def xhr_script
-      "<script type='text/javascript'>#{File.read("#{__dir__}/bullet_xhr.js")}</script>"
+    def xhr_script(nonce = nil)
+      script = File.read("#{__dir__}/bullet_xhr.js")
+
+      if nonce
+        "<script type='text/javascript' nonce='#{nonce}'>#{script}</script>"
+      else
+        "<script type='text/javascript'>#{script}</script>"
+      end
+    end
+
+    def with_security_policy_nonce(headers)
+      matched = (headers['Content-Security-Policy'] || '').match(NONCE_MATCHER)
+      nonce = matched[:nonce] if matched
+
+      if nonce
+        console_enabled = UniformNotifier.console
+        alert_enabled = UniformNotifier.alert
+
+        UniformNotifier.console = { attributes: { nonce: nonce } } if console_enabled
+        UniformNotifier.alert = { attributes: { nonce: nonce } } if alert_enabled
+
+        yield nonce
+
+        UniformNotifier.console = console_enabled
+        UniformNotifier.alert = alert_enabled
+      else
+        yield
+      end
     end
   end
 end

data/lib/bullet/registry/call_stack.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Bullet
+  module Registry
+    class CallStack < Base
+      # remembers found association backtrace
+      def add(key)
+        @registry[key] = Thread.current.backtrace
+      end
+    end
+  end
+end

data/lib/bullet/registry.rb

@@ -5,5 +5,6 @@ module Bullet
     autoload :Base, 'bullet/registry/base'
     autoload :Object, 'bullet/registry/object'
     autoload :Association, 'bullet/registry/association'
+    autoload :CallStack, 'bullet/registry/call_stack'
   end
 end

data/lib/bullet/stack_trace_filter.rb

@@ -6,10 +6,11 @@ module Bullet
     VENDOR_PATH = '/vendor'
     IS_RUBY_19 = Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.0.0')
 
-    def caller_in_project
+    # @param bullet_key[String] - use this to get stored call stack from call_stacks object.
+    def caller_in_project(bullet_key = nil)
       vendor_root = Bullet.app_root + VENDOR_PATH
       bundler_path = Bundler.bundle_path.to_s
-      select_caller_locations do |location|
+      select_caller_locations(bullet_key) do |location|
         caller_path = location_as_path(location)
         caller_path.include?(Bullet.app_root) && !caller_path.include?(vendor_root) &&
           !caller_path.include?(bundler_path) || Bullet.stacktrace_includes.any? { |include_pattern|
@@ -50,15 +51,16 @@ module Bullet
     end
 
     def location_as_path(location)
+      return location if location.is_a?(String)
+
       IS_RUBY_19 ? location : location.absolute_path.to_s
     end
 
-    def select_caller_locations
-      if IS_RUBY_19
-        caller.select { |caller_path| yield caller_path }
-      else
-        caller_locations.select { |location| yield location }
-      end
+    def select_caller_locations(bullet_key = nil)
+      return caller.select { |caller_path| yield caller_path } if IS_RUBY_19
+
+      call_stack = bullet_key ? call_stacks[bullet_key] : caller_locations
+      call_stack.select { |location| yield location }
     end
   end
 end

data/lib/bullet/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Bullet
-  VERSION = '7.0.1'
+  VERSION = '7.0.7'
 end

data/lib/bullet.rb

@@ -23,7 +23,11 @@ module Bullet
   if defined?(Rails::Railtie)
     class BulletRailtie < Rails::Railtie
       initializer 'bullet.configure_rails_initialization' do |app|
-        app.middleware.use Bullet::Rack
+        if defined?(ActionDispatch::ContentSecurityPolicy::Middleware) && Rails.application.config.content_security_policy
+          app.middleware.insert_before ActionDispatch::ContentSecurityPolicy::Middleware, Bullet::Rack
+        else
+          app.middleware.use Bullet::Rack
+        end
       end
     end
   end
@@ -109,7 +113,7 @@ module Bullet
     end
 
     def get_safelist_associations(type, class_name)
-      Array(@safelist[type][class_name])
+      Array.wrap(@safelist[type][class_name])
     end
 
     def reset_safelist
@@ -144,6 +148,7 @@ module Bullet
       Thread.current[:bullet_impossible_objects] = Bullet::Registry::Object.new
       Thread.current[:bullet_inversed_objects] = Bullet::Registry::Base.new
       Thread.current[:bullet_eager_loadings] = Bullet::Registry::Association.new
+      Thread.current[:bullet_call_stacks] = Bullet::Registry::CallStack.new
 
       Thread.current[:bullet_counter_possible_objects] ||= Bullet::Registry::Object.new
       Thread.current[:bullet_counter_impossible_objects] ||= Bullet::Registry::Object.new

data/lib/generators/bullet/install_generator.rb

@@ -16,7 +16,6 @@ module Bullet
               Bullet.alert         = true
               Bullet.bullet_logger = true
               Bullet.console       = true
-            # Bullet.growl         = true
               Bullet.rails_logger  = true
               Bullet.add_footer    = true
             end

data/spec/bullet/detector/n_plus_one_query_spec.rb

@@ -39,7 +39,7 @@ module Bullet
 
         it 'should be false if object, association pair is not existed' do
           NPlusOneQuery.add_object_associations(@post, :association1)
-          expect(NPlusOneQuery.association?(@post, :associatio2)).to eq false
+          expect(NPlusOneQuery.association?(@post, :association2)).to eq false
         end
       end
 
@@ -127,38 +127,6 @@ module Bullet
         end
       end
 
-      context '.caller_in_project' do
-        it 'should include only paths that are in the project' do
-          in_project = OpenStruct.new(absolute_path: File.join(Dir.pwd, 'abc', 'abc.rb'))
-          not_in_project = OpenStruct.new(absolute_path: '/def/def.rb')
-
-          expect(NPlusOneQuery).to receive(:caller_locations).and_return([in_project, not_in_project])
-          expect(NPlusOneQuery).to receive(:conditions_met?).with(@post, :association).and_return(true)
-          expect(NPlusOneQuery).to receive(:create_notification).with([in_project], 'Post', :association)
-          NPlusOneQuery.call_association(@post, :association)
-        end
-
-        context 'stacktrace_includes' do
-          before { Bullet.stacktrace_includes = ['def', /xyz/] }
-          after { Bullet.stacktrace_includes = nil }
-
-          it 'should include paths that are in the stacktrace_include list' do
-            in_project = OpenStruct.new(absolute_path: File.join(Dir.pwd, 'abc', 'abc.rb'))
-            included_gems = [OpenStruct.new(absolute_path: '/def/def.rb'), OpenStruct.new(absolute_path: 'xyz/xyz.rb')]
-            excluded_gem = OpenStruct.new(absolute_path: '/ghi/ghi.rb')
-
-            expect(NPlusOneQuery).to receive(:caller_locations).and_return([in_project, *included_gems, excluded_gem])
-            expect(NPlusOneQuery).to receive(:conditions_met?).with(@post, :association).and_return(true)
-            expect(NPlusOneQuery).to receive(:create_notification).with(
-              [in_project, *included_gems],
-              'Post',
-              :association
-            )
-            NPlusOneQuery.call_association(@post, :association)
-          end
-        end
-      end
-
       context '.add_possible_objects' do
         it 'should add possible objects' do
           NPlusOneQuery.add_possible_objects([@post, @post2])

data/spec/bullet/detector/unused_eager_loading_spec.rb

@@ -65,6 +65,11 @@ module Bullet
           expect(UnusedEagerLoading).not_to receive(:create_notification).with('Post', [:association])
           UnusedEagerLoading.check_unused_preload_associations
         end
+
+        it 'should create call stack for notification' do
+          UnusedEagerLoading.add_object_associations(@post, :association)
+          expect(UnusedEagerLoading.send(:call_stacks).registry).not_to be_empty
+        end
       end
 
       context '.add_eager_loadings' do

data/spec/bullet/notification/base_spec.rb

@@ -74,8 +74,8 @@ module Bullet
         it 'should send full_notice to notifier' do
           notifier = double
           allow(subject).to receive(:notifier).and_return(notifier)
-          allow(subject).to receive(:notification_data).and_return(foo: :bar)
-          expect(notifier).to receive(:inline_notify).with(foo: :bar)
+          allow(subject).to receive(:notification_data).and_return({ foo: :bar })
+          expect(notifier).to receive(:inline_notify).with({ foo: :bar })
           subject.notify_inline
         end
       end
@@ -84,8 +84,8 @@ module Bullet
         it 'should send full_out_of_channel to notifier' do
           notifier = double
           allow(subject).to receive(:notifier).and_return(notifier)
-          allow(subject).to receive(:notification_data).and_return(foo: :bar)
-          expect(notifier).to receive(:out_of_channel_notify).with(foo: :bar)
+          allow(subject).to receive(:notification_data).and_return({ foo: :bar })
+          expect(notifier).to receive(:out_of_channel_notify).with({ foo: :bar })
           subject.notify_out_of_channel
         end
       end

data/spec/bullet/rack_spec.rb

@@ -31,12 +31,6 @@ module Bullet
         response = double(body: '<html><head></head><body></body></html>')
         expect(middleware).not_to be_html_request(headers, response)
       end
-
-      it "should be false if response body doesn't contain html tag" do
-        headers = { 'Content-Type' => 'text/html' }
-        response = double(body: '<div>Partial</div>')
-        expect(middleware).not_to be_html_request(headers, response)
-      end
     end
 
     context 'empty?' do
@@ -56,7 +50,7 @@ module Bullet
       end
 
       it 'should be true if no response body' do
-        response = double()
+        response = double
         expect(middleware).to be_empty(response)
       end
     end
@@ -135,6 +129,23 @@ module Bullet
             expect(response).to eq(%w[<html><head></head><body><bullet></bullet></body></html>])
           end
 
+          it 'should include CSP nonce in inline script if console_enabled and a CSP is applied' do
+            allow(Bullet).to receive(:add_footer).at_least(:once).and_return(true)
+            expect(Bullet).to receive(:console_enabled?).and_return(true)
+            allow(middleware).to receive(:xhr_script).and_call_original
+
+            nonce = '+t9/wTlgG6xbHxXYUaDNzQ=='
+            app.headers = {
+              'Content-Type' => 'text/html',
+              'Content-Security-Policy' => "default-src 'self' https:; script-src 'self' https: 'nonce-#{nonce}'"
+            }
+
+            _, headers, response = middleware.call('Content-Type' => 'text/html')
+
+            size = 56 + middleware.send(:footer_note).length + middleware.send(:xhr_script, nonce).length
+            expect(headers['Content-Length']).to eq(size.to_s)
+          end
+
           it 'should change response body for html safe string if console_enabled is true' do
             expect(Bullet).to receive(:console_enabled?).and_return(true)
             app.response =

data/spec/bullet/stack_trace_filter_spec.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+module Bullet
+  RSpec.describe StackTraceFilter do
+    let(:dummy_class) { Class.new { extend StackTraceFilter } }
+    let(:root_path) { Dir.pwd }
+    let(:bundler_path) { Bundler.bundle_path }
+
+    describe '#caller_in_project' do
+      it 'gets the caller in the project' do
+        expect(dummy_class).to receive(:call_stacks).and_return({
+          'Post:1' => [
+            File.join(root_path, 'lib/bullet.rb'),
+            File.join(root_path, 'vendor/uniform_notifier.rb'),
+            File.join(bundler_path, 'rack.rb')
+          ]
+        })
+        expect(dummy_class.caller_in_project('Post:1')).to eq([
+          File.join(root_path, 'lib/bullet.rb')
+        ])
+      end
+    end
+  end
+end

data/spec/integration/active_record/association_spec.rb

@@ -58,6 +58,19 @@ if active_record?
         expect(Bullet::Detector::Association).to be_completely_preloading_associations
       end
 
+      it 'should detect non preload comment => post with inverse_of from a query' do
+        Post.first.comments.find_each do |comment|
+          comment.name
+          comment.post.name
+        end
+
+        Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
+        expect(Post.first.comments.count).not_to eq(0)
+        expect(Bullet::Detector::Association).not_to be_has_unused_preload_associations
+
+        expect(Bullet::Detector::Association).to be_completely_preloading_associations
+      end
+
       it 'should detect non preload post => comments with empty?' do
         Post.all.each { |post| post.comments.empty? }
         Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
@@ -474,7 +487,15 @@ if active_record?
       end
 
       it 'should detect preload associations' do
-        Firm.includes(:clients).each { |firm| firm.clients.map(&:name) }
+        Firm.preload(:clients).each { |firm| firm.clients.map(&:name) }
+        Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
+        expect(Bullet::Detector::Association).not_to be_has_unused_preload_associations
+
+        expect(Bullet::Detector::Association).to be_completely_preloading_associations
+      end
+
+      it 'should detect eager load association' do
+        Firm.eager_load(:clients).each { |firm| firm.clients.map(&:name) }
         Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
         expect(Bullet::Detector::Association).not_to be_has_unused_preload_associations
 
@@ -508,7 +529,15 @@ if active_record?
       end
 
       it 'should detect preload associations' do
-        Firm.includes(:groups).each { |firm| firm.groups.map(&:name) }
+        Firm.preload(:groups).each { |firm| firm.groups.map(&:name) }
+        Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
+        expect(Bullet::Detector::Association).not_to be_has_unused_preload_associations
+
+        expect(Bullet::Detector::Association).to be_completely_preloading_associations
+      end
+
+      it 'should detect eager load associations' do
+        Firm.eager_load(:groups).each { |firm| firm.groups.map(&:name) }
         Bullet::Detector::UnusedEagerLoading.check_unused_preload_associations
         expect(Bullet::Detector::Association).not_to be_has_unused_preload_associations
 

data/spec/support/sqlite_seed.rb

@@ -92,7 +92,7 @@ module Support
       page3 = Page.create(name: 'page3', parent_id: folder2.id, author_id: author2.id)
       page4 = Page.create(name: 'page4', parent_id: folder2.id, author_id: author2.id)
 
-      role1 = Role.create(name: 'Amdin')
+      role1 = Role.create(name: 'Admin')
       role2 = Role.create(name: 'User')
 
       user1 = User.create(name: 'user1', category: category1)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bullet
 version: !ruby/object:Gem::Version
-  version: 7.0.1
+  version: 7.0.7
 platform: ruby
 authors:
 - Richard Huang
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-01-15 00:00:00.000000000 Z
+date: 2023-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -104,6 +104,7 @@ files:
 - lib/bullet/registry.rb
 - lib/bullet/registry/association.rb
 - lib/bullet/registry/base.rb
+- lib/bullet/registry/call_stack.rb
 - lib/bullet/registry/object.rb
 - lib/bullet/stack_trace_filter.rb
 - lib/bullet/version.rb
@@ -126,6 +127,7 @@ files:
 - spec/bullet/registry/association_spec.rb
 - spec/bullet/registry/base_spec.rb
 - spec/bullet/registry/object_spec.rb
+- spec/bullet/stack_trace_filter_spec.rb
 - spec/bullet_spec.rb
 - spec/integration/active_record/association_spec.rb
 - spec/integration/counter_cache_spec.rb
@@ -195,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: help to kill N+1 queries and unused eager loading.
@@ -216,6 +218,7 @@ test_files:
 - spec/bullet/registry/association_spec.rb
 - spec/bullet/registry/base_spec.rb
 - spec/bullet/registry/object_spec.rb
+- spec/bullet/stack_trace_filter_spec.rb
 - spec/bullet_spec.rb
 - spec/integration/active_record/association_spec.rb
 - spec/integration/counter_cache_spec.rb