consul 1.0.2 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 354c035304ffa8887ff031f0cc898aaab38da8b2
-  data.tar.gz: c9ec6a1775deb257c429277a66c254a7c2796ca8
+SHA256:
+  metadata.gz: 49583154c64138e64a0fa47a0e85be855a0a54b05e906ca5ca0da4e6fa39ee16
+  data.tar.gz: 149f14959bc7e8ef2a3dc90a9d446f4840229d1f022f164534f23b099275ac6a
 SHA512:
-  metadata.gz: '07596f0e3957b6e3bca2881c9eedf940514ec25b45a2390a9583ff85a2807824bd389d25e8893ed2b53855ffc27bb27ea7faf776293fecbc9bc0b47abb792b5d'
-  data.tar.gz: 48f3fcab23fa832628c8b6a34f55446cd97e6b4852c093bdd6fdd700eb52248ed91911877a80ec02118596c4c7243dfa4d6d8e3a7e29be96f930ca2c44759c4f
+  metadata.gz: 3877afeee641f47702f2951e9b1609220b96c85df245d2a0a0f91c301823fce9e878a8b7e39d8b90f34a7104dd4ce8c3027afa41c76731003ae0ab137fbbb991
+  data.tar.gz: d96bf2a79ef26bf7e8567b02bb306d76f8d1314fd1ba0179ad85f1a0fd51cbaecb573365dd645815d4b82445a92ea030fd29786c2eff67c33238e8c770510284

data/.gitignore

@@ -6,4 +6,4 @@ pkg
 *.log
 .bundle
 spec/support/database.yml
-
+.byebug_history

data/.travis.yml

@@ -1,5 +1,7 @@
 language: ruby
 
+dist: trusty
+
 sudo: false
 
 cache: bundler
@@ -35,6 +37,3 @@ install:
 
 script: bundle exec rake current_rspec
 
-notifications:
-  email:
-    - fail@makandra.de

data/CHANGELOG.md

@@ -13,6 +13,45 @@ This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html
 
 -
 
+
+## 1.0.3 - 2019-09-23
+
+### Security fix
+
+This releases fix a security issue where in a controller with multiple `power` directives, the `:only` and `:except` options of the last directive was applied to all directives.
+
+Affected code looks like this:
+
+```ruby
+class UsersController < ApplicationController
+  power :foo
+  power :bar, only: :index
+
+  ...
+end
+```
+
+In this example both the powers `:foo` and `:bar` were only checked for the `#index` action. Other actions were left unprotected by powers checks.
+
+Controllers with a single `power` directive are unaffected.
+Contollers where neither `power` uses `:only` or `:except` options are unaffected.
+
+This vulnerability has been assigned the CVE identifier CVE-2019-16377.
+
+
+### Compatible changes
+
+- The RSpec matcher `check_power` now also sees powers inherited by a parent controller.
+
+
+## 1.0.2 - 2019-05-22
+
+### Compatible changes
+
+- The `#arity` of power methods with optional arguments is now preserved.
+
+
+
 ## 1.0.1 - 2019-02-27
 
 ### Compatible changes

data/Gemfile

@@ -1 +1 @@
-Gemfile.5-2
+./Gemfile.5-2

data/Gemfile.3-2.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    consul (1.0.1)
+    consul (1.0.3)
       edge_rider (>= 0.3.0)
       memoized (>= 1.0.2)
       rails (>= 3.2)
@@ -45,7 +45,7 @@ GEM
     concurrent-ruby (1.1.4)
     database_cleaner (1.4.1)
     diff-lcs (1.3)
-    edge_rider (0.3.3)
+    edge_rider (1.0.0)
       activerecord
     erubis (2.7.0)
     gemika (0.3.4)

data/Gemfile.4-2.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    consul (1.0.1)
+    consul (1.0.3)
       edge_rider (>= 0.3.0)
       memoized (>= 1.0.2)
       rails (>= 3.2)
@@ -51,7 +51,7 @@ GEM
     crass (1.0.4)
     database_cleaner (1.7.0)
     diff-lcs (1.2.5)
-    edge_rider (0.3.3)
+    edge_rider (1.0.0)
       activerecord
     erubis (2.7.0)
     gemika (0.3.4)

data/Gemfile.5-2

@@ -12,6 +12,7 @@ gem 'shoulda-matchers'
 gem 'sqlite3'
 gem 'database_cleaner'
 gem 'gemika'
+gem 'byebug'
 
 # Gem under test
 gem 'consul', :path => '.'

data/Gemfile.5-2.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    consul (1.0.1)
+    consul (1.0.3)
       edge_rider (>= 0.3.0)
       memoized (>= 1.0.2)
       rails (>= 3.2)
@@ -54,6 +54,7 @@ GEM
     assignable_values (0.12.1)
       activerecord (>= 2.3)
     builder (3.2.3)
+    byebug (11.0.1)
     concurrent-ruby (1.1.4)
     crass (1.0.4)
     database_cleaner (1.7.0)
@@ -159,6 +160,7 @@ PLATFORMS
 
 DEPENDENCIES
   assignable_values
+  byebug
   consul!
   database_cleaner
   gemika

data/Gemfile.6-0

@@ -1,7 +1,7 @@
 source 'https://rubygems.org'
 
 # Runtime dependencies
-gem 'rails', '~> 6.0.0beta'
+gem 'rails', '~> 6.0.0'
 gem 'assignable_values'
 
 # Development dependencies

data/Gemfile.6-0.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    consul (1.0.1)
+    consul (1.0.2)
       edge_rider (>= 0.3.0)
       memoized (>= 1.0.2)
       rails (>= 3.2)
@@ -9,68 +9,69 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
+    actioncable (6.0.0)
+      actionpack (= 6.0.0)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      activejob (= 6.0.0.beta3)
-      activerecord (= 6.0.0.beta3)
-      activestorage (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+    actionmailbox (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       mail (>= 2.7.1)
-    actionmailer (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      actionview (= 6.0.0.beta3)
-      activejob (= 6.0.0.beta3)
+    actionmailer (6.0.0)
+      actionpack (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0.beta3)
-      actionview (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+    actionpack (6.0.0)
+      actionview (= 6.0.0)
+      activesupport (= 6.0.0)
       rack (~> 2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actiontext (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      activerecord (= 6.0.0.beta3)
-      activestorage (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.0)
+      actionpack (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+    actionview (6.0.0)
+      activesupport (= 6.0.0)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activejob (6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.0)
+      activesupport (= 6.0.0)
       globalid (>= 0.3.6)
-    activemodel (6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
-    activerecord (6.0.0.beta3)
-      activemodel (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
-    activestorage (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      activerecord (= 6.0.0.beta3)
+    activemodel (6.0.0)
+      activesupport (= 6.0.0)
+    activerecord (6.0.0)
+      activemodel (= 6.0.0)
+      activesupport (= 6.0.0)
+    activestorage (6.0.0)
+      actionpack (= 6.0.0)
+      activejob (= 6.0.0)
+      activerecord (= 6.0.0)
       marcel (~> 0.3.1)
-    activesupport (6.0.0.beta3)
+    activesupport (6.0.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 1.3, >= 1.3.1)
-    assignable_values (0.12.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    assignable_values (0.16.1)
       activerecord (>= 2.3)
     builder (3.2.3)
     concurrent-ruby (1.1.5)
     crass (1.0.4)
     database_cleaner (1.7.0)
     diff-lcs (1.3)
-    edge_rider (0.3.3)
+    edge_rider (1.0.0)
       activerecord
     erubi (1.8.0)
     gemika (0.3.4)
@@ -88,42 +89,42 @@ GEM
     memoized (1.0.2)
     method_source (0.9.2)
     mimemagic (0.3.3)
-    mini_mime (1.0.1)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
     minitest (5.11.3)
-    nio4r (2.3.1)
-    nokogiri (1.10.2)
+    nio4r (2.5.1)
+    nokogiri (1.10.4)
       mini_portile2 (~> 2.4.0)
     rack (2.0.7)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.0.beta3)
-      actioncable (= 6.0.0.beta3)
-      actionmailbox (= 6.0.0.beta3)
-      actionmailer (= 6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      actiontext (= 6.0.0.beta3)
-      actionview (= 6.0.0.beta3)
-      activejob (= 6.0.0.beta3)
-      activemodel (= 6.0.0.beta3)
-      activerecord (= 6.0.0.beta3)
-      activestorage (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+    rails (6.0.0)
+      actioncable (= 6.0.0)
+      actionmailbox (= 6.0.0)
+      actionmailer (= 6.0.0)
+      actionpack (= 6.0.0)
+      actiontext (= 6.0.0)
+      actionview (= 6.0.0)
+      activejob (= 6.0.0)
+      activemodel (= 6.0.0)
+      activerecord (= 6.0.0)
+      activestorage (= 6.0.0)
+      activesupport (= 6.0.0)
       bundler (>= 1.3.0)
-      railties (= 6.0.0.beta3)
+      railties (= 6.0.0)
       sprockets-rails (>= 2.0.0)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
       loofah (~> 2.2, >= 2.2.2)
-    railties (6.0.0.beta3)
-      actionpack (= 6.0.0.beta3)
-      activesupport (= 6.0.0.beta3)
+    railties (6.0.0)
+      actionpack (= 6.0.0)
+      activesupport (= 6.0.0)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
-    rake (12.3.2)
+    rake (12.3.3)
     rspec (3.6.0)
       rspec-core (~> 3.6.0)
       rspec-expectations (~> 3.6.0)
@@ -159,15 +160,15 @@ GEM
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
-    sqlite3 (1.3.13)
+    sqlite3 (1.4.1)
     thor (0.20.3)
     thread_safe (0.3.6)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    websocket-driver (0.7.0)
+    websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.3)
-    zeitwerk (1.4.3)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.1.9)
 
 PLATFORMS
   ruby
@@ -177,7 +178,7 @@ DEPENDENCIES
   consul!
   database_cleaner
   gemika
-  rails (~> 6.0.0beta)
+  rails (~> 6.0.0)
   rspec
   rspec-rails
   rspec_candy

data/Gemfile.lock

@@ -1 +1 @@
-Gemfile.5-2.lock
+./Gemfile.5-2.lock

data/README.md

@@ -547,7 +547,9 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-Should you for some obscure reason want to forego the power check:
+Note that this check is satisfied by *any* `.power` directive in the controller class or its ancestors, even if that `.power` directive has `:only` or `:except` options that do not apply to the current action.
+
+Should you want to forego the power check (e.g. to remove authorization checks from an entirely public controller):
 
 ```rb
 class ApiController < ApplicationController

data/lib/consul/controller.rb

@@ -5,11 +5,7 @@ module Consul
       base.send :include, InstanceMethods
       base.send :extend, ClassMethods
       if ensure_power_initializer_present?
-        if Rails.version.to_i < 4
-          base.before_filter :ensure_power_initializer_present
-        else
-          base.before_action :ensure_power_initializer_present
-        end
+        Util.before_action(base, :ensure_power_initializer_present)
       end
     end
 
@@ -32,68 +28,35 @@ module Consul
       private
 
       def require_power_check(options = {})
-        if Rails.version.to_i < 4
-          before_filter :unchecked_power, options
-        else
-          before_action :unchecked_power, options
-        end
+        Util.before_action(self, :unchecked_power, options)
       end
 
       # This is badly named, since it doesn't actually skip the :check_power filter
       def skip_power_check(options = {})
-        if Rails.version.to_i < 4
-          skip_before_filter :unchecked_power, options
-        elsif Rails.version.to_i < 5
-          skip_before_action :unchecked_power, options
-        else
-          # Every `power` in a controller will skip the power check filter. After the 1st time, Rails 5+ will raise
-          # an error because there is no `unchecked_power` action to skip any more.
-          # To avoid this, we add the following extra option. Note that it must not be added in Rails 4 to avoid errors.
-          # See http://api.rubyonrails.org/classes/ActiveSupport/Callbacks/ClassMethods.html#method-i-skip_callback
-          skip_before_action :unchecked_power, { :raise => false }.merge!(options)
-        end
+        Util.skip_before_action(self, :unchecked_power, options)
       end
 
       def current_power(&initializer)
         self.current_power_initializer = initializer
-        if Rails.version.to_i < 4
-          around_filter :with_current_power
-        else
-          around_action :with_current_power
-        end
+        Util.around_action(self, :with_current_power)
 
         if respond_to?(:helper_method)
           helper_method :current_power
         end
       end
 
-      attr_writer :consul_guards
-
-      def consul_guards
-        unless @consul_guards_initialized
-          if superclass && superclass.respond_to?(:consul_guards, true)
-            @consul_guards = superclass.send(:consul_guards).dup
-          else
-            @consul_guards = []
-          end
-          @consul_guards_initialized = true
-        end
-        @consul_guards
-      end
-
       def power(*args)
-
         guard = Consul::Guard.new(*args)
-        consul_guards << guard
-        skip_power_check guard.filter_options
+
+        # One .power directive will skip the check for all actions, even
+        # if that .power directive has :only or :except options.
+        skip_power_check
 
         # Store arguments for testing
-        (@consul_power_args ||= []) << args
+        consul_power_args << args
 
-        if Rails.version.to_i < 4
-          before_filter :check_power, guard.filter_options
-        else
-          before_action :check_power, guard.filter_options
+        Util.before_action(self, guard.filter_options) do |controller|
+          guard.ensure!(controller, controller.action_name)
         end
 
         if guard.direct_access_method
@@ -105,18 +68,26 @@ module Consul
 
       end
 
+      # On first access we inherit .consul_power_args from our ancestor classes.
+      # We also copy inherited args so we don't change our parent's .consul_power_args
+      def consul_power_args
+        unless @consul_power_args_initialized
+          if superclass && superclass.respond_to?(:consul_power_args, true)
+            @consul_power_args = superclass.send(:consul_power_args).dup
+          else
+            @consul_power_args = []
+          end
+          @consul_power_args_initialized = true
+        end
+        @consul_power_args
+      end
+
     end
 
     module InstanceMethods
 
       private
 
-      define_method :check_power do
-        self.class.send(:consul_guards).each do |guard|
-          guard.ensure!(self, action_name)
-        end
-      end
-
       def unchecked_power
         raise Consul::UncheckedPower, "This controller does not check against a power"
       end

data/lib/consul/spec/matchers.rb

@@ -10,7 +10,7 @@ module Consul
 
         def matches?(controller)
           @controller_class = controller.class
-          @actual_args = @controller_class.instance_variable_get('@consul_power_args')
+          @actual_args = @controller_class.send(:consul_power_args)
           @actual_args.present? && @actual_args.include?(@expected_args)
         end
 

data/lib/consul/util.rb

@@ -57,6 +57,36 @@ module Consul
       [adjective, record]
     end
 
+    def skip_before_action(controller_class, name, options)
+      if Rails.version.to_i < 4
+        controller_class.skip_before_filter name, options
+      elsif Rails.version.to_i < 5
+        controller_class.skip_before_action name, options
+      else
+        # Every `power` in a controller will skip the power check filter. After the 1st time, Rails 5+ will raise
+        # an error because there is no `unchecked_power` action to skip any more.
+        # To avoid this, we add the following extra option. Note that it must not be added in Rails 4 to avoid errors.
+        # See http://api.rubyonrails.org/classes/ActiveSupport/Callbacks/ClassMethods.html#method-i-skip_callback
+        controller_class.skip_before_action name, { :raise => false }.merge!(options)
+      end
+    end
+
+    def before_action(controller_class, *args, &block)
+      if Rails.version.to_i < 4
+        controller_class.before_filter *args, &block
+      else
+        controller_class.before_action *args, &block
+      end
+    end
+
+    def around_action(controller_class, *args, &block)
+      if Rails.version.to_i < 4
+        controller_class.around_filter *args, &block
+      else
+        controller_class.around_action *args, &block
+      end
+    end
+
   end
 end
 

data/lib/consul/version.rb

@@ -1,3 +1,3 @@
 module Consul
-  VERSION = '1.0.2'
+  VERSION = '1.0.3'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: consul
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.0.3
 platform: ruby
 authors:
 - Henning Koch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-22 00:00:00.000000000 Z
+date: 2019-09-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: memoized
@@ -108,7 +108,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2.3
+rubygems_version: 2.7.8
 signing_key: 
 specification_version: 4
 summary: A scope-based authorization solution for Ruby on Rails.