gon 6.3.2 → 6.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4be940f45c3dff8c909d94552a81b3240ccea1dd42d5c442c18400278564286
-  data.tar.gz: 86efc334a694c3a9825ec909f34bd5138b601de0108172863adb4d651eccdb28
+  metadata.gz: 764e0fdc60fe7b018d593c4f10ac5da1b27c117b6c2f0bcd62eea6d04a91a571
+  data.tar.gz: 037f1aa29e3e2865c576dfd3dc70e4931b96ca59732d1067ef1c72bad53d8006
 SHA512:
-  metadata.gz: 9adb780569a41eb32cf547f7ffebf22b184fdda8c63aa6d7c2e5e9b0efe789e2ec5a187cec83d4ca4ef0bc068148708adf1a7541752dcad83228dc4c5cf08920
-  data.tar.gz: da49fd8d8e2b683bd69fa2e5f37e8f912faa4496a3f81739022b68f2bea5cd1762c0b3b54c25426756499e8096c9822ff36ce7e854e771db28237988c5e4385b
+  metadata.gz: c1de2c9a8f8c3d571fe8d9eff0cf742e23b8f5be0ff133e59fbd3dc1157ec108c1cf4ea0a00b486e6f2be4e883cb5405af1857ba345002b4c647222698e5471f
+  data.tar.gz: ac19fa38ca794c863ede248e6a6a581f9417f5a59f5f4d836760280933c2f656a43e8048cd801f3fb1587c4d79bf86a7f00c21c711f264cd83d09aa05d9a3405

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+## [6.4.0] - 2020-09-18
+### Security
+- CVE-2020-25739: Enforce HTML entities escaping in gon output
+
 ## [6.3.2] - 2019-11-18
 ### Security
 - Restrict possibility of vulnerable i18n legacy verision (0.3.6.pre)
@@ -226,7 +230,9 @@
 ### Changed
 - Don't really remember what was before this version
 
-[Unreleased]: https://github.com/gazay/gon/compare/v6.3.1...master
+[Unreleased]: https://github.com/gazay/gon/compare/v6.4.0...master
+[6.4.0]: https://github.com/gazay/gon/compare/v6.3.2...v6.4.0
+[6.3.2]: https://github.com/gazay/gon/compare/v6.3.1...v6.3.2
 [6.3.1]: https://github.com/gazay/gon/compare/v6.2.1...v6.3.1
 [6.2.1]: https://github.com/gazay/gon/compare/v6.2.0...v6.2.1
 [6.2.0]: https://github.com/gazay/gon/compare/v6.1.0...v6.2.0

data/README.md

@@ -1,11 +1,7 @@
 # Gon gem — get your Rails variables in your js
 
-[![Join the chat at https://gitter.im/gazay/gon](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gazay/gon?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-
 ![Gon. You should try this. If you look closer - you will see an elephant.](https://github.com/gazay/gon/raw/master/doc/logo_small.png)
 
-[![Build Status](https://travis-ci.org/gazay/gon.svg?branch=master)](https://travis-ci.org/gazay/gon) [![CodeClimate](https://codeclimate.com/github/gazay/gon/badges/gpa.svg)](https://codeclimate.com/github/gazay/gon)
-
 If you need to send some data to your js files and you don't want to do this with long way through views and parsing - use this force!
 
 Now you can easily renew data in your variables through ajax with [gon.watch](https://github.com/gazay/gon/wiki/Usage-gon-watch)!
@@ -224,7 +220,7 @@ usage gon.global.
 
 ## Speed up Gon
 
-You can use any [JSON Engine](https://github.com/intridea/multi_json#supported-json-engines) you want.
+You can use any [JSON Engine](https://github.com/sferik/multi_json#supported-json-engines) you want.
 Gon uses `MultiJson` with autodetect mode, so all you need is just require your JSON library.
 
 ## Contributors

data/lib/gon/base.rb

@@ -1,4 +1,4 @@
-require 'ostruct'
+# frozen_string_literal: true
 
 class Gon
   module Base
@@ -16,6 +16,9 @@ class Gon
         nonce: nil
     }
 
+    Option = Struct.new(:cameled, *VALID_OPTION_DEFAULTS.keys)
+    private_constant :Option
+
     class << self
 
       def render_data(options = {})
@@ -31,7 +34,7 @@ class Gon
       private
 
       def define_options(options)
-        _o = OpenStruct.new
+        _o = Option.new
 
         VALID_OPTION_DEFAULTS.each do |opt_name, default|
           _o.send("#{opt_name}=", options.fetch(opt_name, default))
@@ -43,7 +46,7 @@ class Gon
       end
 
       def formatted_data(_o)
-        script = ''
+        script = +''
         before, after = render_wrap(_o)
         script << before
 

data/lib/gon/compatibility/old_rails.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'securerandom'
 
 class Gon

data/lib/gon/env_finder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module EnvFinder
     ENV_CONTROLLER_KEY = 'action_controller.instance'

data/lib/gon/escaper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module Escaper
     extend ActionView::Helpers::JavaScriptHelper

data/lib/gon/global.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   class Global < Gon
     class << self

data/lib/gon/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module ViewHelpers
     def include_gon(options = {})

data/lib/gon/jbuilder/parser.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module Jbuilder
     class Parser
@@ -91,7 +93,7 @@ class Gon
       end
 
       def parse_path(path)
-        return path if File.exists?(path)
+        return path if File.exist?(path)
         if (splitted = path.split('/')).blank?
             raise 'Something wrong with partial path in your jbuilder templates'
         elsif splitted.size == 1
@@ -108,9 +110,9 @@ class Gon
       end
 
       def path_with_ext(path)
-        return path if File.exists?(path)
-        return "#{path}.jbuilder" if File.exists?("#{path}.jbuilder")
-        return "#{path}.json.jbuilder" if File.exists?("#{path}.json.jbuilder")
+        return path if File.exist?(path)
+        return "#{path}.jbuilder" if File.exist?("#{path}.jbuilder")
+        return "#{path}.json.jbuilder" if File.exist?("#{path}.json.jbuilder")
       end
 
       def find_partials(lines = [])

data/lib/gon/jbuilder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module Jbuilder
     class << self
@@ -30,7 +32,7 @@ class Gon
 
       def parse_options_from(args)
         if old_api? args
-          text =  "[DEPRECATION] view_path argument is now optional. "
+          text =  +"[DEPRECATION] view_path argument is now optional. "
           text << "If you need to specify it, "
           text << "please use gon.jbuilder(:template => 'path')"
           warn text

data/lib/gon/json_dumper.rb

@@ -1,8 +1,25 @@
+# frozen_string_literal: true
+
 class Gon
   module JsonDumper
+    # Taken from ERB::Util
+    JSON_ESCAPE_REGEXP	=	/[\u2028\u2029&><]/u
+    JSON_ESCAPE	=	{
+      "&" => '\u0026',
+      ">" => '\u003e',
+      "<" => '\u003c',
+      "\u2028" => '\u2028',
+      "\u2029" => '\u2029'
+    }
+
     def self.dump(object)
-      MultiJson.dump object,
+      dumped_json = MultiJson.dump object,
         mode: :compat, escape_mode: :xss_safe, time_format: :ruby
+      escape(dumped_json)
+    end
+
+    def self.escape(json)
+      json.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
     end
   end
 end

data/lib/gon/rabl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'action_view'
 
 begin
@@ -63,7 +65,7 @@ class Gon
       def parse_options_from(args, global)
         if old_api? args
           unless global
-            text =  "[DEPRECATION] view_path argument is now optional. "
+            text =  +"[DEPRECATION] view_path argument is now optional. "
             text << "If you need to specify it, "
             text << "please use gon.rabl(:template => 'path')"
             warn text

data/lib/gon/request.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   class Request
     attr_reader :env, :gon

data/lib/gon/spec_helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   module SpecHelper
     module Rails
@@ -5,7 +7,7 @@ class Gon
 
       module ClassMethods
         module GonSession
-          def process(*)
+          def process(*, **)
             # preload threadlocal & store controller instance
             if controller.is_a? ActionController::Base
               controller.gon

data/lib/gon/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
-  VERSION = '6.3.2'
+  VERSION = '6.5.0'
 end

data/lib/gon/watch.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 class Gon
   class Watch < Gon
     class << self

data/lib/gon.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'request_store'
 require 'action_view'
 require 'action_controller'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: gon
 version: !ruby/object:Gem::Version
-  version: 6.3.2
+  version: 6.5.0
 platform: ruby
 authors:
 - gazay
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-19 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -70,16 +69,16 @@ dependencies:
   name: rabl
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.11.3
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 0.11.3
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rabl-rails
   requirement: !ruby/object:Gem::Requirement
@@ -164,6 +163,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: If you need to send some data to your js files and you don't want to
   do this with long way trough views and parsing - use this force!
 email:
@@ -172,19 +185,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/FUNDING.yml"
-- ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
-- Gemfile
 - LICENSE
 - README.md
-- Rakefile
 - coffee/watch.coffee
-- doc/logo.png
-- doc/logo_small.png
-- doc/top_sample.png
-- gon.gemspec
 - js/watch.js
 - lib/gon.rb
 - lib/gon/base.rb
@@ -201,30 +205,10 @@ files:
 - lib/gon/spec_helpers.rb
 - lib/gon/version.rb
 - lib/gon/watch.rb
-- spec/gon/basic_spec.rb
-- spec/gon/global_spec.rb
-- spec/gon/jbuilder_spec.rb
-- spec/gon/rabl_spec.rb
-- spec/gon/templates_spec.rb
-- spec/gon/thread_spec.rb
-- spec/gon/watch_spec.rb
-- spec/spec_helper.rb
-- spec/test_data/_sample_partial.json.jbuilder
-- spec/test_data/sample.json.jbuilder
-- spec/test_data/sample.rabl
-- spec/test_data/sample_rabl_rails.rabl
-- spec/test_data/sample_url_helpers.json.jbuilder
-- spec/test_data/sample_with_controller_method.json.jbuilder
-- spec/test_data/sample_with_helpers.json.jbuilder
-- spec/test_data/sample_with_helpers.rabl
-- spec/test_data/sample_with_helpers_rabl_rails.rabl
-- spec/test_data/sample_with_locals.json.jbuilder
-- spec/test_data/sample_with_partial.json.jbuilder
 homepage: https://github.com/gazay/gon
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -239,8 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Get your Rails variables in your JS
 test_files: []

data/.github/FUNDING.yml

@@ -1 +0,0 @@
-tidelift: "rubygems/gon"

data/.gitignore

@@ -1,7 +0,0 @@
-*.gem
-.bundle
-Gemfile.lock
-pkg/*
-tmp/*
-.rvmrc
-*.idea

data/.travis.yml

@@ -1,12 +0,0 @@
-language: ruby
-sudo: false
-env:
-  - "RABL_GEM=rabl"
-  - "RABL_GEM=rabl-rails"
-
-rvm:
-  - 2.2.10
-  - 2.3.7
-  - 2.4.4
-  - 2.5.1
-  - ruby-head

data/Gemfile

@@ -1,6 +0,0 @@
-source "https://rubygems.org"
-
-# Specify your gem's dependencies in gon.gemspec
-gem ENV['RABL_GEM'] || 'rabl'
-
-gemspec

data/Rakefile

@@ -1,10 +0,0 @@
-require 'bundler'
-Bundler::GemHelper.install_tasks
-
-desc 'Run all tests by default'
-task :default => :spec
-
-require 'rspec/core/rake_task'
-RSpec::Core::RakeTask.new do |t|
-  t.rspec_opts = ["--color", '--format doc', '--require spec_helper']
-end

data/gon.gemspec

@@ -1,30 +0,0 @@
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'gon/version'
-
-Gem::Specification.new do |s|
-  s.name        = 'gon'
-  s.version     = Gon::VERSION
-  s.platform    = Gem::Platform::RUBY
-  s.authors     = ['gazay']
-  s.licenses    = ['MIT']
-  s.email       = ['alex.gaziev@gmail.com']
-  s.homepage    = 'https://github.com/gazay/gon'
-  s.summary     = %q{Get your Rails variables in your JS}
-  s.description = %q{If you need to send some data to your js files and you don't want to do this with long way trough views and parsing - use this force!}
-
-  s.files         = `git ls-files`.split("\n")
-  s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.2.0'
-  s.add_dependency 'actionpack', '>= 3.0.20'
-  s.add_dependency 'i18n', '>= 0.7'
-  s.add_dependency 'request_store', '>= 1.0'
-  s.add_dependency 'multi_json'
-  s.add_development_dependency 'rabl', '0.11.3'
-  s.add_development_dependency 'rabl-rails'
-  s.add_development_dependency 'rspec', '>= 3.0'
-  s.add_development_dependency 'jbuilder'
-  s.add_development_dependency 'railties', '>= 3.0.20'
-  s.add_development_dependency 'rake'
-  s.add_development_dependency 'pry'
-end