grape 0.2.1 → 0.2.1.1



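--- a/data/CHANGELOG.markdown
+++ b/data/CHANGELOG.markdown
@@ -1,3 +1,7 @@
+0.2.1.1 (1/11/2013)
+====================
+* Fix: CVE-2013-0175, `multi_xml` parse vulnerability, require 'multi_xml' 0.5.2 - [@dblock](http://github.com/dblock).
+
 0.2.1 (7/11/2012)
 =================
 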
data/grape.gemspec CHANGED
@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
18
18
  s.add_runtime_dependency 'rack-mount'
19
19
  # s.add_runtime_dependency 'rack-jsonp'
20
20
  s.add_runtime_dependency 'multi_json'
21
- s.add_runtime_dependency 'multi_xml'
21
+ s.add_runtime_dependency 'multi_xml', '>= 0.5.2'
22
22
  s.add_runtime_dependency 'hashie', '~> 1.2'
23
23
 
24
24
  s.add_development_dependency 'rake'
@@ -70,6 +70,10 @@ module Grape
70
70
  PARSERS.merge(options[:parsers] || {})
71
71
  end
72
72
 
73
+ def content_type_for(format)
74
+ Hash.new(content_types)[format.to_sym]
75
+ end
76
+
73
77
  def content_types
74
78
  CONTENT_TYPES.merge(options[:content_types] || {})
75
79
  end
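Review bot: `Hash.new(content_types)[format.to_sym]` at new lines 74–75 builds an empty hash whose default value is the whole `content_types` hash, so the lookup returns that (always truthy) hash for any key and `content_type_for` can never be falsy; the `if content_type_for(fmt)` guard that the next hunk adds therefore never reaches its 406 branch. For a nil format it instead raises NoMethodError from `nil.to_sym`, which looks like the value the next hunk passes when `mime_types[request.media_type]` has no entry, so an unsupported Content-Type would surface as an unhandled exception rather than a 406. Assuming `content_types` is symbol-keyed, as the `.to_sym` suggests, the body should read `format && content_types[format.to_sym]`, with a one-line comment such as `# Returns the registered mime type for +format+, or nil when it is unknown or missing.`. The page shows no file header for this hunk and the enclosing module continues outside it.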
@@ -25,11 +25,23 @@ module Grape
25
25
  parser = parser_for fmt
26
26
  unless parser.nil?
27
27
  begin
28
- body = parser.call(body)
29
- env['rack.request.form_hash'] = !env['rack.request.form_hash'].nil? ? env['rack.request.form_hash'].merge(body) : body
30
- env['rack.request.form_input'] = env['rack.input']
31
- rescue
32
- # It's possible that it's just regular POST content -- just back off
28
+ fmt = mime_types[request.media_type] if request.media_type
29
+ if content_type_for(fmt)
30
+ parser = parser_for fmt
31
+ unless parser.nil?
32
+ begin
33
+ body = parser.call body
34
+ env['rack.request.form_hash'] = !env['rack.request.form_hash'].nil? ? env['rack.request.form_hash'].merge(body) : body
35
+ env['rack.request.form_input'] = env['rack.input']
36
+ rescue
37
+ # It's possible that it's just regular POST content -- just back off
38
+ end
39
+ end
40
+ else
41
+ throw :error, :status => 406, :message => 'The requested content-type is not supported.'
42
+ end
43
+ ensure
44
+ env['rack.input'].rewind
33
45
  end
34
46
  end
35
47
  env['rack.input'].rewind
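Review bot: The bare `rescue` at new lines 36–38 still swallows every StandardError raised by `parser.call body`, so whether `MultiXml::DisallowedTypeError` (which the new spec expects to propagate) escapes depends on that class sitting outside StandardError, which this page does not show; if it does not, a disallowed-type payload is silently treated as plain POST content and the effective fix is only the dependency bump. Handling that class explicitly ahead of the catch-all, `rescue MultiXml::DisallowedTypeError` / `raise`, makes the intent independent of multi_xml's exception hierarchy, and mapping it to a 400 via `throw :error` would be friendlier than an unhandled exception. The `ensure` rewind at new lines 43–44 also makes the unchanged `env['rack.input'].rewind` at line 47 redundant. The enclosing method starts before and ends after this hunk, and the page shows no file header for it.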
data/lib/grape/version.rb CHANGED
@@ -1,3 +1,3 @@
1
1
  module Grape
2
- VERSION = '0.2.1'
2
+ VERSION = '0.2.1.1'
3
3
  end
@@ -766,7 +766,19 @@ describe Grape::API do
766
766
  last_response.status.should eql 403
767
767
  end
768
768
  end
769
+
770
+ context "muti_xml" do
771
+ it "doesn't parse yaml" do
772
+ subject.put :yaml do
773
+ params[:tag]
774
+ end
769
775
 
776
+ expect {
777
+ put '/yaml', '<tag type="symbol">a123</tag>', "CONTENT_TYPE" => "application/xml"
778
+ }.to raise_error(MultiXml::DisallowedTypeError)
779
+ end
780
+ end
781
+
770
782
  context "routes" do
771
783
  describe "empty api structure" do
772
784
  it "returns an empty array of routes" do
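Review bot: The context description at new line 770 is misspelled: `context "muti_xml" do` should be `context "multi_xml" do`. The example also asserts only that `MultiXml::DisallowedTypeError` propagates out of the Rack stack, which for a deployed API means a 500 rather than a client error; a stronger regression test would assert on `last_response.status` once the middleware maps the error to a 4xx, and would pair it with a positive case showing that a plain `<tag>a123</tag>` body still parses. The enclosing `describe` block starts and ends outside the hunk.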
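--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -23,6 +23,5 @@ end
 
 RSpec.configure do |config|
 config.include Rack::Test::Methods
-config.include Rack::Test::Methods::Patch
 end
 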
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: grape
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.2.1
4
+ version: 0.2.1.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2012-07-13 00:00:00.000000000 Z
12
+ date: 2013-01-11 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rack
16
- requirement: &70130298033500 !ruby/object:Gem::Requirement
16
+ requirement: !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ! '>='
@@ -21,10 +21,15 @@ dependencies:
21
21
  version: '0'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *70130298033500
24
+ version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
26
+ requirements:
27
+ - - ! '>='
28
+ - !ruby/object:Gem::Version
29
+ version: '0'
25
30
  - !ruby/object:Gem::Dependency
26
31
  name: rack-mount
27
- requirement: &70130298033080 !ruby/object:Gem::Requirement
32
+ requirement: !ruby/object:Gem::Requirement
28
33
  none: false
29
34
  requirements:
30
35
  - - ! '>='
@@ -32,10 +37,15 @@ dependencies:
32
37
  version: '0'
33
38
  type: :runtime
34
39
  prerelease: false
35
- version_requirements: *70130298033080
40
+ version_requirements: !ruby/object:Gem::Requirement
41
+ none: false
42
+ requirements:
43
+ - - ! '>='
44
+ - !ruby/object:Gem::Version
45
+ version: '0'
36
46
  - !ruby/object:Gem::Dependency
37
47
  name: multi_json
38
- requirement: &70130298032660 !ruby/object:Gem::Requirement
48
+ requirement: !ruby/object:Gem::Requirement
39
49
  none: false
40
50
  requirements:
41
51
  - - ! '>='
@@ -43,21 +53,31 @@ dependencies:
43
53
  version: '0'
44
54
  type: :runtime
45
55
  prerelease: false
46
- version_requirements: *70130298032660
56
+ version_requirements: !ruby/object:Gem::Requirement
57
+ none: false
58
+ requirements:
59
+ - - ! '>='
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
47
62
  - !ruby/object:Gem::Dependency
48
63
  name: multi_xml
49
- requirement: &70130298032240 !ruby/object:Gem::Requirement
64
+ requirement: !ruby/object:Gem::Requirement
50
65
  none: false
51
66
  requirements:
52
67
  - - ! '>='
53
68
  - !ruby/object:Gem::Version
54
- version: '0'
69
+ version: 0.5.2
55
70
  type: :runtime
56
71
  prerelease: false
57
- version_requirements: *70130298032240
72
+ version_requirements: !ruby/object:Gem::Requirement
73
+ none: false
74
+ requirements:
75
+ - - ! '>='
76
+ - !ruby/object:Gem::Version
77
+ version: 0.5.2
58
78
  - !ruby/object:Gem::Dependency
59
79
  name: hashie
60
- requirement: &70130298031740 !ruby/object:Gem::Requirement
80
+ requirement: !ruby/object:Gem::Requirement
61
81
  none: false
62
82
  requirements:
63
83
  - - ~>
@@ -65,10 +85,15 @@ dependencies:
65
85
  version: '1.2'
66
86
  type: :runtime
67
87
  prerelease: false
68
- version_requirements: *70130298031740
88
+ version_requirements: !ruby/object:Gem::Requirement
89
+ none: false
90
+ requirements:
91
+ - - ~>
92
+ - !ruby/object:Gem::Version
93
+ version: '1.2'
69
94
  - !ruby/object:Gem::Dependency
70
95
  name: rake
71
- requirement: &70130298031320 !ruby/object:Gem::Requirement
96
+ requirement: !ruby/object:Gem::Requirement
72
97
  none: false
73
98
  requirements:
74
99
  - - ! '>='
@@ -76,10 +101,15 @@ dependencies:
76
101
  version: '0'
77
102
  type: :development
78
103
  prerelease: false
79
- version_requirements: *70130298031320
104
+ version_requirements: !ruby/object:Gem::Requirement
105
+ none: false
106
+ requirements:
107
+ - - ! '>='
108
+ - !ruby/object:Gem::Version
109
+ version: '0'
80
110
  - !ruby/object:Gem::Dependency
81
111
  name: maruku
82
- requirement: &70130298030860 !ruby/object:Gem::Requirement
112
+ requirement: !ruby/object:Gem::Requirement
83
113
  none: false
84
114
  requirements:
85
115
  - - ! '>='
@@ -87,10 +117,15 @@ dependencies:
87
117
  version: '0'
88
118
  type: :development
89
119
  prerelease: false
90
- version_requirements: *70130298030860
120
+ version_requirements: !ruby/object:Gem::Requirement
121
+ none: false
122
+ requirements:
123
+ - - ! '>='
124
+ - !ruby/object:Gem::Version
125
+ version: '0'
91
126
  - !ruby/object:Gem::Dependency
92
127
  name: yard
93
- requirement: &70130298030440 !ruby/object:Gem::Requirement
128
+ requirement: !ruby/object:Gem::Requirement
94
129
  none: false
95
130
  requirements:
96
131
  - - ! '>='
@@ -98,10 +133,15 @@ dependencies:
98
133
  version: '0'
99
134
  type: :development
100
135
  prerelease: false
101
- version_requirements: *70130298030440
136
+ version_requirements: !ruby/object:Gem::Requirement
137
+ none: false
138
+ requirements:
139
+ - - ! '>='
140
+ - !ruby/object:Gem::Version
141
+ version: '0'
102
142
  - !ruby/object:Gem::Dependency
103
143
  name: rack-test
104
- requirement: &70130298030020 !ruby/object:Gem::Requirement
144
+ requirement: !ruby/object:Gem::Requirement
105
145
  none: false
106
146
  requirements:
107
147
  - - ! '>='
@@ -109,10 +149,15 @@ dependencies:
109
149
  version: '0'
110
150
  type: :development
111
151
  prerelease: false
112
- version_requirements: *70130298030020
152
+ version_requirements: !ruby/object:Gem::Requirement
153
+ none: false
154
+ requirements:
155
+ - - ! '>='
156
+ - !ruby/object:Gem::Version
157
+ version: '0'
113
158
  - !ruby/object:Gem::Dependency
114
159
  name: rspec
115
- requirement: &70130298029520 !ruby/object:Gem::Requirement
160
+ requirement: !ruby/object:Gem::Requirement
116
161
  none: false
117
162
  requirements:
118
163
  - - ~>
@@ -120,10 +165,15 @@ dependencies:
120
165
  version: '2.9'
121
166
  type: :development
122
167
  prerelease: false
123
- version_requirements: *70130298029520
168
+ version_requirements: !ruby/object:Gem::Requirement
169
+ none: false
170
+ requirements:
171
+ - - ~>
172
+ - !ruby/object:Gem::Version
173
+ version: '2.9'
124
174
  - !ruby/object:Gem::Dependency
125
175
  name: bundler
126
- requirement: &70130298029100 !ruby/object:Gem::Requirement
176
+ requirement: !ruby/object:Gem::Requirement
127
177
  none: false
128
178
  requirements:
129
179
  - - ! '>='
@@ -131,7 +181,12 @@ dependencies:
131
181
  version: '0'
132
182
  type: :development
133
183
  prerelease: false
134
- version_requirements: *70130298029100
184
+ version_requirements: !ruby/object:Gem::Requirement
185
+ none: false
186
+ requirements:
187
+ - - ! '>='
188
+ - !ruby/object:Gem::Version
189
+ version: '0'
135
190
  description: A Ruby framework for rapid API development with great conventions.
136
191
  email:
137
192
  - michael@intridea.com
@@ -190,7 +245,6 @@ files:
190
245
  - spec/shared/versioning_examples.rb
191
246
  - spec/spec_helper.rb
192
247
  - spec/support/basic_auth_encode_helpers.rb
193
- - spec/support/rack_patch.rb
194
248
  - spec/support/versioned_helpers.rb
195
249
  homepage: https://github.com/intridea/grape
196
250
  licenses:
@@ -207,7 +261,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
207
261
  version: '0'
208
262
  segments:
209
263
  - 0
210
- hash: 2226649609976967092
264
+ hash: 512216654996826600
211
265
  required_rubygems_version: !ruby/object:Gem::Requirement
212
266
  none: false
213
267
  requirements:
@@ -216,10 +270,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
216
270
  version: '0'
217
271
  segments:
218
272
  - 0
219
- hash: 2226649609976967092
273
+ hash: 512216654996826600
220
274
  requirements: []
221
275
  rubyforge_project: grape
222
- rubygems_version: 1.8.10
276
+ rubygems_version: 1.8.24
223
277
  signing_key:
224
278
  specification_version: 3
225
279
  summary: A simple Ruby framework for building REST-like APIs.
@@ -244,6 +298,5 @@ test_files:
244
298
  - spec/shared/versioning_examples.rb
245
299
  - spec/spec_helper.rb
246
300
  - spec/support/basic_auth_encode_helpers.rb
247
- - spec/support/rack_patch.rb
248
301
  - spec/support/versioned_helpers.rb
249
302
  has_rdoc:
@@ -1,25 +0,0 @@
1
- unless Rack::Test::Session.method_defined?(:patch)
2
- module Rack
3
- module Test
4
- module Methods
5
- module Patch
6
- extend Forwardable
7
- def_delegators :current_session, *[:patch]
8
- end
9
- end
10
- end
11
- end
12
-
13
- module Rack
14
- module Test
15
- class Session
16
- def patch(uri, params = {}, env = {}, &block)
17
- env = env_for(uri, env.merge(:method => "PATCH", :params => params))
18
- process_request(uri, env, &block)
19
- end
20
- end
21
- end
22
- end
23
- else
24
- raise LoadError, "Remove spec/support/rack_patch.rb | rack-test #{Rack::Test::VERSION} has a method patch"
25
- end