RubyGems - grover - Versions diffs - 1.1.7 → 1.1.9 - Mend

grover 1.1.7 → 1.1.9

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/grover/configuration.rb +3 -1
data/lib/grover/errors.rb +1 -0
data/lib/grover/js/processor.cjs +7 -4
data/lib/grover/middleware.rb +13 -2
data/lib/grover/options_builder.rb +6 -6
data/lib/grover/processor.rb +1 -0
data/lib/grover/version.rb +1 -1
data/lib/grover.rb +15 -14
metadata +2 -176

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e791010e46d99d4347edc987fc2a7b90b08d038a1449cf927b57b828e58f1d59
-  data.tar.gz: 62837cb867ec1728c000c91b33352f01a1c4beb5b0823647dff74946d09c0cbd
+  metadata.gz: 82b9a3edaa4f0d20c326f3e79d61b1d2a0190454ac9ffb6867191a9607ec1ea0
+  data.tar.gz: 4e71234c41bf19c88a5b44c0a043a1c2ae5a74f94d0606fb0cd627c02e8511a2
 SHA512:
-  metadata.gz: 1471dda6f9817f921ae1f7ef88cbdf0ffab143448b1057ef1e3f71f5d91a9fce95b77fbece05f10c0823b51fbc181a4138ae5a6c6db437074c2d95143e90fa4d
-  data.tar.gz: fad1c63de120fb414aa23ffcf0b2adec6e419550ec2add1c5008ce3e1d855343934bbae4de1e9a14f8c74e974699ad7a74aad2a22bc2d6ef7ba1cd8850a73b36
+  metadata.gz: 737079399ecd8ef4c6a88c535495a2aa52fcb9e2e8fa0ca171d3453b58134d795237e606487a9f3dd06afad73baac8fac834a76a33445a1099e168f929f13835
+  data.tar.gz: 767e6ebf33ce60336d9afd71859e004b54765910136387ed81b44a12489de7728ff88d0b5f33890dea45314a58476972d31a1f3e9e5e7834f6d68979acf0eb19

data/lib/grover/configuration.rb CHANGED Viewed

@@ -7,7 +7,7 @@ class Grover
   class Configuration
     attr_accessor :options, :meta_tag_prefix, :ignore_path, :ignore_request,
                   :root_url, :use_pdf_middleware, :use_png_middleware,
-                  :use_jpeg_middleware
+                  :use_jpeg_middleware, :node_env_vars, :allow_file_uris
     def initialize
       @options = {}
@@ -18,6 +18,8 @@ class Grover
       @use_pdf_middleware = true
       @use_png_middleware = false
       @use_jpeg_middleware = false
+      @node_env_vars = {}
+      @allow_file_uris = false
     end
   end
 end

data/lib/grover/errors.rb CHANGED Viewed

@@ -15,4 +15,5 @@ class Grover
       const_set name, Class.new(Error)
     end
   end
+  UnsafeConfigurationError = Class.new(Error)
 end

data/lib/grover/js/processor.cjs CHANGED Viewed

@@ -26,7 +26,7 @@ const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const _processPage = (async (convertAction, urlOrHtml, options) => {
+const _processPage = (async (convertAction, uriOrHtml, options) => {
   let browser, page, errors = [], tmpDir, wsConnection = false;
   try {
@@ -100,6 +100,7 @@ const _processPage = (async (convertAction, urlOrHtml, options) => {
     }
     // Setup timeout option (if provided)
+    if (options.timeout === null) delete options.timeout;
     let requestOptions = {};
     let requestTimeout = options.requestTimeout; delete options.requestTimeout;
     if (requestTimeout === undefined) requestTimeout = options.timeout;
@@ -172,10 +173,12 @@ const _processPage = (async (convertAction, urlOrHtml, options) => {
     }
     const waitUntil = options.waitUntil; delete options.waitUntil;
-    if (urlOrHtml.match(/^http/i)) {
+    const allowFileUri = options.allowFileUri; delete options.allowFileUri;
+    const uriRegex = allowFileUri ? /^(https?|file):\/\//i : /^https?:\/\//i;
+    if (uriOrHtml.match(uriRegex)) {
       // Request is for a URL, so request it
       requestOptions.waitUntil = waitUntil || 'networkidle2';
-      await page.goto(urlOrHtml, requestOptions);
+      await page.goto(uriOrHtml, requestOptions);
     } else {
       // Request is some HTML content. Use request interception to assign the body
       requestOptions.waitUntil = waitUntil || 'networkidle0';
@@ -187,7 +190,7 @@ const _processPage = (async (convertAction, urlOrHtml, options) => {
           request.continue();
         else {
           htmlIntercepted = true
-          request.respond({ body: urlOrHtml === '' ? ' ' : urlOrHtml });
+          request.respond({ body: uriOrHtml === '' ? ' ' : uriOrHtml });
         }
       });
       const displayUrl = options.displayUrl; delete options.displayUrl;

data/lib/grover/middleware.rb CHANGED Viewed

@@ -24,11 +24,14 @@ class Grover
       dup._call(env)
     end
-    def _call(env)
+    def _call(env) # rubocop:disable Metrics/MethodLength
       @request = Rack::Request.new(env)
       identify_request_type
-      configure_env_for_grover_request(env) if grover_request?
+      if grover_request?
+        check_file_uri_configuration
+        configure_env_for_grover_request(env)
+      end
       status, headers, response = @app.call(env)
       response = update_response response, headers if grover_request? && html_content?(headers)
@@ -45,6 +48,14 @@ class Grover
     attr_reader :pdf_request, :png_request, :jpeg_request
+    def check_file_uri_configuration
+      return unless Grover.configuration.allow_file_uris
+      # The combination of middleware and allowing file URLs is exceptionally
+      # unsafe as it can lead to data exfiltration from the host system.
+      raise UnsafeConfigurationError, 'using `allow_file_uris` configuration with middleware is exceptionally unsafe'
+    end
     def identify_request_type
       @pdf_request = Grover.configuration.use_pdf_middleware && path_matches?(PDF_REGEX)
       @png_request = Grover.configuration.use_png_middleware && path_matches?(PNG_REGEX)

data/lib/grover/options_builder.rb CHANGED Viewed

@@ -8,12 +8,12 @@ class Grover
   # Build options from Grover.configuration, meta_options, and passed-in options
   #
   class OptionsBuilder < Hash
-    def initialize(options, url)
+    def initialize(options, uri)
       super()
-      @url = url
+      @uri = uri
       combined = grover_configuration
       Utils.deep_merge! combined, Utils.deep_stringify_keys(options)
-      Utils.deep_merge! combined, meta_options unless url_source?
+      Utils.deep_merge! combined, meta_options unless uri_source?
       update OptionsFixer.new(combined).run
     end
@@ -41,11 +41,11 @@ class Grover
     end
     def meta_tags
-      Nokogiri::HTML(@url).xpath('//meta')
+      Nokogiri::HTML(@uri).xpath('//meta')
     end
-    def url_source?
-      @url.match(/\Ahttp/i)
+    def uri_source?
+      @uri.match?(%r{\A(https?|file)://}i)
     end
   end
 end

data/lib/grover/processor.rb CHANGED Viewed

@@ -32,6 +32,7 @@ class Grover
     def spawn_process
       @stdin, @stdout, @stderr, @wait_thr = Open3.popen3(
+        Grover.configuration.node_env_vars,
         'node',
         File.expand_path(File.join(__dir__, 'js/processor.cjs')),
         chdir: app_root

data/lib/grover/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 class Grover
-  VERSION = '1.1.7'
+  VERSION = '1.1.9'
 end

data/lib/grover.rb CHANGED Viewed

@@ -28,40 +28,40 @@ class Grover
   attr_reader :front_cover_path, :back_cover_path
   #
-  # @param [String] url URL of the page to convert
+  # @param [String] uri URI of the page to convert
   # @param [Hash] options Optional parameters to pass to PDF processor
   #   see https://github.com/puppeteer/puppeteer/blob/main/docs/api/puppeteer.pdfoptions.md
   #   and https://github.com/puppeteer/puppeteer/blob/main/docs/api/puppeteer.screenshotoptions.md
   #
-  def initialize(url, **options)
-    @url = url.to_s
-    @options = OptionsBuilder.new(options, @url)
+  def initialize(uri, **options)
+    @uri = uri.to_s
+    @options = OptionsBuilder.new(options, @uri)
     @root_path = @options.delete 'root_path'
     @front_cover_path = @options.delete 'front_cover_path'
     @back_cover_path = @options.delete 'back_cover_path'
   end
   #
-  # Request URL with provided options and create PDF
+  # Request URI with provided options and create PDF
   #
   # @param [String] path Optional path to write the PDF to
   # @return [String] The resulting PDF data
   #
   def to_pdf(path = nil)
-    processor.convert :pdf, @url, normalized_options(path: path)
+    processor.convert :pdf, @uri, normalized_options(path: path)
   end
   #
-  # Request URL with provided options and render HTML
+  # Request URI with provided options and render HTML
   #
   # @return [String] The resulting HTML string
   #
   def to_html
-    processor.convert :content, @url, normalized_options(path: nil)
+    processor.convert :content, @uri, normalized_options(path: nil)
   end
   #
-  # Request URL with provided options and create screenshot
+  # Request URI with provided options and create screenshot
   #
   # @param [String] path Optional path to write the screenshot to
   # @param [String] format Optional format of the screenshot
@@ -70,11 +70,11 @@ class Grover
   def screenshot(path: nil, format: nil)
     options = normalized_options(path: path)
     options['type'] = format if %w[png jpeg].include? format
-    processor.convert :screenshot, @url, options
+    processor.convert :screenshot, @uri, options
   end
   #
-  # Request URL with provided options and create PNG
+  # Request URI with provided options and create PNG
   #
   # @param [String] path Optional path to write the screenshot to
   # @return [String] The resulting PNG data
@@ -84,7 +84,7 @@ class Grover
   end
   #
-  # Request URL with provided options and create JPEG
+  # Request URI with provided options and create JPEG
   #
   # @param [String] path Optional path to write the screenshot to
   # @return [String] The resulting JPEG data
@@ -116,10 +116,10 @@ class Grover
   #
   def inspect
     format(
-      '#<%<class_name>s:0x%<object_id>p @url="%<url>s">',
+      '#<%<class_name>s:0x%<object_id>p @uri="%<uri>s">',
       class_name: self.class.name,
       object_id: object_id,
-      url: @url
+      uri: @uri
     )
   end
@@ -147,6 +147,7 @@ class Grover
   def normalized_options(path:)
     normalized_options = Utils.normalize_object @options, excluding: ['extraHTTPHeaders']
     normalized_options['path'] = path if path.is_a? ::String
+    normalized_options['allowFileUri'] = Grover.configuration.allow_file_uris == true
     normalized_options
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: grover
 version: !ruby/object:Gem::Version
-  version: 1.1.7
+  version: 1.1.9
 platform: ruby
 authors:
 - Andrew Bromwich
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-09 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: combine_pdf
@@ -38,180 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: childprocess
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: mini_magick
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '4.12'
-- !ruby/object:Gem::Dependency
-  name: pdf-reader
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.11'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.11'
-- !ruby/object:Gem::Dependency
-  name: puma
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.4'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '6.4'
-- !ruby/object:Gem::Dependency
-  name: rack-test
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.1'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '13.0'
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.12'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.12'
-- !ruby/object:Gem::Dependency
-  name: rubocop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.43'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.43'
-- !ruby/object:Gem::Dependency
-  name: rubocop-rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.6'
-- !ruby/object:Gem::Dependency
-  name: rubocop-rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.18'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.18'
-- !ruby/object:Gem::Dependency
-  name: sinatra
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.2'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '0.18'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.17'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '0.18'
 description: Transform HTML into PDF/PNG/JPEG using Google Puppeteer/Chromium
 email:
 - abromwich@studiosity.com