RubyGems - grover - Versions diffs - 1.1.8 → 1.1.9 - Mend

grover 1.1.8 → 1.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/lib/grover/configuration.rb +2 -1
data/lib/grover/errors.rb +1 -0
data/lib/grover/js/processor.cjs +6 -4
data/lib/grover/middleware.rb +13 -2
data/lib/grover/options_builder.rb +6 -6
data/lib/grover/version.rb +1 -1
data/lib/grover.rb +15 -14
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7bfcdc3d84dade94866bbb29eca6c1e91b9459a5f020ebd175341f740dfdd585
-  data.tar.gz: 539a10195c08de66249983fccdf3f5314f1adec83b400d6058f87d127e731f86
+  metadata.gz: 82b9a3edaa4f0d20c326f3e79d61b1d2a0190454ac9ffb6867191a9607ec1ea0
+  data.tar.gz: 4e71234c41bf19c88a5b44c0a043a1c2ae5a74f94d0606fb0cd627c02e8511a2
 SHA512:
-  metadata.gz: 6322c7cd633f776d58bb2fcad105d067a3df4782dcbc2fb15aff4fe60dcc2e8e1a58075e4972bb9f65362075eebe973e51f8aa385bd651d89ad41078e00fd4ca
-  data.tar.gz: e9431f9a613f4b40f5d836616ad2e8afd6470a606a8daf80ad5553e248a461035228c62e290f0778e742aa2f2a9b663fe23f0590600cdda592cd8a26339ba391
+  metadata.gz: 737079399ecd8ef4c6a88c535495a2aa52fcb9e2e8fa0ca171d3453b58134d795237e606487a9f3dd06afad73baac8fac834a76a33445a1099e168f929f13835
+  data.tar.gz: 767e6ebf33ce60336d9afd71859e004b54765910136387ed81b44a12489de7728ff88d0b5f33890dea45314a58476972d31a1f3e9e5e7834f6d68979acf0eb19

data/lib/grover/configuration.rb CHANGED Viewed

@@ -7,7 +7,7 @@ class Grover
   class Configuration
     attr_accessor :options, :meta_tag_prefix, :ignore_path, :ignore_request,
                   :root_url, :use_pdf_middleware, :use_png_middleware,
-                  :use_jpeg_middleware, :node_env_vars
+                  :use_jpeg_middleware, :node_env_vars, :allow_file_uris
     def initialize
       @options = {}
@@ -19,6 +19,7 @@ class Grover
       @use_png_middleware = false
       @use_jpeg_middleware = false
       @node_env_vars = {}
+      @allow_file_uris = false
     end
   end
 end

data/lib/grover/errors.rb CHANGED Viewed

@@ -15,4 +15,5 @@ class Grover
       const_set name, Class.new(Error)
     end
   end
+  UnsafeConfigurationError = Class.new(Error)
 end

data/lib/grover/js/processor.cjs CHANGED Viewed

@@ -26,7 +26,7 @@ const fs = require('fs');
 const os = require('os');
 const path = require('path');
-const _processPage = (async (convertAction, urlOrHtml, options) => {
+const _processPage = (async (convertAction, uriOrHtml, options) => {
   let browser, page, errors = [], tmpDir, wsConnection = false;
   try {
@@ -173,10 +173,12 @@ const _processPage = (async (convertAction, urlOrHtml, options) => {
     }
     const waitUntil = options.waitUntil; delete options.waitUntil;
-    if (urlOrHtml.match(/^http/i)) {
+    const allowFileUri = options.allowFileUri; delete options.allowFileUri;
+    const uriRegex = allowFileUri ? /^(https?|file):\/\//i : /^https?:\/\//i;
+    if (uriOrHtml.match(uriRegex)) {
       // Request is for a URL, so request it
       requestOptions.waitUntil = waitUntil || 'networkidle2';
-      await page.goto(urlOrHtml, requestOptions);
+      await page.goto(uriOrHtml, requestOptions);
     } else {
       // Request is some HTML content. Use request interception to assign the body
       requestOptions.waitUntil = waitUntil || 'networkidle0';
@@ -188,7 +190,7 @@ const _processPage = (async (convertAction, urlOrHtml, options) => {
           request.continue();
         else {
           htmlIntercepted = true
-          request.respond({ body: urlOrHtml === '' ? ' ' : urlOrHtml });
+          request.respond({ body: uriOrHtml === '' ? ' ' : uriOrHtml });
         }
       });
       const displayUrl = options.displayUrl; delete options.displayUrl;

data/lib/grover/middleware.rb CHANGED Viewed

@@ -24,11 +24,14 @@ class Grover
       dup._call(env)
     end
-    def _call(env)
+    def _call(env) # rubocop:disable Metrics/MethodLength
       @request = Rack::Request.new(env)
       identify_request_type
-      configure_env_for_grover_request(env) if grover_request?
+      if grover_request?
+        check_file_uri_configuration
+        configure_env_for_grover_request(env)
+      end
       status, headers, response = @app.call(env)
       response = update_response response, headers if grover_request? && html_content?(headers)
@@ -45,6 +48,14 @@ class Grover
     attr_reader :pdf_request, :png_request, :jpeg_request
+    def check_file_uri_configuration
+      return unless Grover.configuration.allow_file_uris
+      # The combination of middleware and allowing file URLs is exceptionally
+      # unsafe as it can lead to data exfiltration from the host system.
+      raise UnsafeConfigurationError, 'using `allow_file_uris` configuration with middleware is exceptionally unsafe'
+    end
     def identify_request_type
       @pdf_request = Grover.configuration.use_pdf_middleware && path_matches?(PDF_REGEX)
       @png_request = Grover.configuration.use_png_middleware && path_matches?(PNG_REGEX)

data/lib/grover/options_builder.rb CHANGED Viewed

@@ -8,12 +8,12 @@ class Grover
   # Build options from Grover.configuration, meta_options, and passed-in options
   #
   class OptionsBuilder < Hash
-    def initialize(options, url)
+    def initialize(options, uri)
       super()
-      @url = url
+      @uri = uri
       combined = grover_configuration
       Utils.deep_merge! combined, Utils.deep_stringify_keys(options)
-      Utils.deep_merge! combined, meta_options unless url_source?
+      Utils.deep_merge! combined, meta_options unless uri_source?
       update OptionsFixer.new(combined).run
     end
@@ -41,11 +41,11 @@ class Grover
     end
     def meta_tags
-      Nokogiri::HTML(@url).xpath('//meta')
+      Nokogiri::HTML(@uri).xpath('//meta')
     end
-    def url_source?
-      @url.match(/\Ahttp/i)
+    def uri_source?
+      @uri.match?(%r{\A(https?|file)://}i)
     end
   end
 end

data/lib/grover/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 class Grover
-  VERSION = '1.1.8'
+  VERSION = '1.1.9'
 end

data/lib/grover.rb CHANGED Viewed

@@ -28,40 +28,40 @@ class Grover
   attr_reader :front_cover_path, :back_cover_path
   #
-  # @param [String] url URL of the page to convert
+  # @param [String] uri URI of the page to convert
   # @param [Hash] options Optional parameters to pass to PDF processor
   #   see https://github.com/puppeteer/puppeteer/blob/main/docs/api/puppeteer.pdfoptions.md
   #   and https://github.com/puppeteer/puppeteer/blob/main/docs/api/puppeteer.screenshotoptions.md
   #
-  def initialize(url, **options)
-    @url = url.to_s
-    @options = OptionsBuilder.new(options, @url)
+  def initialize(uri, **options)
+    @uri = uri.to_s
+    @options = OptionsBuilder.new(options, @uri)
     @root_path = @options.delete 'root_path'
     @front_cover_path = @options.delete 'front_cover_path'
     @back_cover_path = @options.delete 'back_cover_path'
   end
   #
-  # Request URL with provided options and create PDF
+  # Request URI with provided options and create PDF
   #
   # @param [String] path Optional path to write the PDF to
   # @return [String] The resulting PDF data
   #
   def to_pdf(path = nil)
-    processor.convert :pdf, @url, normalized_options(path: path)
+    processor.convert :pdf, @uri, normalized_options(path: path)
   end
   #
-  # Request URL with provided options and render HTML
+  # Request URI with provided options and render HTML
   #
   # @return [String] The resulting HTML string
   #
   def to_html
-    processor.convert :content, @url, normalized_options(path: nil)
+    processor.convert :content, @uri, normalized_options(path: nil)
   end
   #
-  # Request URL with provided options and create screenshot
+  # Request URI with provided options and create screenshot
   #
   # @param [String] path Optional path to write the screenshot to
   # @param [String] format Optional format of the screenshot
@@ -70,11 +70,11 @@ class Grover
   def screenshot(path: nil, format: nil)
     options = normalized_options(path: path)
     options['type'] = format if %w[png jpeg].include? format
-    processor.convert :screenshot, @url, options
+    processor.convert :screenshot, @uri, options
   end
   #
-  # Request URL with provided options and create PNG
+  # Request URI with provided options and create PNG
   #
   # @param [String] path Optional path to write the screenshot to
   # @return [String] The resulting PNG data
@@ -84,7 +84,7 @@ class Grover
   end
   #
-  # Request URL with provided options and create JPEG
+  # Request URI with provided options and create JPEG
   #
   # @param [String] path Optional path to write the screenshot to
   # @return [String] The resulting JPEG data
@@ -116,10 +116,10 @@ class Grover
   #
   def inspect
     format(
-      '#<%<class_name>s:0x%<object_id>p @url="%<url>s">',
+      '#<%<class_name>s:0x%<object_id>p @uri="%<uri>s">',
       class_name: self.class.name,
       object_id: object_id,
-      url: @url
+      uri: @uri
     )
   end
@@ -147,6 +147,7 @@ class Grover
   def normalized_options(path:)
     normalized_options = Utils.normalize_object @options, excluding: ['extraHTTPHeaders']
     normalized_options['path'] = path if path.is_a? ::String
+    normalized_options['allowFileUri'] = Grover.configuration.allow_file_uris == true
     normalized_options
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: grover
 version: !ruby/object:Gem::Version
-  version: 1.1.8
+  version: 1.1.9
 platform: ruby
 authors:
 - Andrew Bromwich
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-23 00:00:00.000000000 Z
+date: 2024-07-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: combine_pdf