lanyon 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a1d734e248758a22e846cf73dc15b13a323548a6
-  data.tar.gz: b7f4ed547b531a6d746f5a0caf31928af6ad968e
+  metadata.gz: 3ba71c4bb36491071c4f3918250373339f2b06fe
+  data.tar.gz: 77bf257ad911b6e56e1420a7c2443b61b1e149df
 SHA512:
-  metadata.gz: 36f129ec0ff9053464adcfaec6984d10eb04d6d9252538ab4f434ed0fd2de5aeaa3348d68507eb0b906b3664a44d526bd333668ae0a1757f24f526796850106b
-  data.tar.gz: 33a2dc54b3b19c0108773903e18d525808875dcce69f98abf725b5f4fe7bc3cc52f97b0d2d61bffce8c89186495bf24cce627c392a4e6b06c97a626f6b96e960
+  metadata.gz: 2595d1de19d7f28071efdc3288708089ad6d316ae16406174197eb02c35ad8ff7cc1d113cc99247070179c8bb7ab1eb64571623618c295778fcf820b1c342b0e
+  data.tar.gz: 8f8870aba29ea1fe713f93ef87b633965288a747e210297925bd420833c368b804640603bc06f3c8f80ad7f32b3d0cee82becfd3f084b7ac1cb5d079ee530f42

data/lib/lanyon/application.rb

@@ -41,7 +41,7 @@ module Lanyon
     private
 
     def response(filename)  # :nodoc:
-      response = Rack::Response.new(File.read(filename))
+      response = Rack::Response.new(File.binread(filename))
       response["Content-Type"]  = media_type(filename)
       response["Last-Modified"] = modification_time(filename)
 

data/lib/lanyon/router.rb

@@ -1,3 +1,6 @@
+require "rack/utils"
+
+
 module Lanyon
 
   # Router class for Lanyon applications.
@@ -17,17 +20,12 @@ module Lanyon
     # - +:must_redirect+ if the request must be redirected to <tt>path/</tt>.
     #
     def endpoint(path)
-      fullpath = File.join(@root, path)
-
-      if fullpath.end_with?("/")
-        normalized = fullpath + "index.html"
-      else
-        normalized = fullpath
-      end
+      normalized = normalize_path_info(path)
 
-      endpoint = if FileTest.file?(normalized)
-                   normalized
-                 elsif needs_redirect_to_dir?(normalized)
+      fullpath = File.join(@root, normalized)
+      endpoint = if FileTest.file?(fullpath)
+                   fullpath
+                 elsif needs_redirect_to_dir?(fullpath)
                    :must_redirect
                  else
                    :not_found
@@ -40,7 +38,7 @@ module Lanyon
     def custom_404_body
       filename = File.join(root, "404.html")
 
-      File.exist?(filename) ? File.read(filename) : nil
+      File.exist?(filename) ? File.binread(filename) : nil
     end
 
     private
@@ -48,5 +46,15 @@ module Lanyon
     def needs_redirect_to_dir?(fullpath)  # :nodoc:
       !fullpath.end_with?("/") && FileTest.file?(fullpath + "/index.html")
     end
+
+    def normalize_path_info(path)
+      if path.end_with?("/")
+        normalized = path + "index.html"
+      else
+        normalized = path
+      end
+
+      Rack::Utils.clean_path_info(normalized)
+    end
   end
 end

data/lib/lanyon/version.rb

@@ -1,4 +1,4 @@
 module Lanyon
-  VERSION  = '0.2.0'
-  DATE     = '2015-11-11'
+  VERSION  = '0.2.2'
+  DATE     = '2015-12-06'
 end

data/lib/lanyon.rb

@@ -3,6 +3,7 @@
 # See Lanyon module for documentation.
 
 require "jekyll"
+require "rack"
 
 require "lanyon/application"
 require "lanyon/router"
@@ -18,7 +19,8 @@ require "lanyon/version"
 #
 module Lanyon
 
-  # Builds the Jekyll site and returns a Rack application.
+  # Builds the Jekyll site, prepares the middleware stack,
+  # and returns the Rack application.
   #
   # Options:
   #
@@ -38,7 +40,7 @@ module Lanyon
     if skip_build
       puts skip_build_warning
     else
-      build(config)
+      process(config)
     end
 
     destination = config["destination"]
@@ -71,7 +73,11 @@ module Lanyon
   end
 
   # @private
-  def self.build(config)  # :nodoc:
+  #
+  # Wraps Jekyll::Site's process method that builds the site.
+  #
+  # Takes a Jekyll configuration hash as argument.
+  def self.process(config)  # :nodoc:
     site = ::Jekyll::Site.new(config)
     puts "Generating site: #{site.source} -> #{site.dest}"
     site.process

data/test/source/crlf.dat

@@ -0,0 +1,4 @@
+File
+with
+CRLF
+newlines

data/test/test_integration.rb

@@ -177,6 +177,18 @@ describe "when handling requests" do
   end
 
 
+  describe "when asked for paths with directory traversal" do
+
+    it "returns status 404 for unsafe directory traversal" do
+      filename = File.join(@destdir, "/../_site/index.html")
+      assert File.exist?(filename)
+
+      @response = @request.get("/../_site/index.html")
+      @response.status.must_equal 404
+    end
+  end
+
+
   describe "when a directory is requested" do
 
     it "redirects to 'directory/' for 'directory' with index.html" do
@@ -233,7 +245,8 @@ describe "when handling requests" do
     end
 
     it "returns correct body" do
-      @response.body.must_match %r{<p>¡Buenos días!</p>}
+      response_body = @response.body.force_encoding("UTF-8")
+      response_body.must_match %r{<p>¡Buenos días!</p>}
     end
 
     it "returns the bytesize as Content-Length header" do
@@ -242,6 +255,23 @@ describe "when handling requests" do
   end
 
 
+  describe "when resource contains CRLF newlines" do
+
+    before do
+      @response = @request.get("/crlf.dat")
+    end
+
+    it "returns correct body" do
+      expected = "File\r\nwith\r\nCRLF\r\nnewlines\r\n"
+      @response.body.must_equal expected
+    end
+
+    it "returns the bytesize as Content-Length header" do
+      @response.original_headers["Content-Length"].must_equal "28"
+    end
+  end
+
+
   describe "when handling If-Modified-Since requests" do
 
     before do

data/test/test_router.rb

@@ -79,6 +79,35 @@ describe Lanyon::Router do
   end
 
 
+  describe "when asked for paths with directory traversal" do
+
+    it "discards leading '..' for existing path" do
+      filename = File.join(@sitedir, "page.html")
+      @router.endpoint("/../../page.html").must_equal filename
+    end
+
+    it "allows safe directory traversal" do
+      filename = File.join(@sitedir, "index.html")
+      @router.endpoint("/dir1/../").must_equal filename
+    end
+
+    it "returns :not_found for unsafe directory traversal 1" do
+      filename = File.join(@sitedir, "/../_site/page.html")
+      assert File.exist?(filename)
+
+      @router.endpoint("/../_site/page.html").must_equal :not_found
+    end
+
+    it "returns :not_found for unsafe directory traversal 2" do
+      @router.endpoint("/%2E%2E/_site/").must_equal :not_found
+    end
+
+    it "returns :not_found for unsafe directory traversal 3" do
+      @router.endpoint("/dir1/../dir1/../../_site/").must_equal :not_found
+    end
+  end
+
+
   describe "when asked for #custom_404_body" do
 
     describe "when 404.html does not exist" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: lanyon
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Marcus Stollsteimer
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-11 00:00:00.000000000 Z
+date: 2015-12-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -97,6 +97,7 @@ files:
 - test/helper.rb
 - test/source/_posts/2015-11-05-hello-world.md
 - test/source/buenos_dias.md
+- test/source/crlf.dat
 - test/source/css/test.css
 - test/source/dir-with-index/index.md
 - test/source/dir-without-index/page.md