letter_opener_web 1.3.4 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5371ec444a8c7c1d8446e0c61e163787a52d0e9e919ccc9113ae611c19087f02
-  data.tar.gz: 2d6a00656c5f18e33d7a31d9dfea339c73af434c6dda1498ab803a4f0f045e96
+  metadata.gz: 3b31a75a1e88a4e79a2c79ef92da951522caf6ffbd7ab684b53a46b0982efd85
+  data.tar.gz: a4f6a87162bdcc3d28632f192f97aaba812939697c08c86904a36aa4ce9b6da8
 SHA512:
-  metadata.gz: 02a86b66e9c4804785777ffcffc790a024d5760edbfb49453680ce11d02055542d3bdf27e8e498f9fa10ed3b531d241c55b1dc11895e3e6d496713d015819487
-  data.tar.gz: 288baaa9373f2f02187197c49cf5078dc872ce89455ae119feb0491e756ec712a67a3d7134eb8bc66e1684579912671e3b3c785bd8aa3525f055ad751d6e0ff2
+  metadata.gz: 7c4e1575132e8e895cdd5fdc881516396af19c3efabde95276727c39f106df67d7f0237ae009264f7b31dce15cfd8d83874f0f098fa1145ed2c5d2f4a77fd2d8
+  data.tar.gz: d3b2d72727adfe59f1c3468d832df6522d7792ee1d7e555a205ec2720a2c34e3ff7689cb38016e0561b89ed04ab94e364cdfca68235c4c0f9c1c1a630db140c5

data/.github/workflows/brakeman-analysis.yml

@@ -0,0 +1,46 @@
+# This workflow integrates Brakeman with GitHub's Code Scanning feature
+# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications
+
+name: Brakeman Scan
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '21 4 * * 4'
+
+jobs:
+  brakeman-scan:
+    name: Brakeman Scan
+    runs-on: ubuntu-latest
+    steps:
+    # Checkout the repository to the GitHub Actions runner
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    # Customize the ruby version depending on your needs
+    - name: Setup Ruby
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: '2.7'
+
+    - name: Setup Brakeman
+      env:
+        BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+
+      run: |
+        gem install brakeman --version $BRAKEMAN_VERSION
+
+    # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis
+    - name: Scan
+      continue-on-error: true
+      run: |
+        brakeman -f sarif -o output.sarif.json .
+
+    # Upload the SARIF file generated in the previous step
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: output.sarif.json

data/.github/workflows/main.yml

@@ -0,0 +1,34 @@
+name: Run tests
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master, next ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ruby-version: [2.7, 3.0]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run tests
+        run: bundle exec rake
+
+      - name: Build gem
+        run: bundle exec rake build

data/.github/workflows/release-gem.yml

@@ -0,0 +1,32 @@
+name: Release gem
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Ruby 3.0
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+
+      - run: bundle install
+
+      - name: Publish to RubyGems
+        run: |
+          mkdir -p $HOME/.gem
+          touch $HOME/.gem/credentials
+          chmod 0600 $HOME/.gem/credentials
+          printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+          bundle exec rake build
+          gem push pkg/*.gem
+        env:
+          GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"

data/.gitignore

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.ruby-version
 .yardoc
 InstalledFiles
 _yardoc

data/.rspec

@@ -1,4 +1,4 @@
 --order rand
 --color
 --format progress
---require spec_helper
+--require rails_helper

data/.rubocop.yml

@@ -1,28 +1,17 @@
 ---
+inherit_from: .rubocop_todo.yml
+
 AllCops:
-  TargetRubyVersion: 2.3
+  NewCops: enable
+  TargetRubyVersion: 2.7
   Exclude:
-    - "bin/**/*"
     - "spec/dummy/bin/**/*"
     - "tmp/**/*"
     - "vendor/**/*"
 
-# not available in older versions of Ruby
-Layout/IndentHeredoc:
-  Enabled: false
-
-Style/Documentation:
-  Enabled: false
-
-Style/ClassAndModuleChildren:
-  EnforcedStyle: nested
-
-Style/SingleLineBlockParams:
-  Enabled: false
-
 Metrics/BlockLength:
   Exclude:
     - spec/**/*_spec.rb
 
-Metrics/LineLength:
+Layout/LineLength:
   Max: 120

data/.rubocop_todo.yml

@@ -0,0 +1,19 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2021-10-02 14:42:36 UTC using RuboCop version 1.22.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 5
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'app/controllers/letter_opener_web/letters_controller.rb'
+    - 'app/models/letter_opener_web/letter.rb'
+    - 'lib/letter_opener_web.rb'
+    - 'lib/letter_opener_web/delivery_method.rb'
+    - 'lib/letter_opener_web/engine.rb'

data/CHANGELOG.md

@@ -1,4 +1,25 @@
-## [Unreleased](https://github.com/fgrehm/letter_opener_web/compare/v1.3.4...master)
+## [v2.0.0](https://github.com/fgrehm/letter_opener_web/compare/v1.4.1...v2.0.0)
+
+  - Require Rails >= 5.2, run tests against Rails 6.1 [#113](https://github.com/fgrehm/letter_opener_web/pull/113)
+  - Inline CSS and Javascript, to avoid dependency on asset pipeline [#113](https://github.com/fgrehm/letter_opener_web/pull/113)
+  - Upgrade to Bootstrap 5.1.1 [#113](https://github.com/fgrehm/letter_opener_web/pull/113)
+  - Add rexml gem into dependency for Ruby 3.0 [#106](https://github.com/fgrehm/letter_opener_web/pull/106)
+  - Add routes for Rails API mode [#69](https://github.com/fgrehm/letter_opener_web/pull/69)
+  - Prevent name conflict with `Letter` class [#108](https://github.com/fgrehm/letter_opener_web/pull/108)
+  - Add Rails' built-in CSRF protection [#111](https://github.com/fgrehm/letter_opener_web/pull/111)
+  - Add Rails' CSP nonce to the script tag [#112](https://github.com/fgrehm/letter_opener_web/pull/112)
+  - Update dev dependencies [#113](https://github.com/fgrehm/letter_opener_web/pull/113)
+  - Switched to using GitHub actions as CI for the project [#113](https://github.com/fgrehm/letter_opener_web/pull/113)
+
+## [1.4.1](https://github.com/fgrehm/letter_opener_web/compare/v1.4.0...v1.4.1) (Oct 5, 2021)
+
+  - Ensure letter is within letters base path [#110](https://github.com/fgrehm/letter_opener_web/pull/110)
+
+## [1.4.0](https://github.com/fgrehm/letter_opener_web/compare/v1.3.4...v1.4.0) (Jan 29, 2020)
+
+  - Removed the dependency on the asset pipeline. Good news for API-only apps! [#83](https://github.com/fgrehm/letter_opener_web/pull/83)
+  - Avoid `require_dependency` if Zeitwerk is enabled [#98](https://github.com/fgrehm/letter_opener_web/pull/98)
+  - Drop support for old rubies and rails. Ruby 2.5+ is supported and Rails 4 is no longer tested [#100](https://github.com/fgrehm/letter_opener_web/pull/100)
 
 ## [1.3.4](https://github.com/fgrehm/letter_opener_web/compare/v1.3.3...v1.3.4) (Apr 04, 2018)
 

data/Gemfile

@@ -6,3 +6,7 @@ source 'http://rubygems.org'
 # Bundler will treat runtime dependencies like base dependencies, and
 # development dependencies will be added by default to the :development group.
 gemspec
+
+group :test do
+  gem 'codecov', require: false
+end

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013-2014 Fabio Rehm
+Copyright (c) 2013-2021 Fabio Rehm
 
 MIT License
 

data/README.md

@@ -1,6 +1,8 @@
 # letter_opener_web
 
-[![Build Status](https://travis-ci.org/fgrehm/letter_opener_web.png?branch=master)](https://travis-ci.org/fgrehm/letter_opener_web) [![Gem Version](https://badge.fury.io/rb/letter_opener_web.png)](http://badge.fury.io/rb/letter_opener_web) [![Code Climate](https://codeclimate.com/github/fgrehm/letter_opener_web.png)](https://codeclimate.com/github/fgrehm/letter_opener_web) [![Gitter chat](https://badges.gitter.im/fgrehm/letter_opener_web.png)](https://gitter.im/fgrehm/letter_opener_web)
+![Build Status](https://github.com/fgrehm/letter_opener_web/actions/workflows/main.yml/badge.svg)
+[![Gem Version](https://badge.fury.io/rb/letter_opener_web.svg)](http://badge.fury.io/rb/letter_opener_web)
+[![Code Climate](https://codeclimate.com/github/fgrehm/letter_opener_web.svg)](https://codeclimate.com/github/fgrehm/letter_opener_web)
 
 Gives [letter_opener](https://github.com/ryanb/letter_opener) an interface for
 browsing sent emails.
@@ -13,7 +15,7 @@ First add the gem to your development environment and run the `bundle` command t
 
 ```ruby
 group :development do
-  gem 'letter_opener_web'
+  gem 'letter_opener_web', '~> 2.0'
 end
 ```
 
@@ -23,9 +25,7 @@ Add to your routes.rb:
 
 ```ruby
 Your::Application.routes.draw do
-  if Rails.env.development?
-    mount LetterOpenerWeb::Engine, at: "/letter_opener"
-  end
+  mount LetterOpenerWeb::Engine, at: "/letter_opener" if Rails.env.development?
 end
 ```
 
@@ -33,8 +33,9 @@ And make sure you have [`:letter_opener` delivery method](https://github.com/rya
 configured for your app. Then visit `http://localhost:3000/letter_opener` after
 sending an email and have fun.
 
-If you are running the app from a [Vagrant](http://vagrantup.com) machine, you
-might want to skip `letter_opener`'s `launchy` calls and avoid messages like these:
+If you are running the app from a [Vagrant](http://vagrantup.com) machine or Docker
+container, you might want to skip `letter_opener`'s `launchy` calls and avoid messages
+like these:
 
 ```terminal
 12:33:42 web.1  | Failure in opening /vagrant/tmp/letter_opener/1358825621_ba83a22/rich.html
@@ -43,19 +44,16 @@ environment variable LAUNCHY_DEBUG=true or the '-d' commandline option and file
 https://github.com/copiousfreetime/launchy/issues/new
 ```
 
-In that case (or if you just want to browse mails using the web interface), you
-can set `:letter_opener_web` as your delivery method on your
-`config/environments/development.rb`:
+In that case (or if you really just want to browse mails using the web interface and
+don't care about opening emails automatically), you can set `:letter_opener_web` as
+your delivery method on your `config/environments/development.rb`:
 
 ```ruby
 config.action_mailer.delivery_method = :letter_opener_web
-
-# If not everyone on the team is using vagrant
-config.action_mailer.delivery_method = ENV['USER'] == 'vagrant' ? :letter_opener_web : :letter_opener
 ```
 
-If you're using `:letter_opener_web` as your delivery method, you can change the location of the letters by adding the
-following to an initializer (or in development.rb):
+If you're using `:letter_opener_web` as your delivery method, you can change the location of
+the letters by adding the following to an initializer (or in development.rb):
 
 ```ruby
 LetterOpenerWeb.configure do |config|
@@ -63,13 +61,16 @@ LetterOpenerWeb.configure do |config|
 end
 ```
 
-## Usage on Heroku
+## Usage on pre-production environments
+
+Some people use this gem on staging / pre-production environments to avoid having real emails
+being sent out. To set that up you'll need to:
 
-Some people use this gem on staging environments on Heroku and to set that up
-is just a matter of moving the gem out of the `development` group and enabling
-the route for all environments on your `routes.rb`.
+1. Move the gem out of the `development` group in your `Gemfile`
+2. Set `config.action_mailer.delivery_method` on the appropriate `config/environments/<env>.rb`
+3. Enable the route for the environments on your `routes.rb`.
 
-In order words, your `Gemfile` will have:
+In other words, your `Gemfile` will have:
 
 ```ruby
 gem 'letter_opener_web'
@@ -79,20 +80,28 @@ And your `routes.rb`:
 
 ```ruby
 Your::Application.routes.draw do
-  mount LetterOpenerWeb::Engine, at: "/letter_opener"
+  # If you have a dedicated config/environments/staging.rb
+  mount LetterOpenerWeb::Engine, at: "/letter_opener" if Rails.env.staging?
+
+  # If you use RAILS_ENV=production in staging environments, you'll need another
+  # way to disable it in "real production"
+  mount LetterOpenerWeb::Engine, at: "/letter_opener" unless ENV["PRODUCTION_FOR_REAL"]
 end
 ```
 
 You might also want to have a look at the sources for the [demo](http://letter-opener-web.herokuapp.com)
 available at https://github.com/fgrehm/letter_opener_web_demo.
 
-**NOTICE: Using this gem on Heroku will only work if your app has just one Dyno and does not send emails from background jobs. For updates on this matter please subscribe to [GH-35](https://github.com/fgrehm/letter_opener_web/issues/35)**
+**NOTICE: Using this gem on Heroku will only work if your app has just one Dyno
+and does not send emails from background jobs. For updates on this matter please
+subscribe to [GH-35](https://github.com/fgrehm/letter_opener_web/issues/35)**
 
 ## Acknowledgements
 
 Special thanks to [@alexrothenberg](https://github.com/alexrothenberg) for some
-ideas on [this pull request](https://github.com/ryanb/letter_opener/pull/12).
-
+ideas on [this pull request](https://github.com/ryanb/letter_opener/pull/12) and
+[@pseudomuto](https://github.com/pseudomuto) for keeping the project alive for a
+few years.
 
 ## Contributing
 

data/app/controllers/letter_opener_web/application_controller.rb

@@ -2,5 +2,6 @@
 
 module LetterOpenerWeb
   class ApplicationController < ActionController::Base
+    protect_from_forgery with: :exception, unless: -> { Rails.configuration.try(:api_only) }
   end
 end

data/app/controllers/letter_opener_web/letters_controller.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
-require_dependency 'letter_opener_web/application_controller'
+unless Rails.respond_to?(:autoloaders) && Rails.autoloaders.zeitwerk_enabled?
+  require_dependency 'letter_opener_web/application_controller'
+end
 
 module LetterOpenerWeb
   class LettersController < ApplicationController
-    before_action :check_style, only: [:show]
+    before_action :check_style, only: :show
     before_action :load_letter, only: %i[show attachment destroy]
 
     def index
-      @letters = Letter.search
+      @letters = LetterOpenerWeb::Letter.search
     end
 
     def show
@@ -24,17 +26,21 @@ module LetterOpenerWeb
       file     = @letter.attachments[filename]
 
       return render plain: 'Attachment not found!', status: 404 unless file.present?
+
       send_file(file, filename: filename, disposition: 'inline')
     end
 
     def clear
-      Letter.destroy_all
+      LetterOpenerWeb::Letter.destroy_all
       redirect_to routes.letters_path
     end
 
     def destroy
       @letter.delete
-      redirect_to routes.letters_path
+      respond_to do |format|
+        format.html { redirect_to routes.letters_path }
+        format.js { render js: "window.location='#{routes.letters_path}'" }
+      end
     end
 
     private
@@ -44,8 +50,9 @@ module LetterOpenerWeb
     end
 
     def load_letter
-      @letter = Letter.find(params[:id])
-      head :not_found unless @letter.exists?
+      @letter = LetterOpenerWeb::Letter.find(params[:id])
+
+      head :not_found unless @letter.valid?
     end
 
     def routes

data/app/models/letter_opener_web/letter.rb

@@ -33,6 +33,18 @@ module LetterOpenerWeb
       @sent_at = params[:sent_at]
     end
 
+    def headers
+      html = read_file(:rich) if style_exists?('rich')
+      html ||= read_file(:plain)
+
+      # NOTE: This is ugly, we should look into using nokogiri and making that a
+      # dependency of this gem
+      match_data = html.match(%r{<body>\s*<div[^>]+id="container">\s*<div[^>]+id="message_headers">\s*(<dl>.+</dl>)}m)
+      return remove_attachments_link(match_data[1]).html_safe if match_data && match_data[1].present?
+
+      'UNABLE TO PARSE HEADERS'
+    end
+
     def plain_text
       @plain_text ||= adjust_link_targets(read_file(:plain))
     end
@@ -56,17 +68,28 @@ module LetterOpenerWeb
     end
 
     def delete
-      FileUtils.rm_rf("#{LetterOpenerWeb.config.letters_location}/#{id}")
+      return unless valid?
+
+      FileUtils.rm_rf(base_dir.to_s)
     end
 
-    def exists?
-      File.exist?(base_dir)
+    def valid?
+      exists? && base_dir_within_letters_location?
     end
 
     private
 
+    def remove_attachments_link(headers)
+      xml = REXML::Document.new(headers)
+      if xml.root.elements.size == 10
+        xml.delete_element('//dd[last()]')
+        xml.delete_element('//dt[last()]')
+      end
+      xml.to_s
+    end
+
     def base_dir
-      "#{LetterOpenerWeb.config.letters_location}/#{id}"
+      LetterOpenerWeb.config.letters_location.join(id).cleanpath
     end
 
     def read_file(style)
@@ -77,8 +100,16 @@ module LetterOpenerWeb
       File.exist?("#{base_dir}/#{style}.html")
     end
 
+    def exists?
+      File.exist?(base_dir)
+    end
+
+    def base_dir_within_letters_location?
+      base_dir.to_s.start_with?(LetterOpenerWeb.config.letters_location.to_s)
+    end
+
     def adjust_link_targets(contents)
-      # We cannot feed the whole file to an XML parser as some mails are
+      # We cannot feed the whole file to a XML parser as some mails are
       # "complete" (as in they have the whole <html> structure) and letter_opener
       # prepends some information about the mail being sent, making REXML
       # complain about it
@@ -86,6 +117,7 @@ module LetterOpenerWeb
         fixed_link = fix_link_html(link)
         xml        = REXML::Document.new(fixed_link).root
         next if xml.attributes['href'] =~ /(plain|rich).html/
+
         xml.attributes['target'] = '_blank'
         xml.add_text('') unless xml.text
         contents.gsub!(link, xml.to_s)

data/app/views/layouts/letter_opener_web/_javascripts.html.erb

@@ -0,0 +1,31 @@
+<%= render "layouts/letter_opener_web/js/jquery" %>
+<%= render "layouts/letter_opener_web/js/favcount" %>
+
+<script nonce="<%= content_security_policy_nonce %>">
+function update_favicon(favicon) {
+    favicon.set($('.letter-opener a').length);
+}
+
+jQuery(function($) {
+    var favicon = new Favcount($('link[rel="icon"]').attr('href'));
+    update_favicon(favicon);
+
+    $('.letter-opener').on('click', 'a', function() {
+        var $this = $(this);
+        $('iframe').attr('src', $this.attr('href'));
+        $this.parents('.list-group').find('.active').removeClass('active');
+        $this.parent().addClass('active');
+    });
+
+    $('.refresh').click(function(e) {
+        e.preventDefault();
+
+        var wrapper = $('.letter-opener');
+        wrapper.find('div').text('Loading...');
+        wrapper.load(wrapper.data('letters-path') + ' .letter-opener', function() {
+            $('iframe').attr('src', $('.letter-opener a:first-child()').attr('href'));
+            update_favicon(favicon);
+        });
+    });
+});
+</script>

data/app/views/layouts/letter_opener_web/_styles.html.erb

@@ -0,0 +1,3 @@
+<%= render "layouts/letter_opener_web/styles/icon" %>
+<%= render "layouts/letter_opener_web/styles/bootstrap" %>
+<%= render "layouts/letter_opener_web/styles/letters" %>

data/{vendor/assets/javascripts/letter_opener_web/favcount.js → app/views/layouts/letter_opener_web/js/_favcount.html.erb}

@@ -1,3 +1,4 @@
+<script nonce="<%= content_security_policy_nonce %>">
 /*
  * favcount.js v1.5.0
  * http://chrishunt.co/favcount
@@ -46,11 +47,10 @@
 
   function drawCanvas(canvas, opacity, font, img, count) {
     var head = document.getElementsByTagName('head')[0],
-        favicon = document.createElement('link'),
+        favicon = document.querySelector('link[rel=icon]'),
+        newFavicon = document.createElement('link'),
         multiplier, fontSize, context, xOffset, yOffset, border, shadow;
 
-    favicon.rel = 'icon';
-
     // Scale canvas elements based on favicon size
     multiplier = img.width / 16;
     fontSize   = multiplier * 11;
@@ -89,14 +89,16 @@
     );
 
     // Replace favicon with new favicon
-    favicon.href = canvas.toDataURL('image/png');
-    head.removeChild(document.querySelector('link[rel=icon]'));
-    head.appendChild(favicon);
+    newFavicon.rel = 'icon';
+    newFavicon.href = canvas.toDataURL('image/png');
+    if (favicon) { head.removeChild(favicon); }
+    head.appendChild(newFavicon);
   }
 
   this.Favcount = Favcount;
 }).call(this);
 
 (function(){
-  Favcount.VERSION = '1.5.0';
+  Favcount.VERSION = '1.5.1';
 }).call(this);
+</script>