letter_opener_web 1.4.0 → 1.4.1

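--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: e4e55f6426c388994e7d06824aa7a0b4ebe1f9342854f777bdc8cbdfb0f79eee
-data.tar.gz: d683940cd611dc76784c050bf8872a6be7e8871891774117e7fa327de9e1f0d9
+metadata.gz: cf8f22bcc360d6d8da5a1e462a24faa5d8dfe4589a7cad91bebe688a06a1001c
+data.tar.gz: f9cc899aee871f4d68ec12390be6470d62fba0b85123ecb38ae5a11e98899f42
 SHA512:
-metadata.gz: a647a30f84bc33477050478c485aec7a6a28b0778c4d5f689b1b195cc77470c6c37a3b9f608675953183fb430574eff90c67e997a106ffa41e0cb288be9bcb24
-data.tar.gz: 65c306586fd9eb8a4aef17d73c46571a9b5e1b75540e48e72262e196328ac546ed2f8bed8c1a37837963d5df30429e578a894360930363fa8e2802ffd66eead9
+metadata.gz: 79ecd487c5042e2acfd3627a38ee8379e8a372c06a64aaa8c01be30cddf01b123dc23ec80dafe1cc94f7924698ef80304066c1b06a5d776f8304a547ddaa11be
+data.tar.gz: c5fb0b7be26b025400c346a8d4850e834e890f578cfd6a849fd949d1b12c93999aaefef65c1e641e8a6fca2a25e866467f6f223527ed84cea94fb4022b07984e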
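--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -1,4 +1,3 @@
-sudo: false
 language: ruby
 
 rvm: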
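--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,4 +1,6 @@
-## [Unreleased](https://github.com/fgrehm/letter_opener_web/compare/v1.4.0...master)
+## [1.4.1](https://github.com/fgrehm/letter_opener_web/compare/v1.4.0...v1.4.1) (Oct 5, 2021)
+
+- Ensure letter is within letters base path [#110](https://github.com/fgrehm/letter_opener_web/pull/110)
 
 ## [1.4.0](https://github.com/fgrehm/letter_opener_web/compare/v1.3.4...v1.4.0) (Jan 29, 2020)
 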
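--- a/data/Gemfile
+++ b/data/Gemfile
@@ -6,3 +6,7 @@ source 'http://rubygems.org'
 # Bundler will treat runtime dependencies like base dependencies, and
 # development dependencies will be added by default to the :development group.
 gemspec
+
+group :test do
+gem 'codecov', require: false
+end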
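Review bot: `gem 'codecov', require: false` is added to the `:test` group with no version constraint, so each fresh CI bundle resolves whatever release is newest at that moment; for a gem that runs inside CI and is typically driven by an upload token from the environment, that is the kind of dependency worth pinning. A pessimistic constraint keeps it predictable: `gem 'codecov', '~> [VERSION-IN-USE]', require: false` (fill in the version the project actually tests against). If the repository does not commit a `Gemfile.lock`, the constraint in the `Gemfile` is the only thing holding the version steady.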
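--- a/data/README.md
+++ b/data/README.md
@@ -1,8 +1,8 @@
 # letter_opener_web
 
-[![Build Status](https://travis-ci.org/fgrehm/letter_opener_web.png?branch=master)](https://travis-ci.org/fgrehm/letter_opener_web)
-[![Gem Version](https://badge.fury.io/rb/letter_opener_web.png)](http://badge.fury.io/rb/letter_opener_web)
-[![Code Climate](https://codeclimate.com/github/fgrehm/letter_opener_web.png)](https://codeclimate.com/github/fgrehm/letter_opener_web)
+[![Build Status](https://travis-ci.org/fgrehm/letter_opener_web.svg?branch=master)](https://travis-ci.org/fgrehm/letter_opener_web)
+[![Gem Version](https://badge.fury.io/rb/letter_opener_web.svg)](http://badge.fury.io/rb/letter_opener_web)
+[![Code Climate](https://codeclimate.com/github/fgrehm/letter_opener_web.svg)](https://codeclimate.com/github/fgrehm/letter_opener_web)
 
 Gives [letter_opener](https://github.com/ryanb/letter_opener) an interface for
 browsing sent emails.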
@@ -6,7 +6,7 @@ end
6
6
 
7
7
  module LetterOpenerWeb
8
8
  class LettersController < ApplicationController
9
- before_action :check_style, only: [:show]
9
+ before_action :check_style, only: :show
10
10
  before_action :load_letter, only: %i[show attachment destroy]
11
11
 
12
12
  def index
@@ -48,7 +48,8 @@ module LetterOpenerWeb
48
48
 
49
49
  def load_letter
50
50
  @letter = Letter.find(params[:id])
51
- head :not_found unless @letter.exists?
51
+
52
+ head :not_found unless @letter.valid?
52
53
  end
53
54
 
54
55
  def routes
@@ -56,17 +56,19 @@ module LetterOpenerWeb
56
56
  end
57
57
 
58
58
  def delete
59
- FileUtils.rm_rf("#{LetterOpenerWeb.config.letters_location}/#{id}")
59
+ return unless valid?
60
+
61
+ FileUtils.rm_rf(base_dir.to_s)
60
62
  end
61
63
 
62
- def exists?
63
- File.exist?(base_dir)
64
+ def valid?
65
+ exists? && base_dir_within_letters_location?
64
66
  end
65
67
 
66
68
  private
67
69
 
68
70
  def base_dir
69
- "#{LetterOpenerWeb.config.letters_location}/#{id}"
71
+ LetterOpenerWeb.config.letters_location.join(id).cleanpath
70
72
  end
71
73
 
72
74
  def read_file(style)
@@ -77,6 +79,14 @@ module LetterOpenerWeb
77
79
  File.exist?("#{base_dir}/#{style}.html")
78
80
  end
79
81
 
82
+ def exists?
83
+ File.exist?(base_dir)
84
+ end
85
+
86
+ def base_dir_within_letters_location?
87
+ base_dir.to_s.start_with?(LetterOpenerWeb.config.letters_location.to_s)
88
+ end
89
+
80
90
  def adjust_link_targets(contents)
81
91
  # We cannot feed the whole file to an XML parser as some mails are
82
92
  # "complete" (as in they have the whole <html> structure) and letter_opener
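Review bot: `base_dir_within_letters_location?` in the second hunk (`@@ -77,6 +79,14 @@`) is a bare string-prefix test, so a cleaned `base_dir` that is a sibling of the letters directory sharing its leading characters (base `.../tmp`, an id that cleans to `.../tmp_old`) passes, as does an id that cleans to the base directory itself — and `delete` in the first hunk then runs `rm_rf` on it. Anchor the check on the directory boundary instead, e.g. `base_dir.to_s.start_with?("#{LetterOpenerWeb.config.letters_location.cleanpath}/")`, or require `base_dir.parent == LetterOpenerWeb.config.letters_location.cleanpath`, since a cleaned `join(id)` is expected to sit exactly one level below the base. `cleanpath` is purely lexical; if `letters_location` may pass through a symlink the comparison should be made on `realpath`s, and either way the predicate deserves a one-line comment stating that it is the guard `delete` and `valid?` rely on. `base_dir` now calls `.join` on `letters_location`, which assumes the config already holds a `Pathname`; that constructor is outside this hunk, as are the start and end of the `Letter` class.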
@@ -9,7 +9,7 @@ module LetterOpenerWeb
9
9
  ENV['LAUNCHY_DRY_RUN'] = 'true'
10
10
 
11
11
  super
12
- rescue Launchy::CommandNotFoundError # rubocop:disable Lint/SuppressedException
12
+ rescue Launchy::CommandNotFoundError
13
13
  # Ignore for non-executable Launchy environment.
14
14
  ensure
15
15
  ENV['LAUNCHY_DRY_RUN'] = original
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module LetterOpenerWeb
4
- VERSION = '1.4.0'
4
+ VERSION = '1.4.1'
5
5
  end
@@ -32,7 +32,7 @@ describe LetterOpenerWeb::LettersController do
32
32
  shared_examples 'found letter examples' do |letter_style|
33
33
  before(:each) do
34
34
  expect(LetterOpenerWeb::Letter).to receive(:find).with(id).and_return(letter)
35
- expect(letter).to receive(:exists?).and_return(true)
35
+ expect(letter).to receive(:valid?).and_return(true)
36
36
  get :show, params: { id: id, style: letter_style }
37
37
  end
38
38
 
@@ -84,7 +84,7 @@ describe LetterOpenerWeb::LettersController do
84
84
 
85
85
  before do
86
86
  allow(LetterOpenerWeb::Letter).to receive(:find).with(id).and_return(letter)
87
- allow(letter).to receive(:exists?).and_return(true)
87
+ allow(letter).to receive(:valid?).and_return(true)
88
88
  end
89
89
 
90
90
  it 'sends the file as an inline attachment' do
@@ -118,9 +118,20 @@ describe LetterOpenerWeb::LettersController do
118
118
  let(:id) { 'an-id' }
119
119
 
120
120
  it 'removes the selected letter' do
121
- allow_any_instance_of(LetterOpenerWeb::Letter).to receive(:exists?).and_return(true)
121
+ allow_any_instance_of(LetterOpenerWeb::Letter).to receive(:valid?).and_return(true)
122
122
  expect_any_instance_of(LetterOpenerWeb::Letter).to receive(:delete)
123
123
  delete :destroy, params: { id: id }
124
124
  end
125
+
126
+ it 'throws a 404 if attachment is outside of the letters base path' do
127
+ bad_id = '../an-id'
128
+
129
+ allow_any_instance_of(LetterOpenerWeb::Letter).to receive(:valid?).and_return(false)
130
+ expect_any_instance_of(LetterOpenerWeb::Letter).not_to receive(:delete)
131
+
132
+ delete :destroy, params: { id: bad_id }
133
+
134
+ expect(response.status).to eq(404)
135
+ end
125
136
  end
126
137
  end
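Review bot: The new example at new lines 126–135 stubs `valid?` to `false` on every `Letter`, so `bad_id = '../an-id'` never reaches the path check and the example only shows that `load_letter` answers 404 when `valid?` is false; its title ('attachment is outside of the letters base path') and the `bad_id` name promise more than is tested, and the request is `delete :destroy`, not the attachment action. Either retitle it and use a plain id — `it 'returns 404 when the letter is not valid'` — or drop the `valid?` stub so the traversal id exercises `Letter#valid?` for real. The enclosing `describe` block starts and ends outside the hunk.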
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  describe LetterOpenerWeb::Letter do
4
- let(:location) { File.expand_path('../../tmp', __dir__) }
4
+ let(:location) { Pathname.new(__dir__).join('..', '..', 'tmp').cleanpath }
5
5
 
6
6
  def rich_text(mail_id)
7
7
  <<-MAIL
@@ -128,13 +128,24 @@ Rich text for #{mail_id}
128
128
 
129
129
  describe '#delete' do
130
130
  let(:id) { '1111_1111' }
131
+
131
132
  subject { described_class.new(id: id).delete }
132
133
 
133
- it'removes the letter with given id' do
134
+ it 'removes the letter with given id' do
134
135
  subject
135
136
  directories = Dir["#{location}/*"]
136
137
  expect(directories.count).to eql(1)
137
138
  expect(directories.first).not_to match(id)
138
139
  end
140
+
141
+ context 'when the id is outside of the letters base path' do
142
+ let(:id) { '../3333_3333' }
143
+
144
+ it 'does not remove the letter' do
145
+ expect(FileUtils).not_to receive(:rm_rf).with(location.join(id).cleanpath.to_s)
146
+
147
+ expect(subject).to be_nil
148
+ end
149
+ end
139
150
  end
140
151
  end
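Review bot: The new context at new lines 141–149 only covers an id that climbs above `location`; because `base_dir_within_letters_location?` is a string-prefix check, a sibling directory whose name extends `tmp` (say `let(:id) { '../tmp_other' }`) would still be accepted, so a second context asserting `rm_rf` is not called for such an id is the case this spec should pin down — with the current predicate that example fails, which is the point. `expect(FileUtils).not_to receive(:rm_rf).with(location.join(id).cleanpath.to_s)` ties the negative expectation to one exact argument; a bare `expect(FileUtils).not_to receive(:rm_rf)` states the intent (nothing is deleted) more directly. The `describe '#delete'` block continues outside the hunk.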
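--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -1,5 +1,13 @@
 # frozen_string_literal: true
 
+require 'simplecov'
+SimpleCov.start
+
+if ENV.fetch('CI', '') == 'true'
+require 'codecov'
+SimpleCov.formatter = SimpleCov::Formatter::Codecov
+end
+
 require 'shoulda-matchers'
 
 RSpec.configure do |config|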
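--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: letter_opener_web
 version: !ruby/object:Gem::Version
-version: 1.4.0
+version: 1.4.1
 platform: ruby
 authors:
 - Fabio Rehm
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-01-30 00:00:00.000000000 Z
+date: 2021-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: actionmailer
@@ -217,8 +217,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.7
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Gives letter_opener an interface for browsing sent emails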