mascot 0.1.3 → 0.1.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 3076800f4b6e26c015d5ebd26ef066554c791740
4
- data.tar.gz: 623e0ab9c640f0176f1358b318252ece1d14cae2
3
+ metadata.gz: 9d18ef5037dc7af6b3f592ed65bf3b67f5099854
4
+ data.tar.gz: 0bd16879741ce6a7f936e5156e22b6055e196717
5
5
  SHA512:
6
- metadata.gz: ff1773ff6586b2f6f3da6158abe7177b0208db6235ed6bcdb2f2c6f050e0ec24a05e44001565365a262a7816dd68c4c0564ee93a39a58925ea7ac43c02aa9d31
7
- data.tar.gz: 62826327d9c4b2605f1348053b9abce0d80384e7caa3acee6c36ef4dbfcf8f51a78f2ab572231f088bc3a89a5f58b13ce5004894adec50550dc928132e5b38eb
6
+ metadata.gz: 342b222a5a1f7ad3624611039b892fbf0a2c95f8e7e18132e55577fd17e3c0c8f6926da069dd750995789eb155f117c2560dd733e550703882b0fd506ab11d1f
7
+ data.tar.gz: 9712af3200ea7ad081b6e4c5996ac0aca96e5cae4857e3cf5a048556fd57952beeec0472effabf1e795307f2e0d0cb9c31ba769275422243e4c677ac66d2ae97
@@ -1,3 +1,3 @@
1
1
  module Mascot
2
- VERSION = "0.1.3"
2
+ VERSION = "0.1.4"
3
3
  end
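--- a/data/lib/mascot.rb
+++ b/data/lib/mascot.rb
@@ -6,6 +6,9 @@ require "yaml"
  require "mime/types"
 
  module Mascot
+ # Raised if a user attempts to access a resource outside of the sitemap path.
+ InsecurePathAccessError = Class.new(SecurityError)
+
  # Parses metadata from the header of the page.
  class Frontmatter
  DELIMITER = "---".freeze
@@ -91,13 +94,14 @@ module Mascot
 
  # Lazy stream of resources.
  def resources(glob = DEFAULT_GLOB)
- Dir[@file_path.join(glob)].select(&File.method(:file?)).lazy.map do |path|
+ Dir[validate_path(@file_path.join(glob))].select(&File.method(:file?)).lazy.map do |path|
  Resource.new request_path: request_path(path), file_path: path
  end
  end
 
  # Find the page with a path.
  def find_by_request_path(request_path)
+ return if request_path.nil?
  resources.find { |r| r.request_path == File.join("/", request_path) }
  end
 
@@ -110,6 +114,20 @@ module Mascot
  end
 
  private
+
+ # Make sure the user is accessing a file within the root path of the
+ # sitemap.
+ def validate_path(path)
+ root_path = @file_path.expand_path.to_s
+ resource_path = path.expand_path.to_s
+
+ if resource_path.start_with? root_path
+ path
+ else
+ raise Mascot::InsecurePathAccessError, "#{resource_path} outside sitemap #{root_path} directory"
+ end
+ end
+
  # Given a @file_path of `/hi`, this method changes `/hi/there/friend.html.erb`
  # to an absolute `/there/friend` format by removing the file extensions
  def request_path(path)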
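Review bot: The containment test in validate_path (third hunk) is a bare string prefix check, so a sibling directory whose name merely starts with the root's name (a root of `/srv/site` and a path under `/srv/site-old`, constructed example) is accepted as if it were inside the sitemap; compare against the root with a trailing separator instead, `return path if resource_path == root_path || resource_path.start_with?(File.join(root_path, ""))`. expand_path normalises `..` segments but does not resolve symlinks, so an entry below the root that links elsewhere still passes — `File.realpath` would close that if it matters for this deployment. The value being validated is the glob handed to resources, not the request path in find_by_request_path (which is only compared against already-enumerated request_paths), so the new comment `# Make sure the user is accessing a file within the root path of the sitemap.` overstates what is checked; `# Ensure the glob passed to resources stays within the sitemap root.` is closer. The raised message also embeds the absolute root_path, which is worth keeping out of anything rendered to clients.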
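--- a/data/mascot.gemspec
+++ b/data/mascot.gemspec
@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
  spec.add_development_dependency "bundler", "~> 1.11"
  spec.add_development_dependency "rake", "~> 10.0"
  spec.add_development_dependency "rspec", "~> 3.0"
+ spec.add_development_dependency "pry"
 
  spec.add_runtime_dependency "mime-types", ">= 2.99"
  end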
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: mascot
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Brad Gessler
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-07-23 00:00:00.000000000 Z
11
+ date: 2016-07-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -52,6 +52,20 @@ dependencies:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
54
  version: '3.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: pry
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - ">="
60
+ - !ruby/object:Gem::Version
61
+ version: '0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - ">="
67
+ - !ruby/object:Gem::Version
68
+ version: '0'
55
69
  - !ruby/object:Gem::Dependency
56
70
  name: mime-types
57
71
  requirement: !ruby/object:Gem::Requirement