RubyGems - mascot - Versions diffs - 0.1.3 → 0.1.4 - Mend

mascot 0.1.3 → 0.1.4

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3076800f4b6e26c015d5ebd26ef066554c791740
-  data.tar.gz: 623e0ab9c640f0176f1358b318252ece1d14cae2
+  metadata.gz: 9d18ef5037dc7af6b3f592ed65bf3b67f5099854
+  data.tar.gz: 0bd16879741ce6a7f936e5156e22b6055e196717
 SHA512:
-  metadata.gz: ff1773ff6586b2f6f3da6158abe7177b0208db6235ed6bcdb2f2c6f050e0ec24a05e44001565365a262a7816dd68c4c0564ee93a39a58925ea7ac43c02aa9d31
-  data.tar.gz: 62826327d9c4b2605f1348053b9abce0d80384e7caa3acee6c36ef4dbfcf8f51a78f2ab572231f088bc3a89a5f58b13ce5004894adec50550dc928132e5b38eb
+  metadata.gz: 342b222a5a1f7ad3624611039b892fbf0a2c95f8e7e18132e55577fd17e3c0c8f6926da069dd750995789eb155f117c2560dd733e550703882b0fd506ab11d1f
+  data.tar.gz: 9712af3200ea7ad081b6e4c5996ac0aca96e5cae4857e3cf5a048556fd57952beeec0472effabf1e795307f2e0d0cb9c31ba769275422243e4c677ac66d2ae97

data/lib/mascot/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Mascot
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/lib/mascot.rb CHANGED Viewed

@@ -6,6 +6,9 @@ require "yaml"
 require "mime/types"
 module Mascot
+  # Raised if a user attempts to access a resource outside of the sitemap path.
+  InsecurePathAccessError = Class.new(SecurityError)
   # Parses metadata from the header of the page.
   class Frontmatter
     DELIMITER = "---".freeze
@@ -91,13 +94,14 @@ module Mascot
     # Lazy stream of resources.
     def resources(glob = DEFAULT_GLOB)
-      Dir[@file_path.join(glob)].select(&File.method(:file?)).lazy.map do |path|
+      Dir[validate_path(@file_path.join(glob))].select(&File.method(:file?)).lazy.map do |path|
         Resource.new request_path: request_path(path), file_path: path
       end
     end
     # Find the page with a path.
     def find_by_request_path(request_path)
+      return if request_path.nil?
       resources.find { |r| r.request_path == File.join("/", request_path) }
     end
@@ -110,6 +114,20 @@ module Mascot
     end
     private
+    # Make sure the user is accessing a file within the root path of the
+    # sitemap.
+    def validate_path(path)
+      root_path = @file_path.expand_path.to_s
+      resource_path = path.expand_path.to_s
+      if resource_path.start_with? root_path
+        path
+      else
+        raise Mascot::InsecurePathAccessError, "#{resource_path} outside sitemap #{root_path} directory"
+      end
+    end
     # Given a @file_path of `/hi`, this method changes `/hi/there/friend.html.erb`
     # to an absolute `/there/friend` format by removing the file extensions
     def request_path(path)

data/mascot.gemspec CHANGED Viewed

@@ -20,6 +20,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 1.11"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "pry"
   spec.add_runtime_dependency "mime-types", ">= 2.99"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: mascot
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Brad Gessler
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-07-23 00:00:00.000000000 Z
+date: 2016-07-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: mime-types
   requirement: !ruby/object:Gem::Requirement