RubyGems - pact_broker - Versions diffs - 2.54.0 → 2.58.0 - Mend

pact_broker 2.54.0 → 2.58.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +73 -0
data/example/config.ru +1 -1
data/lib/pact_broker/api/contracts/verification_contract.rb +2 -0
data/lib/pact_broker/api/contracts/webhook_contract.rb +6 -4
data/lib/pact_broker/api/decorators/reason_decorator.rb +17 -0
data/lib/pact_broker/api/pact_broker_urls.rb +2 -2
data/lib/pact_broker/api/renderers/html_pact_renderer.rb +14 -14
data/lib/pact_broker/api/resources/base_resource.rb +5 -0
data/lib/pact_broker/api/resources/error_handler.rb +10 -3
data/lib/pact_broker/api/resources/latest_pact.rb +1 -1
data/lib/pact_broker/api/resources/pact.rb +3 -3
data/lib/pact_broker/app.rb +24 -4
data/lib/pact_broker/configuration.rb +15 -0
data/lib/pact_broker/db.rb +9 -1
data/lib/pact_broker/db/log_quietener.rb +7 -4
data/lib/pact_broker/doc/controllers/app.rb +11 -1
data/lib/pact_broker/doc/views/layouts/main.haml +1 -1
data/lib/pact_broker/domain/verification.rb +13 -0
data/lib/pact_broker/hash_refinements.rb +39 -0
data/lib/pact_broker/integrations/service.rb +2 -2
data/lib/pact_broker/locale/en.yml +4 -0
data/lib/pact_broker/logging.rb +14 -4
data/lib/pact_broker/logging/default_formatter.rb +3 -1
data/lib/pact_broker/matrix/deployment_status_summary.rb +23 -1
data/lib/pact_broker/matrix/reason.rb +9 -0
data/lib/pact_broker/pacts/content.rb +26 -2
data/lib/pact_broker/pacts/repository.rb +2 -2
data/lib/pact_broker/tasks/migration_task.rb +20 -1
data/lib/pact_broker/ui/app.rb +1 -0
data/lib/pact_broker/ui/controllers/base_controller.rb +1 -1
data/lib/pact_broker/ui/controllers/clusters.rb +2 -2
data/lib/pact_broker/ui/controllers/groups.rb +3 -2
data/lib/pact_broker/ui/controllers/index.rb +3 -2
data/lib/pact_broker/ui/controllers/matrix.rb +5 -3
data/lib/pact_broker/ui/helpers/url_helper.rb +4 -4
data/lib/pact_broker/ui/view_models/index_item.rb +16 -11
data/lib/pact_broker/ui/view_models/index_items.rb +2 -2
data/lib/pact_broker/ui/view_models/matrix_line.rb +12 -7
data/lib/pact_broker/ui/view_models/matrix_lines.rb +2 -2
data/lib/pact_broker/ui/views/groups/show.html.erb +3 -3
data/lib/pact_broker/ui/views/index/_css_and_js.haml +9 -9
data/lib/pact_broker/ui/views/index/_navbar.haml +3 -3
data/lib/pact_broker/ui/views/index/_pagination.haml +1 -1
data/lib/pact_broker/ui/views/index/show-with-tags.haml +3 -3
data/lib/pact_broker/ui/views/index/show.haml +3 -3
data/lib/pact_broker/ui/views/layouts/main.haml +4 -4
data/lib/pact_broker/ui/views/matrix/show.haml +10 -10
data/lib/pact_broker/verifications/repository.rb +2 -2
data/lib/pact_broker/version.rb +1 -1
data/lib/pact_broker/webhooks/service.rb +4 -3
data/lib/rack/pact_broker/invalid_uri_protection.rb +25 -4
data/lib/rack/pact_broker/use_when.rb +55 -0
data/pact_broker.gemspec +3 -3
data/public/javascripts/pact.js +7 -6
data/script/foo-bar-verification.json +3 -1
data/script/foo-bar.json +11 -0
data/script/seed.rb +1 -1
data/spec/features/delete_integration_spec.rb +2 -2
data/spec/integration/ui/index_spec.rb +16 -0
data/spec/integration/ui/matrix_spec.rb +1 -1
data/spec/lib/pact_broker/api/contracts/verification_contract_spec.rb +18 -4
data/spec/lib/pact_broker/api/decorators/reason_decorator_spec.rb +18 -1
data/spec/lib/pact_broker/api/renderers/html_pact_renderer_spec.rb +1 -1
data/spec/lib/pact_broker/api/resources/latest_pact_spec.rb +1 -0
data/spec/lib/pact_broker/api/resources/pact_spec.rb +1 -0
data/spec/lib/pact_broker/db/log_quietener_spec.rb +10 -0
data/spec/lib/pact_broker/doc/controllers/app_spec.rb +16 -0
data/spec/lib/pact_broker/hash_refinements_spec.rb +24 -0
data/spec/lib/pact_broker/integrations/service_spec.rb +6 -0
data/spec/lib/pact_broker/matrix/deployment_status_summary_spec.rb +6 -2
data/spec/lib/pact_broker/matrix/integration_spec.rb +43 -0
data/spec/lib/pact_broker/pacts/content_spec.rb +125 -0
data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb +23 -3
data/spec/lib/rack/pact_broker/use_when_spec.rb +49 -0
data/vendor/hal-browser/browser.html +5 -2
metadata +27 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9147b88a513fab2205b74006fcba47e6aff79b52205bc04d639f15cdc4078d12
-  data.tar.gz: 784bae2c2977392c3671580ca59f094da810aed6ef842e66eec540d531cd00f5
+  metadata.gz: e9b3ca0a02cb3eb39138704d804ed6a9997aa044cf0729059175d24acf02794f
+  data.tar.gz: 619a828a1ab0f7b1d5677525c5d52b82ec785455a19c0603ce18a3981be81eb7
 SHA512:
-  metadata.gz: 6e8928e7c7b4d393d618e1ceec3b7e1a72d32db2e52c32f4e87a434ecce2857180a96db4a7103070fbddf8fd2d5661a411d273bc05c77042c22e68e1c5137912
-  data.tar.gz: 551c37f0fc7d63b11076adc2067800b7e2fd70ed52030859f07d287f80236d60520f60f67c91b9f1c3dca2695579a39021fe1b83ef5e5cccd8a05714f756c3a2
+  metadata.gz: 80e5a6272e05b35ff82a5a08fc26cb8acc2729d64b969f3764dbd1bb6be4ed168722d884ca635fe85dc58946c085dc60d65b1d4c95cc0fc8d9437a9f8aaa3356
+  data.tar.gz: d094ef10bf315a635afd6c6ef52148ac25c2e03afafcbb5e53b411c4ff2e676fd01d9db45414be4354054396547ae182b4991beadf6e6f0de63045cb38b2ccde

data/CHANGELOG.md CHANGED

@@ -1,3 +1,76 @@
+<a name="v2.58.0"></a>
+### v2.58.0 (2020-06-19)
+#### Features
+* log foreign key constraint errors as warn as 99% of the time they are transitory and unreproducible and should not cause alarms to be raised	 ([71fd0270](/../../commit/71fd0270))
+* use structured logs for logging errors	 ([1e097b37](/../../commit/1e097b37))
+#### Bug Fixes
+* fix: update sanitize gem for CVE-2020-4054	 ([2af4bf9d](/../../commit/2af4bf9d))
+* do not parse the provider version as a semantic version when order_versions_by_date is true	 ([bf30024f](/../../commit/bf30024f))
+<a name="v2.57.0"></a>
+### v2.57.0 (2020-06-16)
+#### Features
+* add Content Security Policy header	 ([fd2e81fb](/../../commit/fd2e81fb))
+#### Bug Fixes
+* upgrade Rack for vulnerability CVE-2020-8184	 ([99b78b3c](/../../commit/99b78b3c))
+* fix Home link on pact page	 ([081d1586](/../../commit/081d1586))
+* return a 422 if the URL path contains a new line or tab	 ([db9f7f4d](/../../commit/db9f7f4d))
+<a name="v2.56.1"></a>
+### v2.56.1 (2020-06-01)
+#### Bug Fixes
+* **matrix ui**
+  * fix home link	 ([67065b7d](/../../commit/67065b7d))
+<a name="v2.56.0"></a>
+### v2.56.0 (2020-06-01)
+#### Features
+* **database**
+  * log schema versions and migration info on startup	 ([b385e535](/../../commit/b385e535))
+  * allow options to be passed to Sequel migrate via the MigrationTask	 ([143613e7](/../../commit/143613e7))
+* allow Pactflow messages in logs to be hidden by setting PACT_BROKER_HIDE_PACTFLOW_MESSAGES=true	 ([a7550105](/../../commit/a7550105))
+* **can-i-deploy**
+  * experimental - add a warning message if there are interactions missing verification test results.	 ([f7ab8cc5](/../../commit/f7ab8cc5))
+#### Bug Fixes
+* use relative URLs when base_url not explictly set to ensure app is not vulnerable to host header attacks	 ([92c45a0a](/../../commit/92c45a0a))
+* raise PactBroker::Error when either pacticipant is not found in the business layer while attempting to delete an integration	 ([3c209a46](/../../commit/3c209a46))
+<a name="v2.55.0"></a>
+### v2.55.0 (2020-05-22)
+#### Features
+* support non root context (#344)	 ([dc480499](/../../commit/dc480499))
 <a name="v2.54.0"></a>
 ### v2.54.0 (2020-05-13)

data/example/config.ru CHANGED

@@ -8,7 +8,7 @@ ENV['RACK_ENV'] ||= 'production'
 # Create a real database, and set the credentials for it here
 # It is highly recommended to set the encoding to utf8
-DATABASE_CREDENTIALS = {adapter: "sqlite", database: "pact_broker_database.sqlite3", :encoding => 'utf8'}
+DATABASE_CREDENTIALS = { adapter: "sqlite", database: "pact_broker_database.sqlite3", :encoding => 'utf8', sql_log_level: :debug }
 # For postgres:
 #

data/lib/pact_broker/api/contracts/verification_contract.rb CHANGED

@@ -25,6 +25,8 @@ module PactBroker
             end
             def valid_version_number?(value)
+              return true if PactBroker.configuration.order_versions_by_date
               parsed_version_number = PactBroker.configuration.version_parser.call(value)
               !!parsed_version_number
             end

data/lib/pact_broker/api/contracts/webhook_contract.rb CHANGED

@@ -14,11 +14,13 @@ module PactBroker
           # I just cannot seem to get the validation to stop on the first error.
           # If one rule fails, they all come back failed, and it's driving me nuts.
           # Why on earth would I want that behaviour?
-          new_errors = Reform::Contract::Errors.new
-          errors.messages.each do | key, value |
-            new_errors.add(key, value.first)
+          # I cannot believe I have to do this shit.
+          @first_errors = errors
+          @first_errors.messages.keys.each do | key |
+            @first_errors.messages[key] = @first_errors.messages[key][0...1]
           end
-          @errors = new_errors
+          def self.errors; @first_errors end
           result
         end

data/lib/pact_broker/api/decorators/reason_decorator.rb CHANGED

@@ -22,6 +22,11 @@ module PactBroker
             "There are no missing dependencies"
           when PactBroker::Matrix::Successful
             "All required verification results are published and successful"
+          when PactBroker::Matrix::InteractionsMissingVerifications
+            descriptions = reason.interactions.collect do | interaction |
+              interaction_description(interaction)
+            end.join('; ')
+            "WARNING: Although the verification was reported as successful, the results for #{reason.consumer_selector.description} and #{reason.provider_selector.description} may be missing tests for the following interactions: #{descriptions}"
           else
             reason
           end
@@ -44,6 +49,18 @@ module PactBroker
             ""
           end
         end
+        # TODO move this somewhere else
+        def interaction_description(interaction)
+          if interaction['providerState'] && interaction['providerState'] != ''
+            "#{interaction['description']} given #{interaction['providerState']}"
+          elsif interaction['providerStates'] && interaction['providerStates'].is_a?(Array) && interaction['providerStates'].any?
+            provider_states = interaction['providerStates'].collect{ |ps| ps['name'] }.compact.join(', ')
+            "#{interaction['description']} given #{provider_states}"
+          else
+            interaction['description']
+          end
+        end
       end
     end
   end

data/lib/pact_broker/api/pact_broker_urls.rb CHANGED

@@ -284,8 +284,8 @@ module PactBroker
         "#{base_url}/groups/#{pacticipant_name}"
       end
-      def hal_browser_url target_url
-        "/hal-browser/browser.html#" + target_url
+      def hal_browser_url target_url, base_url = ''
+        "#{base_url}/hal-browser/browser.html#" + target_url
       end
       def url_encode param

data/lib/pact_broker/api/renderers/html_pact_renderer.rb CHANGED

@@ -37,18 +37,18 @@ module PactBroker
         def head
          "<title>#{title}</title>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/pact.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github-json.css'>
-          <link rel='stylesheet' type='text/css' href='/css/bootstrap.min.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/material-menu.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/jquery-confirm.min.css'>
-          <script src='/javascripts/highlight.pack.js'></script>
-          <script src='/javascripts/jquery-3.3.1.min.js'></script>
-          <script src='/js/bootstrap.min.js'></script>
-          <script src='/javascripts/material-menu.js'></script>
-          <script src='/javascripts/pact.js'></script>
-          <script src='/javascripts/jquery-confirm.min.js'></script>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/pact.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github-json.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/css/bootstrap.min.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/material-menu.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/jquery-confirm.min.css'>
+          <script src='#{base_url}/javascripts/highlight.pack.js'></script>
+          <script src='#{base_url}/javascripts/jquery-3.3.1.min.js'></script>
+          <script src='#{base_url}/js/bootstrap.min.js'></script>
+          <script src='#{base_url}/javascripts/material-menu.js'></script>
+          <script src='#{base_url}/javascripts/pact.js'></script>
+          <script src='#{base_url}/javascripts/jquery-confirm.min.js'></script>
           <script>hljs.initHighlightingOnLoad();</script>"
         end
@@ -72,7 +72,7 @@ module PactBroker
                 <a href=\"#{matrix_url}\">View Matrix</a>
               </li>
               <li>
-                <a href=\"/\">Home</a>
+                <a href=\"#{base_url}/\">Home</a>
               </li>
               <li>
                 <span data-consumer-name=\"#{@pact.consumer.name}\"
@@ -129,7 +129,7 @@ module PactBroker
         end
         def json_url
-          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url
+          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url, base_url
         end
         def pact_url

data/lib/pact_broker/api/resources/base_resource.rb CHANGED

@@ -62,6 +62,11 @@ module PactBroker
           PactBroker.configuration.base_url || request.base_uri.to_s.chomp('/')
         end
+        # See comments for base_url in lib/pact_broker/doc/controllers/app.rb
+        def ui_base_url
+          PactBroker.configuration.base_url || ''
+        end
         def charsets_provided
           [['utf-8', :encode]]
         end

data/lib/pact_broker/api/resources/error_handler.rb CHANGED

@@ -8,13 +8,16 @@ module PactBroker
         include PactBroker::Logging
+        WARNING_ERROR_CLASSES = [Sequel::ForeignKeyConstraintViolation]
         def self.call e, request, response
           error_reference = generate_error_reference
-          if reportable?(e)
+          if log_as_warning?(e)
+            logger.warn("Error reference #{error_reference}", e)
+          elsif reportable?(e)
             log_error(e, "Error reference #{error_reference}")
             report(e, error_reference, request)
-          else
-            logger.info "Error reference #{error_reference} - #{e.class} #{e.message}\n#{e.backtrace.join("\n")}"
+            logger.info("Error reference #{error_reference}", e)
           end
           response.body = response_body_hash(e, error_reference).to_json
         end
@@ -27,6 +30,10 @@ module PactBroker
           !e.is_a?(PactBroker::Error) && !e.is_a?(JSON::GeneratorError)
         end
+        def self.log_as_warning?(e)
+          WARNING_ERROR_CLASSES.any? { |clazz| e.is_a?(clazz) }
+        end
         def self.display_message(e, error_reference)
           if PactBroker.configuration.show_backtrace_in_error_response?
             e.message || obfuscated_error_message(error_reference)

data/lib/pact_broker/api/resources/latest_pact.rb CHANGED

@@ -36,7 +36,7 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
+              base_url: ui_base_url,
               badge_url: "#{resource_url}/badge.svg"
           })
         end

data/lib/pact_broker/api/resources/pact.rb CHANGED

@@ -77,8 +77,8 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
-              badge_url: badge_url_for_latest_pact(pact, base_url)
+              base_url: ui_base_url,
+              badge_url: badge_url_for_latest_pact(pact, ui_base_url)
           })
         end
@@ -100,7 +100,7 @@ module PactBroker
         def set_post_deletion_response
           latest_pact = pact_service.find_latest_pact(pact_params)
-          response_body = { "_links" => {} }
+          response_body = { "_links" => { index: { href: base_url } } }
           if latest_pact
             response_body["_links"]["pb:latest-pact-version"] = {
               href: latest_pact_url(base_url, latest_pact),

data/lib/pact_broker/app.rb CHANGED

@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
 require 'rack/pact_broker/convert_404_to_hal'
 require 'rack/pact_broker/reset_thread_data'
 require 'rack/pact_broker/add_vary_header'
+require 'rack/pact_broker/use_when'
 require 'sucker_punch'
 module PactBroker
   class App
     include PactBroker::Logging
+    using Rack::PactBroker::UseWhen
     attr_accessor :configuration
@@ -81,11 +83,18 @@ module PactBroker
     end
     def prepare_database
+      logger.info "Database schema version is #{PactBroker::DB.version(configuration.database_connection)}"
       if configuration.auto_migrate_db
-        logger.info "Migrating database"
-        PactBroker::DB.run_migrations configuration.database_connection, allow_missing_migration_files: configuration.allow_missing_migration_files
+        migration_options = { allow_missing_migration_files: configuration.allow_missing_migration_files }
+        if PactBroker::DB.is_current?(configuration.database_connection, migration_options)
+          logger.info "Skipping database migrations as the latest migration has already been applied"
+        else
+          logger.info "Migrating database schema"
+          PactBroker::DB.run_migrations configuration.database_connection, migration_options
+          logger.info "Database schema version is now #{PactBroker::DB.version(configuration.database_connection)}"
+        end
       else
-        logger.info "Skipping database migrations"
+        logger.info "Skipping database schema migrations as database auto migrate is disabled"
       end
       if configuration.auto_migrate_db_data
@@ -155,6 +164,15 @@ module PactBroker
       # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
       if configuration.use_rack_protection
         @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+        is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
+        not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
+        @app_builder.use_when not_hal_browser,
+          Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
+        @app_builder.use_when is_hal_browser,
+          Rack::Protection::ContentSecurityPolicy,
+          configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
       end
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::ResetThreadData
@@ -232,7 +250,9 @@ module PactBroker
     end
     def print_startup_message
-      logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      if ENV['PACT_BROKER_HIDE_PACTFLOW_MESSAGES'] != 'true'
+        logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      end
     end
   end
 end

data/lib/pact_broker/configuration.rb CHANGED

@@ -43,6 +43,7 @@ module PactBroker
     attr_accessor :semver_formats
     attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
     attr_accessor :disable_ssl_verification
+    attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
     attr_accessor :base_equality_only_on_content_that_affects_verification_results
     attr_reader :api_error_reporters
     attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
       config.webhook_http_method_whitelist = ['POST']
       config.webhook_scheme_whitelist = ['https']
       config.webhook_host_whitelist = []
+      # TODO get rid of unsafe-inline
+      config.content_security_policy = {
+        script_src: "'self' 'unsafe-inline'",
+        style_src: "'self' 'unsafe-inline'",
+        img_src: "'self' data:",
+        font_src: "'self' data:",
+        base_uri: "'self'",
+        frame_src: "'self'",
+        frame_ancestors: "'self'"
+      }
+      config.hal_browser_content_security_policy_overrides = {
+        script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
+        frame_ancestors: "'self'"
+      }
       config
     end

data/lib/pact_broker/db.rb CHANGED

@@ -2,12 +2,12 @@ require 'sequel'
 require 'pact_broker/db/validate_encoding'
 require 'pact_broker/db/migrate'
 require 'pact_broker/db/migrate_data'
+require 'pact_broker/db/version'
 Sequel.datetime_class = DateTime
 module PactBroker
   module DB
     MIGRATIONS_DIR = File.expand_path("../../../db/migrations", __FILE__)
     def self.connection= connection
@@ -27,6 +27,14 @@ module PactBroker
       PactBroker::DB::MigrateData.(database_connection)
     end
+    def self.is_current? database_connection, options = {}
+      Sequel::TimestampMigrator.is_current?(database_connection, PactBroker::DB::MIGRATIONS_DIR, options)
+    end
+    def self.version database_connection
+      PactBroker::DB::Version.call(database_connection)
+    end
     def self.validate_connection_config
       PactBroker::DB::ValidateEncoding.(connection)
     end

data/lib/pact_broker/db/log_quietener.rb CHANGED

@@ -9,13 +9,11 @@ require 'delegate'
 module PactBroker
   module DB
     class LogQuietener < SimpleDelegator
-      def info *args
-        __getobj__().debug(*args)
-      end
       def error *args
         if error_is_about_table_not_existing?(args)
           __getobj__().debug(*reassure_people_that_this_is_expected(args))
+        elsif foreign_key_error?(args)
+          __getobj__().warn(*args)
         else
           __getobj__().error(*args)
         end
@@ -28,6 +26,11 @@ module PactBroker
             args.first.include?("no such view"))
       end
+      # Foreign key exceptions are almost always transitory and unreproducible by this stage
+      def foreign_key_error?(args)
+        args.first.is_a?(String) && args.first.downcase.include?("foreign key")
+      end
       def reassure_people_that_this_is_expected(args)
         message = args.shift
         message = message + " Don't panic. This happens when Sequel doesn't know if a table/view exists or not."

data/lib/pact_broker/doc/controllers/app.rb CHANGED

@@ -33,7 +33,7 @@ module PactBroker
         get ":rel_name" do
           rel_name = params[:rel_name]
           context = params[:context]
-          view_params = {:layout_engine => :haml, layout: :'layouts/main'}
+          view_params = {:layout_engine => :haml, layout: :'layouts/main', locals: { base_url: base_url }}
           if resource_exists? rel_name, context
             markdown view_name_for(rel_name, context).to_sym, view_params, {}
           elsif resource_exists? rel_name
@@ -42,6 +42,16 @@ module PactBroker
             markdown :not_found, view_params, {}
           end
         end
+        private
+        def base_url
+          # Using the X-Forwarded headers in the UI can leave the app vulnerable
+          # https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+          # Either use the explicitly configured base url or an empty string,
+          # rather than request.base_url, which uses the X-Forwarded headers.
+          PactBroker.configuration.base_url || ''
+        end
       end
     end
   end