RubyGems - pact_broker - Versions diffs - 2.54.0 → 2.58.0 - Mend

pact_broker 2.54.0 → 2.58.0

Files changed (77) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +73 -0
data/example/config.ru +1 -1
data/lib/pact_broker/api/contracts/verification_contract.rb +2 -0
data/lib/pact_broker/api/contracts/webhook_contract.rb +6 -4
data/lib/pact_broker/api/decorators/reason_decorator.rb +17 -0
data/lib/pact_broker/api/pact_broker_urls.rb +2 -2
data/lib/pact_broker/api/renderers/html_pact_renderer.rb +14 -14
data/lib/pact_broker/api/resources/base_resource.rb +5 -0
data/lib/pact_broker/api/resources/error_handler.rb +10 -3
data/lib/pact_broker/api/resources/latest_pact.rb +1 -1
data/lib/pact_broker/api/resources/pact.rb +3 -3
data/lib/pact_broker/app.rb +24 -4
data/lib/pact_broker/configuration.rb +15 -0
data/lib/pact_broker/db.rb +9 -1
data/lib/pact_broker/db/log_quietener.rb +7 -4
data/lib/pact_broker/doc/controllers/app.rb +11 -1
data/lib/pact_broker/doc/views/layouts/main.haml +1 -1
data/lib/pact_broker/domain/verification.rb +13 -0
data/lib/pact_broker/hash_refinements.rb +39 -0
data/lib/pact_broker/integrations/service.rb +2 -2
data/lib/pact_broker/locale/en.yml +4 -0
data/lib/pact_broker/logging.rb +14 -4
data/lib/pact_broker/logging/default_formatter.rb +3 -1
data/lib/pact_broker/matrix/deployment_status_summary.rb +23 -1
data/lib/pact_broker/matrix/reason.rb +9 -0
data/lib/pact_broker/pacts/content.rb +26 -2
data/lib/pact_broker/pacts/repository.rb +2 -2
data/lib/pact_broker/tasks/migration_task.rb +20 -1
data/lib/pact_broker/ui/app.rb +1 -0
data/lib/pact_broker/ui/controllers/base_controller.rb +1 -1
data/lib/pact_broker/ui/controllers/clusters.rb +2 -2
data/lib/pact_broker/ui/controllers/groups.rb +3 -2
data/lib/pact_broker/ui/controllers/index.rb +3 -2
data/lib/pact_broker/ui/controllers/matrix.rb +5 -3
data/lib/pact_broker/ui/helpers/url_helper.rb +4 -4
data/lib/pact_broker/ui/view_models/index_item.rb +16 -11
data/lib/pact_broker/ui/view_models/index_items.rb +2 -2
data/lib/pact_broker/ui/view_models/matrix_line.rb +12 -7
data/lib/pact_broker/ui/view_models/matrix_lines.rb +2 -2
data/lib/pact_broker/ui/views/groups/show.html.erb +3 -3
data/lib/pact_broker/ui/views/index/_css_and_js.haml +9 -9
data/lib/pact_broker/ui/views/index/_navbar.haml +3 -3
data/lib/pact_broker/ui/views/index/_pagination.haml +1 -1
data/lib/pact_broker/ui/views/index/show-with-tags.haml +3 -3
data/lib/pact_broker/ui/views/index/show.haml +3 -3
data/lib/pact_broker/ui/views/layouts/main.haml +4 -4
data/lib/pact_broker/ui/views/matrix/show.haml +10 -10
data/lib/pact_broker/verifications/repository.rb +2 -2
data/lib/pact_broker/version.rb +1 -1
data/lib/pact_broker/webhooks/service.rb +4 -3
data/lib/rack/pact_broker/invalid_uri_protection.rb +25 -4
data/lib/rack/pact_broker/use_when.rb +55 -0
data/pact_broker.gemspec +3 -3
data/public/javascripts/pact.js +7 -6
data/script/foo-bar-verification.json +3 -1
data/script/foo-bar.json +11 -0
data/script/seed.rb +1 -1
data/spec/features/delete_integration_spec.rb +2 -2
data/spec/integration/ui/index_spec.rb +16 -0
data/spec/integration/ui/matrix_spec.rb +1 -1
data/spec/lib/pact_broker/api/contracts/verification_contract_spec.rb +18 -4
data/spec/lib/pact_broker/api/decorators/reason_decorator_spec.rb +18 -1
data/spec/lib/pact_broker/api/renderers/html_pact_renderer_spec.rb +1 -1
data/spec/lib/pact_broker/api/resources/latest_pact_spec.rb +1 -0
data/spec/lib/pact_broker/api/resources/pact_spec.rb +1 -0
data/spec/lib/pact_broker/db/log_quietener_spec.rb +10 -0
data/spec/lib/pact_broker/doc/controllers/app_spec.rb +16 -0
data/spec/lib/pact_broker/hash_refinements_spec.rb +24 -0
data/spec/lib/pact_broker/integrations/service_spec.rb +6 -0
data/spec/lib/pact_broker/matrix/deployment_status_summary_spec.rb +6 -2
data/spec/lib/pact_broker/matrix/integration_spec.rb +43 -0
data/spec/lib/pact_broker/pacts/content_spec.rb +125 -0
data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb +23 -3
data/spec/lib/rack/pact_broker/use_when_spec.rb +49 -0
data/vendor/hal-browser/browser.html +5 -2
metadata +27 -6

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9147b88a513fab2205b74006fcba47e6aff79b52205bc04d639f15cdc4078d12
-  data.tar.gz: 784bae2c2977392c3671580ca59f094da810aed6ef842e66eec540d531cd00f5
+  metadata.gz: e9b3ca0a02cb3eb39138704d804ed6a9997aa044cf0729059175d24acf02794f
+  data.tar.gz: 619a828a1ab0f7b1d5677525c5d52b82ec785455a19c0603ce18a3981be81eb7
 SHA512:
-  metadata.gz: 6e8928e7c7b4d393d618e1ceec3b7e1a72d32db2e52c32f4e87a434ecce2857180a96db4a7103070fbddf8fd2d5661a411d273bc05c77042c22e68e1c5137912
-  data.tar.gz: 551c37f0fc7d63b11076adc2067800b7e2fd70ed52030859f07d287f80236d60520f60f67c91b9f1c3dca2695579a39021fe1b83ef5e5cccd8a05714f756c3a2
+  metadata.gz: 80e5a6272e05b35ff82a5a08fc26cb8acc2729d64b969f3764dbd1bb6be4ed168722d884ca635fe85dc58946c085dc60d65b1d4c95cc0fc8d9437a9f8aaa3356
+  data.tar.gz: d094ef10bf315a635afd6c6ef52148ac25c2e03afafcbb5e53b411c4ff2e676fd01d9db45414be4354054396547ae182b4991beadf6e6f0de63045cb38b2ccde

data/CHANGELOG.md CHANGED

@@ -1,3 +1,76 @@
+<a name="v2.58.0"></a>
+### v2.58.0 (2020-06-19)
+#### Features
+* log foreign key constraint errors as warn as 99% of the time they are transitory and unreproducible and should not cause alarms to be raised	 ([71fd0270](/../../commit/71fd0270))
+* use structured logs for logging errors	 ([1e097b37](/../../commit/1e097b37))
+#### Bug Fixes
+* fix: update sanitize gem for CVE-2020-4054	 ([2af4bf9d](/../../commit/2af4bf9d))
+* do not parse the provider version as a semantic version when order_versions_by_date is true	 ([bf30024f](/../../commit/bf30024f))
+<a name="v2.57.0"></a>
+### v2.57.0 (2020-06-16)
+#### Features
+* add Content Security Policy header	 ([fd2e81fb](/../../commit/fd2e81fb))
+#### Bug Fixes
+* upgrade Rack for vulnerability CVE-2020-8184	 ([99b78b3c](/../../commit/99b78b3c))
+* fix Home link on pact page	 ([081d1586](/../../commit/081d1586))
+* return a 422 if the URL path contains a new line or tab	 ([db9f7f4d](/../../commit/db9f7f4d))
+<a name="v2.56.1"></a>
+### v2.56.1 (2020-06-01)
+#### Bug Fixes
+* **matrix ui**
+  * fix home link	 ([67065b7d](/../../commit/67065b7d))
+<a name="v2.56.0"></a>
+### v2.56.0 (2020-06-01)
+#### Features
+* **database**
+  * log schema versions and migration info on startup	 ([b385e535](/../../commit/b385e535))
+  * allow options to be passed to Sequel migrate via the MigrationTask	 ([143613e7](/../../commit/143613e7))
+* allow Pactflow messages in logs to be hidden by setting PACT_BROKER_HIDE_PACTFLOW_MESSAGES=true	 ([a7550105](/../../commit/a7550105))
+* **can-i-deploy**
+  * experimental - add a warning message if there are interactions missing verification test results.	 ([f7ab8cc5](/../../commit/f7ab8cc5))
+#### Bug Fixes
+* use relative URLs when base_url not explictly set to ensure app is not vulnerable to host header attacks	 ([92c45a0a](/../../commit/92c45a0a))
+* raise PactBroker::Error when either pacticipant is not found in the business layer while attempting to delete an integration	 ([3c209a46](/../../commit/3c209a46))
+<a name="v2.55.0"></a>
+### v2.55.0 (2020-05-22)
+#### Features
+* support non root context (#344)	 ([dc480499](/../../commit/dc480499))
 <a name="v2.54.0"></a>
 ### v2.54.0 (2020-05-13)

data/example/config.ru CHANGED

@@ -8,7 +8,7 @@ ENV['RACK_ENV'] ||= 'production'
 # Create a real database, and set the credentials for it here
 # It is highly recommended to set the encoding to utf8
-DATABASE_CREDENTIALS = {adapter: "sqlite", database: "pact_broker_database.sqlite3", :encoding => 'utf8'}
+DATABASE_CREDENTIALS = { adapter: "sqlite", database: "pact_broker_database.sqlite3", :encoding => 'utf8', sql_log_level: :debug }
 # For postgres:
 #

data/lib/pact_broker/api/contracts/verification_contract.rb CHANGED

@@ -25,6 +25,8 @@ module PactBroker
             end
             def valid_version_number?(value)
+              return true if PactBroker.configuration.order_versions_by_date
               parsed_version_number = PactBroker.configuration.version_parser.call(value)
               !!parsed_version_number
             end

data/lib/pact_broker/api/contracts/webhook_contract.rb CHANGED

@@ -14,11 +14,13 @@ module PactBroker
           # I just cannot seem to get the validation to stop on the first error.
           # If one rule fails, they all come back failed, and it's driving me nuts.
           # Why on earth would I want that behaviour?
-          new_errors = Reform::Contract::Errors.new
-          errors.messages.each do | key, value |
-            new_errors.add(key, value.first)
+          # I cannot believe I have to do this shit.
+          @first_errors = errors
+          @first_errors.messages.keys.each do | key |
+            @first_errors.messages[key] = @first_errors.messages[key][0...1]
           end
-          @errors = new_errors
+          def self.errors; @first_errors end
           result
         end

data/lib/pact_broker/api/decorators/reason_decorator.rb CHANGED

@@ -22,6 +22,11 @@ module PactBroker
             "There are no missing dependencies"
           when PactBroker::Matrix::Successful
             "All required verification results are published and successful"
+          when PactBroker::Matrix::InteractionsMissingVerifications
+            descriptions = reason.interactions.collect do | interaction |
+              interaction_description(interaction)
+            end.join('; ')
+            "WARNING: Although the verification was reported as successful, the results for #{reason.consumer_selector.description} and #{reason.provider_selector.description} may be missing tests for the following interactions: #{descriptions}"
           else
             reason
           end
@@ -44,6 +49,18 @@ module PactBroker
             ""
           end
         end
+        # TODO move this somewhere else
+        def interaction_description(interaction)
+          if interaction['providerState'] && interaction['providerState'] != ''
+            "#{interaction['description']} given #{interaction['providerState']}"
+          elsif interaction['providerStates'] && interaction['providerStates'].is_a?(Array) && interaction['providerStates'].any?
+            provider_states = interaction['providerStates'].collect{ |ps| ps['name'] }.compact.join(', ')
+            "#{interaction['description']} given #{provider_states}"
+          else
+            interaction['description']
+          end
+        end
       end
     end
   end

data/lib/pact_broker/api/pact_broker_urls.rb CHANGED

@@ -284,8 +284,8 @@ module PactBroker
         "#{base_url}/groups/#{pacticipant_name}"
       end
-      def hal_browser_url target_url
-        "/hal-browser/browser.html#" + target_url
+      def hal_browser_url target_url, base_url = ''
+        "#{base_url}/hal-browser/browser.html#" + target_url
       end
       def url_encode param

data/lib/pact_broker/api/renderers/html_pact_renderer.rb CHANGED

@@ -37,18 +37,18 @@ module PactBroker
         def head
          "<title>#{title}</title>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/pact.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github-json.css'>
-          <link rel='stylesheet' type='text/css' href='/css/bootstrap.min.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/material-menu.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/jquery-confirm.min.css'>
-          <script src='/javascripts/highlight.pack.js'></script>
-          <script src='/javascripts/jquery-3.3.1.min.js'></script>
-          <script src='/js/bootstrap.min.js'></script>
-          <script src='/javascripts/material-menu.js'></script>
-          <script src='/javascripts/pact.js'></script>
-          <script src='/javascripts/jquery-confirm.min.js'></script>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/pact.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github-json.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/css/bootstrap.min.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/material-menu.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/jquery-confirm.min.css'>
+          <script src='#{base_url}/javascripts/highlight.pack.js'></script>
+          <script src='#{base_url}/javascripts/jquery-3.3.1.min.js'></script>
+          <script src='#{base_url}/js/bootstrap.min.js'></script>
+          <script src='#{base_url}/javascripts/material-menu.js'></script>
+          <script src='#{base_url}/javascripts/pact.js'></script>
+          <script src='#{base_url}/javascripts/jquery-confirm.min.js'></script>
           <script>hljs.initHighlightingOnLoad();</script>"
         end
@@ -72,7 +72,7 @@ module PactBroker
                 <a href=\"#{matrix_url}\">View Matrix</a>
               </li>
               <li>
-                <a href=\"/\">Home</a>
+                <a href=\"#{base_url}/\">Home</a>
               </li>
               <li>
                 <span data-consumer-name=\"#{@pact.consumer.name}\"
@@ -129,7 +129,7 @@ module PactBroker
         end
         def json_url
-          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url
+          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url, base_url
         end
         def pact_url

data/lib/pact_broker/api/resources/base_resource.rb CHANGED

@@ -62,6 +62,11 @@ module PactBroker
           PactBroker.configuration.base_url || request.base_uri.to_s.chomp('/')
         end
+        # See comments for base_url in lib/pact_broker/doc/controllers/app.rb
+        def ui_base_url
+          PactBroker.configuration.base_url || ''
+        end
         def charsets_provided
           [['utf-8', :encode]]
         end

data/lib/pact_broker/api/resources/error_handler.rb CHANGED

@@ -8,13 +8,16 @@ module PactBroker
         include PactBroker::Logging
+        WARNING_ERROR_CLASSES = [Sequel::ForeignKeyConstraintViolation]
         def self.call e, request, response
           error_reference = generate_error_reference
-          if reportable?(e)
+          if log_as_warning?(e)
+            logger.warn("Error reference #{error_reference}", e)
+          elsif reportable?(e)
             log_error(e, "Error reference #{error_reference}")
             report(e, error_reference, request)
-          else
-            logger.info "Error reference #{error_reference} - #{e.class} #{e.message}\n#{e.backtrace.join("\n")}"
+            logger.info("Error reference #{error_reference}", e)
           end
           response.body = response_body_hash(e, error_reference).to_json
         end
@@ -27,6 +30,10 @@ module PactBroker
           !e.is_a?(PactBroker::Error) && !e.is_a?(JSON::GeneratorError)
         end
+        def self.log_as_warning?(e)
+          WARNING_ERROR_CLASSES.any? { |clazz| e.is_a?(clazz) }
+        end
         def self.display_message(e, error_reference)
           if PactBroker.configuration.show_backtrace_in_error_response?
             e.message || obfuscated_error_message(error_reference)

data/lib/pact_broker/api/resources/latest_pact.rb CHANGED

@@ -36,7 +36,7 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
+              base_url: ui_base_url,
               badge_url: "#{resource_url}/badge.svg"
           })
         end

data/lib/pact_broker/api/resources/pact.rb CHANGED

@@ -77,8 +77,8 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
-              badge_url: badge_url_for_latest_pact(pact, base_url)
+              base_url: ui_base_url,
+              badge_url: badge_url_for_latest_pact(pact, ui_base_url)
           })
         end
@@ -100,7 +100,7 @@ module PactBroker
         def set_post_deletion_response
           latest_pact = pact_service.find_latest_pact(pact_params)
-          response_body = { "_links" => {} }
+          response_body = { "_links" => { index: { href: base_url } } }
           if latest_pact
             response_body["_links"]["pb:latest-pact-version"] = {
               href: latest_pact_url(base_url, latest_pact),

data/lib/pact_broker/app.rb CHANGED

@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
 require 'rack/pact_broker/convert_404_to_hal'
 require 'rack/pact_broker/reset_thread_data'
 require 'rack/pact_broker/add_vary_header'
+require 'rack/pact_broker/use_when'
 require 'sucker_punch'
 module PactBroker
   class App
     include PactBroker::Logging
+    using Rack::PactBroker::UseWhen
     attr_accessor :configuration
@@ -81,11 +83,18 @@ module PactBroker
     end
     def prepare_database
+      logger.info "Database schema version is #{PactBroker::DB.version(configuration.database_connection)}"
       if configuration.auto_migrate_db
-        logger.info "Migrating database"
-        PactBroker::DB.run_migrations configuration.database_connection, allow_missing_migration_files: configuration.allow_missing_migration_files
+        migration_options = { allow_missing_migration_files: configuration.allow_missing_migration_files }
+        if PactBroker::DB.is_current?(configuration.database_connection, migration_options)
+          logger.info "Skipping database migrations as the latest migration has already been applied"
+        else
+          logger.info "Migrating database schema"
+          PactBroker::DB.run_migrations configuration.database_connection, migration_options
+          logger.info "Database schema version is now #{PactBroker::DB.version(configuration.database_connection)}"
+        end
       else
-        logger.info "Skipping database migrations"
+        logger.info "Skipping database schema migrations as database auto migrate is disabled"
       end
       if configuration.auto_migrate_db_data
@@ -155,6 +164,15 @@ module PactBroker
       # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
       if configuration.use_rack_protection
         @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+        is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
+        not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
+        @app_builder.use_when not_hal_browser,
+          Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
+        @app_builder.use_when is_hal_browser,
+          Rack::Protection::ContentSecurityPolicy,
+          configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
       end
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::ResetThreadData
@@ -232,7 +250,9 @@ module PactBroker
     end
     def print_startup_message
-      logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      if ENV['PACT_BROKER_HIDE_PACTFLOW_MESSAGES'] != 'true'
+        logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      end
     end
   end
 end

data/lib/pact_broker/configuration.rb CHANGED

@@ -43,6 +43,7 @@ module PactBroker
     attr_accessor :semver_formats
     attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
     attr_accessor :disable_ssl_verification
+    attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
     attr_accessor :base_equality_only_on_content_that_affects_verification_results
     attr_reader :api_error_reporters
     attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
       config.webhook_http_method_whitelist = ['POST']
       config.webhook_scheme_whitelist = ['https']
       config.webhook_host_whitelist = []
+      # TODO get rid of unsafe-inline
+      config.content_security_policy = {
+        script_src: "'self' 'unsafe-inline'",
+        style_src: "'self' 'unsafe-inline'",
+        img_src: "'self' data:",
+        font_src: "'self' data:",
+        base_uri: "'self'",
+        frame_src: "'self'",
+        frame_ancestors: "'self'"
+      }
+      config.hal_browser_content_security_policy_overrides = {
+        script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
+        frame_ancestors: "'self'"
+      }
       config
     end

data/lib/pact_broker/db.rb CHANGED

@@ -2,12 +2,12 @@ require 'sequel'
 require 'pact_broker/db/validate_encoding'
 require 'pact_broker/db/migrate'
 require 'pact_broker/db/migrate_data'
+require 'pact_broker/db/version'
 Sequel.datetime_class = DateTime
 module PactBroker
   module DB
     MIGRATIONS_DIR = File.expand_path("../../../db/migrations", __FILE__)
     def self.connection= connection
@@ -27,6 +27,14 @@ module PactBroker
       PactBroker::DB::MigrateData.(database_connection)
     end
+    def self.is_current? database_connection, options = {}
+      Sequel::TimestampMigrator.is_current?(database_connection, PactBroker::DB::MIGRATIONS_DIR, options)
+    end
+    def self.version database_connection
+      PactBroker::DB::Version.call(database_connection)
+    end
     def self.validate_connection_config
       PactBroker::DB::ValidateEncoding.(connection)
     end

data/lib/pact_broker/db/log_quietener.rb CHANGED

@@ -9,13 +9,11 @@ require 'delegate'
 module PactBroker
   module DB
     class LogQuietener < SimpleDelegator
-      def info *args
-        __getobj__().debug(*args)
-      end
       def error *args
         if error_is_about_table_not_existing?(args)
           __getobj__().debug(*reassure_people_that_this_is_expected(args))
+        elsif foreign_key_error?(args)
+          __getobj__().warn(*args)
         else
           __getobj__().error(*args)
         end
@@ -28,6 +26,11 @@ module PactBroker
             args.first.include?("no such view"))
       end
+      # Foreign key exceptions are almost always transitory and unreproducible by this stage
+      def foreign_key_error?(args)
+        args.first.is_a?(String) && args.first.downcase.include?("foreign key")
+      end
       def reassure_people_that_this_is_expected(args)
         message = args.shift
         message = message + " Don't panic. This happens when Sequel doesn't know if a table/view exists or not."

data/lib/pact_broker/doc/controllers/app.rb CHANGED

@@ -33,7 +33,7 @@ module PactBroker
         get ":rel_name" do
           rel_name = params[:rel_name]
           context = params[:context]
-          view_params = {:layout_engine => :haml, layout: :'layouts/main'}
+          view_params = {:layout_engine => :haml, layout: :'layouts/main', locals: { base_url: base_url }}
           if resource_exists? rel_name, context
             markdown view_name_for(rel_name, context).to_sym, view_params, {}
           elsif resource_exists? rel_name
@@ -42,6 +42,16 @@ module PactBroker
             markdown :not_found, view_params, {}
           end
         end
+        private
+        def base_url
+          # Using the X-Forwarded headers in the UI can leave the app vulnerable
+          # https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+          # Either use the explicitly configured base url or an empty string,
+          # rather than request.base_url, which uses the X-Forwarded headers.
+          PactBroker.configuration.base_url || ''
+        end
       end
     end
   end