pact_broker 2.56.1 → 2.57.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 78ca82ae8d3f9574d9844689ebb3423e5a2c2966f5907253f82e996aa0dbdcd4
-  data.tar.gz: 64a1cec77d11ae9f82e4408736147afe69d294def7b07afa31bdab1c38947a72
+  metadata.gz: 1de4cab3f4fb99ade4806255fb8e1ea1745429fdac8302154d092c99c36c7d76
+  data.tar.gz: 910569291d130d66d73b3a557a983ba4563a70ae7d3c581ad9ebc770958ea56e
 SHA512:
-  metadata.gz: c43133723319d295e3e3a9a818ef668e5f15b75b65589c90d77902737e807145e5647b92e4d7c80880e9886a4e75c20f23140716310f5c28dc77cd8a726e381c
-  data.tar.gz: 92cd37b6e992d89886fe7f9f6f9b220879b92c48f081c64ea344201229e45d8ca6a12fb676d0cecdba9d15da0ccd70163e54392acda943d4e66adea46706d9b6
+  metadata.gz: 2df74e9cbdfa705a1221f4422fb9dc18e33106b25a68b9b2013f649e8d35ad015b344251d2aacd7e9b22d73d50435eb3cdc2e773843de0b49792859e5daa83c6
+  data.tar.gz: 2f5255f3ba8292bd2df960db95c40b86196872c49f3080afb8cdb398dd96b22022bd6bd28ca73a221881322112fa9f9da6bf9d1b870dba6a59cd286bfb45fbeb

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+<a name="v2.57.0"></a>
+### v2.57.0 (2020-06-16)
+
+
+#### Features
+
+* add Content Security Policy header	 ([fd2e81fb](/../../commit/fd2e81fb))
+
+
+#### Bug Fixes
+
+* upgrade Rack for vulnerability CVE-2020-8184	 ([99b78b3c](/../../commit/99b78b3c))
+* fix Home link on pact page	 ([081d1586](/../../commit/081d1586))
+* return a 422 if the URL path contains a new line or tab	 ([db9f7f4d](/../../commit/db9f7f4d))
+
+
 <a name="v2.56.1"></a>
 ### v2.56.1 (2020-06-01)
 

data/lib/pact_broker/api/renderers/html_pact_renderer.rb

@@ -72,7 +72,7 @@ module PactBroker
                 <a href=\"#{matrix_url}\">View Matrix</a>
               </li>
               <li>
-                <a href=\"#{base_url}\">Home</a>
+                <a href=\"#{base_url}/\">Home</a>
               </li>
               <li>
                 <span data-consumer-name=\"#{@pact.consumer.name}\"

data/lib/pact_broker/app.rb

@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
 require 'rack/pact_broker/convert_404_to_hal'
 require 'rack/pact_broker/reset_thread_data'
 require 'rack/pact_broker/add_vary_header'
+require 'rack/pact_broker/use_when'
 require 'sucker_punch'
 
 module PactBroker
 
   class App
     include PactBroker::Logging
+    using Rack::PactBroker::UseWhen
 
     attr_accessor :configuration
 
@@ -162,6 +164,15 @@ module PactBroker
       # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
       if configuration.use_rack_protection
         @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+
+        is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
+        not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
+
+        @app_builder.use_when not_hal_browser,
+          Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
+        @app_builder.use_when is_hal_browser,
+          Rack::Protection::ContentSecurityPolicy,
+          configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
       end
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::ResetThreadData

data/lib/pact_broker/configuration.rb

@@ -43,6 +43,7 @@ module PactBroker
     attr_accessor :semver_formats
     attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
     attr_accessor :disable_ssl_verification
+    attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
     attr_accessor :base_equality_only_on_content_that_affects_verification_results
     attr_reader :api_error_reporters
     attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
       config.webhook_http_method_whitelist = ['POST']
       config.webhook_scheme_whitelist = ['https']
       config.webhook_host_whitelist = []
+      # TODO get rid of unsafe-inline
+      config.content_security_policy = {
+        script_src: "'self' 'unsafe-inline'",
+        style_src: "'self' 'unsafe-inline'",
+        img_src: "'self' data:",
+        font_src: "'self' data:",
+        base_uri: "'self'",
+        frame_src: "'self'",
+        frame_ancestors: "'self'"
+      }
+      config.hal_browser_content_security_policy_overrides = {
+        script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
+        frame_ancestors: "'self'"
+      }
       config
     end
 

data/lib/pact_broker/locale/en.yml

@@ -10,6 +10,7 @@ en:
     non_templated_host?: "cannot have a template parameter in the host"
     pacticipant_exists?: "does not match an existing pacticipant"
 
+
   pact_broker:
     messages:
       response_body_hidden: For security purposes, the response details are not logged. To enable response logging, configure the webhook_host_whitelist property. See %{base_url}/doc/webhooks#whitelist for more information.
@@ -53,6 +54,9 @@ en:
         $ curl -v -XPOST -H "Content-Type: application/json" -d "{\"name\": \"%{new_name}\"}" %{create_pacticipant_url}
         If the pact broker requires basic authentication, add '-u <username:password>' to the command.
         To disable this check, set `check_for_potential_duplicate_pacticipant_names` to false in the configuration.
+      new_line_in_url_path: URL path cannot contain a new line character.
+      tab_in_url_path: URL path cannot contain a tab character.
+
       "400":
         title: 400 Malformed Request
         message: The request was malformed and could not be processed.

data/lib/pact_broker/version.rb

@@ -1,3 +1,3 @@
 module PactBroker
-  VERSION = '2.56.1'
+  VERSION = '2.57.0'
 end

data/lib/rack/pact_broker/invalid_uri_protection.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
 require 'uri'
+require 'pact_broker/messages'
+
 
 # This class is for https://github.com/pact-foundation/pact_broker/issues/101
 # curl -i "http://127.0.0.1:9292/<script>"
@@ -6,31 +10,48 @@ require 'uri'
 module Rack
   module PactBroker
     class InvalidUriProtection
+      include ::PactBroker::Messages
 
       def initialize app
         @app = app
       end
 
       def call env
-        if valid_uri? env
-          @app.call(env)
+        if (uri = valid_uri?(env))
+          if (error_message = validate(uri))
+            [422, {'Content-Type' => 'text/plain'}, [error_message]]
+          else
+            app.call(env)
+          end
         else
           [404, {}, []]
         end
       end
 
+      private
+
+      attr_reader :app
+
       def valid_uri? env
         begin
           parse(::Rack::Request.new(env).url)
-          true
         rescue URI::InvalidURIError, ArgumentError
-          false
+          nil
         end
       end
 
       def parse uri
         URI.parse(uri)
       end
+
+      def validate(uri)
+        decoded_path = URI.decode(uri.path)
+        if decoded_path.include?("\n")
+          message('errors.new_line_in_url_path')
+        elsif decoded_path.include?("\t")
+          message('errors.tab_in_url_path')
+        end
+      end
     end
   end
 end

data/lib/rack/pact_broker/use_when.rb

@@ -0,0 +1,55 @@
+=begin
+
+Conditionally use Rack Middleware.
+
+Usage:
+
+condition_proc = ->(env) { env['PATH_INFO'] == '/match' }
+use_when condition_proc, SomeMiddleware, options
+
+I feel sure there must be something like this officially supported somewhere, but I can't find it.
+
+=end
+
+module Rack
+  module PactBroker
+    module UseWhen
+      class ConditionallyUseMiddleware
+        def initialize(app, condition_proc, middleware, *args, &block)
+          @app_without_middleware = app
+          @condition_proc = condition_proc
+          @middleware = middleware
+          @args = args
+          @block = block
+        end
+
+        def call(env)
+          if condition_proc.call(env)
+            app_with_middleware.call(env)
+          else
+            app_without_middleware.call(env)
+          end
+        end
+
+        private
+
+        attr_reader :app_without_middleware, :condition_proc, :middleware, :args, :block
+
+        def app_with_middleware
+          @app_with_middleware ||= begin
+            rack_builder = ::Rack::Builder.new
+            rack_builder.use middleware, *args, &block
+            rack_builder.run app_without_middleware
+            rack_builder.to_app
+          end
+        end
+      end
+
+      refine Rack::Builder do
+        def use_when(condition_proc, middleware, *args, &block)
+          use(ConditionallyUseMiddleware, condition_proc, middleware, *args, &block)
+        end
+      end
+    end
+  end
+end

data/pact_broker.gemspec

@@ -51,7 +51,7 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'sequel', '~> 5.28'
   gem.add_runtime_dependency 'webmachine', '1.5.0'
   gem.add_runtime_dependency 'semver2', '~> 3.4.2'
-  gem.add_runtime_dependency 'rack', '~> 2.2'
+  gem.add_runtime_dependency 'rack', '~> 2.2', '>= 2.2.3'
   gem.add_runtime_dependency 'redcarpet', '>=3.3.2', '~>3.3'
   gem.add_runtime_dependency 'pact-support', '~> 1.14', '>= 1.14.1'
   gem.add_runtime_dependency 'padrino-core', '>= 0.14.3', '~> 0.14'

data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb

@@ -3,12 +3,14 @@ require 'rack/pact_broker/invalid_uri_protection'
 module Rack
   module PactBroker
     describe InvalidUriProtection do
+      let(:target_app) { ->(env){ [200, {}, []] } }
+      let(:app) { InvalidUriProtection.new(target_app) }
+      let(:path) { URI.encode("/foo") }
 
-      let(:app) { InvalidUriProtection.new(->(env){ [200,{},[]] }) }
-
-      subject { get "/badpath"; last_response }
+      subject { get(path) }
 
       context "with a URI that the Ruby default URI library cannot parse" do
+        let(:path) { "/badpath" }
 
         before do
           # Can't use or stub URI.parse because rack test uses it to execute the actual test
@@ -24,6 +26,24 @@ module Rack
         it "passes the request to the underlying app" do
           expect(subject.status).to eq 200
         end
+
+        context "when the URI contains a new line because someone forgot to strip the result of `git rev-parse HEAD`, and I have totally never done this before myself" do
+          let(:path) { URI.encode("/foo\n/bar") }
+
+          it "returns a 422" do
+            expect(subject.status).to eq 422
+            expect(subject.body).to include "new line"
+          end
+        end
+
+        context "when the URI contains a tab because sooner or later someone is eventually going to do this" do
+          let(:path) { URI.encode("/foo\t/bar") }
+
+          it "returns a 422" do
+            expect(subject.status).to eq 422
+            expect(subject.body).to include "tab"
+          end
+        end
       end
     end
   end

data/spec/lib/rack/pact_broker/use_when_spec.rb

@@ -0,0 +1,49 @@
+require 'rack/pact_broker/use_when'
+require 'rack/test'
+
+module Rack
+  module PactBroker
+    describe UseWhen do
+
+      using Rack::PactBroker::UseWhen
+      include Rack::Test::Methods
+
+      class TestMiddleware
+        def initialize(app, additional_headers)
+          @app = app
+          @additional_headers = additional_headers
+        end
+
+        def call(env)
+          status, headers, body = @app.call(env)
+          [status, headers.merge(@additional_headers), body]
+        end
+      end
+
+      let(:app) do
+        target_app = -> (env) { [200, {}, []] }
+        builder = Rack::Builder.new
+        condition = ->(env) { env['PATH_INFO'] == '/match' }
+        builder.use_when condition, TestMiddleware, { "Foo" => "Bar" }
+        builder.run target_app
+        builder.to_app
+      end
+
+      context "when the condition matches" do
+        subject { get '/match' }
+
+        it "uses the middleware" do
+          expect(subject.headers).to include "Foo" => "Bar"
+        end
+      end
+
+      context "when the condition does not match" do
+        subject { get '/no-match' }
+
+        it "does not use the middleware" do
+          expect(subject.headers.keys).to_not include "Foo"
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pact_broker
 version: !ruby/object:Gem::Version
-  version: 2.56.1
+  version: 2.57.0
 platform: ruby
 authors:
 - Bethany Skurrie
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-06-01 00:00:00.000000000 Z
+date: 2020-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: httparty
@@ -137,6 +137,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -144,6 +147,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
@@ -1177,6 +1183,7 @@ files:
 - lib/rack/pact_broker/reset_thread_data.rb
 - lib/rack/pact_broker/ui_authentication.rb
 - lib/rack/pact_broker/ui_request_filter.rb
+- lib/rack/pact_broker/use_when.rb
 - lib/webmachine/rack_adapter_monkey_patch.rb
 - pact_broker.gemspec
 - pact_broker_client-pact_broker.json
@@ -1529,6 +1536,7 @@ files:
 - spec/lib/rack/pact_broker/database_transaction_spec.rb
 - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
 - spec/lib/rack/pact_broker/request_target_spec.rb
+- spec/lib/rack/pact_broker/use_when_spec.rb
 - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
 - spec/migrations/20180201_create_head_matrix_spec.rb
 - spec/migrations/23_pact_versions_spec.rb
@@ -1911,6 +1919,7 @@ test_files:
 - spec/lib/rack/pact_broker/database_transaction_spec.rb
 - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
 - spec/lib/rack/pact_broker/request_target_spec.rb
+- spec/lib/rack/pact_broker/use_when_spec.rb
 - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
 - spec/migrations/20180201_create_head_matrix_spec.rb
 - spec/migrations/23_pact_versions_spec.rb