pact_broker 2.56.1 → 2.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 78ca82ae8d3f9574d9844689ebb3423e5a2c2966f5907253f82e996aa0dbdcd4
4
- data.tar.gz: 64a1cec77d11ae9f82e4408736147afe69d294def7b07afa31bdab1c38947a72
3
+ metadata.gz: 1de4cab3f4fb99ade4806255fb8e1ea1745429fdac8302154d092c99c36c7d76
4
+ data.tar.gz: 910569291d130d66d73b3a557a983ba4563a70ae7d3c581ad9ebc770958ea56e
5
5
  SHA512:
6
- metadata.gz: c43133723319d295e3e3a9a818ef668e5f15b75b65589c90d77902737e807145e5647b92e4d7c80880e9886a4e75c20f23140716310f5c28dc77cd8a726e381c
7
- data.tar.gz: 92cd37b6e992d89886fe7f9f6f9b220879b92c48f081c64ea344201229e45d8ca6a12fb676d0cecdba9d15da0ccd70163e54392acda943d4e66adea46706d9b6
6
+ metadata.gz: 2df74e9cbdfa705a1221f4422fb9dc18e33106b25a68b9b2013f649e8d35ad015b344251d2aacd7e9b22d73d50435eb3cdc2e773843de0b49792859e5daa83c6
7
+ data.tar.gz: 2f5255f3ba8292bd2df960db95c40b86196872c49f3080afb8cdb398dd96b22022bd6bd28ca73a221881322112fa9f9da6bf9d1b870dba6a59cd286bfb45fbeb
@@ -1,3 +1,19 @@
1
+ <a name="v2.57.0"></a>
2
+ ### v2.57.0 (2020-06-16)
3
+
4
+
5
+ #### Features
6
+
7
+ * add Content Security Policy header ([fd2e81fb](/../../commit/fd2e81fb))
8
+
9
+
10
+ #### Bug Fixes
11
+
12
+ * upgrade Rack for vulnerability CVE-2020-8184 ([99b78b3c](/../../commit/99b78b3c))
13
+ * fix Home link on pact page ([081d1586](/../../commit/081d1586))
14
+ * return a 422 if the URL path contains a new line or tab ([db9f7f4d](/../../commit/db9f7f4d))
15
+
16
+
1
17
  <a name="v2.56.1"></a>
2
18
  ### v2.56.1 (2020-06-01)
3
19
 
@@ -72,7 +72,7 @@ module PactBroker
72
72
  <a href=\"#{matrix_url}\">View Matrix</a>
73
73
  </li>
74
74
  <li>
75
- <a href=\"#{base_url}\">Home</a>
75
+ <a href=\"#{base_url}/\">Home</a>
76
76
  </li>
77
77
  <li>
78
78
  <span data-consumer-name=\"#{@pact.consumer.name}\"
@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
15
15
  require 'rack/pact_broker/convert_404_to_hal'
16
16
  require 'rack/pact_broker/reset_thread_data'
17
17
  require 'rack/pact_broker/add_vary_header'
18
+ require 'rack/pact_broker/use_when'
18
19
  require 'sucker_punch'
19
20
 
20
21
  module PactBroker
21
22
 
22
23
  class App
23
24
  include PactBroker::Logging
25
+ using Rack::PactBroker::UseWhen
24
26
 
25
27
  attr_accessor :configuration
26
28
 
@@ -162,6 +164,15 @@ module PactBroker
162
164
  # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
163
165
  if configuration.use_rack_protection
164
166
  @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
167
+
168
+ is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
169
+ not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
170
+
171
+ @app_builder.use_when not_hal_browser,
172
+ Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
173
+ @app_builder.use_when is_hal_browser,
174
+ Rack::Protection::ContentSecurityPolicy,
175
+ configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
165
176
  end
166
177
  @app_builder.use Rack::PactBroker::InvalidUriProtection
167
178
  @app_builder.use Rack::PactBroker::ResetThreadData
@@ -43,6 +43,7 @@ module PactBroker
43
43
  attr_accessor :semver_formats
44
44
  attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
45
45
  attr_accessor :disable_ssl_verification
46
+ attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
46
47
  attr_accessor :base_equality_only_on_content_that_affects_verification_results
47
48
  attr_reader :api_error_reporters
48
49
  attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
90
91
  config.webhook_http_method_whitelist = ['POST']
91
92
  config.webhook_scheme_whitelist = ['https']
92
93
  config.webhook_host_whitelist = []
94
+ # TODO get rid of unsafe-inline
95
+ config.content_security_policy = {
96
+ script_src: "'self' 'unsafe-inline'",
97
+ style_src: "'self' 'unsafe-inline'",
98
+ img_src: "'self' data:",
99
+ font_src: "'self' data:",
100
+ base_uri: "'self'",
101
+ frame_src: "'self'",
102
+ frame_ancestors: "'self'"
103
+ }
104
+ config.hal_browser_content_security_policy_overrides = {
105
+ script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
106
+ frame_ancestors: "'self'"
107
+ }
93
108
  config
94
109
  end
95
110
 
@@ -10,6 +10,7 @@ en:
10
10
  non_templated_host?: "cannot have a template parameter in the host"
11
11
  pacticipant_exists?: "does not match an existing pacticipant"
12
12
 
13
+
13
14
  pact_broker:
14
15
  messages:
15
16
  response_body_hidden: For security purposes, the response details are not logged. To enable response logging, configure the webhook_host_whitelist property. See %{base_url}/doc/webhooks#whitelist for more information.
@@ -53,6 +54,9 @@ en:
53
54
  $ curl -v -XPOST -H "Content-Type: application/json" -d "{\"name\": \"%{new_name}\"}" %{create_pacticipant_url}
54
55
  If the pact broker requires basic authentication, add '-u <username:password>' to the command.
55
56
  To disable this check, set `check_for_potential_duplicate_pacticipant_names` to false in the configuration.
57
+ new_line_in_url_path: URL path cannot contain a new line character.
58
+ tab_in_url_path: URL path cannot contain a tab character.
59
+
56
60
  "400":
57
61
  title: 400 Malformed Request
58
62
  message: The request was malformed and could not be processed.
@@ -1,3 +1,3 @@
1
1
  module PactBroker
2
- VERSION = '2.56.1'
2
+ VERSION = '2.57.0'
3
3
  end
@@ -1,4 +1,8 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'uri'
4
+ require 'pact_broker/messages'
5
+
2
6
 
3
7
  # This class is for https://github.com/pact-foundation/pact_broker/issues/101
4
8
  # curl -i "http://127.0.0.1:9292/<script>"
@@ -6,31 +10,48 @@ require 'uri'
6
10
  module Rack
7
11
  module PactBroker
8
12
  class InvalidUriProtection
13
+ include ::PactBroker::Messages
9
14
 
10
15
  def initialize app
11
16
  @app = app
12
17
  end
13
18
 
14
19
  def call env
15
- if valid_uri? env
16
- @app.call(env)
20
+ if (uri = valid_uri?(env))
21
+ if (error_message = validate(uri))
22
+ [422, {'Content-Type' => 'text/plain'}, [error_message]]
23
+ else
24
+ app.call(env)
25
+ end
17
26
  else
18
27
  [404, {}, []]
19
28
  end
20
29
  end
21
30
 
31
+ private
32
+
33
+ attr_reader :app
34
+
22
35
  def valid_uri? env
23
36
  begin
24
37
  parse(::Rack::Request.new(env).url)
25
- true
26
38
  rescue URI::InvalidURIError, ArgumentError
27
- false
39
+ nil
28
40
  end
29
41
  end
30
42
 
31
43
  def parse uri
32
44
  URI.parse(uri)
33
45
  end
46
+
47
+ def validate(uri)
48
+ decoded_path = URI.decode(uri.path)
49
+ if decoded_path.include?("\n")
50
+ message('errors.new_line_in_url_path')
51
+ elsif decoded_path.include?("\t")
52
+ message('errors.tab_in_url_path')
53
+ end
54
+ end
34
55
  end
35
56
  end
36
57
  end
@@ -0,0 +1,55 @@
1
+ =begin
2
+
3
+ Conditionally use Rack Middleware.
4
+
5
+ Usage:
6
+
7
+ condition_proc = ->(env) { env['PATH_INFO'] == '/match' }
8
+ use_when condition_proc, SomeMiddleware, options
9
+
10
+ I feel sure there must be something like this officially supported somewhere, but I can't find it.
11
+
12
+ =end
13
+
14
+ module Rack
15
+ module PactBroker
16
+ module UseWhen
17
+ class ConditionallyUseMiddleware
18
+ def initialize(app, condition_proc, middleware, *args, &block)
19
+ @app_without_middleware = app
20
+ @condition_proc = condition_proc
21
+ @middleware = middleware
22
+ @args = args
23
+ @block = block
24
+ end
25
+
26
+ def call(env)
27
+ if condition_proc.call(env)
28
+ app_with_middleware.call(env)
29
+ else
30
+ app_without_middleware.call(env)
31
+ end
32
+ end
33
+
34
+ private
35
+
36
+ attr_reader :app_without_middleware, :condition_proc, :middleware, :args, :block
37
+
38
+ def app_with_middleware
39
+ @app_with_middleware ||= begin
40
+ rack_builder = ::Rack::Builder.new
41
+ rack_builder.use middleware, *args, &block
42
+ rack_builder.run app_without_middleware
43
+ rack_builder.to_app
44
+ end
45
+ end
46
+ end
47
+
48
+ refine Rack::Builder do
49
+ def use_when(condition_proc, middleware, *args, &block)
50
+ use(ConditionallyUseMiddleware, condition_proc, middleware, *args, &block)
51
+ end
52
+ end
53
+ end
54
+ end
55
+ end
@@ -51,7 +51,7 @@ Gem::Specification.new do |gem|
51
51
  gem.add_runtime_dependency 'sequel', '~> 5.28'
52
52
  gem.add_runtime_dependency 'webmachine', '1.5.0'
53
53
  gem.add_runtime_dependency 'semver2', '~> 3.4.2'
54
- gem.add_runtime_dependency 'rack', '~> 2.2'
54
+ gem.add_runtime_dependency 'rack', '~> 2.2', '>= 2.2.3'
55
55
  gem.add_runtime_dependency 'redcarpet', '>=3.3.2', '~>3.3'
56
56
  gem.add_runtime_dependency 'pact-support', '~> 1.14', '>= 1.14.1'
57
57
  gem.add_runtime_dependency 'padrino-core', '>= 0.14.3', '~> 0.14'
@@ -3,12 +3,14 @@ require 'rack/pact_broker/invalid_uri_protection'
3
3
  module Rack
4
4
  module PactBroker
5
5
  describe InvalidUriProtection do
6
+ let(:target_app) { ->(env){ [200, {}, []] } }
7
+ let(:app) { InvalidUriProtection.new(target_app) }
8
+ let(:path) { URI.encode("/foo") }
6
9
 
7
- let(:app) { InvalidUriProtection.new(->(env){ [200,{},[]] }) }
8
-
9
- subject { get "/badpath"; last_response }
10
+ subject { get(path) }
10
11
 
11
12
  context "with a URI that the Ruby default URI library cannot parse" do
13
+ let(:path) { "/badpath" }
12
14
 
13
15
  before do
14
16
  # Can't use or stub URI.parse because rack test uses it to execute the actual test
@@ -24,6 +26,24 @@ module Rack
24
26
  it "passes the request to the underlying app" do
25
27
  expect(subject.status).to eq 200
26
28
  end
29
+
30
+ context "when the URI contains a new line because someone forgot to strip the result of `git rev-parse HEAD`, and I have totally never done this before myself" do
31
+ let(:path) { URI.encode("/foo\n/bar") }
32
+
33
+ it "returns a 422" do
34
+ expect(subject.status).to eq 422
35
+ expect(subject.body).to include "new line"
36
+ end
37
+ end
38
+
39
+ context "when the URI contains a tab because sooner or later someone is eventually going to do this" do
40
+ let(:path) { URI.encode("/foo\t/bar") }
41
+
42
+ it "returns a 422" do
43
+ expect(subject.status).to eq 422
44
+ expect(subject.body).to include "tab"
45
+ end
46
+ end
27
47
  end
28
48
  end
29
49
  end
@@ -0,0 +1,49 @@
1
+ require 'rack/pact_broker/use_when'
2
+ require 'rack/test'
3
+
4
+ module Rack
5
+ module PactBroker
6
+ describe UseWhen do
7
+
8
+ using Rack::PactBroker::UseWhen
9
+ include Rack::Test::Methods
10
+
11
+ class TestMiddleware
12
+ def initialize(app, additional_headers)
13
+ @app = app
14
+ @additional_headers = additional_headers
15
+ end
16
+
17
+ def call(env)
18
+ status, headers, body = @app.call(env)
19
+ [status, headers.merge(@additional_headers), body]
20
+ end
21
+ end
22
+
23
+ let(:app) do
24
+ target_app = -> (env) { [200, {}, []] }
25
+ builder = Rack::Builder.new
26
+ condition = ->(env) { env['PATH_INFO'] == '/match' }
27
+ builder.use_when condition, TestMiddleware, { "Foo" => "Bar" }
28
+ builder.run target_app
29
+ builder.to_app
30
+ end
31
+
32
+ context "when the condition matches" do
33
+ subject { get '/match' }
34
+
35
+ it "uses the middleware" do
36
+ expect(subject.headers).to include "Foo" => "Bar"
37
+ end
38
+ end
39
+
40
+ context "when the condition does not match" do
41
+ subject { get '/no-match' }
42
+
43
+ it "does not use the middleware" do
44
+ expect(subject.headers.keys).to_not include "Foo"
45
+ end
46
+ end
47
+ end
48
+ end
49
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pact_broker
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.56.1
4
+ version: 2.57.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Bethany Skurrie
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2020-06-01 00:00:00.000000000 Z
13
+ date: 2020-06-15 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: httparty
@@ -137,6 +137,9 @@ dependencies:
137
137
  - - "~>"
138
138
  - !ruby/object:Gem::Version
139
139
  version: '2.2'
140
+ - - ">="
141
+ - !ruby/object:Gem::Version
142
+ version: 2.2.3
140
143
  type: :runtime
141
144
  prerelease: false
142
145
  version_requirements: !ruby/object:Gem::Requirement
@@ -144,6 +147,9 @@ dependencies:
144
147
  - - "~>"
145
148
  - !ruby/object:Gem::Version
146
149
  version: '2.2'
150
+ - - ">="
151
+ - !ruby/object:Gem::Version
152
+ version: 2.2.3
147
153
  - !ruby/object:Gem::Dependency
148
154
  name: redcarpet
149
155
  requirement: !ruby/object:Gem::Requirement
@@ -1177,6 +1183,7 @@ files:
1177
1183
  - lib/rack/pact_broker/reset_thread_data.rb
1178
1184
  - lib/rack/pact_broker/ui_authentication.rb
1179
1185
  - lib/rack/pact_broker/ui_request_filter.rb
1186
+ - lib/rack/pact_broker/use_when.rb
1180
1187
  - lib/webmachine/rack_adapter_monkey_patch.rb
1181
1188
  - pact_broker.gemspec
1182
1189
  - pact_broker_client-pact_broker.json
@@ -1529,6 +1536,7 @@ files:
1529
1536
  - spec/lib/rack/pact_broker/database_transaction_spec.rb
1530
1537
  - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
1531
1538
  - spec/lib/rack/pact_broker/request_target_spec.rb
1539
+ - spec/lib/rack/pact_broker/use_when_spec.rb
1532
1540
  - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
1533
1541
  - spec/migrations/20180201_create_head_matrix_spec.rb
1534
1542
  - spec/migrations/23_pact_versions_spec.rb
@@ -1911,6 +1919,7 @@ test_files:
1911
1919
  - spec/lib/rack/pact_broker/database_transaction_spec.rb
1912
1920
  - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
1913
1921
  - spec/lib/rack/pact_broker/request_target_spec.rb
1922
+ - spec/lib/rack/pact_broker/use_when_spec.rb
1914
1923
  - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
1915
1924
  - spec/migrations/20180201_create_head_matrix_spec.rb
1916
1925
  - spec/migrations/23_pact_versions_spec.rb