pact_broker 2.56.1 → 2.57.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/lib/pact_broker/api/renderers/html_pact_renderer.rb +1 -1
- data/lib/pact_broker/app.rb +11 -0
- data/lib/pact_broker/configuration.rb +15 -0
- data/lib/pact_broker/locale/en.yml +4 -0
- data/lib/pact_broker/version.rb +1 -1
- data/lib/rack/pact_broker/invalid_uri_protection.rb +25 -4
- data/lib/rack/pact_broker/use_when.rb +55 -0
- data/pact_broker.gemspec +1 -1
- data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb +23 -3
- data/spec/lib/rack/pact_broker/use_when_spec.rb +49 -0
- metadata +11 -2
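--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1de4cab3f4fb99ade4806255fb8e1ea1745429fdac8302154d092c99c36c7d76
+data.tar.gz: 910569291d130d66d73b3a557a983ba4563a70ae7d3c581ad9ebc770958ea56e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2df74e9cbdfa705a1221f4422fb9dc18e33106b25a68b9b2013f649e8d35ad015b344251d2aacd7e9b22d73d50435eb3cdc2e773843de0b49792859e5daa83c6
+data.tar.gz: 2f5255f3ba8292bd2df960db95c40b86196872c49f3080afb8cdb398dd96b22022bd6bd28ca73a221881322112fa9f9da6bf9d1b870dba6a59cd286bfb45fbeb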
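--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,19 @@
+<a name="v2.57.0"></a>
+### v2.57.0 (2020-06-16)
+
+
+#### Features
+
+* add Content Security Policy header ([fd2e81fb](/../../commit/fd2e81fb))
+
+
+#### Bug Fixes
+
+* upgrade Rack for vulnerability CVE-2020-8184 ([99b78b3c](/../../commit/99b78b3c))
+* fix Home link on pact page ([081d1586](/../../commit/081d1586))
+* return a 422 if the URL path contains a new line or tab ([db9f7f4d](/../../commit/db9f7f4d))
+
+
 <a name="v2.56.1"></a>
 ### v2.56.1 (2020-06-01)
 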
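--- a/data/lib/pact_broker/app.rb
+++ b/data/lib/pact_broker/app.rb
@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
 require 'rack/pact_broker/convert_404_to_hal'
 require 'rack/pact_broker/reset_thread_data'
 require 'rack/pact_broker/add_vary_header'
+require 'rack/pact_broker/use_when'
 require 'sucker_punch'
 
 module PactBroker
 
 class App
 include PactBroker::Logging
+using Rack::PactBroker::UseWhen
 
 attr_accessor :configuration
 
@@ -162,6 +164,15 @@ module PactBroker
 # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
 if configuration.use_rack_protection
 @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+
+is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
+not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
+
+@app_builder.use_when not_hal_browser,
+Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
+@app_builder.use_when is_hal_browser,
+Rack::Protection::ContentSecurityPolicy,
+configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
 end
 @app_builder.use Rack::PactBroker::InvalidUriProtection
 @app_builder.use Rack::PactBroker::ResetThreadData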
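Review bot: The path literal `'/hal-browser/browser.html'` is duplicated across `is_hal_browser` and `not_hal_browser` (new lines 168–169), so editing one lambda without the other would let a request match both conditions or neither, and the pair is meant to be exhaustive. Deriving one from the other removes that risk: keep `is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }` and write `not_hal_browser = ->(env) { !is_hal_browser.call(env) }`. Note also that both `use_when` calls sit inside `if configuration.use_rack_protection`, so an operator who turns off Rack::Protection also loses the Content-Security-Policy header; if that coupling is intended, a one-line comment saying so would stop it being read as an accident. The enclosing method starts before the hunk.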
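--- a/data/lib/pact_broker/configuration.rb
+++ b/data/lib/pact_broker/configuration.rb
@@ -43,6 +43,7 @@ module PactBroker
 attr_accessor :semver_formats
 attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
 attr_accessor :disable_ssl_verification
+attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
 attr_accessor :base_equality_only_on_content_that_affects_verification_results
 attr_reader :api_error_reporters
 attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
 config.webhook_http_method_whitelist = ['POST']
 config.webhook_scheme_whitelist = ['https']
 config.webhook_host_whitelist = []
+# TODO get rid of unsafe-inline
+config.content_security_policy = {
+script_src: "'self' 'unsafe-inline'",
+style_src: "'self' 'unsafe-inline'",
+img_src: "'self' data:",
+font_src: "'self' data:",
+base_uri: "'self'",
+frame_src: "'self'",
+frame_ancestors: "'self'"
+}
+config.hal_browser_content_security_policy_overrides = {
+script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
+frame_ancestors: "'self'"
+}
 config
 end
 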
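Review bot: `frame_ancestors: "'self'"` in `hal_browser_content_security_policy_overrides` (new line 106) is identical to the base policy's value on line 102, so under `Hash#merge` the override is a no-op yet reads as if the HAL browser needed something different; either drop it or add a comment explaining why it is restated. The base policy also never sets `default_src`, so directives it does not list (`connect_src`, `object_src`, `form_action`, …) fall back to whatever Rack::Protection::ContentSecurityPolicy supplies — I believe that is `'self'`, but pinning `default_src: "'self'",` here would make the fallback independent of the gem's defaults. With `'unsafe-inline'` in `script_src` the policy offers little against injected inline scripts, which the TODO on line 94 already acknowledges; it would help readers to say in that comment that the remaining directives (`frame_ancestors`, `base_uri`) are the ones doing real work until then. The enclosing method starts before the hunk.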
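--- a/data/lib/pact_broker/locale/en.yml
+++ b/data/lib/pact_broker/locale/en.yml
@@ -10,6 +10,7 @@ en:
 non_templated_host?: "cannot have a template parameter in the host"
 pacticipant_exists?: "does not match an existing pacticipant"
 
+
 pact_broker:
 messages:
 response_body_hidden: For security purposes, the response details are not logged. To enable response logging, configure the webhook_host_whitelist property. See %{base_url}/doc/webhooks#whitelist for more information.
@@ -53,6 +54,9 @@ en:
 $ curl -v -XPOST -H "Content-Type: application/json" -d "{\"name\": \"%{new_name}\"}" %{create_pacticipant_url}
 If the pact broker requires basic authentication, add '-u <username:password>' to the command.
 To disable this check, set `check_for_potential_duplicate_pacticipant_names` to false in the configuration.
+new_line_in_url_path: URL path cannot contain a new line character.
+tab_in_url_path: URL path cannot contain a tab character.
+
 "400":
 title: 400 Malformed Request
 message: The request was malformed and could not be processed.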
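--- a/data/lib/rack/pact_broker/invalid_uri_protection.rb
+++ b/data/lib/rack/pact_broker/invalid_uri_protection.rb
@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
 require 'uri'
+require 'pact_broker/messages'
+
 
 # This class is for https://github.com/pact-foundation/pact_broker/issues/101
 # curl -i "http://127.0.0.1:9292/<script>"
@@ -6,31 +10,48 @@ require 'uri'
 module Rack
 module PactBroker
 class InvalidUriProtection
+include ::PactBroker::Messages
 
 def initialize app
 @app = app
 end
 
 def call env
-if valid_uri?
-
+if (uri = valid_uri?(env))
+if (error_message = validate(uri))
+[422, {'Content-Type' => 'text/plain'}, [error_message]]
+else
+app.call(env)
+end
 else
 [404, {}, []]
 end
 end
 
+private
+
+attr_reader :app
+
 def valid_uri? env
 begin
 parse(::Rack::Request.new(env).url)
-true
 rescue URI::InvalidURIError, ArgumentError
-
+nil
 end
 end
 
 def parse uri
 URI.parse(uri)
 end
+
+def validate(uri)
+decoded_path = URI.decode(uri.path)
+if decoded_path.include?("\n")
+message('errors.new_line_in_url_path')
+elsif decoded_path.include?("\t")
+message('errors.tab_in_url_path')
+end
+end
 end
 end
 end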
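Review bot: `URI.decode` on new line 48 is obsolete — it emits a deprecation warning on Ruby 2.7 and no longer exists on Ruby 3.0 — so this new 422 check will raise `NoMethodError` (and the middleware will fail open or closed depending on how the host rescues) on the next Ruby upgrade; `URI::DEFAULT_PARSER.unescape(uri.path)` performs the same percent-decoding without the deprecation, and the same applies to `URI.encode` in the updated spec. The check also looks only at `uri.path` and only for `\n` and `\t`; a carriage return is the control character usually paired with a newline, so `if decoded_path.match?(/[\r\n]/)` (with the existing new-line message) would be a cheap widening, and whether the query string needs the same treatment is worth deciding explicitly in a comment. Separately, `valid_uri?` now returns a `URI` or `nil` rather than a boolean, so a name such as `parse_uri` would match Ruby's `?`-predicate convention and make `if (uri = valid_uri?(env))` read naturally.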
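--- a/data/lib/rack/pact_broker/use_when.rb
+++ b/data/lib/rack/pact_broker/use_when.rb
@@ -0,0 +1,55 @@
+=begin
+
+Conditionally use Rack Middleware.
+
+Usage:
+
+condition_proc = ->(env) { env['PATH_INFO'] == '/match' }
+use_when condition_proc, SomeMiddleware, options
+
+I feel sure there must be something like this officially supported somewhere, but I can't find it.
+
+=end
+
+module Rack
+module PactBroker
+module UseWhen
+class ConditionallyUseMiddleware
+def initialize(app, condition_proc, middleware, *args, &block)
+@app_without_middleware = app
+@condition_proc = condition_proc
+@middleware = middleware
+@args = args
+@block = block
+end
+
+def call(env)
+if condition_proc.call(env)
+app_with_middleware.call(env)
+else
+app_without_middleware.call(env)
+end
+end
+
+private
+
+attr_reader :app_without_middleware, :condition_proc, :middleware, :args, :block
+
+def app_with_middleware
+@app_with_middleware ||= begin
+rack_builder = ::Rack::Builder.new
+rack_builder.use middleware, *args, &block
+rack_builder.run app_without_middleware
+rack_builder.to_app
+end
+end
+end
+
+refine Rack::Builder do
+def use_when(condition_proc, middleware, *args, &block)
+use(ConditionallyUseMiddleware, condition_proc, middleware, *args, &block)
+end
+end
+end
+end
+end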
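Review bot: `app_with_middleware` (new lines 38–45) builds the wrapped stack lazily on the first request whose condition matches, so a middleware whose constructor rejects its arguments only fails at that first matching request instead of when the application is assembled; building the `Rack::Builder` stack in `initialize` and storing the result would surface such errors at boot, where they are far easier to notice. The `||=` memoisation is also unsynchronised, so under a threaded server two concurrent first requests may each build a stack — harmless here because the result is equivalent, but worth stating in a comment so nobody later adds state to it. The `=begin`/`=end` usage block is fine as file-level prose, but `use_when` itself carries no doc; a YARD line such as `# @param condition_proc [#call] receives the Rack env; the middleware is applied only when it returns truthy` would make the contract visible at the call site.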
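--- a/data/pact_broker.gemspec
+++ b/data/pact_broker.gemspec
@@ -51,7 +51,7 @@ Gem::Specification.new do |gem|
 gem.add_runtime_dependency 'sequel', '~> 5.28'
 gem.add_runtime_dependency 'webmachine', '1.5.0'
 gem.add_runtime_dependency 'semver2', '~> 3.4.2'
-gem.add_runtime_dependency 'rack', '~> 2.2'
+gem.add_runtime_dependency 'rack', '~> 2.2', '>= 2.2.3'
 gem.add_runtime_dependency 'redcarpet', '>=3.3.2', '~>3.3'
 gem.add_runtime_dependency 'pact-support', '~> 1.14', '>= 1.14.1'
 gem.add_runtime_dependency 'padrino-core', '>= 0.14.3', '~> 0.14'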
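--- a/data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
+++ b/data/spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
@@ -3,12 +3,14 @@ require 'rack/pact_broker/invalid_uri_protection'
 module Rack
 module PactBroker
 describe InvalidUriProtection do
+let(:target_app) { ->(env){ [200, {}, []] } }
+let(:app) { InvalidUriProtection.new(target_app) }
+let(:path) { URI.encode("/foo") }
 
-
-
-subject { get "/badpath"; last_response }
+subject { get(path) }
 
 context "with a URI that the Ruby default URI library cannot parse" do
+let(:path) { "/badpath" }
 
 before do
 # Can't use or stub URI.parse because rack test uses it to execute the actual test
@@ -24,6 +26,24 @@ module Rack
 it "passes the request to the underlying app" do
 expect(subject.status).to eq 200
 end
+
+context "when the URI contains a new line because someone forgot to strip the result of `git rev-parse HEAD`, and I have totally never done this before myself" do
+let(:path) { URI.encode("/foo\n/bar") }
+
+it "returns a 422" do
+expect(subject.status).to eq 422
+expect(subject.body).to include "new line"
+end
+end
+
+context "when the URI contains a tab because sooner or later someone is eventually going to do this" do
+let(:path) { URI.encode("/foo\t/bar") }
+
+it "returns a 422" do
+expect(subject.status).to eq 422
+expect(subject.body).to include "tab"
+end
+end
 end
 end
 end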
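--- a/data/spec/lib/rack/pact_broker/use_when_spec.rb
+++ b/data/spec/lib/rack/pact_broker/use_when_spec.rb
@@ -0,0 +1,49 @@
+require 'rack/pact_broker/use_when'
+require 'rack/test'
+
+module Rack
+module PactBroker
+describe UseWhen do
+
+using Rack::PactBroker::UseWhen
+include Rack::Test::Methods
+
+class TestMiddleware
+def initialize(app, additional_headers)
+@app = app
+@additional_headers = additional_headers
+end
+
+def call(env)
+status, headers, body = @app.call(env)
+[status, headers.merge(@additional_headers), body]
+end
+end
+
+let(:app) do
+target_app = -> (env) { [200, {}, []] }
+builder = Rack::Builder.new
+condition = ->(env) { env['PATH_INFO'] == '/match' }
+builder.use_when condition, TestMiddleware, { "Foo" => "Bar" }
+builder.run target_app
+builder.to_app
+end
+
+context "when the condition matches" do
+subject { get '/match' }
+
+it "uses the middleware" do
+expect(subject.headers).to include "Foo" => "Bar"
+end
+end
+
+context "when the condition does not match" do
+subject { get '/no-match' }
+
+it "does not use the middleware" do
+expect(subject.headers.keys).to_not include "Foo"
+end
+end
+end
+end
+end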
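Review bot: `class TestMiddleware` on new lines 11–21 is declared with the `class` keyword inside the `describe` block, and blocks do not open a new constant scope, so it is defined in the lexically enclosing `Rack::PactBroker` module and becomes a permanent `Rack::PactBroker::TestMiddleware` constant visible to every other example group in the suite. Building it as an anonymous class keeps it local to this file: `let(:test_middleware) { Class.new { … } }` and `builder.use_when condition, test_middleware, { "Foo" => "Bar" }`, or `stub_const('TestMiddleware', Class.new { … })` if the constant name is wanted. The two assertions themselves cover both branches of `ConditionallyUseMiddleware#call` and look right.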
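--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pact_broker
 version: !ruby/object:Gem::Version
-version: 2.
+version: 2.57.0
 platform: ruby
 authors:
 - Bethany Skurrie
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-06-
+date: 2020-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: httparty
@@ -137,6 +137,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '2.2'
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.2.3
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -144,6 +147,9 @@ dependencies:
 - - "~>"
 - !ruby/object:Gem::Version
 version: '2.2'
+- - ">="
+- !ruby/object:Gem::Version
+version: 2.2.3
 - !ruby/object:Gem::Dependency
 name: redcarpet
 requirement: !ruby/object:Gem::Requirement
@@ -1177,6 +1183,7 @@ files:
 - lib/rack/pact_broker/reset_thread_data.rb
 - lib/rack/pact_broker/ui_authentication.rb
 - lib/rack/pact_broker/ui_request_filter.rb
+- lib/rack/pact_broker/use_when.rb
 - lib/webmachine/rack_adapter_monkey_patch.rb
 - pact_broker.gemspec
 - pact_broker_client-pact_broker.json
@@ -1529,6 +1536,7 @@ files:
 - spec/lib/rack/pact_broker/database_transaction_spec.rb
 - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
 - spec/lib/rack/pact_broker/request_target_spec.rb
+- spec/lib/rack/pact_broker/use_when_spec.rb
 - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
 - spec/migrations/20180201_create_head_matrix_spec.rb
 - spec/migrations/23_pact_versions_spec.rb
@@ -1911,6 +1919,7 @@ test_files:
 - spec/lib/rack/pact_broker/database_transaction_spec.rb
 - spec/lib/rack/pact_broker/invalid_uri_protection_spec.rb
 - spec/lib/rack/pact_broker/request_target_spec.rb
+- spec/lib/rack/pact_broker/use_when_spec.rb
 - spec/lib/webmachine/rack_adapter_monkey_patch_spec.rb
 - spec/migrations/20180201_create_head_matrix_spec.rb
 - spec/migrations/23_pact_versions_spec.rb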