plezi 0.10.16 → 0.10.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9ba53dc3edc704550c8afdc060088aed2cd9db01
-  data.tar.gz: 7aa792d205aabce90e999f1c5637a882c40de10a
+  metadata.gz: c509d0a1c5c9aa5fec5827c0f7b6a27dbf143840
+  data.tar.gz: c1cef78d006408e83140295a0a392553ee8b1521
 SHA512:
-  metadata.gz: 667725a7647a0c49e81991e0d164c3729c639ecbd37e56de37cb0131ed91cf059039e2b9eba121bef365b23e89e8b0dcca57b7bcdc0b75fa547bb3949fd29161
-  data.tar.gz: 44a1bb1546727e1e96fecfbe3e65607dcd0f9093ac4f1fb8a9161d33a119f23c739f93f9ea761abfe1536f4763a96518117b912c19de9382f6e7a6d4bbd598e9
+  metadata.gz: edfc62fc655f782518bc355b0fd83b6784e141b445867f4307c948b8d92dd79d5d20dbb7b843143cc4e45f4cf0a9a1867b7a9df433e952c57b117644a6c2453c
+  data.tar.gz: 46af810bb76558461e3933645e9e6064109228257e57aea3f09063425a3676fcf61a06d5cb96b6849aed99376f56dc29f14f794ae628b981a98d2d0e7eb774e6

data/CHANGELOG.md

@@ -2,6 +2,16 @@
 
 ***
 
+Change log v.0.10.17
+
+**Update**: Requires a newer version of the GRHttp server and GReactor, building on it's WSClient and HTTP decoding improvements.
+
+**Security**: Redis connection broadcasting now enforces `safe_load`, so that even id the Redis server and it's data are compromized, it should not lead to foreign code execution. Please note that this will enforce limits on session data as well as on websocket broadcasting.
+
+**Sessions**: Sessions are now avoided unless explicitly created or unless a websocket connection is established. The reason being that unless Redis is defined, sessions are stored in-memory and end up requiring a lot of space. File storage might be considered for future releases.
+
+***
+
 Change log v.0.10.16
 
 **Fix**: Requires a newer version of the GRHttp server, which fixs an issue with Firefox's websocket implementation. 

data/lib/plezi/common/dsl.rb

@@ -95,7 +95,7 @@ unless defined? PLEZI_NON_DSL
 	$PL_ARGV = $*.dup
 
 	# sets up a generic session-token name based on the script name
-	GRHttp.session_token = "#{($0).split(/[\\\/]/).last.split(/[\s]+/).first}_uuid"
+	GRHttp.session_token = "#{($0).split(/[\\\/]/).last.split(/[\s\.]+/).first}_uuid"
 	# restarts the Plezi app with the same arguments as when it was started.
 	#
 	# EXPERIMENTAL

data/lib/plezi/common/redis.rb

@@ -1,6 +1,53 @@
 
 module Plezi
 
+	module Base
+		module AutoRedis
+			@redis_locker ||= Mutex.new
+			@redis = @redis_sub_thread = nil
+			module_function
+			def inner_init_redis
+				return false unless ENV['PL_REDIS_URL'] && defined?(::Redis)
+				@redis_locker.synchronize do
+					return @redis if (@redis_sub_thread && @redis_sub_thread.alive?) && @redis # repeat the test once syncing is done.
+					@redis_uri ||= URI.parse(ENV['PL_REDIS_URL'])
+					@redis.quit if @redis
+					@redis = ::Redis.new(host: @redis_uri.host, port: @redis_uri.port, password: @redis_uri.password)
+					raise "Redis connction failed for: #{ENV['PL_REDIS_URL']}" unless @redis
+					@redis_sub_thread = Thread.new do
+						begin
+							safe_types = [Symbol, Date, Time, Encoding, Struct, Regexp, Range, Set]
+							::Redis.new(host: @redis_uri.host, port: @redis_uri.port, password: @redis_uri.password).subscribe(Plezi::Settings.redis_channel_name, Plezi::Settings.uuid) do |on|
+								on.message do |channel, msg|
+									begin
+										data = YAML.safe_load(msg, safe_types)
+										next if data[:server] == Plezi::Settings.uuid
+										data[:type] = Object.const_get(data[:type]) unless data[:type].nil? || data[:type] == :all
+										if data[:target]
+											GRHttp::Base::WSHandler.unicast data[:target], data
+										else
+											GRHttp::Base::WSHandler.broadcast data
+										end
+									rescue => e
+										GReactor.error e
+									end
+								end
+							end
+						rescue => e
+							GReactor.error e
+							retry
+						end
+					end
+					@redis
+				end
+			end
+			def get_redis
+				return @redis if (@redis_sub_thread && @redis_sub_thread.alive?) && @redis
+				inner_init_redis
+			end
+		end
+	end
+
 	module_function
 
 	# Reviews the Redis connection, sets it up if it's missing and returns the Redis connection.
@@ -10,41 +57,16 @@ module Plezi
 	#      ENV['PL_REDIS_URL'] = ENV['REDISCLOUD_URL']`
 	# or
 	#      ENV['PL_REDIS_URL'] = "redis://username:password@my.host:6379"
+	#
+	# Accepts an optional block that will receive the Redis connection object. i.e.
+	#
+	#      Plezi.redis {|r| r.connected? }
+	#
+	# Returns the Redis object or the block's returned value (if a block is provided).
 	def redis
-		return @redis if (@redis_sub_thread && @redis_sub_thread.alive?) && @redis
-		return false unless defined?(Redis) && ENV['PL_REDIS_URL']
-		@redis_locker ||= Mutex.new
-		@redis_locker.synchronize do
-			return @redis if (@redis_sub_thread && @redis_sub_thread.alive?) && @redis # repeat the test once syncing is done.
-			@redis_uri ||= URI.parse(ENV['PL_REDIS_URL'])
-			@redis ||= Redis.new(host: @redis_uri.host, port: @redis_uri.port, password: @redis_uri.password)
-			raise "Redis connction failed for: #{ENV['PL_REDIS_URL']}" unless @redis
-			@redis_sub_thread = Thread.new do
-				begin
-				Redis.new(host: @redis_uri.host, port: @redis_uri.port, password: @redis_uri.password).subscribe(Plezi::Settings.redis_channel_name, Plezi::Settings.uuid) do |on|
-						on.message do |channel, msg|
-							begin
-								data = YAML.load(msg)
-								next if data[:server] == Plezi::Settings.uuid
-								if data[:target]
-									GRHttp::Base::WSHandler.unicast data[:target], data
-								else
-									GRHttp::Base::WSHandler.broadcast data
-								end
-							rescue => e
-								Reactor.error e
-							end
-						end
-					end
-				rescue => e
-					Reactor.error e
-					retry
-				end
-			end
+		if r = Plezi::Base::AutoRedis.get_redis
+			return (block_given? ? yield(r) : r)
 		end
-		@redis
-	rescue => e
-		Reactor.error e
 		false
 	end
 	alias :redis_connection :redis

data/lib/plezi/handlers/controller_core.rb

@@ -19,7 +19,6 @@ module Plezi
 					@host_params = request.io[:params]
 					@response = response
 					@cookies = request.cookies
-					@session = response.session
 					# # \@response["content-type"] ||= ::Plezi.default_content_type
 					super()
 				end
@@ -38,6 +37,8 @@ module Plezi
 					return false if (defined?(super) && !super)
 					# finish if the response was sent
 					return false if response.headers_sent?
+					# make sure that the session object is available for websocket connections
+					response.session
 					# complete handshake
 					return self
 				end

data/lib/plezi/handlers/controller_magic.rb

@@ -34,8 +34,14 @@ module Plezi
 			# Cookies and some other data must be set BEFORE the response's headers are sent.
 			attr_reader :cookies
 
-			# Session data can be stored here (for now, session data doesn't scale - coming soon).
-			attr_reader :session
+			# Session data can be stored here (session data will be stored on the Redis server, if Redis is available).
+			#
+			# The first time this method is called, the session object will be created. The session object must be created BEFORE the headers are set , if it is to be used.
+			#
+			# Sessions are not automatically created, because they are memory hogs. The one exception is the Websocket connection that will force a session object into existence.
+			def session
+				response.session
+			end
 
 			# the HTTPResponse **OR** the WSResponse object that formats the response and sends it. use `response << data`. This object can be used to send partial data (such as headers, or partial html content) in blocking mode as well as sending data in the default non-blocking mode.
 			attr_reader :response

data/lib/plezi/handlers/route.rb

@@ -112,7 +112,7 @@ module Plezi
 				param_name = param_name[1].to_sym if param_name
 
 				if param_name && dest[param_name]
-					url << GRHttp::HTTP.encode(dest.delete(param_name).to_s, :url)
+					url << GRHttp::HTTP.encode_url(dest.delete(param_name))
 					url << '/' 
 				elsif !param_name
 					url << sec
@@ -125,7 +125,7 @@ module Plezi
 			end
 			unless dest.empty?
 				add = '?'
-				dest.each {|k, v| url << "#{add}#{GRHttp::HTTP.encode(k.to_s, :url)}=#{GRHttp::HTTP.encode(v.to_s, :url)}"; add = '&'}
+				dest.each {|k, v| url << "#{add}#{GRHttp::HTTP.encode_url k}=#{GRHttp::HTTP.encode_url v}"; add = '&'}
 			end
 			url
 

data/lib/plezi/handlers/session.rb

@@ -4,6 +4,7 @@ module Plezi
 			module_function
 			# returns a session object
 			def fetch id
+				return Plezi::Session.new(id) if Plezi.redis # avoid a local cache if Redis is used.
 				@session_cache[id] || (@session_cache[id] = Plezi::Session.new(id))
 			end
 			@session_cache = {}
@@ -20,7 +21,7 @@ module Plezi
 		# called by the Plezi framework to initiate a session with the id requested
 		def initialize id
 			@id = id
-			if (conn=Plezi.redis)
+			if id && (conn=Plezi.redis)
 				@data=conn.hgetall(id)
 			end
 			@data ||= {}

data/lib/plezi/handlers/ws_object.rb

@@ -193,6 +193,8 @@ module Plezi
 
 				def __inner_redis_broadcast data
 					return unless conn = Plezi.redis
+					data = data.dup
+					data[:type] = data[:type].name if data[:type]
 					data[:server] = Plezi::Settings.uuid
 					return conn.publish( ( data[:to_server] ? data[:to_server] : Plezi::Settings.redis_channel_name ), data.to_yaml ) if conn
 					false

data/lib/plezi/oauth/auth_controller.rb

@@ -74,7 +74,7 @@ module Plezi
 		#
 		# defaults to the example above, which isn't a very sercure behavior, but allows for easy testing.
 		def self.auth_callback &block
-			block_given? ? (@@auth_callback = block) : ( @@auth_callback ||= (Proc.new {|service, service_token, id, email, res| Plezi.info "deafult callback called for #{service}, with response: #{res.to_s}";  cookies["#{service}_pl_auth_token".to_sym], cookies["#{service}_user_id".to_sym], cookies["#{service}_user_email".to_sym] = service_token, id, email}) )
+			block_given? ? (@@auth_callback = block) : ( @@auth_callback ||= (Proc.new {|service, service_token, id, email, res| Plezi.info "deafult callback called for #{service}, with response: #{res.to_s}";  session["#{service}_pl_auth_token"], session["#{service}_user_id"], session["#{service}_user_email"] = service_token, id, email}) )
 		end
 
 

data/lib/plezi/version.rb

@@ -1,3 +1,3 @@
 module Plezi
-    VERSION = "0.10.16"
+    VERSION = "0.10.17"
 end

data/plezi.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "grhttp", "~> 0.0.21"
+  spec.add_dependency "grhttp", "~> 0.0.23"
   spec.add_development_dependency "bundler", "~> 1.7"
   spec.add_development_dependency "rake", "~> 10.0"
 

data/resources/mini_app.rb

@@ -5,7 +5,7 @@
 	require 'pathname'
 	## Set up root object, it might be used by the environment and\or the plezi extension gems.
 	Root ||= Pathname.new(File.dirname(__FILE__)).expand_path
-	## Set a persistant session token id name
+	## Set a persistent session token id name
 	GRHttp.session_token = 'appname_uui'
 	## make sure all file access and file loading is relative to the application's root folder
 	# Dir.chdir Root.to_s

data/resources/mini_welcome_page.html

@@ -2,7 +2,8 @@
 <head>
 <title>appname - Feed Me!</title>
 <meta content="width=device-width, initial-scale=1, maximum-scale=2.0, user-scalable=yes, minimal-ui=yes" name="viewport">
-<link href='http://fonts.googleapis.com/css?family=Shadows+Into+Light|Architects+Daughter' rel='stylesheet' type='text/css'>
+<link href='https://fonts.googleapis.com/css?family=Shadows+Into+Light|Architects+Daughter' rel='stylesheet' type='text/css'>
+<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
 <style type="text/css">
 /*
 med-blue: #44518E
@@ -185,6 +186,7 @@ var websocket_fail_count = 0
 
 function init_websocket()
 {
+    if(websocket && websocket.readyState == 1) return true; // console.log('no need to renew socket connection');
     websocket = new WebSocket(ws_uri);
     websocket.onopen = function(e) {
         //restart fail count

data/resources/websockets.js

@@ -14,6 +14,7 @@ var websocket_fail_limit = NaN
 
 function init_websocket()
 {
+	if(websocket && websocket.readyState == 1) return true; // console.log('no need to renew socket connection');
 	websocket = new WebSocket(ws_uri);
 	websocket.onopen = function(e) {
 		// reset the count.

data/resources/welcome_page.html

@@ -2,7 +2,8 @@
 <head>
 <title>appname - Feed Me!</title>
 <meta content="width=device-width, initial-scale=1, maximum-scale=2.0, user-scalable=yes, minimal-ui=yes" name="viewport">
-<link href='http://fonts.googleapis.com/css?family=Shadows+Into+Light|Architects+Daughter' rel='stylesheet' type='text/css'>
+<link href='https://fonts.googleapis.com/css?family=Shadows+Into+Light|Architects+Daughter' rel='stylesheet' type='text/css'>
+<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
 <style type="text/css">
 /*
 med-blue: #44518E
@@ -185,6 +186,7 @@ var websocket_fail_count = 0
 
 function init_websocket()
 {
+    if(websocket && websocket.readyState == 1) return true; // console.log('no need to renew socket connection');
     websocket = new WebSocket(ws_uri);
     websocket.onopen = function(e) {
         //restart fail count

data/test/console

@@ -1,11 +1,10 @@
 #!/usr/bin/env ruby
 # encoding: UTF-8
 
-Dir.chdir '/Users/2Be/Ruby/plezi/plezi/'
-
 require 'benchmark'
-require "bundler/setup"
+$LOAD_PATH.unshift File.expand_path(File.join('..', '..', 'lib'), __FILE__ )
 require "plezi"
+require "bundler/setup"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: plezi
 version: !ruby/object:Gem::Version
-  version: 0.10.16
+  version: 0.10.17
 platform: ruby
 authors:
 - Boaz Segev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-31 00:00:00.000000000 Z
+date: 2015-08-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: grhttp
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.21
+        version: 0.0.23
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.0.21
+        version: 0.0.23
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement