rack-utf8_sanitizer 1.10.1 → 1.11.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82e811bd6d8b84490a60a5bb33ed291fadcfb7311648081083b61ebf860b1e0a
-  data.tar.gz: cbe49d5c3c9d7333053881defc88facc7a5120e4b6b26a66b8c025dcfdd6b264
+  metadata.gz: 14d5b3232eb52814e46f5960b435851d0b0a6bdd6d18cfb1220adc08c5ecdb1e
+  data.tar.gz: 40d9329c056a74dd0328ac7af2fa4183799cb451cd1795630f6754f24718324a
 SHA512:
-  metadata.gz: d1ca5bc38275c76c39d3fec9ada79b3472ba4bf03c28126961676584407de2f6f910f45eea2f4c96c33b533615313a529f562218473f15d7cb51d22cf61d3dd9
-  data.tar.gz: 1d224db1938b544b0f3053d14ce269fba82c89973b5ac142ad7233168967eeb8f0784e7c9710e4e30b66d807f4c164f92cf81dd79bbc14eca3bfd941ada8585b
+  metadata.gz: 11ffb7389bcbe67ef49ce1d29829de920d72c44799c623924dd0b93e578d89414de07bb4ef315d50d13e5463825b1d4727f999c10faafb1d507e52875caa09be
+  data.tar.gz: 4b9115c9909dc1cfd8378451f0974808f5d834bd7daaaca012d04413e48ed80cc5f8bcb10f6307300b982cf5f56080dafada5963126b5563df18ff83772dcfd8

data/.github/workflows/ci.yml

@@ -5,15 +5,32 @@ on: [push, pull_request]
 jobs:
   test:
 
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
 
     strategy:
       fail-fast: false
       matrix:
-        ruby: ["2.5", "2.6", "2.7", "3.0", "3.1", "3.2", "3.3", ruby-head, jruby-9.2, jruby-9.3, jruby-head]
+        os: [ubuntu-latest]
+        ruby:
+          - 2.5
+          - 2.6
+          - 2.7
+          - "3.0"
+          - 3.1
+          - 3.2
+          - 3.3
+          - 3.4
+          - ruby-head
+          - jruby-9.3
+          - jruby-9.4
+          - jruby-10.0
+          - jruby-head
+        include:
+          - os: ubuntu-22.04
+            ruby: jruby-9.2
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v6
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md

@@ -1,7 +1,119 @@
 Changelog
 =========
 
-Master
+v1.11.0 (2025-12-04)
+-------------------------
+
+Bugs fixed:
+
+  * Return HTTP 400 when Content-Length is too large (Benjamin Quorning, #103)
+
+v1.10.1 (2025-01-10)
+-------------------------
+
+Bugs fixed:
+
+  * Fix `URI::RFC2396_PARSER` issue with older Rubies (Tekin Süleyman, #94)
+
+
+v1.10.0 (2025-01-08)
+-------------------------
+
+Changes:
+
+  * Require Ruby 2.3.0+.  (Jean Boussier, #80)
+
+Bugs fixed:
+
+  * Skip sanitizing the request body if the charset is non-utf-8 (#84)
+  * Don't use a mutable constant as Rack response (Jean Boussier, #86)
+
+Chores:
+
+  * Add the `frozen_string_literal` header (Benjamin Quorning, #90)
+  * Avoid deprecation warming by switching from `URI::DEFAULT_PARSER` to `URI::RFC2396_PARSER` (Roman Gaufman, #92)
+
+Performance:
+
+  * Use Content-Length to read the request body if available (Jean Boussier, #80)
+  * Avoid 2nd degree polynomial regexp for sanitizing content type (Jean Boussier, #82)
+  * Use `Regexp#match?` over `String#=~` when testing for null bytes (Geoff Harcourt, #85)
+
+v1.9.1 (2023-08-31)
+-------------------------
+
+Bugs fixed:
+
+  * Fix null byte sanitisation (Szymon Madeja, #78)
+
+v1.9.0 (2023-07-06)
+-------------------------
+
+  * Optionally sanitize null bytes (James Coleman, #75)
+  * CI: add Ruby 3.2 (Peter Goldstein, #71)
+
+v1.8.0 (2022-10-25)
+-------------------------
+
+Bugs fixed:
+
+  * Handle EOFError (Kir Shatrov, #57)
+
+Features implemented:
+
+  * Allow Rack version 3 (Alexander Popov, #66)
+  * Various CI chores (Olle Jonsson)
+  * Move to GitHub Actions, configure Dependabot (Peter Goldstein, #62, #64)
+
+v1.7.0 (2020-05-05)
+-------------------------
+
+  * Resolve Ruby warnings about `URI.escape` (Alexander Popov, #53)
+  * README: better reflect that this also can sanitize text bodies (Zach McCormick, #47)
+  * Update documentation on exception strategy handler (Josh Frankel, #52)
+
+v1.6.0 (2018-06-06)
+-------------------------
+
+Bugs fixed:
+
+  * Add sanitation of cookie header (John Hager, #45)
+
+v1.5.0 (2018-02-16)
+-------------------------
+
+Bugs fixed:
+
+  * Sanitize `nil` in `sanitize_uri_encoded_string` (David Čepelík, #44)
+
+Features implemented:
+
+  * Add `:only` and `:except` options (John Hager, #43)
+  * Add strategies to rack-utf8_sanitizer (John Hager, #41)
+
+    ```rb
+    # Example usage in Rails config/application.rb:
+    config.middleware.insert(0, Rack::UTF8Sanitizer, strategy: :exception)
+    ```
+
+v1.4.0 (2016-03-07)
+-------------------------
+
+Performance:
+
+  * Use more performant `%char` decoding `.hex.chr` (Martin Emde, #36)
+  * Make `HTTP_` a constant to avoid creating the string every loop (Martin Emde, #35)
+
+Features implemented:
+
+  * Add SERVER_NAME to list of sanitization (Denis Lysenko, 9644371)
+
+Chores:
+
+  * Add license to gemspec (Robert Reiz, #38)
+
+
+v1.3.2 (2015-12-23)
 -------------------------
 
 API modifications:
@@ -10,6 +122,9 @@ Features implemented:
 
 Bugs fixed:
 
+  * Strip UTF-8 Byte Order Mark from the request body (Jean Boussier, #29)
+  * Add options to #initialize to allow configurable sanitizable content types (Shelby Switzer, #30)
+
 v1.3.1 (2015-07-09)
 -------------------------
 

data/README.md

@@ -52,11 +52,15 @@ The default content types to be sanitized are 'text/plain', 'application/x-www-f
 
 To add sanitizable content types to the list of defaults, pass the `additional_content_types` options when using Rack::UTF8Sanitizer, e.g.
 
-    config.middleware.insert 0, Rack::UTF8Sanitizer, additional_content_types: ['application/vnd.api+json']
+``` ruby
+config.middleware.insert 0, Rack::UTF8Sanitizer, additional_content_types: ['application/vnd.api+json']
+```
 
 To explicitly set sanitizable content types and override the defaults, use the `sanitizable_content_types` option:
 
-    config.middleware.insert 0, Rack::UTF8Sanitizer, sanitizable_content_types: ['application/vnd.api+json']
+``` ruby
+config.middleware.insert 0, Rack::UTF8Sanitizer, sanitizable_content_types: ['application/vnd.api+json']
+```
 
 ### Whitelist/Blacklist Rack Env Keys
 

data/lib/rack/utf8_sanitizer.rb

@@ -10,6 +10,7 @@ module Rack
     StringIO = ::StringIO
     NULL_BYTE_REGEX = /\x00/.freeze
 
+    class InvalidStream < IOError; end
     class NullByteInString < StandardError; end
 
     # options[:sanitizable_content_types] Array
@@ -27,7 +28,7 @@ module Rack
     def call(env)
       begin
         env = sanitize(env)
-      rescue EOFError
+      rescue EOFError, InvalidStream
         return [400, { "Content-Type" => "text/plain" }, ["Bad Request"]]
       end
       @app.call(env)
@@ -174,6 +175,7 @@ module Rack
       else
         io.read
       end
+      raise InvalidStream if input.nil?
       sanitized_input = sanitize_string(strip_byte_order_mark(input))
       if uri_encoded
         sanitized_input = sanitize_uri_encoded_string(sanitized_input).

data/rack-utf8_sanitizer.gemspec

@@ -3,7 +3,7 @@
 
 Gem::Specification.new do |gem|
   gem.name          = "rack-utf8_sanitizer"
-  gem.version       = '1.10.1'
+  gem.version       = '1.11.1'
   gem.authors       = ["Catherine"]
   gem.license       = "MIT"
   gem.email         = ["whitequark@whitequark.org"]

data/test/test_utf8_sanitizer.rb

@@ -245,6 +245,12 @@ describe Rack::UTF8Sanitizer do
       response_env[1]["Set-Cookie"].should == nil
     end
 
+    it "returns HTTP 400 if CONTENT_LENGTH is larger than actual length of rack.input" do
+      @rack_input = StringIO.new("")
+      response_env = @app.(request_env.merge("CONTENT_LENGTH" => (@rack_input.length + 1).to_s))
+      response_env.should == [400, {"Content-Type"=>"text/plain"}, ["Bad Request"]]
+    end
+
     it "sanitizes StringIO rack.input" do
       input = "foo=bla&quux=bar"
       @rack_input = StringIO.new input

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-utf8_sanitizer
 version: !ruby/object:Gem::Version
-  version: 1.10.1
+  version: 1.11.1
 platform: ruby
 authors:
 - Catherine
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-01-10 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -84,7 +83,6 @@ files:
 - ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -97,7 +95,6 @@ homepage: https://github.com/whitequark/rack-utf8_sanitizer
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -112,8 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.15
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters
   in request URI and headers.

data/.travis.yml

@@ -1,14 +0,0 @@
-language: ruby
-
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-  - 2.6
-  - 2.7
-  - 3.0
-  - 3.1
-  - jruby
-
-before_install:
-  - gem install bundler