roda 3.44.0 → 3.45.0
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/README.rdoc +11 -13
- data/doc/release_notes/3.45.0.txt +22 -0
- data/lib/roda/plugins/assets.rb +16 -0
- data/lib/roda/plugins/typecast_params.rb +28 -1
- data/lib/roda/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 5dbdf55425a681a0cb32fa0b4a44cd50bf5be6f85c78c1ea1adbdd19e28c2d61
|
4
|
+
data.tar.gz: e91ee695e5f8648f4269a2c229b794ef2ee921f4291102519d4ca2cadd9bf13a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: aa46429e09091c3cf0112c251a9863845c69d4245674dcaddaec030244213d8b9ac1aae96cfa6093680c33f87c732ee4464e4cbe2572d192eb0a9f7e09acd43b
|
7
|
+
data.tar.gz: 57cf84f7db6e6334918f0c01f7308c4c48db7e0ba9f2a14fe87420c3b2bd17471a229ec02a2ad9242ec6fd4aa67848f6dff04b319fea361a985dd264b52252ab
|
data/CHANGELOG
CHANGED
@@ -1,3 +1,7 @@
|
|
1
|
+
= 3.45.0 (2021-06-14)
|
2
|
+
|
3
|
+
* Make typecast_params plugin check for null bytes in strings by default, with :allow_null_bytes option for previous behavior (jeremyevans)
|
4
|
+
|
1
5
|
= 3.44.0 (2021-05-12)
|
2
6
|
|
3
7
|
* Add optimized_segment_matchers plugin for optimized matchers for a single String class argument (jeremyevans)
|
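Review bot: the 3.45.0 entry names the :allow_null_bytes opt-out but not the exemption for uploaded files that the release notes call out; since uploaded files are the one input class expected to contain null bytes, a short clause such as "uploaded files are not checked" here would save readers a trip to doc/release_notes/3.45.0.txt.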
data/README.rdoc
CHANGED
@@ -965,19 +965,17 @@ option. If you really want to turn path checking off, you can do so via the
|
|
965
965
|
Roda does not ship with integrated support for code reloading, but there are rack-based
|
966
966
|
reloaders that will work with Roda apps.
|
967
967
|
|
968
|
-
|
969
|
-
|
970
|
-
|
971
|
-
|
972
|
-
rack-unreloader
|
973
|
-
|
974
|
-
|
975
|
-
|
976
|
-
|
977
|
-
|
978
|
-
|
979
|
-
does not rely on autoloading then +require_dependency+ must be used to require the dependencies
|
980
|
-
or they won't be reloaded.
|
968
|
+
{Zeitwerk}[https://github.com/fxn/zeitwerk] (which Rails now uses for reloading) can be used
|
969
|
+
with Roda. It requires minimal setup and handles most cases. It overrides +require+ when
|
970
|
+
activated. If it can meet the needs of your application, it's probably the best approach.
|
971
|
+
|
972
|
+
{rack-unreloader}[https://github.com/jeremyevans/rack-unreloader] uses a fast
|
973
|
+
approach to reloading while still being fairly safe, as it only reloads files that have
|
974
|
+
been modified, and unloads constants defined in the files before reloading them. It can handle
|
975
|
+
advanced cases that Zeitwerk does not support, such as classes defined in multiple files
|
976
|
+
(common when using separate route files for different routing branches in the same application).
|
977
|
+
However, rack-unreloader does not modify core classes and using it requires modifying your
|
978
|
+
application code to use rack-unreloader specific APIs, which may not be simple.
|
981
979
|
|
982
980
|
{AutoReloader}[https://github.com/rosenfeld/auto_reloader] provides transparent reloading for
|
983
981
|
all files reached from one of the +reloadable_paths+ option entries, by detecting new top-level
|
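Review bot: the file boundary that should follow this hunk is missing in this render: the next hunk, `@@ -0,0 +1,22 @@`, is the new doc/release_notes/3.45.0.txt listed in the file summary at the top, not a continuation of README.rdoc. On the replacement text itself, "which Rails now uses for reloading" will date quickly; "which Rails uses for reloading" says the same thing without the time reference.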
@@ -0,0 +1,22 @@
|
|
1
|
+
= Improvements
|
2
|
+
|
3
|
+
* The typecast_params plugin checks now checks for null bytes by
|
4
|
+
default before typecasting. If null bytes are present, it raises
|
5
|
+
an error. Most applications do not require null bytes in
|
6
|
+
parameters, and in some cases allowing them can lead to security
|
7
|
+
issues, especially when parameters are passed to C extensions.
|
8
|
+
In general, the benefit of forbidding null bytes in parameters is
|
9
|
+
greater than the cost.
|
10
|
+
|
11
|
+
If you would like to continue allowing null bytes, use the
|
12
|
+
:allow_null_bytes option when loading the plugin.
|
13
|
+
|
14
|
+
Note that this change does not affect uploaded files, since those
|
15
|
+
are expected to contain null bytes.
|
16
|
+
|
17
|
+
= Backwards Compatibility
|
18
|
+
|
19
|
+
* The change to the typecast_params plugin to raise an error for
|
20
|
+
null bytes can break applications that are expecting null bytes
|
21
|
+
to be passed in parameters. Such applications should use the
|
22
|
+
:allow_null_bytes option when loading the plugin.
|
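Review bot: the third line duplicates a word: "The typecast_params plugin checks now checks for null bytes" should read "The typecast_params plugin now checks for null bytes". It would also help to say what is raised, since applications that handle typecast errors need to recognise the new case: the implementation reports it through handle_error with reason :null_byte and the message "string parameter contains null byte", so naming that reason next to the :allow_null_bytes opt-out would make the note complete.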
data/lib/roda/plugins/assets.rb
CHANGED
@@ -152,6 +152,22 @@ class Roda
|
|
152
152
|
# together and not compressed during compilation. You can use the
|
153
153
|
# :css_compressor and :js_compressor options to specify the compressor to use.
|
154
154
|
#
|
155
|
+
# It is also possible to use the built-in compression options in the CSS or JS
|
156
|
+
# compiler, assuming the compiler supports such options. For example, with
|
157
|
+
# sass/sassc, you can use:
|
158
|
+
#
|
159
|
+
# plugin :assets,
|
160
|
+
# css_opts: {style: :compressed}
|
161
|
+
#
|
162
|
+
# === Source Maps (CSS)
|
163
|
+
#
|
164
|
+
# The assets plugin does not have direct support for source maps, so it is
|
165
|
+
# recommended you use embedded source maps if supported by the CSS compiler.
|
166
|
+
# For sass/sassc, you can use:
|
167
|
+
#
|
168
|
+
# plugin :assets,
|
169
|
+
# css_opts: {:source_map_embed=>true, source_map_contents: true, source_map_file: "."}
|
170
|
+
#
|
155
171
|
# === With Asset Groups
|
156
172
|
#
|
157
173
|
# When using asset groups, a separate compiled file will be produced per
|
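Review bot: the css_opts example on the last added comment line mixes hash-rocket and shorthand symbol keys in one literal (`{:source_map_embed=>true, source_map_contents: true, source_map_file: "."}`); the earlier example uses `{style: :compressed}`, so `{source_map_embed: true, source_map_contents: true, source_map_file: "."}` would keep the two consistent. Separately, the file header for data/lib/roda/plugins/typecast_params.rb is missing before the following `@@ -260,6 +260,11 @@` hunk in this render; everything from there up to the version.rb header belongs to that file per the summary list.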
@@ -260,6 +260,11 @@ class Roda
|
|
260
260
|
# strip leading and trailing whitespace from parameter string values before processing, which
|
261
261
|
# you can do by passing the <tt>strip: :all</tt> option when loading the plugin.
|
262
262
|
#
|
263
|
+
# By default, the typecast_params conversion procs check that null bytes are not allowed
|
264
|
+
# in param string values. This check for null bytes occurs prior to any type conversion.
|
265
|
+
# If you would like to skip this check and allow null bytes in param string values,
|
266
|
+
# you can do by passing the <tt>:allow_null_bytes</tt> option when loading the plugin.
|
267
|
+
#
|
263
268
|
# By design, typecast_params only deals with string keys, it is not possible to use
|
264
269
|
# symbol keys as arguments to the conversion methods and have them converted.
|
265
270
|
module TypecastParams
|
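Review bot: two wording issues in the new comment block. "check that null bytes are not allowed in param string values" describes a check on policy rather than on data; "check that param string values do not contain null bytes" says what the code does. The last sentence, "you can do by passing the <tt>:allow_null_bytes</tt> option", is missing "so" ("you can do so by passing"). Consider also stating here, as the release notes do, that the check does not apply to uploaded files.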
@@ -356,6 +361,14 @@ class Roda
|
|
356
361
|
end
|
357
362
|
end
|
358
363
|
|
364
|
+
module AllowNullByte
|
365
|
+
private
|
366
|
+
|
367
|
+
# Allow ASCII NUL bytes ("\0") in parameter string values.
|
368
|
+
def check_null_byte(v)
|
369
|
+
end
|
370
|
+
end
|
371
|
+
|
359
372
|
module StringStripper
|
360
373
|
private
|
361
374
|
|
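Review bot: naming drift between the option and the module: the plugin option is :allow_null_bytes (plural) while the module is AllowNullByte (singular); AllowNullBytes would make the grep from option to implementation direct. The empty check_null_byte body is the right shape for an opt-out override, but a one-line comment saying that it deliberately replaces the checking version when included (the same include mechanism StringStripper relies on) would stop a future reader from "fixing" the empty method.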
@@ -391,7 +404,10 @@ class Roda
|
|
391
404
|
convert_array_meth = :"_convert_array_#{type}"
|
392
405
|
define_method(convert_array_meth) do |v|
|
393
406
|
raise Error, "expected array but received #{v.inspect}" unless v.is_a?(Array)
|
394
|
-
v.map!
|
407
|
+
v.map! do |val|
|
408
|
+
check_null_byte(val)
|
409
|
+
send(convert_meth, val)
|
410
|
+
end
|
395
411
|
end
|
396
412
|
|
397
413
|
private convert_meth, convert_array_meth
|
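Review bot: the per-element check_null_byte(val) inside the map! block is necessary rather than redundant, and deserves a comment saying why: process calls check_null_byte on the whole value, and for an Array that is a no-op because check_null_byte only inspects Strings, so array members are caught only here. Note also that the removed line renders as a bare `v.map!` in this view, so the pre-change block body is not visible for comparison.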
@@ -927,12 +943,20 @@ class Roda
|
|
927
943
|
end
|
928
944
|
end
|
929
945
|
|
946
|
+
# Raise an Error if the value is a string containing a null byte.
|
947
|
+
def check_null_byte(v)
|
948
|
+
if v.is_a?(String) && v.index("\0")
|
949
|
+
handle_error(nil, :null_byte, "string parameter contains null byte", true)
|
950
|
+
end
|
951
|
+
end
|
952
|
+
|
930
953
|
# Get the value of +key+ for the object, and convert it to the expected type using +meth+.
|
931
954
|
# If the value either before or after conversion is nil, return the +default+ value.
|
932
955
|
def process(meth, key, default)
|
933
956
|
v = param_value(key)
|
934
957
|
|
935
958
|
unless v.nil?
|
959
|
+
check_null_byte(v)
|
936
960
|
v = send(meth, v)
|
937
961
|
end
|
938
962
|
|
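Review bot: `v.index("\0")` is used purely as a boolean, so `v.include?("\0")` states the intent more directly. The handle_error(nil, :null_byte, ..., true) call passes a nil key and a trailing true with no explanation in the hunk; a comment naming what those two arguments mean (or why there is no key to report at this point) would help, since this is the only place the :null_byte reason is produced. The placement of check_null_byte(v) inside `unless v.nil?` and before `send(meth, v)` matches the documented "prior to any type conversion" behaviour.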
@@ -992,6 +1016,9 @@ class Roda
|
|
992
1016
|
if opts[:strip] == :all
|
993
1017
|
app::TypecastParams.send(:include, StringStripper)
|
994
1018
|
end
|
1019
|
+
if opts[:allow_null_bytes]
|
1020
|
+
app::TypecastParams.send(:include, AllowNullByte)
|
1021
|
+
end
|
995
1022
|
end
|
996
1023
|
|
997
1024
|
module ClassMethods
|
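Review bot: the new block mirrors the :strip handling, which is the right shape. Both branches use app::TypecastParams.send(:include, ...); Module#include has been public since Ruby 2.1, so if the supported Ruby range permits, a plain include in both places would read more clearly.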
data/lib/roda/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: roda
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.45.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jeremy Evans
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-06-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rack
|
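Review bot: the removed `version: 3.` and `date: 2021-` lines are truncated in this render, so the hunk cannot be checked line-for-line against the previous values; the added values, 3.45.0 and 2021-06-14, match the new CHANGELOG entry, which is the check that matters here.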
@@ -215,6 +215,7 @@ extra_rdoc_files:
|
|
215
215
|
- doc/release_notes/3.42.0.txt
|
216
216
|
- doc/release_notes/3.43.0.txt
|
217
217
|
- doc/release_notes/3.44.0.txt
|
218
|
+
- doc/release_notes/3.45.0.txt
|
218
219
|
- doc/release_notes/3.5.0.txt
|
219
220
|
- doc/release_notes/3.6.0.txt
|
220
221
|
- doc/release_notes/3.7.0.txt
|
@@ -266,6 +267,7 @@ files:
|
|
266
267
|
- doc/release_notes/3.42.0.txt
|
267
268
|
- doc/release_notes/3.43.0.txt
|
268
269
|
- doc/release_notes/3.44.0.txt
|
270
|
+
- doc/release_notes/3.45.0.txt
|
269
271
|
- doc/release_notes/3.5.0.txt
|
270
272
|
- doc/release_notes/3.6.0.txt
|
271
273
|
- doc/release_notes/3.7.0.txt
|