roda 3.44.0 → 3.45.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/README.rdoc +11 -13
- data/doc/release_notes/3.45.0.txt +22 -0
- data/lib/roda/plugins/assets.rb +16 -0
- data/lib/roda/plugins/typecast_params.rb +28 -1
- data/lib/roda/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5dbdf55425a681a0cb32fa0b4a44cd50bf5be6f85c78c1ea1adbdd19e28c2d61
|
|
4
|
+
data.tar.gz: e91ee695e5f8648f4269a2c229b794ef2ee921f4291102519d4ca2cadd9bf13a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: aa46429e09091c3cf0112c251a9863845c69d4245674dcaddaec030244213d8b9ac1aae96cfa6093680c33f87c732ee4464e4cbe2572d192eb0a9f7e09acd43b
|
|
7
|
+
data.tar.gz: 57cf84f7db6e6334918f0c01f7308c4c48db7e0ba9f2a14fe87420c3b2bd17471a229ec02a2ad9242ec6fd4aa67848f6dff04b319fea361a985dd264b52252ab
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
= 3.45.0 (2021-06-14)
|
|
2
|
+
|
|
3
|
+
* Make typecast_params plugin check for null bytes in strings by default, with :allow_null_bytes option for previous behavior (jeremyevans)
|
|
4
|
+
|
|
1
5
|
= 3.44.0 (2021-05-12)
|
|
2
6
|
|
|
3
7
|
* Add optimized_segment_matchers plugin for optimized matchers for a single String class argument (jeremyevans)
|
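Review bot: the entry leaves out the exception that the release notes for this version state, namely that uploaded files are not subject to the null byte check; adding a short clause such as "except for uploaded files" would keep the CHANGELOG and the release notes consistent for anyone reading only one of them.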
data/README.rdoc
CHANGED
|
@@ -965,19 +965,17 @@ option. If you really want to turn path checking off, you can do so via the
|
|
|
965
965
|
Roda does not ship with integrated support for code reloading, but there are rack-based
|
|
966
966
|
reloaders that will work with Roda apps.
|
|
967
967
|
|
|
968
|
-
|
|
969
|
-
|
|
970
|
-
|
|
971
|
-
|
|
972
|
-
rack-unreloader
|
|
973
|
-
|
|
974
|
-
|
|
975
|
-
|
|
976
|
-
|
|
977
|
-
|
|
978
|
-
|
|
979
|
-
does not rely on autoloading then +require_dependency+ must be used to require the dependencies
|
|
980
|
-
or they won't be reloaded.
|
|
968
|
+
{Zeitwerk}[https://github.com/fxn/zeitwerk] (which Rails now uses for reloading) can be used
|
|
969
|
+
with Roda. It requires minimal setup and handles most cases. It overrides +require+ when
|
|
970
|
+
activated. If it can meet the needs of your application, it's probably the best approach.
|
|
971
|
+
|
|
972
|
+
{rack-unreloader}[https://github.com/jeremyevans/rack-unreloader] uses a fast
|
|
973
|
+
approach to reloading while still being fairly safe, as it only reloads files that have
|
|
974
|
+
been modified, and unloads constants defined in the files before reloading them. It can handle
|
|
975
|
+
advanced cases that Zeitwerk does not support, such as classes defined in multiple files
|
|
976
|
+
(common when using separate route files for different routing branches in the same application).
|
|
977
|
+
However, rack-unreloader does not modify core classes and using it requires modifying your
|
|
978
|
+
application code to use rack-unreloader specific APIs, which may not be simple.
|
|
981
979
|
|
|
982
980
|
{AutoReloader}[https://github.com/rosenfeld/auto_reloader] provides transparent reloading for
|
|
983
981
|
all files reached from one of the +reloadable_paths+ option entries, by detecting new top-level
|
|
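Review bot: this rewrite of the code-reloading section is unrelated to the null byte change that the rest of the release consists of, and the removed lines 968-979 are rendered without their content here, so the new Zeitwerk and rack-unreloader paragraphs cannot be compared against the text they replace; documentation edits of this size are easier to review in their own commit. Within the added text, "It overrides +require+ when activated" is the tradeoff that the later sentence "rack-unreloader does not modify core classes" contrasts with, so consider stating that contrast explicitly in one place rather than across two paragraphs.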
@@ -0,0 +1,22 @@
|
|
|
1
|
+
= Improvements
|
|
2
|
+
|
|
3
|
+
* The typecast_params plugin checks now checks for null bytes by
|
|
4
|
+
default before typecasting. If null bytes are present, it raises
|
|
5
|
+
an error. Most applications do not require null bytes in
|
|
6
|
+
parameters, and in some cases allowing them can lead to security
|
|
7
|
+
issues, especially when parameters are passed to C extensions.
|
|
8
|
+
In general, the benefit of forbidding null bytes in parameters is
|
|
9
|
+
greater than the cost.
|
|
10
|
+
|
|
11
|
+
If you would like to continue allowing null bytes, use the
|
|
12
|
+
:allow_null_bytes option when loading the plugin.
|
|
13
|
+
|
|
14
|
+
Note that this change does not affect uploaded files, since those
|
|
15
|
+
are expected to contain null bytes.
|
|
16
|
+
|
|
17
|
+
= Backwards Compatibility
|
|
18
|
+
|
|
19
|
+
* The change to the typecast_params plugin to raise an error for
|
|
20
|
+
null bytes can break applications that are expecting null bytes
|
|
21
|
+
to be passed in parameters. Such applications should use the
|
|
22
|
+
:allow_null_bytes option when loading the plugin.
|
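Review bot: "The typecast_params plugin checks now checks for null bytes" in the first bullet has a duplicated word; suggest "The typecast_params plugin now checks for null bytes by default before typecasting." The notes also do not say how the failure surfaces: the implementation reports it through handle_error with the reason :null_byte and the message "string parameter contains null byte", and applications that inspect typecast_params error reasons, or that render them to users, would want that named here under Backwards Compatibility.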
data/lib/roda/plugins/assets.rb
CHANGED
|
@@ -152,6 +152,22 @@ class Roda
|
|
|
152
152
|
# together and not compressed during compilation. You can use the
|
|
153
153
|
# :css_compressor and :js_compressor options to specify the compressor to use.
|
|
154
154
|
#
|
|
155
|
+
# It is also possible to use the built-in compression options in the CSS or JS
|
|
156
|
+
# compiler, assuming the compiler supports such options. For example, with
|
|
157
|
+
# sass/sassc, you can use:
|
|
158
|
+
#
|
|
159
|
+
# plugin :assets,
|
|
160
|
+
# css_opts: {style: :compressed}
|
|
161
|
+
#
|
|
162
|
+
# === Source Maps (CSS)
|
|
163
|
+
#
|
|
164
|
+
# The assets plugin does not have direct support for source maps, so it is
|
|
165
|
+
# recommended you use embedded source maps if supported by the CSS compiler.
|
|
166
|
+
# For sass/sassc, you can use:
|
|
167
|
+
#
|
|
168
|
+
# plugin :assets,
|
|
169
|
+
# css_opts: {:source_map_embed=>true, source_map_contents: true, source_map_file: "."}
|
|
170
|
+
#
|
|
155
171
|
# === With Asset Groups
|
|
156
172
|
#
|
|
157
173
|
# When using asset groups, a separate compiled file will be produced per
|
|
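Review bot: the source map example mixes hash-rocket and symbol-key syntax in one literal, `css_opts: {:source_map_embed=>true, source_map_contents: true, source_map_file: "."}`; for a documentation snippet users will copy, use one style, e.g. `css_opts: {source_map_embed: true, source_map_contents: true, source_map_file: "."}`, matching the `css_opts: {style: :compressed}` example a few lines above.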
@@ -260,6 +260,11 @@ class Roda
|
|
|
260
260
|
# strip leading and trailing whitespace from parameter string values before processing, which
|
|
261
261
|
# you can do by passing the <tt>strip: :all</tt> option when loading the plugin.
|
|
262
262
|
#
|
|
263
|
+
# By default, the typecast_params conversion procs check that null bytes are not allowed
|
|
264
|
+
# in param string values. This check for null bytes occurs prior to any type conversion.
|
|
265
|
+
# If you would like to skip this check and allow null bytes in param string values,
|
|
266
|
+
# you can do by passing the <tt>:allow_null_bytes</tt> option when loading the plugin.
|
|
267
|
+
#
|
|
263
268
|
# By design, typecast_params only deals with string keys, it is not possible to use
|
|
264
269
|
# symbol keys as arguments to the conversion methods and have them converted.
|
|
265
270
|
module TypecastParams
|
|
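Review bot: "check that null bytes are not allowed in param string values" describes the policy rather than the check; "check that param string values do not contain null bytes" says what the code does. The final sentence also drops a word: "you can do so by passing the <tt>:allow_null_bytes</tt> option" (the same omission exists in the unchanged line above about <tt>strip: :all</tt>, which could be fixed in the same pass).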
@@ -356,6 +361,14 @@ class Roda
|
|
|
356
361
|
end
|
|
357
362
|
end
|
|
358
363
|
|
|
364
|
+
module AllowNullByte
|
|
365
|
+
private
|
|
366
|
+
|
|
367
|
+
# Allow ASCII NUL bytes ("\0") in parameter string values.
|
|
368
|
+
def check_null_byte(v)
|
|
369
|
+
end
|
|
370
|
+
end
|
|
371
|
+
|
|
359
372
|
module StringStripper
|
|
360
373
|
private
|
|
361
374
|
|
|
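Review bot: the module is named AllowNullByte (singular) while the option that enables it is :allow_null_bytes (plural); naming it AllowNullBytes would make the override easy to find from the option. The empty `check_null_byte(v)` body is the right shape for an opt-out mix-in and mirrors the StringStripper pattern below it, and the comment makes the intent clear, so no change needed there.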
@@ -391,7 +404,10 @@ class Roda
|
|
|
391
404
|
convert_array_meth = :"_convert_array_#{type}"
|
|
392
405
|
define_method(convert_array_meth) do |v|
|
|
393
406
|
raise Error, "expected array but received #{v.inspect}" unless v.is_a?(Array)
|
|
394
|
-
v.map!
|
|
407
|
+
v.map! do |val|
|
|
408
|
+
check_null_byte(val)
|
|
409
|
+
send(convert_meth, val)
|
|
410
|
+
end
|
|
395
411
|
end
|
|
396
412
|
|
|
397
413
|
private convert_meth, convert_array_meth
|
|
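Review bot: because `v.map!` mutates the array in place and `check_null_byte(val)` raises on the first offending element, the elements before it have already been replaced by their converted values when the error propagates. This is harmless when the error aborts the request, which is the normal path, but if a caller rescues the Error and inspects the original params it will see a partially converted array; either check all elements before mapping or note this in the method comment.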
@@ -927,12 +943,20 @@ class Roda
|
|
|
927
943
|
end
|
|
928
944
|
end
|
|
929
945
|
|
|
946
|
+
# Raise an Error if the value is a string containing a null byte.
|
|
947
|
+
def check_null_byte(v)
|
|
948
|
+
if v.is_a?(String) && v.index("\0")
|
|
949
|
+
handle_error(nil, :null_byte, "string parameter contains null byte", true)
|
|
950
|
+
end
|
|
951
|
+
end
|
|
952
|
+
|
|
930
953
|
# Get the value of +key+ for the object, and convert it to the expected type using +meth+.
|
|
931
954
|
# If the value either before or after conversion is nil, return the +default+ value.
|
|
932
955
|
def process(meth, key, default)
|
|
933
956
|
v = param_value(key)
|
|
934
957
|
|
|
935
958
|
unless v.nil?
|
|
959
|
+
check_null_byte(v)
|
|
936
960
|
v = send(meth, v)
|
|
937
961
|
end
|
|
938
962
|
|
|
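Review bot: `handle_error(nil, :null_byte, "string parameter contains null byte", true)` passes nil for the key, so the resulting error does not say which parameter contained the null byte, even though `process(meth, key, default)` has `key` available at the call site; giving `check_null_byte` a key argument and forwarding it would make the error actionable in logs without changing behaviour. Minor: `v.include?("\0")` reads more directly than `v.index("\0")` for a boolean test. Also worth stating in the comment that non-String values (and nil, which `process` already skips) pass through unchecked by design.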
@@ -992,6 +1016,9 @@ class Roda
|
|
|
992
1016
|
if opts[:strip] == :all
|
|
993
1017
|
app::TypecastParams.send(:include, StringStripper)
|
|
994
1018
|
end
|
|
1019
|
+
if opts[:allow_null_bytes]
|
|
1020
|
+
app::TypecastParams.send(:include, AllowNullByte)
|
|
1021
|
+
end
|
|
995
1022
|
end
|
|
996
1023
|
|
|
997
1024
|
module ClassMethods
|
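Review bot: like the `StringStripper` branch above it, this only ever includes `AllowNullByte` and never reverts it, so once an application has loaded the plugin with `:allow_null_bytes` a later `plugin :typecast_params` call without the option leaves null bytes allowed; that is consistent with how the plugin already handles `:strip`, but since this option relaxes a security check it is worth a sentence in the plugin documentation.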
data/lib/roda/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: roda
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.45.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-06-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -215,6 +215,7 @@ extra_rdoc_files:
|
|
|
215
215
|
- doc/release_notes/3.42.0.txt
|
|
216
216
|
- doc/release_notes/3.43.0.txt
|
|
217
217
|
- doc/release_notes/3.44.0.txt
|
|
218
|
+
- doc/release_notes/3.45.0.txt
|
|
218
219
|
- doc/release_notes/3.5.0.txt
|
|
219
220
|
- doc/release_notes/3.6.0.txt
|
|
220
221
|
- doc/release_notes/3.7.0.txt
|
|
@@ -266,6 +267,7 @@ files:
|
|
|
266
267
|
- doc/release_notes/3.42.0.txt
|
|
267
268
|
- doc/release_notes/3.43.0.txt
|
|
268
269
|
- doc/release_notes/3.44.0.txt
|
|
270
|
+
- doc/release_notes/3.45.0.txt
|
|
269
271
|
- doc/release_notes/3.5.0.txt
|
|
270
272
|
- doc/release_notes/3.6.0.txt
|
|
271
273
|
- doc/release_notes/3.7.0.txt
|