rollbar 2.16.2 → 2.22.1

data/lib/rollbar/item/frame.rb

@@ -1,5 +1,6 @@
 # We want to use Gem.path
 require 'rubygems'
+require 'rollbar/item/locals'
 
 module Rollbar
   class Item
@@ -47,7 +48,8 @@ module Rollbar
 
         {
           :code => code_data(file_lines, lineno),
-          :context => context_data(file_lines, lineno)
+          :context => context_data(file_lines, lineno),
+          :locals => locals_data(filename, lineno)
         }
       end
 
@@ -94,6 +96,10 @@ module Rollbar
         }
       end
 
+      def locals_data(filename, lineno)
+        ::Rollbar::Item::Locals.locals_for_location(filename, lineno)
+      end
+
       def post_data(file_lines, lineno)
         from_line = lineno
         number_of_lines = [from_line + MAX_CONTEXT_LENGTH, file_lines.size].min - from_line

data/lib/rollbar/item/locals.rb

@@ -0,0 +1,56 @@
+require 'rollbar/notifier'
+require 'rollbar/scrubbers/params'
+
+module Rollbar
+  class Item
+    class Locals # :nodoc:
+      class << self
+        def exception_frames
+          Rollbar.notifier.exception_bindings
+        end
+
+        def locals_for_location(filename, lineno)
+          if (frame = frame_for_location(filename, lineno))
+            scrub(locals_for(frame[:binding]))
+          else
+            {}
+          end
+        end
+
+        def frame_for_location(filename, lineno)
+          while (frame = exception_frames.pop)
+            return nil unless frame
+            return frame if matching_frame?(frame, filename, lineno)
+          end
+          nil
+        end
+
+        private
+
+        def matching_frame?(frame, filename, lineno)
+          frame[:path] == filename && frame[:lineno].to_i <= lineno.to_i
+        end
+
+        def locals_for(frame)
+          {}.tap do |hash|
+            frame.local_variables.map do |var|
+              hash[var] = prepare_value(frame.local_variable_get(var))
+            end
+          end
+        end
+
+        def prepare_value(value)
+          value.to_s
+        end
+
+        def scrub(hash)
+          Rollbar::Scrubbers::Params.call(
+            :params => hash,
+            :config => Rollbar.configuration.scrub_fields,
+            :whitelist => Rollbar.configuration.scrub_whitelist
+          )
+        end
+      end
+    end
+  end
+end

data/lib/rollbar/json.rb

@@ -1,65 +1,19 @@
-require 'multi_json'
-require 'rollbar/json/oj'
-require 'rollbar/json/default'
 require 'rollbar/language_support'
 
-begin
-  require 'oj'
-rescue LoadError
-end
-
 module Rollbar
-  module JSON
+  module JSON # :nodoc:
     extend self
 
     attr_writer :options_module
 
     def dump(object)
-      with_adapter { MultiJson.dump(object, adapter_options) }
-    end
-
-    def load(string)
-      with_adapter { MultiJson.load(string, adapter_options) }
-    end
-
-    def with_adapter(&block)
-      MultiJson.with_adapter(detect_multi_json_adapter, &block)
-    end
-
-    def detect_multi_json_adapter
-      options = {}
-      options[:adapter] = :oj if defined?(::Oj)
-
-      MultiJson.current_adapter(options)
-    end
-
-    def adapter_options
-      options_module.options
-    end
-
-    def options_module
-      @options_module ||= find_options_module
-    end
-
-    def find_options_module
-      module_name = multi_json_adapter_module_name
-
-      if LanguageSupport.const_defined?(Rollbar::JSON, module_name, false)
-        LanguageSupport.const_get(Rollbar::JSON, module_name, false)
-      else
-        Default
+      Rollbar.plugins.get('basic_socket').load_scoped!(true) do
+        ::JSON.generate(object)
       end
     end
 
-    # MultiJson adapters have this name structure:
-    # "MultiJson::Adapters::{AdapterModule}"
-    #
-    # Ex: MultiJson::Adapters::Oj
-    # Ex: MultiJson::Adapters::JsonGem
-    #
-    # In this method we just get the last module name.
-    def multi_json_adapter_module_name
-      detect_multi_json_adapter.name[/^MultiJson::Adapters::(.*)$/, 1]
+    def load(string)
+      ::JSON.parse(string)
     end
   end
 end

data/lib/rollbar/language_support.rb

@@ -1,29 +1,13 @@
 module Rollbar
   module LanguageSupport
-    extend self
+    module_function
 
     def const_defined?(mod, target, inherit = true)
-      if ruby_18?
-        mod.const_defined?(target)
-      else
-        mod.const_defined?(target, inherit)
-      end
+      mod.const_defined?(target, inherit)
     end
 
     def const_get(mod, target, inherit = true)
-      if ruby_18?
-        mod.const_get(target)
-      else
-        mod.const_get(target, inherit)
-      end
-    end
-
-    def can_scrub_url?
-      !version?('1.8')
-    end
-
-    def ruby_18?
-      version?('1.8')
+      mod.const_get(target, inherit)
     end
 
     def ruby_19?
@@ -37,7 +21,7 @@ module Rollbar
     end
 
     def timeout_exceptions
-      return [] if ruby_18? || ruby_19?
+      return [] if ruby_19?
 
       [Net::ReadTimeout, Net::OpenTimeout]
     end

data/lib/rollbar/lazy_store.rb

@@ -21,11 +21,11 @@ module Rollbar
     end
 
     def ==(other)
-      if other.is_a?(self.class)
-        raw == other.raw
-      else
-        raw == other
-      end
+      raw == if other.is_a?(self.class)
+               other.raw
+             else
+               other
+             end
     end
 
     # With this version of clone we ensure that the loaded_data is empty

data/lib/rollbar/logger.rb

@@ -67,6 +67,7 @@ module Rollbar
 
     def blank?(message)
       return message.blank? if message.respond_to?(:blank?)
+
       message.respond_to?(:empty?) ? !!message.empty? : !message
     end
 

data/lib/rollbar/logger_proxy.rb

@@ -23,12 +23,25 @@ module Rollbar
     end
 
     def log(level, message)
-      return unless Rollbar.configuration.enabled
+      return unless Rollbar.configuration.enabled && acceptable_levels.include?(level.to_sym)
 
       @object.send(level, message)
-    rescue
+    rescue StandardError
       puts "[Rollbar] Error logging #{level}:"
       puts "[Rollbar] #{message}"
     end
+
+    protected
+
+    def acceptable_levels
+      @acceptable_levels ||= begin
+        levels = [:debug, :info, :warn, :error]
+        if Rollbar.configuration.logger_level
+          levels[levels.find_index(Rollbar.configuration.logger_level)..-1]
+        else
+          []
+        end
+      end
+    end
   end
 end

data/lib/rollbar/middleware/js.rb

@@ -13,7 +13,7 @@ module Rollbar
       attr_reader :app
       attr_reader :config
 
-      JS_IS_INJECTED_KEY = 'rollbar.js_is_injected'
+      JS_IS_INJECTED_KEY = 'rollbar.js_is_injected'.freeze
       SNIPPET = File.read(File.expand_path('../../../../data/rollbar.snippet.js', __FILE__))
 
       def initialize(app, config)
@@ -29,13 +29,15 @@ module Rollbar
 
           response_string = add_js(env, app_result[2])
           build_response(env, app_result, response_string)
-        rescue => e
+        rescue StandardError => e
           Rollbar.log_error("[Rollbar] Rollbar.js could not be added because #{e} exception")
 
           app_result
         end
       end
 
+      private
+
       def enabled?
         !!config[:enabled]
       end
@@ -69,7 +71,7 @@ module Rollbar
         return nil unless insert_after_idx
 
         build_body_with_js(env, body, insert_after_idx)
-      rescue => e
+      rescue StandardError => e
         Rollbar.log_error("[Rollbar] Rollbar.js could not be added because #{e} exception")
         nil
       end
@@ -118,7 +120,11 @@ module Rollbar
 
         add_person_data(js_config, env)
 
-        script_tag("var _rollbarConfig = #{js_config.to_json};", env)
+        # MUST use the Ruby JSON encoder (JSON#generate).
+        # See lib/rollbar/middleware/js/json_value
+        json = ::JSON.generate(js_config)
+
+        script_tag("var _rollbarConfig = #{json};", env)
       end
 
       def add_person_data(js_config, env)
@@ -139,7 +145,9 @@ module Rollbar
       end
 
       def script_tag(content, env)
-        if append_nonce?
+        if (nonce = rails5_nonce(env))
+          script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
+        elsif secure_headers_nonce?
           nonce = ::SecureHeaders.content_security_policy_script_nonce(::Rack::Request.new(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
         else
@@ -154,11 +162,103 @@ module Rollbar
         string
       end
 
-      def append_nonce?
-        defined?(::SecureHeaders) && ::SecureHeaders.respond_to?(:content_security_policy_script_nonce) &&
-          defined?(::SecureHeaders::Configuration) &&
-          !::SecureHeaders::Configuration.get.csp.opt_out? &&
-          !::SecureHeaders::Configuration.get.current_csp[:script_src].to_a.include?("'unsafe-inline'")
+      # Rails 5.2 Secure Content Policy
+      def rails5_nonce(env)
+        # The nonce is the preferred method, however 'unsafe-inline' is also possible.
+        # The app gets to decide, so we handle both. If the script_src key is missing,
+        # Rails will not add the nonce to the headers, so we should not add it either.
+        # If the 'unsafe-inline' value is present, the app should not add a nonce and
+        # we should ignore it if they do.
+        req = ::ActionDispatch::Request.new env
+        req.respond_to?(:content_security_policy) &&
+          req.content_security_policy &&
+          req.content_security_policy.directives['script-src'] &&
+          !req.content_security_policy.directives['script-src'].include?("'unsafe-inline'") &&
+          req.content_security_policy_nonce
+      end
+
+      # Secure Headers gem
+      def secure_headers_nonce?
+        secure_headers.append_nonce?
+      end
+
+      def secure_headers
+        return SecureHeadersFalse.new unless defined?(::SecureHeaders::Configuration)
+
+        config = ::SecureHeaders::Configuration
+
+        secure_headers_cls = nil
+
+        secure_headers_cls = if !::SecureHeaders.respond_to?(:content_security_policy_script_nonce)
+                               SecureHeadersFalse
+                             elsif config.respond_to?(:get)
+                               SecureHeaders3To5
+                             elsif config.dup.respond_to?(:csp)
+                               SecureHeaders6
+                             else
+                               SecureHeadersFalse
+                             end
+
+        secure_headers_cls.new
+      end
+
+      class SecureHeadersResolver
+        def append_nonce?
+          csp_needs_nonce?(find_csp)
+        end
+
+        private
+
+        def find_csp
+          raise NotImplementedError
+        end
+
+        def csp_needs_nonce?(csp)
+          !opt_out?(csp) && !unsafe_inline?(csp)
+        end
+
+        def opt_out?(_csp)
+          raise NotImplementedError
+        end
+
+        def unsafe_inline?(csp)
+          csp[:script_src].to_a.include?("'unsafe-inline'")
+        end
+      end
+
+      class SecureHeadersFalse < SecureHeadersResolver
+        def append_nonce?
+          false
+        end
+      end
+
+      class SecureHeaders3To5 < SecureHeadersResolver
+        private
+
+        def find_csp
+          ::SecureHeaders::Configuration.get.csp
+        end
+
+        def opt_out?(csp)
+          if csp.respond_to?(:opt_out?) && csp.opt_out?
+            csp.opt_out?
+          # secure_headers csp 3.0.x-3.4.x doesn't respond to 'opt_out?'
+          elsif defined?(::SecureHeaders::OPT_OUT) && ::SecureHeaders::OPT_OUT.is_a?(Symbol)
+            csp == ::SecureHeaders::OPT_OUT
+          end
+        end
+      end
+
+      class SecureHeaders6 < SecureHeadersResolver
+        private
+
+        def find_csp
+          ::SecureHeaders::Configuration.dup.csp
+        end
+
+        def opt_out?(csp)
+          csp.opt_out?
+        end
       end
     end
   end

data/lib/rollbar/middleware/js/json_value.rb

@@ -0,0 +1,26 @@
+# Allows a Ruby String to be used to create native Javascript objects
+# when calling JSON#generate.
+#
+# Example:
+# JSON.generate({ foo: Rollbar::JSON::Value.new('function(){ alert("bar") }') })
+# => '{"foo":function(){ alert(\"bar\") }}'
+#
+# MUST use the Ruby JSON encoder, as in the example. The ActiveSupport encoder,
+# which is installed with Rails, is invoked when calling Hash#to_json and #as_json,
+# and will not work.
+#
+module Rollbar
+  module JSON
+    class Value # :nodoc:
+      attr_accessor :value
+
+      def initialize(value)
+        @value = value
+      end
+
+      def to_json(*_args)
+        value
+      end
+    end
+  end
+end