rollbar 2.8.3 → 3.6.0

data/lib/rollbar/request_data_extractor.rb

@@ -1,19 +1,28 @@
 require 'rack'
 require 'tempfile'
 
+require 'rollbar/scrubbers'
 require 'rollbar/scrubbers/url'
+require 'rollbar/scrubbers/params'
 require 'rollbar/util/ip_obfuscator'
+require 'rollbar/util/ip_anonymizer'
+require 'rollbar/json'
 
 module Rollbar
   module RequestDataExtractor
-    SKIPPED_CLASSES = [Tempfile]
+    ALLOWED_HEADERS_REGEX = /^HTTP_|^CONTENT_TYPE$|^CONTENT_LENGTH$/.freeze
+    ALLOWED_BODY_PARSEABLE_METHODS = %w[POST PUT PATCH DELETE].freeze
 
     def extract_person_data_from_controller(env)
-      if env.has_key? 'rollbar.person_data'
+      if env.key?('rollbar.person_data')
         person_data = env['rollbar.person_data'] || {}
       else
         controller = env['action_controller.instance']
-        person_data = controller.rollbar_person_data rescue {}
+        person_data = begin
+          controller.rollbar_person_data
+        rescue StandardError
+          {}
+        end
       end
 
       person_data
@@ -21,48 +30,60 @@ module Rollbar
 
     def extract_request_data_from_rack(env)
       rack_req = ::Rack::Request.new(env)
-
       sensitive_params = sensitive_params_list(env)
-      request_params = rollbar_filtered_params(sensitive_params, rollbar_request_params(env))
-      get_params = rollbar_filtered_params(sensitive_params, rollbar_get_params(rack_req))
-      post_params = rollbar_filtered_params(sensitive_params, rollbar_post_params(rack_req))
-      raw_body_params = rollbar_filtered_params(sensitive_params, mergeable_raw_body_params(rack_req))
-      cookies = rollbar_filtered_params(sensitive_params, rollbar_request_cookies(rack_req))
-      session = rollbar_filtered_params(sensitive_params, rollbar_request_session(rack_req))
-      route_params = rollbar_filtered_params(sensitive_params, rollbar_route_params(env))
-
-      url_scrubber = Rollbar::Scrubbers::URL.new(:scrub_fields => sensitive_params,
-                                                 :scrub_user => Rollbar.configuration.scrub_user,
-                                                 :scrub_password => Rollbar.configuration.scrub_password,
-                                                 :randomize_scrub_length => Rollbar.configuration.randomize_scrub_length)
-      url = url_scrubber.call(rollbar_url(env))
-
-      params = request_params.merge(get_params).merge(post_params).merge(raw_body_params)
+
+      get_params = scrub_params(rollbar_get_params(rack_req), sensitive_params)
+      post_params = scrub_params(rollbar_post_params(rack_req), sensitive_params)
+      raw_body_params = scrub_params(mergeable_raw_body_params(rack_req),
+                                     sensitive_params)
+      cookies = scrub_params(rollbar_request_cookies(rack_req), sensitive_params)
+      session = scrub_params(rollbar_request_session(env), sensitive_params)
+      route_params = scrub_params(rollbar_route_params(env), sensitive_params)
+
+      url = scrub_url(rollbar_url(env), sensitive_params)
 
       data = {
-        :params => params,
         :url => url,
+        :params => route_params,
+        :GET => get_params,
+        :POST => post_params,
+        :body => Rollbar::JSON.dump(raw_body_params),
         :user_ip => rollbar_user_ip(env),
         :headers => rollbar_headers(env),
         :cookies => cookies,
         :session => session,
-        :method => rollbar_request_method(env),
-        :route => route_params,
+        :method => rollbar_request_method(env)
       }
 
-      if env["action_dispatch.request_id"]
-        data[:request_id] = env["action_dispatch.request_id"]
+      if env['action_dispatch.request_id']
+        data[:request_id] =
+          env['action_dispatch.request_id']
       end
 
       data
     end
 
-    def rollbar_scrubbed(value)
-      if Rollbar.configuration.randomize_scrub_length
-        random_filtered_value
-      else
-        '*' * (value.length rescue 8)
-      end
+    def scrub_url(url, sensitive_params)
+      options = {
+        :url => url,
+        :scrub_fields => Array(Rollbar.configuration.scrub_fields) + sensitive_params,
+        :scrub_user => Rollbar.configuration.scrub_user,
+        :scrub_password => Rollbar.configuration.scrub_password,
+        :randomize_scrub_length => Rollbar.configuration.randomize_scrub_length,
+        :whitelist => Rollbar.configuration.scrub_whitelist
+      }
+
+      Rollbar::Scrubbers::URL.call(options)
+    end
+
+    def scrub_params(params, sensitive_params)
+      options = {
+        :params => params,
+        :config => Rollbar.configuration.scrub_fields,
+        :extra_fields => sensitive_params,
+        :whitelist => Rollbar.configuration.scrub_whitelist
+      }
+      Rollbar::Scrubbers::Params.call(options)
     end
 
     private
@@ -70,9 +91,10 @@ module Rollbar
     def mergeable_raw_body_params(rack_req)
       raw_body_params = rollbar_raw_body_params(rack_req)
 
-      if raw_body_params.is_a?(Hash)
+      case raw_body_params
+      when Hash
         raw_body_params
-      elsif raw_body_params.is_a?(Array)
+      when Array
         { 'body.multi' => raw_body_params }
       else
         { 'body.value' => raw_body_params }
@@ -84,12 +106,26 @@ module Rollbar
     end
 
     def rollbar_headers(env)
-      env.keys.grep(/^HTTP_/).map do |header|
+      env.keys.grep(ALLOWED_HEADERS_REGEX).map do |header|
         name = header.gsub(/^HTTP_/, '').split('_').map(&:capitalize).join('-')
         if name == 'Cookie'
           {}
         elsif sensitive_headers_list.include?(name)
-          { name => rollbar_scrubbed(env[header]) }
+          { name => Rollbar::Scrubbers.scrub_value(env[header]) }
+        elsif name == 'X-Forwarded-For' && !Rollbar.configuration.collect_user_ip
+          {}
+        elsif name == 'X-Forwarded-For' &&
+              Rollbar.configuration.collect_user_ip &&
+              Rollbar.configuration.anonymize_user_ip
+          ips = env[header].sub(' ', '').split(',')
+          ips = ips.map { |ip| Rollbar::Util::IPAnonymizer.anonymize_ip(ip) }
+          { name => ips.join(', ') }
+        elsif name == 'X-Real-Ip' && !Rollbar.configuration.collect_user_ip
+          {}
+        elsif name == 'X-Real-Ip' &&
+              Rollbar.configuration.collect_user_ip &&
+              Rollbar.configuration.anonymize_user_ip
+          { name => Rollbar::Util::IPAnonymizer.anonymize_ip(env[header]) }
         else
           { name => env[header] }
         end
@@ -100,148 +136,152 @@ module Rollbar
       forwarded_proto = env['HTTP_X_FORWARDED_PROTO'] || env['rack.url_scheme'] || ''
       scheme = forwarded_proto.split(',').first
 
-      host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST'] || env['SERVER_NAME']
+      host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST'] || env['SERVER_NAME'] || ''
+      host = host.split(',').first.strip unless host.empty?
+
       path = env['ORIGINAL_FULLPATH'] || env['REQUEST_URI']
-      unless path.nil? || path.empty?
-        path = '/' + path.to_s if path.to_s.slice(0, 1) != '/'
-      end
+      query = env['QUERY_STRING'].to_s.empty? ? nil : "?#{env['QUERY_STRING']}"
+      path ||= "#{env['SCRIPT_NAME']}#{env['PATH_INFO']}#{query}"
+      path = "/#{path}" if !(path.nil? || path.empty?) && (path.to_s.slice(0, 1) != '/')
 
       port = env['HTTP_X_FORWARDED_PORT']
-      if port && !(scheme.downcase == 'http' && port.to_i == 80) && \
-                 !(scheme.downcase == 'https' && port.to_i == 443) && \
-                 !(host.include? ':')
-        host = host + ':' + port
+      if port && !(!scheme.nil? && scheme.casecmp('http').zero? && port.to_i == 80) && \
+         !(!scheme.nil? && scheme.casecmp('https').zero? && port.to_i == 443) && \
+         !(host.include? ':')
+        host = "#{host}:#{port}"
       end
 
       [scheme, '://', host, path].join
     end
 
     def rollbar_user_ip(env)
-      user_ip_string = (env['action_dispatch.remote_ip'] || env['HTTP_X_REAL_IP'] || env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_ADDR']).to_s
+      return nil unless Rollbar.configuration.collect_user_ip
+
+      user_ip_string = (user_ip_at_configured_key(env) ||
+                        env['action_dispatch.remote_ip'] ||
+                        env['HTTP_X_REAL_IP'] ||
+                        x_forwarded_for_client(env['HTTP_X_FORWARDED_FOR']) ||
+                        env['REMOTE_ADDR']).to_s
+
+      user_ip_string = Rollbar::Util::IPAnonymizer.anonymize_ip(user_ip_string)
 
       Rollbar::Util::IPObfuscator.obfuscate_ip(user_ip_string)
-    rescue
+    rescue StandardError
       nil
     end
 
+    def user_ip_at_configured_key(env)
+      return nil unless Rollbar.configuration.user_ip_rack_env_key
+
+      env[Rollbar.configuration.user_ip_rack_env_key]
+    end
+
+    def x_forwarded_for_client(header_value)
+      return nil unless header_value
+
+      ips = header_value.split(',').map(&:strip)
+
+      find_not_private_ip(ips)
+    end
+
+    def find_not_private_ip(ips)
+      ips.detect do |ip|
+        octets = ip.match(/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/)[1, 4].map(&:to_i)
+
+        is_private = (octets[0] == 10) ||
+                     ((octets[0] == 172) && (octets[1] >= 16) && (octets[1] <= 31)) ||
+                     ((octets[0] == 192) && (octets[1] == 168))
+
+        !is_private
+      end
+    end
+
     def rollbar_get_params(rack_req)
       rack_req.GET
-    rescue
+    rescue StandardError
       {}
     end
 
     def rollbar_post_params(rack_req)
       rack_req.POST
-    rescue
+    rescue StandardError
       {}
     end
 
     def rollbar_raw_body_params(rack_req)
-      correct_method = rack_req.post? || rack_req.put? || rack_req.patch?
+      correct_method = ALLOWED_BODY_PARSEABLE_METHODS.include?(rack_req.request_method)
 
       return {} unless correct_method
       return {} unless json_request?(rack_req)
 
-      Rollbar::JSON.load(rack_req.body.read)
-    rescue
+      raw_body = read_raw_body(rack_req.body)
+      begin
+        Rollbar::JSON.load(raw_body)
+      rescue StandardError
+        raw_body
+      end
+    rescue StandardError
       {}
-    ensure
-      rack_req.body.rewind
     end
 
-    def json_request?(rack_req)
-      !!(rack_req.env['CONTENT_TYPE'] =~ %r{application/json} ||
-         rack_req.env['ACCEPT']       =~ /\bjson\b/)
+    def read_raw_body(body)
+      return {} unless body.respond_to?(:rewind)
+
+      body.rewind
+      raw_body = body.read
+      body.rewind
+      raw_body
     end
 
-    def rollbar_request_params(env)
-      env['action_dispatch.request.parameters'] || {}
+    def json_request?(rack_req)
+      json_regex = /\bjson\b/
+
+      !!(rack_req.env['CONTENT_TYPE'] =~ json_regex)
     end
 
     def rollbar_route_params(env)
       return {} unless defined?(Rails)
 
       begin
-        route = ::Rails.application.routes.recognize_path(env['PATH_INFO'])
-
-        {
-          :controller => route[:controller],
-          :action => route[:action],
-          :format => route[:format]
-        }
-      rescue
+        environment = { :method => rollbar_request_method(env) }
+
+        # recognize_path() will return the controller, action
+        # route params (if any)and format (if defined)
+        ::Rails.application.routes.recognize_path(env['PATH_INFO'],
+                                                  environment)
+      rescue StandardError
         {}
       end
     end
 
-    def rollbar_request_session(rack_req)
-      session = rack_req.session
+    def rollbar_request_session(env)
+      session = env.fetch('rack.session', {})
 
       session.to_hash
-    rescue
+    rescue StandardError
       {}
     end
 
     def rollbar_request_cookies(rack_req)
       rack_req.cookies
-    rescue
+    rescue StandardError
       {}
     end
 
-    def rollbar_filtered_params(sensitive_params, params)
-      sensitive_params_regexp = Regexp.new(sensitive_params.map{ |val| Regexp.escape(val.to_s).to_s }.join('|'), true)
-
-      return {} unless params
-
-      params.to_hash.inject({}) do |result, (key, value)|
-        if sensitive_params_regexp =~ Rollbar::Encoding.encode(key).to_s
-          result[key] = rollbar_scrubbed(value)
-        elsif value.is_a?(Hash)
-          result[key] = rollbar_filtered_params(sensitive_params, value)
-        elsif value.is_a?(Array)
-          result[key] = value.map do |v|
-            v.is_a?(Hash) ? rollbar_filtered_params(sensitive_params, v) : rollbar_filtered_param_value(v)
-          end
-        elsif skip_value?(value)
-          result[key] = "Skipped value of class '#{value.class.name}'"
-        else
-          result[key] = rollbar_filtered_param_value(value)
-        end
-
-        result
-      end
-    end
-
-    def rollbar_filtered_param_value(value)
-      if ATTACHMENT_CLASSES.include?(value.class.name)
-        begin
-          {
-            :content_type => value.content_type,
-            :original_filename => value.original_filename,
-            :size => value.tempfile.size
-          }
-        rescue
-          'Uploaded file'
-        end
-      else
-        value
-      end
-    end
-
     def sensitive_params_list(env)
-      Array(Rollbar.configuration.scrub_fields) | Array(env['action_dispatch.parameter_filter'])
+      Array(env['action_dispatch.parameter_filter'])
     end
 
     def sensitive_headers_list
-      Rollbar.configuration.scrub_headers || []
-    end
-
-    def random_filtered_value
-      '*' * (rand(5) + 3)
-    end
+      unless Rollbar.configuration.scrub_headers &&
+             Rollbar.configuration.scrub_headers.is_a?(Array)
+        return []
+      end
 
-    def skip_value?(value)
-      SKIPPED_CLASSES.any? { |klass| value.is_a?(klass) }
+      # Normalize into the expected matching format
+      Rollbar.configuration.scrub_headers.map do |header|
+        header.split(/[-_]/).map(&:capitalize).join('-').gsub(/^Http-/, '')
+      end
     end
   end
 end

data/lib/rollbar/rollbar_test.rb

@@ -0,0 +1,38 @@
+require 'rollbar'
+
+module RollbarTest # :nodoc:
+  def self.run
+    return unless confirmed_token?
+
+    puts 'Test sending to Rollbar...'
+    result = Rollbar.info('Test message from rollbar:test')
+
+    if result == 'error'
+      puts error_message
+    else
+      puts success_message
+    end
+  end
+
+  def self.confirmed_token?
+    return true if Rollbar.configuration.access_token
+
+    puts token_error_message
+
+    false
+  end
+
+  def self.token_error_message
+    'Rollbar needs an access token configured. Check the README for instructions.'
+  end
+
+  def self.error_message
+    'Test failed! You may have a configuration issue, or you could be using a ' \
+    'gem that\'s blocking the test. Contact support@rollbar.com if you need ' \
+    'help troubleshooting.'
+  end
+
+  def self.success_message
+    'Testing rollbar with "rake rollbar:test". If you can see this, it works.'
+  end
+end

data/lib/rollbar/scrubbers/params.rb

@@ -0,0 +1,133 @@
+require 'tempfile'
+require 'rollbar/scrubbers'
+
+module Rollbar
+  module Scrubbers
+    # This class contains the logic to scrub the received parameters. It will
+    # scrub the parameters matching Rollbar.configuration.scrub_fields Array.
+    # Also, if that configuration option is set to :scrub_all, it will scrub all
+    # received parameters. It will not scrub anything that is in the scrub_whitelist
+    # configuration array even if :scrub_all is true.
+    class Params
+      SKIPPED_CLASSES = [::Tempfile].freeze
+      ATTACHMENT_CLASSES = %w[ActionDispatch::Http::UploadedFile
+                              Rack::Multipart::UploadedFile].freeze
+      SCRUB_ALL = :scrub_all
+
+      def self.call(*args)
+        new.call(*args)
+      end
+
+      def call(options = {})
+        params = options[:params]
+        return {} unless params
+
+        @scrubbed_objects = {}.compare_by_identity
+
+        config = options[:config]
+        extra_fields = options[:extra_fields]
+        whitelist = options[:whitelist] || []
+
+        scrub(params, build_scrub_options(config, extra_fields, whitelist))
+      end
+
+      private
+
+      def build_scrub_options(config, extra_fields, whitelist)
+        ary_config = Array(config)
+
+        {
+          :fields_regex => build_fields_regex(ary_config, extra_fields),
+          :scrub_all => ary_config.include?(SCRUB_ALL),
+          :whitelist => build_whitelist_regex(whitelist)
+        }
+      end
+
+      def build_fields_regex(config, extra_fields)
+        fields = config.find_all { |f| f.is_a?(String) || f.is_a?(Symbol) }
+        fields += Array(extra_fields)
+
+        return unless fields.any?
+
+        Regexp.new(fields.map { |val| Regexp.escape(val.to_s).to_s }.join('|'), true)
+      end
+
+      def build_whitelist_regex(whitelist)
+        fields = whitelist.find_all do |f|
+          f.is_a?(String) || f.is_a?(Symbol) || f.is_a?(Regexp)
+        end
+        return unless fields.any?
+
+        Regexp.new(fields.map do |val|
+                     val.is_a?(Regexp) ? val : /\A#{Regexp.escape(val.to_s)}\z/
+                   end.join('|'))
+      end
+
+      def scrub(params, options)
+        return params if @scrubbed_objects[params]
+
+        @scrubbed_objects[params] = true
+
+        fields_regex = options[:fields_regex]
+        scrub_all = options[:scrub_all]
+        whitelist_regex = options[:whitelist]
+
+        return scrub_array(params, options) if params.is_a?(Array)
+
+        params.to_hash.inject({}) do |result, (key, value)|
+          encoded_key = Rollbar::Encoding.encode(key).to_s
+          result[key] = if (fields_regex === encoded_key) &&
+                           !(whitelist_regex === encoded_key)
+                          scrub_value(value)
+                        elsif value.is_a?(Hash)
+                          scrub(value, options)
+                        elsif scrub_all && !(whitelist_regex === encoded_key)
+                          scrub_value(value)
+                        elsif value.is_a?(Array)
+                          scrub_array(value, options)
+                        elsif skip_value?(value)
+                          "Skipped value of class '#{value.class.name}'"
+                        else
+                          rollbar_filtered_param_value(value)
+                        end
+
+          result
+        end
+      end
+
+      def scrub_array(array, options)
+        array.map do |value|
+          value.is_a?(Hash) ? scrub(value, options) : rollbar_filtered_param_value(value)
+        end
+      end
+
+      def scrub_value(value)
+        Rollbar::Scrubbers.scrub_value(value)
+      end
+
+      def rollbar_filtered_param_value(value)
+        if ATTACHMENT_CLASSES.include?(value.class.name)
+          begin
+            attachment_value(value)
+          rescue StandardError
+            'Uploaded file'
+          end
+        else
+          value
+        end
+      end
+
+      def attachment_value(value)
+        {
+          :content_type => value.content_type,
+          :original_filename => value.original_filename,
+          :size => value.tempfile.size
+        }
+      end
+
+      def skip_value?(value)
+        SKIPPED_CLASSES.any? { |klass| value.is_a?(klass) }
+      end
+    end
+  end
+end