rollbar 3.0.0 → 3.2.0

data/lib/rollbar/middleware/js.rb

@@ -157,8 +157,7 @@ module Rollbar
       def script_tag(content, env)
         if (nonce = rails5_nonce(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
-        elsif secure_headers_nonce?
-          nonce = ::SecureHeaders.content_security_policy_script_nonce(::Rack::Request.new(env))
+        elsif (nonce = secure_headers_nonce(env))
           script_tag_content = "\n<script type=\"text/javascript\" nonce=\"#{nonce}\">#{content}</script>"
         else
           script_tag_content = "\n<script type=\"text/javascript\">#{content}</script>"
@@ -172,29 +171,40 @@ module Rollbar
         string
       end
 
-      # Rails 5.2 Secure Content Policy
+      # Rails 5.2+ Secure Content Policy
       def rails5_nonce(env)
-        # The nonce is the preferred method, however 'unsafe-inline' is also possible.
-        # The app gets to decide, so we handle both. If the script_src key is missing,
-        # Rails will not add the nonce to the headers, so we should not add it either.
-        # If the 'unsafe-inline' value is present, the app should not add a nonce and
-        # we should ignore it if they do.
-        req = ::ActionDispatch::Request.new env
+        req = ::ActionDispatch::Request.new(env)
+
+        # Rails will only return a nonce if the app has set a nonce generator.
+        # So if we get a valid nonce here, we know we should use it.
+        #
+        # Having both 'unsafe-inline' and a nonce is a valid and preferred
+        # browser compatibility configuration.
+        #
+        # If the script_src key is missing, Rails will not add the nonce to the headers,
+        # so we detect this and will not add it in this case.
         req.respond_to?(:content_security_policy) &&
           req.content_security_policy &&
           req.content_security_policy.directives['script-src'] &&
-          !req.content_security_policy.directives['script-src'].include?("'unsafe-inline'") &&
           req.content_security_policy_nonce
       end
 
       # Secure Headers gem
-      def secure_headers_nonce?
-        secure_headers.append_nonce?
+      def secure_headers_nonce(env)
+        req = ::Rack::Request.new(env)
+
+        return unless secure_headers(req).append_nonce?
+
+        ::SecureHeaders.content_security_policy_script_nonce(req)
       end
 
-      def secure_headers
+      def secure_headers(req)
         return SecureHeadersFalse.new unless defined?(::SecureHeaders::Configuration)
 
+        # If the nonce key has been set, the app is using nonces for this request.
+        # If it hasn't, we shouldn't cause one to be added to script_src, so return now.
+        return SecureHeadersFalse.new unless secure_headers_nonce_key(req)
+
         config = ::SecureHeaders::Configuration
 
         secure_headers_cls = nil
@@ -212,6 +222,10 @@ module Rollbar
         secure_headers_cls.new
       end
 
+      def secure_headers_nonce_key(req)
+        defined?(::SecureHeaders::NONCE_KEY) && req.env[::SecureHeaders::NONCE_KEY]
+      end
+
       class SecureHeadersResolver
         def append_nonce?
           csp_needs_nonce?(find_csp)
@@ -224,16 +238,12 @@ module Rollbar
         end
 
         def csp_needs_nonce?(csp)
-          !opt_out?(csp) && !unsafe_inline?(csp)
+          !opt_out?(csp)
         end
 
         def opt_out?(_csp)
           raise NotImplementedError
         end
-
-        def unsafe_inline?(csp)
-          csp[:script_src].to_a.include?("'unsafe-inline'")
-        end
       end
 
       class SecureHeadersFalse < SecureHeadersResolver

data/lib/rollbar/notifier.rb

@@ -640,7 +640,11 @@ module Rollbar
       request = Net::HTTP::Post.new(uri.request_uri)
 
       request.body = pack_ruby260_bytes(body)
-      request.add_field('X-Rollbar-Access-Token', access_token)
+
+      # Ensure the payload token will be used if the option is set.
+      unless (configuration.use_payload_access_token)
+        request.add_field('X-Rollbar-Access-Token', access_token)
+      end
 
       handle_net_retries { http.request(request) }
     end

data/lib/rollbar/plugins/sidekiq.rb

@@ -9,7 +9,7 @@ Rollbar.plugins.define('sidekiq >= 3') do
 
     Sidekiq.configure_server do |config|
       config.server_middleware do |chain|
-        chain.add Rollbar::Sidekiq::ClearScope
+        chain.add Rollbar::Sidekiq::ResetScope
       end
 
       config.error_handlers << proc do |e, context|

data/lib/rollbar/plugins/sidekiq/plugin.rb

@@ -4,21 +4,39 @@ module Rollbar
   class Sidekiq
     PARAM_BLACKLIST = %w[backtrace error_backtrace error_message error_class].freeze
 
-    class ClearScope
-      def call(_worker, _msg, _queue)
-        Rollbar.reset_notifier!
+    class ResetScope
+      def call(_worker, msg, _queue)
+        Rollbar.reset_notifier! # clears scope
 
-        yield
+        return yield unless Rollbar.configuration.sidekiq_use_scoped_block
+
+        Rollbar.scoped(Rollbar::Sidekiq.job_scope(msg)) { yield }
       end
     end
 
-    def self.handle_exception(ctx_hash, e)
-      job_hash = ctx_hash && (ctx_hash[:job] || ctx_hash)
-      return if skip_report?(job_hash, e)
+    def self.handle_exception(msg, e)
+      return if skip_report?(msg, e)
+
+      Rollbar.scope(job_scope(msg)).error(e, :use_exception_level_filters => true)
+    end
+
+    def self.skip_report?(msg, _e)
+      job_hash = job_hash_from_msg(msg)
+
+      return false if job_hash.nil?
+
+      # when rollbar middleware catches, sidekiq's retry_job processor hasn't set
+      # the retry_count for the current job yet, so adding 1 gives the actual retry count
+      actual_retry_count = job_hash.fetch('retry_count', -1) + 1
+      job_hash['retry'] && actual_retry_count < ::Rollbar.configuration.sidekiq_threshold
+    end
 
+    def self.job_scope(msg)
       scope = {
         :framework => "Sidekiq: #{::Sidekiq::VERSION}"
       }
+      job_hash = job_hash_from_msg(msg)
+
       unless job_hash.nil?
         params = job_hash.reject { |k| PARAM_BLACKLIST.include?(k) }
         scope[:request] = { :params => scrub_params(params) }
@@ -26,7 +44,7 @@ module Rollbar
         scope[:queue] = params['queue']
       end
 
-      Rollbar.scope(scope).error(e, :use_exception_level_filters => true)
+      scope
     end
 
     def self.scrub_params(params)
@@ -38,22 +56,21 @@ module Rollbar
       Rollbar::Scrubbers::Params.call(options)
     end
 
-    def self.skip_report?(job_hash, _e)
-      return false if job_hash.nil?
-
-      # when rollbar middleware catches, sidekiq's retry_job processor hasn't set
-      # the retry_count for the current job yet, so adding 1 gives the actual retry count
-      actual_retry_count = job_hash.fetch('retry_count', -1) + 1
-      job_hash['retry'] && actual_retry_count < ::Rollbar.configuration.sidekiq_threshold
-    end
-
+    # see https://github.com/mperham/sidekiq/wiki/Middleware#server-middleware
     def call(_worker, msg, _queue)
-      Rollbar.reset_notifier!
+      Rollbar.reset_notifier! # clears scope
 
-      yield
+      return yield unless Rollbar.configuration.sidekiq_use_scoped_block
+
+      Rollbar.scoped(Rollbar::Sidekiq.job_scope(msg)) { yield }
     rescue Exception => e
       Rollbar::Sidekiq.handle_exception(msg, e)
       raise
     end
+
+    def self.job_hash_from_msg(msg)
+      msg && (msg[:job] || msg)
+    end
+    private_class_method :job_hash_from_msg
   end
 end

data/lib/rollbar/plugins/thread.rb

@@ -1,13 +1,14 @@
 Rollbar.plugins.define('thread') do
-  execute do
-    Thread.class_eval do
-      def initialize_with_rollbar(*args, &block)
+  module Rollbar
+    module ThreadPlugin
+      def initialize(*args)
         self[:_rollbar_notifier] ||= Rollbar.notifier.scope
-        initialize_without_rollbar(*args, &block)
+        super
       end
-
-      alias_method :initialize_without_rollbar, :initialize
-      alias_method :initialize, :initialize_with_rollbar
     end
   end
+
+  execute do
+    Thread.send(:prepend, Rollbar::ThreadPlugin) # rubocop:disable Lint/SendWithMixinArgument
+  end
 end

data/lib/rollbar/scrubbers/url.rb

@@ -13,7 +13,7 @@ module Rollbar
       end
 
       def call(options = {})
-        url = options[:url]
+        url = ascii_encode(options[:url])
 
         filter(url,
                build_regex(options[:scrub_fields]),
@@ -29,6 +29,20 @@ module Rollbar
 
       private
 
+      def ascii_encode(url)
+        # In some cases non-ascii characters won't be properly encoded, so we do it here.
+        #
+        # The standard encoders (the CGI and URI methods) are not reliable when the query string
+        # is already embedded in the full URL, but the inconsistencies are limited to issues
+        # with characters in the ascii range. (For example, the '#' if it appears in an unexpected place.)
+        # For escaping non-ascii, they are all OK, so we'll take care to skip the ascii chars.
+
+        return url if url.ascii_only?
+
+        # Iterate each char and only escape non-ascii characters.
+        url.each_char.map { |c| c.ascii_only? ? c : CGI.escape(c) }.join
+      end
+
       def build_whitelist_regex(whitelist)
         fields = whitelist.find_all { |f| f.is_a?(String) || f.is_a?(Symbol) }
         return unless fields.any?

data/lib/rollbar/version.rb

@@ -1,3 +1,3 @@
 module Rollbar
-  VERSION = '3.0.0'.freeze
+  VERSION = '3.2.0'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rollbar
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Rollbar, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-08-28 00:00:00.000000000 Z
+date: 2021-05-28 00:00:00.000000000 Z
 dependencies: []
 description: Easy and powerful exception tracking for Ruby
 email:
@@ -20,10 +20,10 @@ extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
 - ".github/pull_request_template.md"
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".gitmodules"
 - ".rubocop.yml"
-- ".travis.yml"
 - Appraisals
 - CHANGELOG.md
 - Gemfile
@@ -47,6 +47,7 @@ files:
 - gemfiles/rails51.gemfile
 - gemfiles/rails52.gemfile
 - gemfiles/rails60.gemfile
+- gemfiles/rails61.gemfile
 - lib/generators/rollbar/rollbar_generator.rb
 - lib/generators/rollbar/templates/initializer.rb
 - lib/rails/rollbar_runner.rb
@@ -160,7 +161,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Reports exceptions to Rollbar

data/.travis.yml

@@ -1,268 +0,0 @@
-sudo: false
-dist: trusty
-services:
-  - redis-server
-language: ruby
-
-rvm:
-  - 2.0.0
-  - 2.1.0
-  - 2.2.2
-  - 2.3.8
-  - 2.4.5
-  - 2.5.3
-  - 2.6.5
-  - 2.7.0
-  - rbx
-  # Travis's own rvm installer is failing on JRuby builds, TODO: reenable when fixed.
-  # - jruby-9.1.9.0
-
-  #
-  # # About legacy JRuby
-  #
-  # Legacy JRubies (jruby-18mode, jruby-19mode) have been disabled for some time by
-  # listing all possible targets in either the exclude or allow_failures sections.
-  # I have taken a look at getting them running, and have found that no valid
-  # combination of dependencies is possible for Rails 3.0 and higher. It appears
-  # Rails 2.2 is meant to work, though I haven't tried it.
-  #
-  # For Rails 3.0, it is possible to get a working bundle with all gem dependencies,
-  # but the JDBC adapter gem needs an earlier version of ActiveSupport, and it will
-  # fail at runtime.
-  #
-  # For Rails 3.1 and 3.2, Rack 1.3.x and higher require Ruby 2.x, while Rails 3.x will
-  # not accept any 1.2.x version of Rack. Even if this could be resolved, one would
-  # hit the above runtime issue amyway.
-  #
-  # # About current JRuby
-  #
-  # While current JRuby builds aim to be Ruby 2.5.x compatible, the JDBC adapter
-  # gem is constrained to only Rails 5.0, 5.1 and 5.2 at this time. (Old versions
-  # of the gem allow >= Rails 2.2, but in practice it will not work with Rails 3.0
-  # and higher because of the ActiveSupport issue described above.) For as long as
-  # the test suite relies on Rails and SqlLite, it is not possible to include
-  # earlier Rails for JRuby.
-
-jdk:
-  # These are the JDKs currently supported on Travis (Trusty - Ubuntu 14.04)
-  - openjdk7
-  - openjdk8
-  - oraclejdk8
-  - oraclejdk9
-gemfile:
-  - gemfiles/rails30.gemfile
-  - gemfiles/rails31.gemfile
-  - gemfiles/rails32.gemfile
-  - gemfiles/rails40.gemfile
-  - gemfiles/rails41.gemfile
-  - gemfiles/rails42.gemfile
-  - gemfiles/rails50.gemfile
-  - gemfiles/rails51.gemfile
-  - gemfiles/rails52.gemfile
-  - gemfiles/rails60.gemfile
-matrix:
-  include: []
-
-  allow_failures:
-    - rvm: ruby-head
-    - rvm: jruby-head
-    # oraclejdk9 has a dependency issue that needs to be investigated
-    - jdk: oraclejdk9
-
-  exclude:
-    # Don't run tests for non-jruby environments with the JDK.
-    # NOTE: openjdk7 is missing from these exclusions so that Travis will run at least 1 build for the given rvm.
-    - rvm: 2.0.0
-      jdk: openjdk8
-    - rvm: 2.0.0
-      jdk: oraclejdk8
-    - rvm: 2.0.0
-      jdk: oraclejdk9
-    - rvm: 2.1.0
-      jdk: openjdk8
-    - rvm: 2.1.0
-      jdk: oraclejdk8
-    - rvm: 2.1.0
-      jdk: oraclejdk9
-    - rvm: 2.2.2
-      jdk: openjdk8
-    - rvm: 2.2.2
-      jdk: oraclejdk8
-    - rvm: 2.2.2
-      jdk: oraclejdk9
-    - rvm: 2.3.8
-      jdk: openjdk8
-    - rvm: 2.3.8
-      jdk: oraclejdk8
-    - rvm: 2.3.8
-      jdk: oraclejdk9
-    - rvm: 2.4.5
-      jdk: openjdk8
-    - rvm: 2.4.5
-      jdk: oraclejdk8
-    - rvm: 2.4.5
-      jdk: oraclejdk9
-    - rvm: 2.5.3
-      jdk: openjdk8
-    - rvm: 2.5.3
-      jdk: oraclejdk8
-    - rvm: 2.5.3
-      jdk: oraclejdk9
-    - rvm: 2.6.5
-      jdk: openjdk8
-    - rvm: 2.6.5
-      jdk: oraclejdk8
-    - rvm: 2.6.5
-      jdk: oraclejdk9
-    - rvm: 2.7.0
-      jdk: openjdk8
-    - rvm: 2.7.0
-      jdk: oraclejdk8
-    - rvm: 2.7.0
-      jdk: oraclejdk9
-
-    - rvm: ruby-head
-      jdk: openjdk8
-    - rvm: ruby-head
-      jdk: oraclejdk8
-    - rvm: ruby-head
-      jdk: oraclejdk9
-    - rvm: rbx
-      jdk: openjdk8
-    - rvm: rbx
-      jdk: oraclejdk8
-    - rvm: rbx
-      jdk: oraclejdk9
-
-    # Rails 6.x requires Ruby 2.5.0 or higher
-    - rvm: 2.2.2
-      gemfile: gemfiles/rails60.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails60.gemfile
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails60.gemfile
-    # Rails 5.x requires Ruby 2.2.2 or higher
-    - rvm: 2.0.0
-      gemfile: gemfiles/rails50.gemfile
-    - rvm: 2.0.0
-      gemfile: gemfiles/rails51.gemfile
-    - rvm: 2.0.0
-      gemfile: gemfiles/rails52.gemfile
-    - rvm: 2.0.0
-      gemfile: gemfiles/rails60.gemfile
-    # Rails 5.x requires Ruby 2.2.2 or higher
-    - rvm: 2.1.0
-      gemfile: gemfiles/rails50.gemfile
-    - rvm: 2.1.0
-      gemfile: gemfiles/rails51.gemfile
-    - rvm: 2.1.0
-      gemfile: gemfiles/rails52.gemfile
-    - rvm: 2.1.0
-      gemfile: gemfiles/rails60.gemfile
-    # MRI 2.2.2 supports Rails 3.2.x and higher, except Rails 5.2.4 and higher*
-    # * ActionDispatch 5.2.4 uses Ruby 3.x safe navigation operator.
-    - rvm: 2.2.2
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.2.2
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.2.2
-      gemfile: gemfiles/rails52.gemfile
-    # MRI 2.3.x supports Rails 4.0.x and higher
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: 2.3.8
-      gemfile: gemfiles/rails41.gemfile
-    # MRI 2.4.x and higher (e.g. 2.5.x, 2.6.x, etc) supports Rails 4.2.8 and higher
-    # Rails lower than 4.2.8 is incompatible with Ruby 2.4 Integer class
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: 2.4.5
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: 2.5.3
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.5.3
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.5.3
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: 2.5.3
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: 2.5.3
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: 2.6.5
-      gemfile: gemfiles/rails42.gemfile
-    # Rails 6.x tries to be compatible with Ruby 2.7, though
-    # it still throws a lot of warnings. No point testing earlier
-    # Rails with Ruby 2.7.
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails42.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails50.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails51.gemfile
-    - rvm: 2.7.0
-      gemfile: gemfiles/rails52.gemfile
-    # JRuby JDBC Adapter is only compatible with Rails >= 5.x
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: jruby-9.1.9.0
-      gemfile: gemfiles/rails42.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails30.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails31.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails32.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails40.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails41.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails42.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails50.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails51.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails52.gemfile
-    - rvm: rbx
-      gemfile: gemfiles/rails60.gemfile