sanitize_email 2.0.9 → 2.0.11

data/RUBOCOP.md

@@ -0,0 +1,71 @@
+# RuboCop Usage Guide
+
+## Overview
+
+A tale of two RuboCop plugin gems.
+
+### RuboCop Gradual
+
+This project uses `rubocop_gradual` instead of vanilla RuboCop for code style checking. The `rubocop_gradual` tool allows for gradual adoption of RuboCop rules by tracking violations in a lock file.
+
+### RuboCop LTS
+
+This project uses `rubocop-lts` to ensure, on a best-effort basis, compatibility with Ruby >= 1.9.2.
+RuboCop rules are meticulously configured by the `rubocop-lts` family of gems to ensure that a project is compatible with a specific version of Ruby. See: https://rubocop-lts.gitlab.io for more.
+
+## Checking RuboCop Violations
+
+To check for RuboCop violations in this project, always use:
+
+```bash
+bundle exec rake rubocop_gradual:check
+```
+
+**Do not use** the standard RuboCop commands like:
+- `bundle exec rubocop`
+- `rubocop`
+
+## Understanding the Lock File
+
+The `.rubocop_gradual.lock` file tracks all current RuboCop violations in the project. This allows the team to:
+
+1. Prevent new violations while gradually fixing existing ones
+2. Track progress on code style improvements
+3. Ensure CI builds don't fail due to pre-existing violations
+
+## Common Commands
+
+- **Check violations**
+    - `bundle exec rake rubocop_gradual`
+    - `bundle exec rake rubocop_gradual:check`
+- **(Safe) Autocorrect violations, and update lockfile if no new violations**
+  - `bundle exec rake rubocop_gradual:autocorrect`
+- **Force update the lock file (w/o autocorrect) to match violations present in code**
+  - `bundle exec rake rubocop_gradual:force_update`
+
+## Workflow
+
+1. Before submitting a PR, run `bundle exec rake rubocop_gradual:autocorrect`
+   a. or just the default `bundle exec rake`, as autocorrection is a pre-requisite of the default task.
+2. If there are new violations, either:
+   - Fix them in your code
+   - Run `bundle exec rake rubocop_gradual:force_update` to update the lock file (only for violations you can't fix immediately)
+3. Commit the updated `.rubocop_gradual.lock` file along with your changes
+
+## Never add inline RuboCop disables
+
+Do not add inline `rubocop:disable` / `rubocop:enable` comments anywhere in the codebase (including specs, except when following the few existing `rubocop:disable` patterns for a rule already being disabled elsewhere in the code). We handle exceptions in two supported ways:
+
+- Permanent/structural exceptions: prefer adjusting the RuboCop configuration (e.g., in `.rubocop.yml`) to exclude a rule for a path or file pattern when it makes sense project-wide.
+- Temporary exceptions while improving code: record the current violations in `.rubocop_gradual.lock` via the gradual workflow:
+  - `bundle exec rake rubocop_gradual:autocorrect` (preferred; will autocorrect what it can and update the lock only if no new violations were introduced)
+  - If needed, `bundle exec rake rubocop_gradual:force_update` (as a last resort when you cannot fix the newly reported violations immediately)
+
+In general, treat the rules as guidance to follow; fix violations rather than ignore them. For example, RSpec conventions in this project expect `described_class` to be used in specs that target a specific class under test.
+
+## Benefits of rubocop_gradual
+
+- Allows incremental adoption of code style rules
+- Prevents CI failures due to pre-existing violations
+- Provides a clear record of code style debt
+- Enables focused efforts on improving code quality over time

data/SECURITY.md

@@ -2,14 +2,20 @@
 
 ## Supported Versions
 
-| Version | Supported |
-|---------|-----------|
-| 2.x     | ✅         |
-| 1.x     | ❌         |
-| 0.x     | ❌         |
+| Version  | Supported |
+|----------|-----------|
+| 1.latest | ✅         |
 
-## Reporting a Vulnerability
+## Security contact information
 
-Peter Boling is the primary maintainer of this gem. Please find a way
-to [contact him directly](https://railsbling.com/contact) to report the issue. Include as much relevant information as
-possible.
+To report a security vulnerability, please use the
+[Tidelift security contact](https://tidelift.com/security).
+Tidelift will coordinate the fix and disclosure.
+
+## Additional Support
+
+If you are interested in support for versions older than the latest release,
+please consider sponsoring the project / maintainer @ https://liberapay.com/pboling/donate,
+or find other sponsorship links in the [README].
+
+[README]: README.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/sanitize_email/bleach.rb

@@ -8,6 +8,7 @@ module SanitizeEmail
   #   and does so when appropriate.
   class Bleach
     extend SanitizeEmail::Deprecation
+
     attr_accessor :overridden_addresses # TODO: Just a stub, not implemented
 
     class << self
@@ -28,7 +29,8 @@ module SanitizeEmail
 
         return if message["personalizations"].nil?
 
-        message["personalizations"].value = overridden.overridden_personalizations
+        message["personalizations"] = nil
+        message["personalizations"] = overridden.overridden_personalizations
       end
 
       # Will be called by the Hook to determine if an override should occur

data/lib/sanitize_email/config.rb

@@ -9,9 +9,7 @@ module SanitizeEmail
   class Config
     extend SanitizeEmail::Deprecation
 
-    class << self
-      attr_accessor :config
-    end
+    CONFIG_MUTEX = Mutex.new
 
     DEFAULTS = {
       # Specify the BCC addresses for the messages
@@ -60,43 +58,62 @@ module SanitizeEmail
       activation_proc: proc { false },
     }.freeze
 
-    @config ||= DEFAULTS.dup
-    def self.configure
-      yield @config
+    INIT_KEYS = [:sanitized_to, :sanitized_cc, :sanitized_bcc, :good_list, :bad_list].freeze
+    @config = DEFAULTS.dup
 
-      # Gracefully handle deprecated config values.
-      # Actual deprecation warnings are thrown in the top SanitizeEmail module
-      #   thanks to our use of dynamic methods.
-      if @config[:local_environments] && defined?(Rails)
-        @config[:activation_proc] = proc do
-          SanitizeEmail.local_environments.include?(Rails.env)
-        end
+    class << self
+      def config
+        CONFIG_MUTEX.synchronize { @config }
+      end
+
+      def config=(value)
+        CONFIG_MUTEX.synchronize { @config = value }
       end
-      if @config[:sanitized_recipients]
+
+      def configure
+        sanitized_recipients = nil
+
+        CONFIG_MUTEX.synchronize do
+          yield @config
+
+          # Gracefully handle deprecated config values.
+          # Actual deprecation warnings are thrown in the top SanitizeEmail module
+          #   thanks to our use of dynamic methods.
+          if @config[:local_environments] && defined?(Rails)
+            @config[:activation_proc] = proc do
+              SanitizeEmail.local_environments.include?(Rails.env)
+            end
+          end
+          if @config[:sanitized_recipients]
+            sanitized_recipients = @config[:sanitized_recipients]
+            @config[:sanitized_to] = sanitized_recipients
+          end
+        end
+
         # calling it to trigger the deprecation warning.
-        # Won't actually be set with any value,
-        # because we are still inside the configure block.
-        SanitizeEmail.sanitized_recipients
-        @config[:sanitized_to] = @config[:sanitized_recipients]
+        SanitizeEmail.sanitized_recipients if sanitized_recipients
+        config_force_sanitize_deprecation_warning
       end
-      config_force_sanitize_deprecation_warning
-    end
 
-    def self.config_force_sanitize_deprecation_warning
-      return if @config[:force_sanitize].nil?
-      deprecation_warning_message(
-        <<-DEPRECATION,
-              SanitizeEmail::Config.config[:force_sanitize] is deprecated.
-              Please use SanitizeEmail.force_sanitize or SanitizeEmail.sanitary instead.
-              Refer to https://github.com/pboling/sanitize_email/wiki for examples.
-      DEPRECATION
-      )
-      SanitizeEmail.force_sanitize = @config[:force_sanitize]
-    end
+      def config_force_sanitize_deprecation_warning
+        force_sanitize = CONFIG_MUTEX.synchronize { @config[:force_sanitize] }
+        return if force_sanitize.nil?
+
+        deprecation_warning_message(
+          <<-DEPRECATION,
+                SanitizeEmail::Config.config[:force_sanitize] is deprecated.
+                Please use SanitizeEmail.force_sanitize or SanitizeEmail.sanitary instead.
+                Refer to https://github.com/galtzo-floss/sanitize_email/wiki for examples.
+        DEPRECATION
+        )
+        SanitizeEmail.force_sanitize = force_sanitize
+      end
 
-    INIT_KEYS = [:sanitized_to, :sanitized_cc, :sanitized_bcc, :good_list, :bad_list].freeze
-    def self.to_init
-      @config.select { |key, _value| INIT_KEYS.include?(key) }
+      def to_init
+        CONFIG_MUTEX.synchronize do
+          @config.select { |key, _value| INIT_KEYS.include?(key) }
+        end
+      end
     end
   end
 end

data/lib/sanitize_email/deprecation.rb

@@ -7,8 +7,16 @@ module SanitizeEmail
   # Provides tools that allow methods to be deprecated with new releases of the gem.
   # See http://www.seejohncode.com/2012/01/09/deprecating-methods-in-ruby/
   module Deprecation
+    DEPRECATE_IN_SILENCE_MUTEX = Mutex.new
+
     class << self
-      attr_accessor :deprecate_in_silence
+      def deprecate_in_silence
+        DEPRECATE_IN_SILENCE_MUTEX.synchronize { @deprecate_in_silence }
+      end
+
+      def deprecate_in_silence=(value)
+        DEPRECATE_IN_SILENCE_MUTEX.synchronize { @deprecate_in_silence = value }
+      end
     end
 
     @deprecate_in_silence = false

data/lib/sanitize_email/mail_ext.rb

@@ -5,13 +5,15 @@
 require "mail"
 
 # Cribbed from email_spec gem
-module SanitizeEmail::MailExt
-  def default_part
-    @default_part ||= html_part || text_part || self
-  end
+module SanitizeEmail
+  module MailExt
+    def default_part
+      @default_part ||= html_part || text_part || self
+    end
 
-  def default_part_body
-    default_part.body
+    def default_part_body
+      default_part.body
+    end
   end
 end
 

data/lib/sanitize_email/mail_header_tools.rb

@@ -6,77 +6,80 @@
 module SanitizeEmail
   # Tools for modifying the header of an email
   module MailHeaderTools
-    def self.prepend_subject_array(message)
-      prepend = []
-      if SanitizeEmail.use_actual_email_prepended_to_subject
-        prepend << SanitizeEmail::MailHeaderTools
-          .prepend_email_to_subject(Array(message.to))
+    class << self
+      def prepend_subject_array(message)
+        prepend = []
+        if SanitizeEmail.use_actual_email_prepended_to_subject
+          prepend << SanitizeEmail::MailHeaderTools
+            .prepend_email_to_subject(Array(message.to))
+        end
+        if SanitizeEmail.use_actual_environment_prepended_to_subject
+          prepend << SanitizeEmail::MailHeaderTools
+            .prepend_environment_to_subject
+        end
+        # this will force later joins to add an extra space
+        prepend << "" unless prepend.empty?
+        prepend
       end
-      if SanitizeEmail.use_actual_environment_prepended_to_subject
-        prepend << SanitizeEmail::MailHeaderTools
-          .prepend_environment_to_subject
+
+      def custom_subject(message)
+        prepend_subject_array(message).join(" ")
       end
-      # this will force later joins to add an extra space
-      prepend << "" unless prepend.empty?
-      prepend
-    end
 
-    def self.custom_subject(message)
-      prepend_subject_array(message).join(" ")
-    end
+      def prepend_environment_to_subject
+        if SanitizeEmail::Config.config[:environment].respond_to?(:call)
+          SanitizeEmail::Config.config[:environment].call.to_s
+        else
+          SanitizeEmail::Config.config[:environment].to_s
+        end
+      end
 
-    def self.prepend_environment_to_subject
-      if SanitizeEmail::Config.config[:environment].respond_to?(:call)
-        SanitizeEmail::Config.config[:environment].call.to_s
-      else
-        SanitizeEmail::Config.config[:environment].to_s
+      def prepend_email_to_subject(actual_addresses)
+        "(#{Array(actual_addresses).uniq.join(",").gsub(/@/, " at ")
+          .gsub(/[<>]/, "~")})"
       end
-    end
 
-    def self.prepend_email_to_subject(actual_addresses)
-      "(#{Array(actual_addresses).uniq.join(",").gsub(/@/, " at ")
-        .gsub(/[<>]/, "~")})"
-    end
+      def add_original_addresses_as_headers(message)
+        # Add headers by string concat.
+        # Setting hash values on message.headers does nothing, strangely.
+        # See: http://goo.gl/v46GY
+        to_addrs = message[:to]&.addrs
+        cc_addrs = message[:cc]&.addrs
+        to_decoded = Array(to_addrs&.map(&:decoded))
+        cc_decoded = Array(cc_addrs&.map(&:decoded))
+        {
+          # can be an arrays, so casting it as arrays
+          "X-Sanitize-Email-To" => to_decoded,
+          "X-Sanitize-Email-Cc" => cc_decoded,
+          # Don't write out the BCC, as those addresses should not be visible
+          #   in message headers for obvious reasons
+        }.each do |header_key, header_value|
+          # For each type of address line
+          SanitizeEmail::MailHeaderTools.update_header(
+            header_key,
+            header_value,
+            message,
+          )
+        end
+      end
 
-    def self.add_original_addresses_as_headers(message)
-      # Add headers by string concat.
-      # Setting hash values on message.headers does nothing, strangely.
-      # See: http://goo.gl/v46GY
-      to_addrs = message[:to]&.addrs
-      cc_addrs = message[:cc]&.addrs
-      to_decoded = Array(to_addrs&.map(&:decoded))
-      cc_decoded = Array(cc_addrs&.map(&:decoded))
-      {
-        # can be an arrays, so casting it as arrays
-        "X-Sanitize-Email-To" => to_decoded,
-        "X-Sanitize-Email-Cc" => cc_decoded,
-        # Don't write out the BCC, as those addresses should not be visible
-        #   in message headers for obvious reasons
-      }.each do |header_key, header_value|
-        # For each type of address line
-        SanitizeEmail::MailHeaderTools.update_header(
-          header_key,
-          header_value,
-          message,
-        )
+      def prepend_custom_subject(message)
+        message.subject = "" unless message.subject
+        custom_subject = SanitizeEmail::MailHeaderTools.custom_subject(message)
+        message.subject = custom_subject + message.subject
       end
-    end
 
-    def self.prepend_custom_subject(message)
-      message.subject = "" unless message.subject
-      custom_subject = SanitizeEmail::MailHeaderTools.custom_subject(message)
-      message.subject = custom_subject + message.subject
-    end
+      # According to https://github.com/mikel/mail
+      #   this is the correct way to update headers.
+      def update_header(header_key, header_value, message)
+        return unless header_value
 
-    # According to https://github.com/mikel/mail
-    #   this is the correct way to update headers.
-    def self.update_header(header_key, header_value, message)
-      return unless header_value
-      # For each address, as header_value can be an array of addresses
-      Array(header_value).each_with_index do |elem, index|
-        num = index + 1
-        new_header_key = (num > 1) ? "#{header_key}-#{num}" : header_key
-        message.header[new_header_key] = elem.to_s
+        # For each address, as header_value can be an array of addresses
+        Array(header_value).each_with_index do |elem, index|
+          num = index + 1
+          new_header_key = (num > 1) ? "#{header_key}-#{num}" : header_key
+          message.header[new_header_key] = elem.to_s
+        end
       end
     end
   end

data/lib/sanitize_email/rspec_matchers.rb

@@ -5,7 +5,7 @@
 # Note: the RspecMatchers are composed matchers:
 # See: http://www.relishapp.com/rspec/rspec-expectations/v/3-5/docs/composing-matchers
 
-require "sanitize_email/mail_ext"
+require_relative "mail_ext"
 
 module SanitizeEmail
   # Provides matchers that can be used in

data/lib/sanitize_email/version.rb

@@ -1,10 +1,8 @@
 # frozen_string_literal: true
 
-# Copyright (c) 2008 - 2018, 2020, 2022, 2024 Peter H. Boling of RailsBling.com
-# Released under the MIT license
-
 module SanitizeEmail
   module Version
-    VERSION = "2.0.9"
+    VERSION = "2.0.11"
   end
+  VERSION = Version::VERSION # Traditional Constant Location
 end

data/lib/sanitize_email.rb

@@ -7,14 +7,16 @@
 require "version_gem"
 
 # This Library
-require "sanitize_email/version"
-require "sanitize_email/deprecation"
-require "sanitize_email/config"
-require "sanitize_email/mail_header_tools"
-require "sanitize_email/overridden_addresses"
-require "sanitize_email/bleach"
+require_relative "sanitize_email/version"
+require_relative "sanitize_email/deprecation"
+require_relative "sanitize_email/config"
+require_relative "sanitize_email/mail_header_tools"
+require_relative "sanitize_email/overridden_addresses"
+require_relative "sanitize_email/bleach"
 
 module SanitizeEmail
+  FORCE_SANITIZE_MUTEX = Mutex.new
+
   # Error is raised when a block parameter is required and not provided to a method
   class MissingBlockParameter < StandardError; end
 
@@ -22,17 +24,18 @@ module SanitizeEmail
   # This gem must be loaded **after** Rails in order for the Engine/Railtie to register itself automatically.
   # Otherwise, you'd have to manually require what you need from below.
   # Allow non-rails implementations to use this gem
+  # :nocov:
   if defined?(::Rails::VERSION)
     if defined?(::Rails::Engine)
       if ::Rails::VERSION::MAJOR >= 6
         # Rails 6.0+
-        require "sanitize_email/engine_v6"
+        require_relative "sanitize_email/engine_v6"
       else
         # Rails 3.1 to 5.2
-        require "sanitize_email/engine_v5"
+        require_relative "sanitize_email/engine_v5"
       end
     elsif ::Rails::VERSION::MAJOR == 3 && ::Rails::VERSION::MINOR.zero?
-      require "sanitize_email/railtie"
+      require_relative "sanitize_email/railtie"
     else
       raise "Please use the 0.X.X versions of sanitize_email for Rails 2.X and below."
     end
@@ -50,11 +53,18 @@ module SanitizeEmail
       warn "SanitizeEmail was unable to detect a compatible Mail class to register an interceptor on."
     end
   end
+  # :nocov:
 
   class << self
     extend SanitizeEmail::Deprecation
 
-    attr_accessor :force_sanitize
+    def force_sanitize
+      FORCE_SANITIZE_MUTEX.synchronize { @force_sanitize }
+    end
+
+    def force_sanitize=(value)
+      FORCE_SANITIZE_MUTEX.synchronize { @force_sanitize = value }
+    end
 
     def [](key)
       return unless key.respond_to?(:to_sym)

data/sig/sanitize_email/version.rbs

@@ -0,0 +1,6 @@
+module SanitizeEmail
+  module Version
+    VERSION: String
+  end
+  VERSION: String
+end