sinatra 4.0.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71d0bb379c736d6c251ceb424cac84dbe3a8b22d80a54473a0af1085b93b7dbf
-  data.tar.gz: 489d48a5e4f934127e04cdafa2d0d582c5143cc2a8f476239ea5b5b0f0e492c9
+  metadata.gz: a487551e0b40831dadeffd669ae0a8fb408fc5880825f2257105beec8be727ec
+  data.tar.gz: f7999f252d7d1c2192a3c909911ff5879075a811a8c742c89a2d700bf1db8b82
 SHA512:
-  metadata.gz: fbe92c1867d3ebe8ddc3f707c4e9f9cf2b68bddf2556164b85083ac635650725d63f8c847b4c70d0ad2abf6793b5f1054918b0b7c4e04d303119867be84c3253
-  data.tar.gz: 0727d88e9f5574c304dd3f31c6107a2b3e1cde96914e258c86fee529a1e922b0ff1d023f109fcc3b232f010ae21d9bdb4c365001dc7c3f658c0bd75b95e8d24d
+  metadata.gz: 611bf8733959bae4110a357e22be091cd3c044a5f810d133a9833993c84e2ae7a3b2c3999fd13991338c44e72ac5ab6b9b3af8bc9d4667384fd97b7715c086d2
+  data.tar.gz: 824f4f37c5cc5fde671bdf286c63cd67672566c10fadcf80b841eddc9685f92b88a9032ee8b711a2b859a5529afc082fe11f09ac1204f8b04659501f13a03747

data/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 4.1.0 / 2024-11-18
+
+* New: Add `host_authorization` setting ([#2053](https://github.com/sinatra/sinatra/pull/2053))
+  * Defaults to `.localhost`, `.test` and any IP address in development mode.
+  * Security: addresses [CVE-2018-11627](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3).
+* Fix: Return an instance of `Sinatra::IndifferentHash` when calling `#except` ([#2044](https://github.com/sinatra/sinatra/pull/2044))
+* Fix: Address warning from `URI` for Ruby 3.4 ([#2060](https://github.com/sinatra/sinatra/pull/2060))
+* Fix: `rackup` no longer depends on WEBrick, recommend Puma instead ([`4a558503`](https://github.com/sinatra/sinatra/commit/4a558503a0ee41f26d4ebc07b478340e8a8a5ed6))
+* Fix: Zeitwerk 2.7.0+ compatibility ([#2050](https://github.com/sinatra/sinatra/pull/2050))
+* Fix: Address warning about Hash construction for Ruby 3.4 ([#2028](https://github.com/sinatra/sinatra/pull/2028))
+* Fix: Declare missing dependencies for Ruby 3.5 ([#2032](https://github.com/sinatra/sinatra/pull/2032))
+* Fix: Compatibility with `--enable-frozen-string-literal` ([#2033](https://github.com/sinatra/sinatra/pull/2033))
+* Fix: Rack 3.1 compatibility ([#2035](https://github.com/sinatra/sinatra/pull/2035))
+  * Don't depend on `Rack::Logger`
+  * Don't delete `content-length` header when `Rack::Files` is used
+
 ## 4.0.0. / 2024-01-19
 
 * New: Add support for Rack 3 ([#1857])
@@ -243,7 +259,7 @@
 
 * Fix issue with passed routes and provides Fixes [#1095](https://github.com/sinatra/sinatra/pull/1095) [#1606](https://github.com/sinatra/sinatra/pull/1606) by Mike Pastore, Jordan Owens
 
-* Add QuietLogger that excludes pathes from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
+* Add QuietLogger that excludes paths from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
 
 * Sinatra::Contrib dependency updates. Fixes [#1207](https://github.com/sinatra/sinatra/pull/1207) [#1411](https://github.com/sinatra/sinatra/pull/1411) by Mike Pastore
 
@@ -1609,7 +1625,7 @@ the 1.0 release:
    Hash structure. e.g., "post[title]=Hello&post[body]=World" yields
    params: {'post' => {'title' => 'Hello', 'body' => 'World'}}.
 
- * Regular expressions may now be used in route pattens; captures are
+ * Regular expressions may now be used in route patterns; captures are
    available at "params[:captures]".
 
  * New ":provides" route condition takes an array of mime types and

data/Gemfile

@@ -22,6 +22,10 @@ puma_version = nil if puma_version.empty? || (puma_version == 'stable')
 puma_version = { github: 'puma/puma' } if puma_version == 'head'
 gem 'puma', puma_version
 
+zeitwerk_version = ENV['zeitwerk'].to_s
+zeitwerk_version = nil if zeitwerk_version.empty? || (zeitwerk_version == 'stable')
+gem 'zeitwerk', zeitwerk_version
+
 gem 'minitest', '~> 5.0'
 gem 'rack-test'
 gem 'rubocop', '~> 1.32.0', require: false
@@ -42,15 +46,15 @@ gem 'kramdown'
 gem 'liquid'
 gem 'markaby'
 gem 'nokogiri', '> 1.5.0'
+gem 'ostruct'
 gem 'pandoc-ruby', '~> 2.0.2'
 gem 'rabl'
 gem 'rdiscount', platforms: [:ruby]
 gem 'rdoc'
 gem 'redcarpet', platforms: [:ruby]
 gem 'simplecov', require: false
-gem 'slim', '~> 4'
+gem 'slim', '~> 5'
 gem 'yajl-ruby', platforms: [:ruby]
-gem 'zeitwerk'
 
 # sass-embedded depends on google-protobuf
 # which fails to be installed on JRuby and TruffleRuby under aarch64

data/README.md

@@ -15,11 +15,10 @@ get '/' do
 end
 ```
 
-Install the gem:
+Install the gems needed:
 
 ```shell
-gem install sinatra
-gem install puma # or any other server
+gem install sinatra rackup puma
 ```
 
 And run with:
@@ -1993,6 +1992,31 @@ set :protection, :session => true
       <tt>"development"</tt> if not available.
     </dd>
 
+  <dt>host_authorization</dt>
+  <dd>
+    You can pass a hash of options to <tt>host_authorization</tt>,
+    to be used by the <tt>Rack::Protection::HostAuthorization</tt> middleware.
+  <dd>
+  <dd>
+    The middleware can block requests with unrecognized hostnames, to prevent DNS rebinding
+    and other host header attacks. It checks the <tt>Host</tt>, <tt>X-Forwarded-Host</tt>
+    and <tt>Forwarded</tt> headers.
+  </dd>
+  <dd>
+    Useful options are:
+    <ul>
+      <li><tt>permitted_hosts</tt> – an array of hostnames (and <tt>IPAddr</tt> objects) your app recognizes
+        <ul>
+          <li>in the <tt>development</tt> environment, it is set to <tt>.localhost</tt>, <tt>.test</tt> and any IPv4/IPv6 address</li>
+          <li>if empty, any hostname is permitted (the default for any other environment)</li>
+        </ul>
+      </li>
+      <li><tt>status</tt> – the HTTP status code used in the response when a request is blocked (defaults to <tt>403</tt>)</li>
+      <li><tt>message</tt> – the body used in the response when a request is blocked (defaults to <tt>Host not permitted</tt>)</li>
+      <li><tt>allow_if</tt> – supply a <tt>Proc</tt> to use custom allow/deny logic, the proc is passed the request environment</li>
+    </ul>
+  </dd>
+
   <dt>logging</dt>
     <dd>Use the logger.</dd>
 
@@ -2086,12 +2110,8 @@ set :protection, :session => true
 
   <dt>server_settings</dt>
     <dd>
-      If you are using a WEBrick web server, presumably for your development
-      environment, you can pass a hash of options to <tt>server_settings</tt>,
-      such as <tt>SSLEnable</tt> or <tt>SSLVerifyClient</tt>. However, web
-      servers such as Puma do not support this, so you can set
-      <tt>server_settings</tt> by defining it as a method when you call
-      <tt>configure</tt>.
+      You can pass a hash of options to <tt>server_settings</tt>,
+      such as <tt>Host</tt> or <tt>Port</tt>.
     </dd>
 
   <dt>sessions</dt>
@@ -2812,7 +2832,7 @@ _Paraphrasing from
 by Konstantin_
 
 Sinatra doesn't impose any concurrency model but leaves that to the
-underlying Rack handler (server) like Puma or WEBrick. Sinatra
+underlying Rack handler (server) like Puma or Falcon. Sinatra
 itself is thread-safe, so there won't be any problem if the Rack handler
 uses a threaded model of concurrency.
 

data/VERSION

@@ -1 +1 @@
-4.0.0
+4.1.0

data/lib/sinatra/base.rb

@@ -14,6 +14,7 @@ require 'mustermann/sinatra'
 require 'mustermann/regular'
 
 # stdlib dependencies
+require 'ipaddr'
 require 'time'
 require 'uri'
 
@@ -22,6 +23,8 @@ require 'sinatra/indifferent_hash'
 require 'sinatra/show_exceptions'
 require 'sinatra/version'
 
+require_relative 'middleware/logger'
+
 module Sinatra
   # The request object. See Rack::Request for more info:
   # https://rubydoc.info/github/rack/rack/main/Rack/Request
@@ -61,7 +64,7 @@ module Sinatra
     alias secure? ssl?
 
     def forwarded?
-      @env.include? 'HTTP_X_FORWARDED_HOST'
+      !forwarded_authority.nil?
     end
 
     def safe?
@@ -294,7 +297,7 @@ module Sinatra
         def block.each; yield(call) end
         response.body = block
       elsif value
-        unless request.head? || value.is_a?(Rack::Files::Iterator) || value.is_a?(Stream)
+        unless request.head? || value.is_a?(Rack::Files::BaseIterator) || value.is_a?(Stream)
           headers.delete 'content-length'
         end
         response.body = value
@@ -972,7 +975,7 @@ module Sinatra
     include Helpers
     include Templates
 
-    URI_INSTANCE = URI::Parser.new
+    URI_INSTANCE = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
 
     attr_accessor :app, :env, :request, :response, :params
     attr_reader   :template_cache
@@ -1292,7 +1295,7 @@ module Sinatra
         /active_support/,                                   # active_support require hacks
         %r{bundler(/(?:runtime|inline))?\.rb},              # bundler require hacks
         /<internal:/,                                       # internal in ruby >= 1.9.2
-        %r{zeitwerk/kernel\.rb}                             # Zeitwerk kernel#require decorator
+        %r{zeitwerk/(core_ext/)?kernel\.rb}                 # Zeitwerk kernel#require decorator
       ].freeze
 
       attr_reader :routes, :filters, :templates, :errors, :on_start_callback, :on_stop_callback
@@ -1598,20 +1601,20 @@ module Sinatra
       alias stop! quit!
 
       # Run the Sinatra app as a self-hosted server using
-      # Puma, Falcon, or WEBrick (in that order). If given a block, will call
+      # Puma, Falcon (in that order). If given a block, will call
       # with the constructed handler once we have taken the stage.
       def run!(options = {}, &block)
         unless defined?(Rackup::Handler)
           rackup_warning = <<~MISSING_RACKUP
-            Sinatra could not start, the "rackup" gem was not found!
+            Sinatra could not start, the required gems weren't found!
 
-            Add it to your bundle with:
+            Add them to your bundle with:
 
-                bundle add rackup
+                bundle add rackup puma
 
-            or install it with:
+            or install them with:
 
-                gem install rackup
+                gem install rackup puma
 
           MISSING_RACKUP
           warn rackup_warning
@@ -1819,6 +1822,7 @@ module Sinatra
         setup_logging    builder
         setup_sessions   builder
         setup_protection builder
+        setup_host_authorization builder
       end
 
       def setup_middleware(builder)
@@ -1835,7 +1839,7 @@ module Sinatra
       end
 
       def setup_null_logger(builder)
-        builder.use Rack::NullLogger
+        builder.use Sinatra::Middleware::Logger, ::Logger::FATAL
       end
 
       def setup_common_logger(builder)
@@ -1844,9 +1848,9 @@ module Sinatra
 
       def setup_custom_logger(builder)
         if logging.respond_to? :to_int
-          builder.use Rack::Logger, logging
+          builder.use Sinatra::Middleware::Logger, logging
         else
-          builder.use Rack::Logger
+          builder.use Sinatra::Middleware::Logger
         end
       end
 
@@ -1867,6 +1871,10 @@ module Sinatra
         builder.use Rack::Protection, options
       end
 
+      def setup_host_authorization(builder)
+        builder.use Rack::Protection::HostAuthorization, host_authorization
+      end
+
       def setup_sessions(builder)
         return unless sessions?
 
@@ -1961,10 +1969,25 @@ module Sinatra
     set :running_server, nil
     set :handler_name, nil
     set :traps, true
-    set :server, %w[HTTP webrick]
+    set :server, %w[]
     set :bind, proc { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] && !ENV['PORT'].empty? ? ENV['PORT'] : 4567)
     set :quiet, false
+    set :host_authorization, ->() do
+      if development?
+        {
+          permitted_hosts: [
+            "localhost",
+            ".localhost",
+            ".test",
+            IPAddr.new("0.0.0.0/0"),
+            IPAddr.new("::/0"),
+          ]
+        }
+      else
+        {}
+      end
+    end
 
     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE
 

data/lib/sinatra/indifferent_hash.rb

@@ -185,7 +185,7 @@ module Sinatra
     def except(*keys)
       keys.map!(&method(:convert_key))
 
-      super(*keys)
+      self.class[super(*keys)]
     end if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0")
 
     private

data/lib/sinatra/middleware/logger.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+module Sinatra
+  module Middleware
+    class Logger
+      def initialize(app, level = ::Logger::INFO)
+        @app, @level = app, level
+      end
+
+      def call(env)
+        logger = ::Logger.new(env[Rack::RACK_ERRORS])
+        logger.level = @level
+
+        env[Rack::RACK_LOGGER] = logger
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/sinatra/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sinatra
-  VERSION = '4.0.0'
+  VERSION = '4.1.0'
 end

data/sinatra.gemspec

@@ -45,9 +45,10 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
 
   s.required_ruby_version = '>= 2.7.8'
 
+  s.add_dependency 'logger', '>= 1.6.0'
   s.add_dependency 'mustermann', '~> 3.0'
   s.add_dependency 'rack', '>= 3.0.0', '< 4'
-  s.add_dependency 'rack-session', '>= 2.0.0', '< 3'
   s.add_dependency 'rack-protection', version
+  s.add_dependency 'rack-session', '>= 2.0.0', '< 3'
   s.add_dependency 'tilt', '~> 2.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.1.0
 platform: ruby
 authors:
 - Blake Mizerany
@@ -11,8 +11,22 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-01-19 00:00:00.000000000 Z
+date: 2024-11-18 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: mustermann
   requirement: !ruby/object:Gem::Requirement
@@ -47,6 +61,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '4'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.1.0
 - !ruby/object:Gem::Dependency
   name: rack-session
   requirement: !ruby/object:Gem::Requirement
@@ -67,20 +95,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: rack-protection
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 4.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: tilt
   requirement: !ruby/object:Gem::Requirement
@@ -125,6 +139,7 @@ files:
 - lib/sinatra/images/500.png
 - lib/sinatra/indifferent_hash.rb
 - lib/sinatra/main.rb
+- lib/sinatra/middleware/logger.rb
 - lib/sinatra/show_exceptions.rb
 - lib/sinatra/version.rb
 - sinatra.gemspec
@@ -159,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.5.22
 signing_key: 
 specification_version: 4
 summary: Classy web-development dressed in a DSL