RubyGems - sinatra - Versions diffs - 4.0.0 → 4.1.1 - Mend

sinatra 4.0.0 → 4.1.1

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +22 -2
data/Gemfile +7 -2
data/README.md +32 -10
data/VERSION +1 -1
data/lib/sinatra/base.rb +37 -14
data/lib/sinatra/indifferent_hash.rb +1 -1
data/lib/sinatra/middleware/logger.rb +21 -0
data/lib/sinatra/version.rb +1 -1
data/sinatra.gemspec +2 -1
metadata +32 -17

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71d0bb379c736d6c251ceb424cac84dbe3a8b22d80a54473a0af1085b93b7dbf
-  data.tar.gz: 489d48a5e4f934127e04cdafa2d0d582c5143cc2a8f476239ea5b5b0f0e492c9
+  metadata.gz: 491154a9e29e4c218d9245fd73024818e7dfa6c75ba1d74220e46498841bb54e
+  data.tar.gz: 42259b9becde7268d9b95abc783d896c864a6c84b3e1dd6d40d7f351a350f626
 SHA512:
-  metadata.gz: fbe92c1867d3ebe8ddc3f707c4e9f9cf2b68bddf2556164b85083ac635650725d63f8c847b4c70d0ad2abf6793b5f1054918b0b7c4e04d303119867be84c3253
-  data.tar.gz: 0727d88e9f5574c304dd3f31c6107a2b3e1cde96914e258c86fee529a1e922b0ff1d023f109fcc3b232f010ae21d9bdb4c365001dc7c3f658c0bd75b95e8d24d
+  metadata.gz: 43a69c7f07afab191eacc80d7837d9bdbd81701a51973309395b47e9efacb010234a0a66e27503b6edc213f5f8321e426f2f8ad9f7cc7e247e908613d14081c6
+  data.tar.gz: f2fb4deeb5f8e44a5a6a59663080f143c2a1dac1d21a5ca8301728b265a8ba2fcf3e0815c692af0791230289d4ddaf548a317e2f4295cf24b45e5cdec47dc86e

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,23 @@
+## 4.1.1 / 2024-11-20
+* Fix: Restore WEBrick support ([#2067](https://github.com/sinatra/sinatra/pull/2067))
+## 4.1.0 / 2024-11-18
+* New: Add `host_authorization` setting ([#2053](https://github.com/sinatra/sinatra/pull/2053))
+  * Defaults to `.localhost`, `.test` and any IP address in development mode.
+  * Security: addresses [CVE-2024-21510](https://github.com/advisories/GHSA-hxx2-7vcw-mqr3).
+* Fix: Return an instance of `Sinatra::IndifferentHash` when calling `#except` ([#2044](https://github.com/sinatra/sinatra/pull/2044))
+* Fix: Address warning from `URI` for Ruby 3.4 ([#2060](https://github.com/sinatra/sinatra/pull/2060))
+* Fix: `rackup` no longer depends on WEBrick, recommend Puma instead ([`4a558503`](https://github.com/sinatra/sinatra/commit/4a558503a0ee41f26d4ebc07b478340e8a8a5ed6))
+* Fix: Zeitwerk 2.7.0+ compatibility ([#2050](https://github.com/sinatra/sinatra/pull/2050))
+* Fix: Address warning about Hash construction for Ruby 3.4 ([#2028](https://github.com/sinatra/sinatra/pull/2028))
+* Fix: Declare missing dependencies for Ruby 3.5 ([#2032](https://github.com/sinatra/sinatra/pull/2032))
+* Fix: Compatibility with `--enable-frozen-string-literal` ([#2033](https://github.com/sinatra/sinatra/pull/2033))
+* Fix: Rack 3.1 compatibility ([#2035](https://github.com/sinatra/sinatra/pull/2035))
+  * Don't depend on `Rack::Logger`
+  * Don't delete `content-length` header when `Rack::Files` is used
 ## 4.0.0. / 2024-01-19
 * New: Add support for Rack 3 ([#1857])
@@ -243,7 +263,7 @@
 * Fix issue with passed routes and provides Fixes [#1095](https://github.com/sinatra/sinatra/pull/1095) [#1606](https://github.com/sinatra/sinatra/pull/1606) by Mike Pastore, Jordan Owens
-* Add QuietLogger that excludes pathes from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
+* Add QuietLogger that excludes paths from Rack::CommonLogger [1250](https://github.com/sinatra/sinatra/pull/1250) by Christoph Wagner
 * Sinatra::Contrib dependency updates. Fixes [#1207](https://github.com/sinatra/sinatra/pull/1207) [#1411](https://github.com/sinatra/sinatra/pull/1411) by Mike Pastore
@@ -1609,7 +1629,7 @@ the 1.0 release:
    Hash structure. e.g., "post[title]=Hello&post[body]=World" yields
    params: {'post' => {'title' => 'Hello', 'body' => 'World'}}.
- * Regular expressions may now be used in route pattens; captures are
+ * Regular expressions may now be used in route patterns; captures are
    available at "params[:captures]".
  * New ":provides" route condition takes an array of mime types and

data/Gemfile CHANGED Viewed

@@ -22,6 +22,10 @@ puma_version = nil if puma_version.empty? || (puma_version == 'stable')
 puma_version = { github: 'puma/puma' } if puma_version == 'head'
 gem 'puma', puma_version
+zeitwerk_version = ENV['zeitwerk'].to_s
+zeitwerk_version = nil if zeitwerk_version.empty? || (zeitwerk_version == 'stable')
+gem 'zeitwerk', zeitwerk_version
 gem 'minitest', '~> 5.0'
 gem 'rack-test'
 gem 'rubocop', '~> 1.32.0', require: false
@@ -42,15 +46,16 @@ gem 'kramdown'
 gem 'liquid'
 gem 'markaby'
 gem 'nokogiri', '> 1.5.0'
+gem 'ostruct'
 gem 'pandoc-ruby', '~> 2.0.2'
 gem 'rabl'
 gem 'rdiscount', platforms: [:ruby]
 gem 'rdoc'
 gem 'redcarpet', platforms: [:ruby]
 gem 'simplecov', require: false
-gem 'slim', '~> 4'
+gem 'slim', '~> 5'
 gem 'yajl-ruby', platforms: [:ruby]
-gem 'zeitwerk'
+gem 'webrick'
 # sass-embedded depends on google-protobuf
 # which fails to be installed on JRuby and TruffleRuby under aarch64

data/README.md CHANGED Viewed

@@ -15,11 +15,10 @@ get '/' do
 end
 ```
-Install the gem:
+Install the gems needed:
 ```shell
-gem install sinatra
-gem install puma # or any other server
+gem install sinatra rackup puma
 ```
 And run with:
@@ -1993,6 +1992,33 @@ set :protection, :session => true
       <tt>"development"</tt> if not available.
     </dd>
+  <dt>host_authorization</dt>
+  <dd>
+    <p>
+      You can pass a hash of options to <tt>host_authorization</tt>,
+      to be used by the <tt>Rack::Protection::HostAuthorization</tt> middleware.
+    </p>
+    <p>
+      The middleware can block requests with unrecognized hostnames, to prevent DNS rebinding
+      and other host header attacks. It checks the <tt>Host</tt>, <tt>X-Forwarded-Host</tt>
+      and <tt>Forwarded</tt> headers.
+    </p>
+    <p>
+      Useful options are:
+      <ul>
+        <li><tt>permitted_hosts</tt> – an array of hostnames (and <tt>IPAddr</tt> objects) your app recognizes
+          <ul>
+            <li>in the <tt>development</tt> environment, it is set to <tt>.localhost</tt>, <tt>.test</tt> and any IPv4/IPv6 address</li>
+            <li>if empty, any hostname is permitted (the default for any other environment)</li>
+          </ul>
+        </li>
+        <li><tt>status</tt> – the HTTP status code used in the response when a request is blocked (defaults to <tt>403</tt>)</li>
+        <li><tt>message</tt> – the body used in the response when a request is blocked (defaults to <tt>Host not permitted</tt>)</li>
+        <li><tt>allow_if</tt> – supply a <tt>Proc</tt> to use custom allow/deny logic, the proc is passed the request environment</li>
+      </ul>
+    </p>
+  </dd>
   <dt>logging</dt>
     <dd>Use the logger.</dd>
@@ -2086,12 +2112,8 @@ set :protection, :session => true
   <dt>server_settings</dt>
     <dd>
-      If you are using a WEBrick web server, presumably for your development
-      environment, you can pass a hash of options to <tt>server_settings</tt>,
-      such as <tt>SSLEnable</tt> or <tt>SSLVerifyClient</tt>. However, web
-      servers such as Puma do not support this, so you can set
-      <tt>server_settings</tt> by defining it as a method when you call
-      <tt>configure</tt>.
+      You can pass a hash of options to <tt>server_settings</tt>,
+      such as <tt>Host</tt> or <tt>Port</tt>.
     </dd>
   <dt>sessions</dt>
@@ -2812,7 +2834,7 @@ _Paraphrasing from
 by Konstantin_
 Sinatra doesn't impose any concurrency model but leaves that to the
-underlying Rack handler (server) like Puma or WEBrick. Sinatra
+underlying Rack handler (server) like Puma or Falcon. Sinatra
 itself is thread-safe, so there won't be any problem if the Rack handler
 uses a threaded model of concurrency.

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 4.0.0
1	+ 4.1.1

data/lib/sinatra/base.rb CHANGED Viewed

@@ -14,6 +14,7 @@ require 'mustermann/sinatra'
 require 'mustermann/regular'
 # stdlib dependencies
+require 'ipaddr'
 require 'time'
 require 'uri'
@@ -22,6 +23,8 @@ require 'sinatra/indifferent_hash'
 require 'sinatra/show_exceptions'
 require 'sinatra/version'
+require_relative 'middleware/logger'
 module Sinatra
   # The request object. See Rack::Request for more info:
   # https://rubydoc.info/github/rack/rack/main/Rack/Request
@@ -61,7 +64,7 @@ module Sinatra
     alias secure? ssl?
     def forwarded?
-      @env.include? 'HTTP_X_FORWARDED_HOST'
+      !forwarded_authority.nil?
     end
     def safe?
@@ -294,7 +297,7 @@ module Sinatra
         def block.each; yield(call) end
         response.body = block
       elsif value
-        unless request.head? || value.is_a?(Rack::Files::Iterator) || value.is_a?(Stream)
+        unless request.head? || value.is_a?(Rack::Files::BaseIterator) || value.is_a?(Stream)
           headers.delete 'content-length'
         end
         response.body = value
@@ -972,7 +975,7 @@ module Sinatra
     include Helpers
     include Templates
-    URI_INSTANCE = URI::Parser.new
+    URI_INSTANCE = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
     attr_accessor :app, :env, :request, :response, :params
     attr_reader   :template_cache
@@ -1292,7 +1295,7 @@ module Sinatra
         /active_support/,                                   # active_support require hacks
         %r{bundler(/(?:runtime|inline))?\.rb},              # bundler require hacks
         /<internal:/,                                       # internal in ruby >= 1.9.2
-        %r{zeitwerk/kernel\.rb}                             # Zeitwerk kernel#require decorator
+        %r{zeitwerk/(core_ext/)?kernel\.rb}                 # Zeitwerk kernel#require decorator
       ].freeze
       attr_reader :routes, :filters, :templates, :errors, :on_start_callback, :on_stop_callback
@@ -1598,20 +1601,20 @@ module Sinatra
       alias stop! quit!
       # Run the Sinatra app as a self-hosted server using
-      # Puma, Falcon, or WEBrick (in that order). If given a block, will call
+      # Puma, Falcon (in that order). If given a block, will call
       # with the constructed handler once we have taken the stage.
       def run!(options = {}, &block)
         unless defined?(Rackup::Handler)
           rackup_warning = <<~MISSING_RACKUP
-            Sinatra could not start, the "rackup" gem was not found!
+            Sinatra could not start, the required gems weren't found!
-            Add it to your bundle with:
+            Add them to your bundle with:
-                bundle add rackup
+                bundle add rackup puma
-            or install it with:
+            or install them with:
-                gem install rackup
+                gem install rackup puma
           MISSING_RACKUP
           warn rackup_warning
@@ -1819,6 +1822,7 @@ module Sinatra
         setup_logging    builder
         setup_sessions   builder
         setup_protection builder
+        setup_host_authorization builder
       end
       def setup_middleware(builder)
@@ -1835,7 +1839,7 @@ module Sinatra
       end
       def setup_null_logger(builder)
-        builder.use Rack::NullLogger
+        builder.use Sinatra::Middleware::Logger, ::Logger::FATAL
       end
       def setup_common_logger(builder)
@@ -1844,9 +1848,9 @@ module Sinatra
       def setup_custom_logger(builder)
         if logging.respond_to? :to_int
-          builder.use Rack::Logger, logging
+          builder.use Sinatra::Middleware::Logger, logging
         else
-          builder.use Rack::Logger
+          builder.use Sinatra::Middleware::Logger
         end
       end
@@ -1867,6 +1871,10 @@ module Sinatra
         builder.use Rack::Protection, options
       end
+      def setup_host_authorization(builder)
+        builder.use Rack::Protection::HostAuthorization, host_authorization
+      end
       def setup_sessions(builder)
         return unless sessions?
@@ -1961,10 +1969,25 @@ module Sinatra
     set :running_server, nil
     set :handler_name, nil
     set :traps, true
-    set :server, %w[HTTP webrick]
+    set :server, %w[webrick]
     set :bind, proc { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] && !ENV['PORT'].empty? ? ENV['PORT'] : 4567)
     set :quiet, false
+    set :host_authorization, ->() do
+      if development?
+        {
+          permitted_hosts: [
+            "localhost",
+            ".localhost",
+            ".test",
+            IPAddr.new("0.0.0.0/0"),
+            IPAddr.new("::/0"),
+          ]
+        }
+      else
+        {}
+      end
+    end
     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE

data/lib/sinatra/indifferent_hash.rb CHANGED Viewed

@@ -185,7 +185,7 @@ module Sinatra
     def except(*keys)
       keys.map!(&method(:convert_key))
-      super(*keys)
+      self.class[super(*keys)]
     end if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.0")
     private

data/lib/sinatra/middleware/logger.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require 'logger'
+module Sinatra
+  module Middleware
+    class Logger
+      def initialize(app, level = ::Logger::INFO)
+        @app, @level = app, level
+      end
+      def call(env)
+        logger = ::Logger.new(env[Rack::RACK_ERRORS])
+        logger.level = @level
+        env[Rack::RACK_LOGGER] = logger
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/sinatra/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Sinatra
-  VERSION = '4.0.0'
+  VERSION = '4.1.1'
 end

data/sinatra.gemspec CHANGED Viewed

@@ -45,9 +45,10 @@ RubyGems 2.0 or newer is required to protect against public gem pushes. You can
   s.required_ruby_version = '>= 2.7.8'
+  s.add_dependency 'logger', '>= 1.6.0'
   s.add_dependency 'mustermann', '~> 3.0'
   s.add_dependency 'rack', '>= 3.0.0', '< 4'
-  s.add_dependency 'rack-session', '>= 2.0.0', '< 3'
   s.add_dependency 'rack-protection', version
+  s.add_dependency 'rack-session', '>= 2.0.0', '< 3'
   s.add_dependency 'tilt', '~> 2.0'
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sinatra
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 4.1.1
 platform: ruby
 authors:
 - Blake Mizerany
@@ -11,8 +11,22 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-19 00:00:00.000000000 Z
+date: 2024-11-20 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: mustermann
   requirement: !ruby/object:Gem::Requirement
@@ -47,6 +61,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '4'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.1.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.1.1
 - !ruby/object:Gem::Dependency
   name: rack-session
   requirement: !ruby/object:Gem::Requirement
@@ -67,20 +95,6 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '3'
-- !ruby/object:Gem::Dependency
-  name: rack-protection
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 4.0.0
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '='
-      - !ruby/object:Gem::Version
-        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: tilt
   requirement: !ruby/object:Gem::Requirement
@@ -125,6 +139,7 @@ files:
 - lib/sinatra/images/500.png
 - lib/sinatra/indifferent_hash.rb
 - lib/sinatra/main.rb
+- lib/sinatra/middleware/logger.rb
 - lib/sinatra/show_exceptions.rb
 - lib/sinatra/version.rb
 - sinatra.gemspec
@@ -159,7 +174,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Classy web-development dressed in a DSL