sprockets 2.3.2 → 3.0.0

data/lib/sprockets/server.rb

@@ -1,9 +1,9 @@
 require 'time'
-require 'uri'
+require 'rack/utils'
 
 module Sprockets
   # `Server` is a concern mixed into `Environment` and
-  # `Index` that provides a Rack compatible `call`
+  # `CachedEnvironment` that provides a Rack compatible `call`
   # interface and url generation helpers.
   module Server
     # `call` implements the Rack 1.x specification which accepts an
@@ -23,59 +23,84 @@ module Sprockets
       start_time = Time.now.to_f
       time_elapsed = lambda { ((Time.now.to_f - start_time) * 1000).to_i }
 
-      msg = "Served asset #{env['PATH_INFO']} -"
+      if env['REQUEST_METHOD'] != 'GET'
+        return method_not_allowed_response
+      end
 
-      # Mark session as "skipped" so no `Set-Cookie` header is set
-      env['rack.session.options'] ||= {}
-      env['rack.session.options'][:defer] = true
-      env['rack.session.options'][:skip] = true
+      msg = "Served asset #{env['PATH_INFO']} -"
 
       # Extract the path from everything after the leading slash
-      path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
-
-      # URLs containing a `".."` are rejected for security reasons.
-      if forbidden_request?(path)
-        return forbidden_response
-      end
+      path = Rack::Utils.unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
 
       # Strip fingerprint
       if fingerprint = path_fingerprint(path)
         path = path.sub("-#{fingerprint}", '')
       end
 
+      # URLs containing a `".."` are rejected for security reasons.
+      if forbidden_request?(path)
+        return forbidden_response
+      end
+
       # Look up the asset.
-      asset = find_asset(path, :bundle => !body_only?(env))
+      options = {}
+      options[:pipeline] = :self if body_only?(env)
 
-      # `find_asset` returns nil if the asset doesn't exist
-      if asset.nil?
-        logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
+      asset = find_asset(path, options)
 
-        # Return a 404 Not Found
-        not_found_response
+      # 2.x/3.x compatibility hack. Just ignore fingerprints on ?body=1 requests.
+      # 3.x/4.x prefers strong validation of fingerprint to body contents, but
+      # 2.x just ignored it.
+      if asset && parse_asset_uri(asset.uri)[1][:pipeline] == "self"
+        fingerprint = nil
+      end
 
-      # Check request headers `HTTP_IF_NONE_MATCH` against the asset digest
-      elsif etag_match?(asset, env)
-        logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
+      if fingerprint
+        if_match = fingerprint
+      elsif env['HTTP_IF_MATCH']
+        if_match = env['HTTP_IF_MATCH'][/^"(\w+)"$/, 1]
+      end
 
-        # Return a 304 Not Modified
-        not_modified_response(asset, env)
+      if env['HTTP_IF_NONE_MATCH']
+        if_none_match = env['HTTP_IF_NONE_MATCH'][/^"(\w+)"$/, 1]
+      end
 
+      if asset.nil?
+        status = :not_found
+      elsif fingerprint && asset.etag != fingerprint
+        status = :not_found
+      elsif if_match && asset.etag != if_match
+        status = :precondition_failed
+      elsif if_none_match && asset.etag == if_none_match
+        status = :not_modified
       else
-        logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
+        status = :ok
+      end
 
-        # Return a 200 with the asset contents
+      case status
+      when :ok
+        logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
         ok_response(asset, env)
+      when :not_modified
+        logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
+        not_modified_response(env, if_none_match)
+      when :not_found
+        logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
+        not_found_response
+      when :precondition_failed
+        logger.info "#{msg} 412 Precondition Failed (#{time_elapsed.call}ms)"
+        precondition_failed_response
       end
     rescue Exception => e
       logger.error "Error compiling asset #{path}:"
       logger.error "#{e.class.name}: #{e.message}"
 
-      case content_type_of(path)
-      when "application/javascript"
+      case File.extname(path)
+      when ".js"
         # Re-throw JavaScript asset exceptions to the browser
         logger.info "#{msg} 500 Internal Server Error\n\n"
         return javascript_exception_response(e)
-      when "text/css"
+      when ".css"
         # Display CSS asset exceptions in the browser
         logger.info "#{msg} 500 Internal Server Error\n\n"
         return css_exception_response(e)
@@ -90,7 +115,17 @@ module Sprockets
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..")
+        path.include?("..") || absolute_path?(path)
+      end
+
+      # Returns a 200 OK response tuple
+      def ok_response(asset, env)
+        [ 200, headers(env, asset, asset.length), asset ]
+      end
+
+      # Returns a 304 Not Modified response tuple
+      def not_modified_response(env, etag)
+        [ 304, cache_headers(env, etag), [] ]
       end
 
       # Returns a 403 Forbidden response tuple
@@ -103,12 +138,20 @@ module Sprockets
         [ 404, { "Content-Type" => "text/plain", "Content-Length" => "9", "X-Cascade" => "pass" }, [ "Not found" ] ]
       end
 
+      def method_not_allowed_response
+        [ 405, { "Content-Type" => "text/plain", "Content-Length" => "18" }, [ "Method Not Allowed" ] ]
+      end
+
+      def precondition_failed_response
+        [ 412, { "Content-Type" => "text/plain", "Content-Length" => "19", "X-Cascade" => "pass" }, [ "Precondition Failed" ] ]
+      end
+
       # Returns a JavaScript response that re-throws a Ruby exception
       # in the browser
       def javascript_exception_response(exception)
-        err  = "#{exception.class.name}: #{exception.message}"
+        err  = "#{exception.class.name}: #{exception.message}\n  (in #{exception.backtrace[0]})"
         body = "throw Error(#{err.inspect})"
-        [ 200, { "Content-Type" => "application/javascript", "Content-Length" => Rack::Utils.bytesize(body).to_s }, [ body ] ]
+        [ 200, { "Content-Type" => "application/javascript", "Content-Length" => body.bytesize.to_s }, [ body ] ]
       end
 
       # Returns a CSS response that hides all elements on the page and
@@ -161,7 +204,7 @@ module Sprockets
           }
         CSS
 
-        [ 200, { "Content-Type" => "text/css;charset=utf-8", "Content-Length" => Rack::Utils.bytesize(body).to_s }, [ body ] ]
+        [ 200, { "Content-Type" => "text/css; charset=utf-8", "Content-Length" => body.bytesize.to_s }, [ body ] ]
       end
 
       # Escape special characters for use inside a CSS content("...") string
@@ -173,75 +216,57 @@ module Sprockets
           gsub('/',  '\\\\002f ')
       end
 
-      # Compare the requests `HTTP_IF_NONE_MATCH` against the assets digest
-      def etag_match?(asset, env)
-        env["HTTP_IF_NONE_MATCH"] == etag(asset)
-      end
-
       # Test if `?body=1` or `body=true` query param is set
       def body_only?(env)
         env["QUERY_STRING"].to_s =~ /body=(1|t)/
       end
 
-      # Returns a 304 Not Modified response tuple
-      def not_modified_response(asset, env)
-        [ 304, {}, [] ]
-      end
+      def cache_headers(env, etag)
+        headers = {}
 
-      # Returns a 200 OK response tuple
-      def ok_response(asset, env)
-        [ 200, headers(env, asset, asset.length), asset ]
+        # Set caching headers
+        headers["Cache-Control"] = "public"
+        headers["ETag"]          = %("#{etag}")
+
+        # If the request url contains a fingerprint, set a long
+        # expires on the response
+        if path_fingerprint(env["PATH_INFO"])
+          headers["Cache-Control"] << ", max-age=31536000"
+
+        # Otherwise set `must-revalidate` since the asset could be modified.
+        else
+          headers["Cache-Control"] << ", must-revalidate"
+          headers["Vary"] = "Accept-Encoding"
+        end
+
+        headers
       end
 
       def headers(env, asset, length)
-        Hash.new.tap do |headers|
-          # Set content type and length headers
-          headers["Content-Type"]   = asset.content_type
-          headers["Content-Length"] = length.to_s
-
-          # Set caching headers
-          headers["Cache-Control"]  = "public"
-          headers["Last-Modified"]  = asset.mtime.httpdate
-          headers["ETag"]           = etag(asset)
-
-          # If the request url contains a fingerprint, set a long
-          # expires on the response
-          if path_fingerprint(env["PATH_INFO"])
-            headers["Cache-Control"] << ", max-age=31536000"
-
-          # Otherwise set `must-revalidate` since the asset could be modified.
-          else
-            headers["Cache-Control"] << ", must-revalidate"
+        headers = {}
+
+        # Set content length header
+        headers["Content-Length"] = length.to_s
+
+        # Set content type header
+        if type = asset.content_type
+          # Set charset param for text/* mime types
+          if type.start_with?("text/") && asset.charset
+            type += "; charset=#{asset.charset}"
           end
+          headers["Content-Type"] = type
         end
+
+        headers.merge(cache_headers(env, asset.etag))
       end
 
-      # Gets digest fingerprint.
+      # Gets ETag fingerprint.
       #
       #     "foo-0aa2105d29558f3eb790d411d7d8fb66.js"
       #     # => "0aa2105d29558f3eb790d411d7d8fb66"
       #
       def path_fingerprint(path)
-        path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
-      end
-
-      # URI.unescape is deprecated on 1.9. We need to use URI::Parser
-      # if its available.
-      if defined? URI::DEFAULT_PARSER
-        def unescape(str)
-          str = URI::DEFAULT_PARSER.unescape(str)
-          str.force_encoding(Encoding.default_internal) if Encoding.default_internal
-          str
-        end
-      else
-        def unescape(str)
-          URI.unescape(str)
-        end
-      end
-
-      # Helper to quote the assets digest for use as an ETag.
-      def etag(asset)
-        %("#{asset.digest}")
+        path[/-([0-9a-f]{7,128})\.[^.]+\z/, 1]
       end
   end
 end

data/lib/sprockets/transformers.rb

@@ -0,0 +1,145 @@
+require 'sprockets/http_utils'
+require 'sprockets/processor_utils'
+require 'sprockets/utils'
+
+module Sprockets
+  module Transformers
+    include HTTPUtils, ProcessorUtils, Utils
+
+    # Public: Two level mapping of a source mime type to a target mime type.
+    #
+    #   environment.transformers
+    #   # => { 'text/coffeescript' => {
+    #            'application/javascript' => ConvertCoffeeScriptToJavaScript
+    #          }
+    #        }
+    #
+    def transformers
+      config[:transformers]
+    end
+
+    # Public: Register a transformer from and to a mime type.
+    #
+    # from - String mime type
+    # to   - String mime type
+    # proc - Callable block that accepts an input Hash.
+    #
+    # Examples
+    #
+    #   register_transformer 'text/coffeescript', 'application/javascript',
+    #     ConvertCoffeeScriptToJavaScript
+    #
+    #   register_transformer 'image/svg+xml', 'image/png', ConvertSvgToPng
+    #
+    # Returns nothing.
+    def register_transformer(from, to, proc)
+      self.config = hash_reassoc(config, :registered_transformers, from) do |transformers|
+        transformers.merge(to => proc)
+      end
+      compute_transformers!
+    end
+
+    # Internal: Resolve target mime type that the source type should be
+    # transformed to.
+    #
+    # type   - String from mime type
+    # accept - String accept type list (default: '*/*')
+    #
+    # Examples
+    #
+    #   resolve_transform_type('text/plain', 'text/plain')
+    #   # => 'text/plain'
+    #
+    #   resolve_transform_type('image/svg+xml', 'image/png, image/*')
+    #   # => 'image/png'
+    #
+    #   resolve_transform_type('text/css', 'image/png')
+    #   # => nil
+    #
+    # Returns String mime type or nil is no type satisfied the accept value.
+    def resolve_transform_type(type, accept)
+      find_best_mime_type_match(accept || '*/*', [type].compact + config[:transformers][type].keys)
+    end
+
+    # Internal: Expand accept type list to include possible transformed types.
+    #
+    # parsed_accepts - Array of accept q values
+    #
+    # Examples
+    #
+    #   expand_transform_accepts([['application/javascript', 1.0]])
+    #   # => [['application/javascript', 1.0], ['text/coffeescript', 0.8]]
+    #
+    # Returns an expanded Array of q values.
+    def expand_transform_accepts(parsed_accepts)
+      accepts = []
+      parsed_accepts.each do |(type, q)|
+        accepts.push([type, q])
+        config[:inverted_transformers][type].each do |subtype|
+          accepts.push([subtype, q * 0.8])
+        end
+      end
+      accepts
+    end
+
+    # Internal: Compose multiple transformer steps into a single processor
+    # function.
+    #
+    # transformers - Two level Hash of a source mime type to a target mime type
+    # types - Array of mime type steps
+    #
+    # Returns Processor.
+    def compose_transformers(transformers, types)
+      if types.length < 2
+        raise ArgumentError, "too few transform types: #{types.inspect}"
+      end
+
+      i = 0
+      processors = []
+
+      loop do
+        src = types[i]
+        dst = types[i+1]
+        break unless src && dst
+
+        unless processor = transformers[src][dst]
+          raise ArgumentError, "missing transformer for type: #{src} to #{dst}"
+        end
+        processors.concat config[:postprocessors][src]
+        processors << processor
+        processors.concat config[:preprocessors][dst]
+
+        i += 1
+      end
+
+      if processors.size > 1
+        compose_processors(*processors.reverse)
+      elsif processors.size == 1
+        processors.first
+      end
+    end
+
+    private
+      def compute_transformers!
+        registered_transformers = self.config[:registered_transformers]
+        transformers = Hash.new { {} }
+        inverted_transformers = Hash.new { Set.new }
+
+        registered_transformers.keys.flat_map do |key|
+          dfs_paths([key]) { |k| registered_transformers[k].keys }
+        end.each do |types|
+          src, dst = types.first, types.last
+          processor = compose_transformers(registered_transformers, types)
+
+          transformers[src] = {} unless transformers.key?(src)
+          transformers[src][dst] = processor
+
+          inverted_transformers[dst] = Set.new unless inverted_transformers.key?(dst)
+          inverted_transformers[dst] << src
+        end
+
+        self.config = hash_reassoc(config, :transformers) { transformers }
+        self.config = hash_reassoc(config, :inverted_transformers) { inverted_transformers }
+      end
+  end
+end

data/lib/sprockets/uglifier_compressor.rb

@@ -0,0 +1,63 @@
+require 'sprockets/autoload'
+
+module Sprockets
+  # Public: Uglifier/Uglify compressor.
+  #
+  # To accept the default options
+  #
+  #     environment.register_bundle_processor 'application/javascript',
+  #       Sprockets::UglifierCompressor
+  #
+  # Or to pass options to the Uglifier class.
+  #
+  #     environment.register_bundle_processor 'application/javascript',
+  #       Sprockets::UglifierCompressor.new(comments: :copyright)
+  #
+  class UglifierCompressor
+    VERSION = '1'
+
+    # Public: Return singleton instance with default options.
+    #
+    # Returns UglifierCompressor object.
+    def self.instance
+      @instance ||= new
+    end
+
+    def self.call(input)
+      instance.call(input)
+    end
+
+    def self.cache_key
+      instance.cache_key
+    end
+
+    attr_reader :cache_key
+
+    def initialize(options = {})
+      # Feature detect Uglifier 2.0 option support
+      if Autoload::Uglifier::DEFAULTS[:copyright]
+        # Uglifier < 2.x
+        options[:copyright] ||= false
+      else
+        # Uglifier >= 2.x
+        options[:copyright] ||= :none
+      end
+
+      @uglifier = Autoload::Uglifier.new(options)
+
+      @cache_key = [
+        self.class.name,
+        Autoload::Uglifier::VERSION,
+        VERSION,
+        options
+      ].freeze
+    end
+
+    def call(input)
+      data = input[:data]
+      input[:cache].fetch(@cache_key + [data]) do
+        @uglifier.compile(data)
+      end
+    end
+  end
+end

data/lib/sprockets/uri_utils.rb

@@ -0,0 +1,190 @@
+require 'uri'
+
+module Sprockets
+  # Internal: Asset URI related parsing utilities. Mixed into Environment.
+  #
+  # An Asset URI identifies the compiled Asset result. It shares the file:
+  # scheme and requires an absolute path.
+  #
+  # Other query parameters
+  #
+  # type - String output content type. Otherwise assumed from file extension.
+  #        This maybe different than the extension if the asset is transformed
+  #        from one content type to another. For an example .coffee -> .js.
+  #
+  # id - Unique fingerprint of the entire asset and all its metadata. Assets
+  #      will only have the same id if they serialize to an identical value.
+  #
+  # pipeline - String name of pipeline.
+  #
+  # encoding - A content encoding such as "gzip" or "deflate". NOT a charset
+  #            like "utf-8".
+  #
+  module URIUtils
+    extend self
+
+    # Internal: Parse URI into component parts.
+    #
+    # uri - String uri
+    #
+    # Returns Array of components.
+    def split_uri(uri)
+      URI.split(uri)
+    end
+
+    # Internal: Join URI component parts into String.
+    #
+    # Returns String.
+    def join_uri(scheme, userinfo, host, port, registry, path, opaque, query, fragment)
+      URI::Generic.new(scheme, userinfo, host, port, registry, path, opaque, query, fragment).to_s
+    end
+
+    # Internal: Parse file: URI into component parts.
+    #
+    # uri - String uri
+    #
+    # Returns [scheme, host, path, query].
+    def split_file_uri(uri)
+      scheme, _, host, _, _, path, _, query, _ = URI.split(uri)
+
+      path = URI::Generic::DEFAULT_PARSER.unescape(path)
+      path.force_encoding(Encoding::UTF_8)
+
+      # Hack for parsing Windows "file:///C:/Users/IEUser" paths
+      path = path.gsub(/^\/([a-zA-Z]:)/, '\1')
+
+      [scheme, host, path, query]
+    end
+
+    # Internal: Join file: URI component parts into String.
+    #
+    # Returns String.
+    def join_file_uri(scheme, host, path, query)
+      str = "#{scheme}://"
+      str << host if host
+      path = "/#{path}" unless path.start_with?("/")
+      str << URI::Generic::DEFAULT_PARSER.escape(path)
+      str << "?#{query}" if query
+      str
+    end
+
+    # Internal: Check if String is a valid Asset URI.
+    #
+    # str - Possible String asset URI.
+    #
+    # Returns true or false.
+    def valid_asset_uri?(str)
+      # Quick prefix check before attempting a full parse
+      str.start_with?("file://") && parse_asset_uri(str) ? true : false
+    rescue URI::InvalidURIError
+      false
+    end
+
+    # Internal: Parse Asset URI.
+    #
+    # Examples
+    #
+    #   parse("file:///tmp/js/application.coffee?type=application/javascript")
+    #   # => "/tmp/js/application.coffee", {type: "application/javascript"}
+    #
+    # uri - String asset URI
+    #
+    # Returns String path and Hash of symbolized parameters.
+    def parse_asset_uri(uri)
+      scheme, _, path, query = split_file_uri(uri)
+
+      unless scheme == 'file'
+        raise URI::InvalidURIError, "expected file:// scheme: #{uri}"
+      end
+
+      return path, parse_uri_query_params(query)
+    end
+
+    # Internal: Build Asset URI.
+    #
+    # Examples
+    #
+    #   build("/tmp/js/application.coffee", type: "application/javascript")
+    #   # => "file:///tmp/js/application.coffee?type=application/javascript"
+    #
+    # path   - String file path
+    # params - Hash of optional parameters
+    #
+    # Returns String URI.
+    def build_asset_uri(path, params = {})
+      join_file_uri("file", nil, path, encode_uri_query_params(params))
+    end
+
+    # Internal: Parse file-digest dependency URI.
+    #
+    # Examples
+    #
+    #   parse("file-digest:/tmp/js/application.js")
+    #   # => "/tmp/js/application.js"
+    #
+    # uri - String file-digest URI
+    #
+    # Returns String path.
+    def parse_file_digest_uri(uri)
+      scheme, _, path, _ = split_file_uri(uri)
+
+      unless scheme == 'file-digest'
+        raise URI::InvalidURIError, "expected file-digest scheme: #{uri}"
+      end
+
+      path
+    end
+
+    # Internal: Build file-digest dependency URI.
+    #
+    # Examples
+    #
+    #   build("/tmp/js/application.js")
+    #   # => "file-digest:/tmp/js/application.js"
+    #
+    # path - String file path
+    #
+    # Returns String URI.
+    def build_file_digest_uri(path)
+      join_file_uri("file-digest", nil, path, nil)
+    end
+
+    # Internal: Serialize hash of params into query string.
+    #
+    # params - Hash of params to serialize
+    #
+    # Returns String query or nil if empty.
+    def encode_uri_query_params(params)
+      query = []
+
+      params.each do |key, value|
+        case value
+        when Integer
+          query << "#{key}=#{value}"
+        when String, Symbol
+          query << "#{key}=#{URI::Generic::DEFAULT_PARSER.escape(value.to_s)}"
+        when TrueClass
+          query << "#{key}"
+        when FalseClass, NilClass
+        else
+          raise TypeError, "unexpected type: #{value.class}"
+        end
+      end
+
+      "#{query.join('&')}" if query.any?
+    end
+
+    # Internal: Parse query string into hash of params
+    #
+    # query - String query string
+    #
+    # Return Hash of params.
+    def parse_uri_query_params(query)
+      query.to_s.split('&').reduce({}) do |h, p|
+        k, v = p.split('=', 2)
+        v = URI::Generic::DEFAULT_PARSER.unescape(v) if v
+        h.merge(k.to_sym => v || true)
+      end
+    end
+  end
+end