sprockets 2.6.0 → 4.2.2

data/lib/sprockets/server.rb

@@ -1,11 +1,26 @@
+# frozen_string_literal: true
+require 'set'
 require 'time'
-require 'uri'
+require 'rack'
 
 module Sprockets
   # `Server` is a concern mixed into `Environment` and
-  # `Index` that provides a Rack compatible `call`
+  # `CachedEnvironment` that provides a Rack compatible `call`
   # interface and url generation helpers.
   module Server
+    # Supported HTTP request methods.
+    ALLOWED_REQUEST_METHODS = ['GET', 'HEAD'].to_set.freeze
+
+    # :stopdoc:
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+      X_CASCADE = "X-Cascade"
+      VARY = "Vary"
+    else
+      X_CASCADE = "x-cascade"
+      VARY = "vary"
+    end
+    # :startdoc:
+
     # `call` implements the Rack 1.x specification which accepts an
     # `env` Hash and returns a three item tuple with the status code,
     # headers, and body.
@@ -23,19 +38,18 @@ module Sprockets
       start_time = Time.now.to_f
       time_elapsed = lambda { ((Time.now.to_f - start_time) * 1000).to_i }
 
-      msg = "Served asset #{env['PATH_INFO']} -"
+      unless ALLOWED_REQUEST_METHODS.include? env['REQUEST_METHOD']
+        return method_not_allowed_response
+      end
 
-      # Mark session as "skipped" so no `Set-Cookie` header is set
-      env['rack.session.options'] ||= {}
-      env['rack.session.options'][:defer] = true
-      env['rack.session.options'][:skip] = true
+      msg = "Served asset #{env['PATH_INFO']} -"
 
       # Extract the path from everything after the leading slash
-      path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
+      full_path = Rack::Utils.unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
+      path = full_path
 
-      # URLs containing a `".."` are rejected for security reasons.
-      if forbidden_request?(path)
-        return forbidden_response
+      unless path.valid_encoding?
+        return bad_request_response(env)
       end
 
       # Strip fingerprint
@@ -43,39 +57,69 @@ module Sprockets
         path = path.sub("-#{fingerprint}", '')
       end
 
-      # Look up the asset.
-      asset = find_asset(path, :bundle => !body_only?(env))
-
-      # `find_asset` returns nil if the asset doesn't exist
-      if asset.nil?
-        logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
+      # URLs containing a `".."` are rejected for security reasons.
+      if forbidden_request?(path)
+        return forbidden_response(env)
+      end
 
-        # Return a 404 Not Found
-        not_found_response
+      if fingerprint
+        if_match = fingerprint
+      elsif env['HTTP_IF_MATCH']
+        if_match = env['HTTP_IF_MATCH'][/"(\w+)"$/, 1]
+      end
 
-      # Check request headers `HTTP_IF_NONE_MATCH` against the asset digest
-      elsif etag_match?(asset, env)
-        logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
+      if env['HTTP_IF_NONE_MATCH']
+        if_none_match = env['HTTP_IF_NONE_MATCH'][/"(\w+)"$/, 1]
+      end
 
-        # Return a 304 Not Modified
-        not_modified_response(asset, env)
+      # Look up the asset.
+      asset = find_asset(path)
+
+      # Fallback to looking up the asset with the full path.
+      # This will make assets that are hashed with webpack or
+      # other js bundlers work consistently between production
+      # and development pipelines.
+      if asset.nil? && (asset = find_asset(full_path))
+        if_match = asset.etag if fingerprint
+        fingerprint = asset.etag
+      end
 
+      if asset.nil?
+        status = :not_found
+      elsif fingerprint && asset.etag != fingerprint
+        status = :not_found
+      elsif if_match && asset.etag != if_match
+        status = :precondition_failed
+      elsif if_none_match && asset.etag == if_none_match
+        status = :not_modified
       else
-        logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
+        status = :ok
+      end
 
-        # Return a 200 with the asset contents
+      case status
+      when :ok
+        logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
         ok_response(asset, env)
+      when :not_modified
+        logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
+        not_modified_response(env, if_none_match)
+      when :not_found
+        logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
+        not_found_response(env)
+      when :precondition_failed
+        logger.info "#{msg} 412 Precondition Failed (#{time_elapsed.call}ms)"
+        precondition_failed_response(env)
       end
     rescue Exception => e
       logger.error "Error compiling asset #{path}:"
       logger.error "#{e.class.name}: #{e.message}"
 
-      case content_type_of(path)
-      when "application/javascript"
+      case File.extname(path)
+      when ".js"
         # Re-throw JavaScript asset exceptions to the browser
         logger.info "#{msg} 500 Internal Server Error\n\n"
         return javascript_exception_response(e)
-      when "text/css"
+      when ".css"
         # Display CSS asset exceptions in the browser
         logger.info "#{msg} 500 Internal Server Error\n\n"
         return css_exception_response(e)
@@ -90,25 +134,72 @@ module Sprockets
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..")
+        path.include?("..") || absolute_path?(path) || path.include?("://")
+      end
+
+      def head_request?(env)
+        env['REQUEST_METHOD'] == 'HEAD'
+      end
+
+      # Returns a 200 OK response tuple
+      def ok_response(asset, env)
+        if head_request?(env)
+          [ 200, headers(env, asset, 0), [] ]
+        else
+          [ 200, headers(env, asset, asset.length), asset ]
+        end
+      end
+
+      # Returns a 304 Not Modified response tuple
+      def not_modified_response(env, etag)
+        [ 304, cache_headers(env, etag), [] ]
+      end
+
+      # Returns a 400 Forbidden response tuple
+      def bad_request_response(env)
+        if head_request?(env)
+          [ 400, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0" }, [] ]
+        else
+          [ 400, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "11" }, [ "Bad Request" ] ]
+        end
       end
 
       # Returns a 403 Forbidden response tuple
-      def forbidden_response
-        [ 403, { "Content-Type" => "text/plain", "Content-Length" => "9" }, [ "Forbidden" ] ]
+      def forbidden_response(env)
+        if head_request?(env)
+          [ 403, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0" }, [] ]
+        else
+          [ 403, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "9" }, [ "Forbidden" ] ]
+        end
       end
 
       # Returns a 404 Not Found response tuple
-      def not_found_response
-        [ 404, { "Content-Type" => "text/plain", "Content-Length" => "9", "X-Cascade" => "pass" }, [ "Not found" ] ]
+      def not_found_response(env)
+        if head_request?(env)
+          [ 404, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0", X_CASCADE => "pass" }, [] ]
+        else
+          [ 404, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "9", X_CASCADE => "pass" }, [ "Not found" ] ]
+        end
+      end
+
+      def method_not_allowed_response
+        [ 405, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "18" }, [ "Method Not Allowed" ] ]
+      end
+
+      def precondition_failed_response(env)
+        if head_request?(env)
+          [ 412, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0", X_CASCADE => "pass" }, [] ]
+        else
+          [ 412, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "19", X_CASCADE => "pass" }, [ "Precondition Failed" ] ]
+        end
       end
 
       # Returns a JavaScript response that re-throws a Ruby exception
       # in the browser
       def javascript_exception_response(exception)
-        err  = "#{exception.class.name}: #{exception.message}"
+        err  = "#{exception.class.name}: #{exception.message}\n  (in #{exception.backtrace[0]})"
         body = "throw Error(#{err.inspect})"
-        [ 200, { "Content-Type" => "application/javascript", "Content-Length" => Rack::Utils.bytesize(body).to_s }, [ body ] ]
+        [ 200, { Rack::CONTENT_TYPE => "application/javascript", Rack::CONTENT_LENGTH => body.bytesize.to_s }, [ body ] ]
       end
 
       # Returns a CSS response that hides all elements on the page and
@@ -161,7 +252,7 @@ module Sprockets
           }
         CSS
 
-        [ 200, { "Content-Type" => "text/css;charset=utf-8", "Content-Length" => Rack::Utils.bytesize(body).to_s }, [ body ] ]
+        [ 200, { Rack::CONTENT_TYPE => "text/css; charset=utf-8", Rack::CONTENT_LENGTH => body.bytesize.to_s }, [ body ] ]
       end
 
       # Escape special characters for use inside a CSS content("...") string
@@ -173,75 +264,52 @@ module Sprockets
           gsub('/',  '\\\\002f ')
       end
 
-      # Compare the requests `HTTP_IF_NONE_MATCH` against the assets digest
-      def etag_match?(asset, env)
-        env["HTTP_IF_NONE_MATCH"] == etag(asset)
-      end
+      def cache_headers(env, etag)
+        headers = {}
 
-      # Test if `?body=1` or `body=true` query param is set
-      def body_only?(env)
-        env["QUERY_STRING"].to_s =~ /body=(1|t)/
-      end
+        # Set caching headers
+        headers[Rack::CACHE_CONTROL] = +"public"
+        headers[Rack::ETAG]          = %("#{etag}")
 
-      # Returns a 304 Not Modified response tuple
-      def not_modified_response(asset, env)
-        [ 304, {}, [] ]
-      end
+        # If the request url contains a fingerprint, set a long
+        # expires on the response
+        if path_fingerprint(env["PATH_INFO"])
+          headers[Rack::CACHE_CONTROL] << ", max-age=31536000, immutable"
 
-      # Returns a 200 OK response tuple
-      def ok_response(asset, env)
-        [ 200, headers(env, asset, asset.length), asset ]
+        # Otherwise set `must-revalidate` since the asset could be modified.
+        else
+          headers[Rack::CACHE_CONTROL] << ", must-revalidate"
+          headers[VARY] = "Accept-Encoding"
+        end
+
+        headers
       end
 
       def headers(env, asset, length)
-        Hash.new.tap do |headers|
-          # Set content type and length headers
-          headers["Content-Type"]   = asset.content_type
-          headers["Content-Length"] = length.to_s
-
-          # Set caching headers
-          headers["Cache-Control"]  = "public"
-          headers["Last-Modified"]  = asset.mtime.httpdate
-          headers["ETag"]           = etag(asset)
-
-          # If the request url contains a fingerprint, set a long
-          # expires on the response
-          if path_fingerprint(env["PATH_INFO"])
-            headers["Cache-Control"] << ", max-age=31536000"
-
-          # Otherwise set `must-revalidate` since the asset could be modified.
-          else
-            headers["Cache-Control"] << ", must-revalidate"
+        headers = {}
+
+        # Set content length header
+        headers[Rack::CONTENT_LENGTH] = length.to_s
+
+        # Set content type header
+        if type = asset.content_type
+          # Set charset param for text/* mime types
+          if type.start_with?("text/") && asset.charset
+            type += "; charset=#{asset.charset}"
           end
+          headers[Rack::CONTENT_TYPE] = type
         end
+
+        headers.merge(cache_headers(env, asset.etag))
       end
 
-      # Gets digest fingerprint.
+      # Gets ETag fingerprint.
       #
       #     "foo-0aa2105d29558f3eb790d411d7d8fb66.js"
       #     # => "0aa2105d29558f3eb790d411d7d8fb66"
       #
       def path_fingerprint(path)
-        path[/-([0-9a-f]{7,40})\.[^.]+$/, 1]
-      end
-
-      # URI.unescape is deprecated on 1.9. We need to use URI::Parser
-      # if its available.
-      if defined? URI::DEFAULT_PARSER
-        def unescape(str)
-          str = URI::DEFAULT_PARSER.unescape(str)
-          str.force_encoding(Encoding.default_internal) if Encoding.default_internal
-          str
-        end
-      else
-        def unescape(str)
-          URI.unescape(str)
-        end
-      end
-
-      # Helper to quote the assets digest for use as an ETag.
-      def etag(asset)
-        %("#{asset.digest}")
+        path[/-([0-9a-zA-Z]{7,128})\.[^.]+\z/, 1]
       end
   end
 end

data/lib/sprockets/source_map_processor.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+require 'set'
+
+module Sprockets
+
+  # The purpose of this class is to generate a source map file
+  # that can be read and understood by browsers.
+  #
+  # When a file is passed in it will have a `application/js-sourcemap+json`
+  # or `application/css-sourcemap+json` mime type. The filename will be
+  # match the original asset. The original asset is loaded. As it
+  # gets processed by Sprockets it will acquire all information
+  # needed to build a source map file in the `asset.to_hash[:metadata][:map]`
+  # key.
+  #
+  # The output is an asset with a properly formatted source map file:
+  #
+  #   {
+  #     "version": 3,
+  #     "sources": ["foo.js"],
+  #     "names":   [ ],
+  #     "mappings": "AAAA,GAAIA"
+  #   }
+  #
+  class SourceMapProcessor
+    def self.call(input)
+      links = Set.new(input[:metadata][:links])
+      env = input[:environment]
+
+      uri, _ = env.resolve!(input[:filename], accept: self.original_content_type(input[:content_type]))
+      asset  = env.load(uri)
+      map    = asset.metadata[:map]
+
+      # TODO: Because of the default piplene hack we have to apply dependencies
+      #       from compiled asset to the source map, otherwise the source map cache
+      #       will never detect the changes from directives
+      dependencies = Set.new(input[:metadata][:dependencies])
+      dependencies.merge(asset.metadata[:dependencies])
+
+      map["file"] = PathUtils.split_subpath(input[:load_path], input[:filename])
+      sources = map["sections"] ? map["sections"].map { |s| s["map"]["sources"] }.flatten : map["sources"]
+
+      sources.each do |source|
+        source = PathUtils.join(File.dirname(map["file"]), source)
+        uri, _ = env.resolve!(source)
+        links << uri
+      end
+
+      json = JSON.generate(map)
+
+      { data: json, links: links, dependencies: dependencies }
+    end
+
+    def self.original_content_type(source_map_content_type, error_when_not_found: true)
+      case source_map_content_type
+      when "application/js-sourcemap+json"
+        "application/javascript"
+      when "application/css-sourcemap+json"
+        "text/css"
+      else
+        fail(source_map_content_type) if error_when_not_found
+        source_map_content_type
+      end
+    end
+  end
+end