tina4ruby 3.13.6 → 3.13.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4cfc3ef750c6d75e22a7c26c3695e5e9a50c841d868b663dbbd0f0b3aaf58987
-  data.tar.gz: 2e6d763e7662cb24e13e3dbdb7147709b5d69a5e1d5fca893f68a36a0bde9f76
+  metadata.gz: 6526c615d8d8dd6c8bdba089bceb5969917b2c4400d44886f3c3d757ad4ef14f
+  data.tar.gz: ddebcbd9f847f2660b6ed32e6f7ef86b7e3bd5aa1df3f37f2827d4a2549d9efb
 SHA512:
-  metadata.gz: f340ff33f11ec9e0c3c4cb577fb6eff61d5d674a69ca714fb7adf2e610e08f37201ec582c8e1e854ea31e52700195a7ed6308a4c102b0ff99ea1ebe362f0d6b0
-  data.tar.gz: 5f0d2ab921df913639914dfdb0799691353201b8bb12997524322181cbd22266ac537e409045212cf7c56a8cfb5db1d4a350f90adc3cf3dc53d817213c2a0b2d
+  metadata.gz: 066d4124d585f5e79c3b41e3a763dc655c68d45e5c4afb19c01e0c5dc50fec29f50e21c0fe2eb3b6c8a9941664e45134eb46ef21c42827298c729a77801e766e
+  data.tar.gz: '0148be259f7b00d815abfc04b35f7bbca09e0e5561ff24e72e4a94a4e9e2c7d94236f67949e31d48daba76d383550a12f0c67d690a03a107db7642ef2a9e5570'

data/lib/tina4/rack_app.rb

@@ -774,14 +774,40 @@ module Tina4
     def handle_500(error, env = nil)
       Tina4::Log.error("500 Internal Server Error: #{error.message}")
       Tina4::Log.error(error.backtrace&.first(10)&.join("\n"))
+
+      # v3.13.7: surface route failures to observability (centralised
+      # logging, APM, Sentry) BEFORE rendering the 500. Listeners get
+      # the canonical {exception:, request:} pair — same shape as
+      # Python / PHP / Node. Listener exceptions are swallowed +
+      # warning-logged so a broken listener can't break the 500 page.
+      begin
+        request = env && env["tina4.request"]
+        Tina4::Events.emit("tina4.request.error", {
+          exception: error,
+          request:   request
+        })
+      rescue StandardError => listener_err
+        begin
+          Tina4::Log.warning(
+            "Listener for tina4.request.error raised: " \
+            "#{listener_err.class}: #{listener_err.message}"
+          )
+        rescue StandardError
+          # Log failures must never block the 500 render.
+        end
+      end
+
       if dev_mode?
         # Rich error overlay with stack trace, source context, and line numbers
         body = Tina4::ErrorOverlay.render_error_overlay(error, request: env)
       else
+        # v3.13.7 SECURITY (CWE-209): production response body must NOT
+        # contain the stack trace. The trace stays in Log.error above
+        # and reaches observability via the tina4.request.error event.
         body = Tina4::Template.render_error(500, {
-          "error_message" => "#{error.message}\n#{error.backtrace&.first(10)&.join("\n")}",
+          "error_message" => "",
           "request_id" => SecureRandom.hex(6)
-        }) rescue "500 Internal Server Error: #{error.message}"
+        }) rescue "500 Internal Server Error"
       end
       [500, { "content-type" => "text/html" }, [body]]
     end

data/lib/tina4/templates/errors/500.twig

@@ -27,7 +27,7 @@ body { font-family: system-ui, -apple-system, sans-serif; background: #0f172a; c
         <div class="error-title">Server Error</div>
     </div>
     <div class="error-msg">Something went wrong while processing your request.</div>
-    <pre class="error-trace">{{ error_message }}</pre>
+    {% if error_message %}<pre class="error-trace">{{ error_message }}</pre>{% endif %}
     <div class="error-footer">
         <span class="error-hint">Fix the error and save to auto-reload</span>
         <span class="error-id">{{ request_id }}</span>

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.13.6"
+  VERSION = "3.13.7"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.13.6
+  version: 3.13.7
 platform: ruby
 authors:
 - Tina4 Team