RubyGems - unicorn-lockdown - Versions diffs - 1.1.0 → 1.3.0 - Mend

unicorn-lockdown 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/CHANGELOG +18 -0
data/files/rc.unicorn +3 -11
data/files/rc.unicorn.71 +21 -0
data/files/unicorn_lockdown_add.rb +8 -4
data/files/unicorn_lockdown_setup.rb +5 -1
data/lib/unicorn-lockdown.rb +6 -3
data/lib/unveiler.rb +28 -6
metadata +8 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
-  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
+  metadata.gz: 1d6578be3b39fdc48fdc0acaab810ef3029bc4e3f6484ecd3585d8dbf5b11d67
+  data.tar.gz: 6e7f7ceff3497829eb86504d03c2cf243a331ced69331da2c8d18ec518366ff9
 SHA512:
-  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
-  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63
+  metadata.gz: 171877502073283aaefaf6724065ea3057dca70c6bc2e84363c093c57be916421b72d631b54e52aaed2ad4a332b31ac07d8560307efda170372458f4e7d27331
+  data.tar.gz: 357794d05df3022e0511b20db4dc72b6021e176b217b085959fdf8bce4eada097dca3a41c80576c312ddd54c640329decda5a6402a09b1d3481d4a4d4bbe9bdb

data/CHANGELOG CHANGED Viewed

@@ -1,3 +1,21 @@
+= 1.3.0 (2024-05-22)
+* Eagerly require strscan to avoid issues if it is lazy loaded by rack's multipart parser (jeremyevans)
+* Avoid string literal modifications to avoid warnings on Ruby 3.4 (jeremyevans)
+* Remove X-XSS-Protection from generated nginx files, as MDN now recommends against it (jeremyevans)
+= 1.2.0 (2022-11-16)
+* Remove access_log format from generated nginx configurations (jeremyevans)
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
 = 1.1.0 (2022-07-18)
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)

data/files/rc.unicorn CHANGED Viewed

@@ -2,20 +2,12 @@
 daemon="/usr/local/bin/unicorn"
 daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
-[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
-[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+rc_stop_signal=QUIT
 . /etc/rc.d/rc.subr
 pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
-rc_start() {
-  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
-}
-rc_stop() {
-   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
-}
+[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
+[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
 rc_cmd $1

data/files/rc.unicorn.71 ADDED Viewed

@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+. /etc/rc.d/rc.subr
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+rc_start() {
+  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+rc_stop() {
+   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}"
+}
+rc_cmd $1

data/files/unicorn_lockdown_add.rb CHANGED Viewed

@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
   # More pledges may be needed depending on application
   :pledge=>'rpath prot_exec inet unix flock',
   :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
   # More unveils may be needed depending on application
   :unveil=>{
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
 }
 server {
     server_name #{app};
-    access_log #{nginx_access_log_file} main;
+    access_log #{nginx_access_log_file};
     error_log #{nginx_error_log_file} warn;
     root #{dir}/public;
     error_page   500 503 /500.html;
@@ -180,7 +180,6 @@ server {
     proxy_redirect    off;
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options deny;
-    add_header X-XSS-Protection "1; mode=block";
     try_files $uri @#{app}_unicorn;
     location @#{app}_unicorn {
         proxy_pass http://#{app}_unicorn;
@@ -212,12 +211,17 @@ end
 # Setup /etc/rc.d/unicorn_* file for daemon management
 unless File.file?(rc_file)
   puts "Creating #{rc_file}"
+  # :nocov:
+  dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
+  # :nocov:
   File.binwrite(rc_file, <<END)
 #!/bin/ksh
 daemon_user=#{user}
+#{dir_var}=#{dir}
 unicorn_app=#{app}
-unicorn_dir=#{dir}
 #{unicorn}#{rackup}
 . /etc/rc.d/rc.unicorn
 END

data/files/unicorn_lockdown_setup.rb CHANGED Viewed

@@ -68,7 +68,11 @@ end
 # Setup rc.unicorn file
 unless File.file?(rc_unicorn_file)
   puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
+  # :nocov:
+  filename << ".71" if `/usr/bin/uname -r` < '7.2'
+  # :nocov:
+  File.binwrite(rc_unicorn_file, File.binread(filename))
   File.chmod(0644, rc_unicorn_file)
   chown.(root_id, root_id, rc_unicorn_file)
 end

data/lib/unicorn-lockdown.rb CHANGED Viewed

@@ -8,10 +8,13 @@
 require 'pledge'
 require 'unveil'
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
 # Load common encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 class Unicorn::HttpServer
   # The file name in which to store request information.

data/lib/unveiler.rb CHANGED Viewed

@@ -1,10 +1,13 @@
 require 'pledge'
 require 'unveil'
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
 # Load encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 # Don't run external diff program for failures
 Minitest::Assertions.diff = false if defined?(Minitest::Assertions)
@@ -27,16 +30,35 @@ module Unveiler
       end
     end
-    Pledge.unveil(unveil)
     # :nocov:
     if defined?(SimpleCov)
     # :nocov:
-      # If running coverage tests, add necessary pledges for
+      # If running coverage tests, add necessary pledges and unveils for
       # coverage testing to work.
+      dir = SimpleCov.coverage_dir
+      unveil[dir] = 'rwc'
+      # Unveil read access to the entire current directory, since any part
+      # that has covered code needs to be read to generate the coverage
+      # information.
+      unveil['.'] = 'r'
+      if defined?(Gem)
+        # Unveil access to the simplecov-html gem, since that is used by default
+        # to build the coverage pages.
+        unveil['simplecov-html'] = :gem
+      end
+      # :nocov:
+      # Must create directory before attempting to unveil it.
+      # When running unveiler tests, the coverage directory is already created.
+      Dir.mkdir(dir) unless File.directory?(dir)
+      # :nocov:
       pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
     end
+    Pledge.unveil(unveil)
     Pledge.pledge(pledge)
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-07-18 00:00:00.000000000 Z
+date: 2024-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description:
+description:
 email: code@jeremyevans.net
 executables:
 - unicorn-lockdown-add
@@ -108,6 +108,7 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/rc.unicorn.71
 - files/unicorn_lockdown_add.rb
 - files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
@@ -122,7 +123,7 @@ metadata:
   changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
   mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
   source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -137,8 +138,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []