unicorn-lockdown 1.1.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0f0b84f88c8502c942f5b15b50bb7ac6946de87ef31ee14cf96e9d71b569b8a3
-  data.tar.gz: 69d55260a85368464b5dbb0b9b24120eacb3d9f95f07c4be765f8d913b8e7f2d
+  metadata.gz: 1d6578be3b39fdc48fdc0acaab810ef3029bc4e3f6484ecd3585d8dbf5b11d67
+  data.tar.gz: 6e7f7ceff3497829eb86504d03c2cf243a331ced69331da2c8d18ec518366ff9
 SHA512:
-  metadata.gz: 2622fa1ea4b31f117037175273420574269b8f976e905d39a76137aefb4da44e94e13e1ec121db5a9d21fcef901dc3d5fec42434c36d5dd5cc21640d64379131
-  data.tar.gz: 032dbedbb2e5eab750fb10ae6f9ef0cb108fdedac239bf3adead2faa637bddfb8613a1d9a865730d449e2d4d6d334f35bab5b762f5b97bf4e946872ebdbf1d63
+  metadata.gz: 171877502073283aaefaf6724065ea3057dca70c6bc2e84363c093c57be916421b72d631b54e52aaed2ad4a332b31ac07d8560307efda170372458f4e7d27331
+  data.tar.gz: 357794d05df3022e0511b20db4dc72b6021e176b217b085959fdf8bce4eada097dca3a41c80576c312ddd54c640329decda5a6402a09b1d3481d4a4d4bbe9bdb

data/CHANGELOG

@@ -1,3 +1,21 @@
+= 1.3.0 (2024-05-22)
+
+* Eagerly require strscan to avoid issues if it is lazy loaded by rack's multipart parser (jeremyevans)
+
+* Avoid string literal modifications to avoid warnings on Ruby 3.4 (jeremyevans)
+
+* Remove X-XSS-Protection from generated nginx files, as MDN now recommends against it (jeremyevans)
+
+= 1.2.0 (2022-11-16)
+
+* Remove access_log format from generated nginx configurations (jeremyevans)
+
+* Create and unveil the coverage directory when using SimpleCov with Unveiler (jeremyevans)
+
+* Add getpw to default master_execpledge, necessary on OpenBSD 7.2+ (jeremyevans)
+
+* Support OpenBSD 7.2 daemon_execdir for setting directory (jeremyevans)
+
 = 1.1.0 (2022-07-18)
 
 * Make unveiler still pledge if SimpleCov is loaded, but update pledge promises (jeremyevans)

data/files/rc.unicorn

@@ -2,20 +2,12 @@
 
 daemon="/usr/local/bin/unicorn"
 daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
-
-[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
-[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+rc_stop_signal=QUIT
 
 . /etc/rc.d/rc.subr
 
 pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
-
-rc_start() {
-  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
-}
-
-rc_stop() {
-   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}" 
-}
+[ -n "${daemon_execdir}" ] || _rc_err "$0: daemon_execdir is not set"
+[ -n "${unicorn_app}" ] || _rc_err "$0: unicorn_app is not set"
 
 rc_cmd $1

data/files/rc.unicorn.71

@@ -0,0 +1,21 @@
+[ -z "${unicorn_conf}" ] && unicorn_conf=unicorn.conf
+
+daemon="/usr/local/bin/unicorn"
+daemon_flags="-c ${unicorn_conf} -D ${rackup_file}"
+
+[ -n "${unicorn_dir}" ] || rc_err "$0: unicorn_dir is not set"
+[ -n "${unicorn_app}" ] || rc_err "$0: unicorn_app is not set"
+
+. /etc/rc.d/rc.subr
+
+pexp="ruby[0-9][0-9]: unicorn-$unicorn_app-master .*"
+
+rc_start() {
+  ${rcexec} "cd ${unicorn_dir} && ${daemon} ${daemon_flags}"
+}
+
+rc_stop() {
+   pkill -QUIT -T "${daemon_rtable}" -xf "${pexp}" 
+}
+
+rc_cmd $1

data/files/unicorn_lockdown_add.rb

@@ -146,7 +146,7 @@ Unicorn.lockdown(self,
   # More pledges may be needed depending on application
   :pledge=>'rpath prot_exec inet unix flock',
   :master_pledge=>'rpath prot_exec cpath wpath inet proc exec',
-  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock',
+  :master_execpledge=>'stdio rpath prot_exec inet unix cpath wpath unveil flock getpw',
 
   # More unveils may be needed depending on application
   :unveil=>{
@@ -169,7 +169,7 @@ upstream #{app}_unicorn {
 }
 server {
     server_name #{app};
-    access_log #{nginx_access_log_file} main;
+    access_log #{nginx_access_log_file};
     error_log #{nginx_error_log_file} warn;
     root #{dir}/public;
     error_page   500 503 /500.html;
@@ -180,7 +180,6 @@ server {
     proxy_redirect    off;
     add_header X-Content-Type-Options nosniff;
     add_header X-Frame-Options deny;
-    add_header X-XSS-Protection "1; mode=block";
     try_files $uri @#{app}_unicorn;
     location @#{app}_unicorn {
         proxy_pass http://#{app}_unicorn;
@@ -212,12 +211,17 @@ end
 # Setup /etc/rc.d/unicorn_* file for daemon management
 unless File.file?(rc_file)
   puts "Creating #{rc_file}"
+
+  # :nocov:
+  dir_var = `/usr/bin/uname -r` < '7.2' ? 'unicorn_dir' : 'daemon_execdir'
+  # :nocov:
+
   File.binwrite(rc_file, <<END)
 #!/bin/ksh
 
 daemon_user=#{user}
+#{dir_var}=#{dir}
 unicorn_app=#{app}
-unicorn_dir=#{dir}
 #{unicorn}#{rackup}
 . /etc/rc.d/rc.unicorn
 END

data/files/unicorn_lockdown_setup.rb

@@ -68,7 +68,11 @@ end
 # Setup rc.unicorn file
 unless File.file?(rc_unicorn_file)
   puts "Creating #{rc_unicorn_file}"
-  File.binwrite(rc_unicorn_file, File.binread(File.join(File.dirname(__dir__), 'files', 'rc.unicorn')))
+  filename = File.join(File.dirname(__dir__), 'files', 'rc.unicorn')
+  # :nocov:
+  filename << ".71" if `/usr/bin/uname -r` < '7.2'
+  # :nocov:
+  File.binwrite(rc_unicorn_file, File.binread(filename))
   File.chmod(0644, rc_unicorn_file)
   chown.(root_id, root_id, rc_unicorn_file)
 end

data/lib/unicorn-lockdown.rb

@@ -8,10 +8,13 @@
 require 'pledge'
 require 'unveil'
 
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
+
 # Load common encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 
 class Unicorn::HttpServer
   # The file name in which to store request information.

data/lib/unveiler.rb

@@ -1,10 +1,13 @@
 require 'pledge'
 require 'unveil'
 
+# Eagerly require strscan, lazily loaded by rack's multipart parser
+require 'strscan'
+
 # Load encodings
-"\255".force_encoding('ISO8859-1').encode('UTF-8')
-''.force_encoding('UTF-16LE')
-''.force_encoding('UTF-16BE')
+"\255".dup.force_encoding('ISO8859-1').encode('UTF-8')
+''.dup.force_encoding('UTF-16LE')
+''.dup.force_encoding('UTF-16BE')
 
 # Don't run external diff program for failures
 Minitest::Assertions.diff = false if defined?(Minitest::Assertions)
@@ -27,16 +30,35 @@ module Unveiler
       end
     end
 
-    Pledge.unveil(unveil)
-
     # :nocov:
     if defined?(SimpleCov)
     # :nocov:
-      # If running coverage tests, add necessary pledges for
+      # If running coverage tests, add necessary pledges and unveils for
       # coverage testing to work.
+      dir = SimpleCov.coverage_dir
+      unveil[dir] = 'rwc'
+
+      # Unveil read access to the entire current directory, since any part
+      # that has covered code needs to be read to generate the coverage
+      # information.
+      unveil['.'] = 'r'
+
+      if defined?(Gem)
+        # Unveil access to the simplecov-html gem, since that is used by default
+        # to build the coverage pages.
+        unveil['simplecov-html'] = :gem
+      end
+
+      # :nocov:
+      # Must create directory before attempting to unveil it.
+      # When running unveiler tests, the coverage directory is already created.
+      Dir.mkdir(dir) unless File.directory?(dir)
+      # :nocov:
+
       pledge = (pledge.split + %w'rpath wpath cpath flock').uniq.join(' ')
     end
 
+    Pledge.unveil(unveil)
     Pledge.pledge(pledge)
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unicorn-lockdown
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.3.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-07-18 00:00:00.000000000 Z
+date: 2024-05-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pledge
@@ -94,7 +94,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email: code@jeremyevans.net
 executables:
 - unicorn-lockdown-add
@@ -108,6 +108,7 @@ files:
 - bin/unicorn-lockdown-add
 - bin/unicorn-lockdown-setup
 - files/rc.unicorn
+- files/rc.unicorn.71
 - files/unicorn_lockdown_add.rb
 - files/unicorn_lockdown_setup.rb
 - lib/rack/email_exceptions.rb
@@ -122,7 +123,7 @@ metadata:
   changelog_uri: https://github.com/jeremyevans/unicorn-lockdown/blob/master/CHANGELOG
   mailing_list_uri: https://github.com/jeremyevans/unicorn-lockdown/discussions
   source_code_uri: https://github.com/jeremyevans/unicorn-lockdown
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -137,8 +138,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key: 
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: Helper library for running Unicorn with fork+exec/unveil/pledge on OpenBSD
 test_files: []