unpoly-rails 3.9.2 → 3.9.3

@@ -5,13 +5,19 @@ module Unpoly
5
5
 
6
6
  def guard_json_decode(raw, &default)
7
7
  if raw.present?
8
- begin
9
- ActiveSupport::JSON.decode(raw)
10
- rescue ActiveSupport::JSON.parse_error
11
- # We would love to crash here, as it might indicate a bug in the frontend code.
12
- # Unfortunately security scanners may be spamming malformed JSON in X-Up headers,
13
- # DOSing us with error notifications.
14
- ::Rails.logger.error('unpoly-rails: Ignoring malformed JSON in X-Up header')
8
+ if raw.is_a?(String)
9
+ begin
10
+ ActiveSupport::JSON.decode(raw)
11
+ rescue ActiveSupport::JSON.parse_error
12
+ # We would love to crash here, as it might indicate a bug in the frontend code.
13
+ # Unfortunately security scanners may be spamming malformed JSON in X-Up headers,
14
+ # DOSing us with error notifications.
15
+ ::Rails.logger.error('unpoly-rails: Ignoring malformed JSON in X-Up header')
16
+ default&.call
17
+ end
18
+ else
19
+ # Security spammers may pass nested param values in params like _up_context_changes.
20
+ ::Rails.logger.error('unpoly-rails: Ignoring nested value in _up param')
15
21
  default&.call
16
22
  end
17
23
  else
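Review bot: The new `is_a?(String)` guard keeps nested param values out of `ActiveSupport::JSON.decode`, but the decoded value's type is still unchecked — a scanner sending `_up_context_changes=1` or `_up_context_changes=[]` passes the guard, `decode` returns an Integer or Array, and whatever consumes the result (outside this hunk) may raise there, which is the same crash-on-junk this branch is meant to avoid. If the call sites expect a Hash, as the `_up_context_changes` name suggests, consider checking the decoded type before returning it, e.g. `value = ActiveSupport::JSON.decode(raw)` followed by `value.is_a?(Hash) ? value : default&.call`, or make each caller validate the shape it needs; which shapes are expected cannot be confirmed from this hunk. On the else branch, the comment's "Security spammers" should read "security scanners" to match the wording two branches above, and both branches log the same way without echoing the raw value, which is correct since the value is attacker-controlled. The body of `guard_json_decode` continues past the end of this hunk.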
@@ -3,6 +3,6 @@ module Unpoly
3
3
  ##
4
4
  # The current version of the unpoly-rails gem.
5
5
  # The first 3 digits should match the version of the Unpoly frontend code.
6
- VERSION = '3.9.2'
6
+ VERSION = '3.9.3'
7
7
  end
8
8
  end
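--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unpoly-rails
 version: !ruby/object:Gem::Version
-version: 3.9.2
+version: 3.9.3
 platform: ruby
 authors:
 - Henning Koch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-04 00:00:00.000000000 Z
+date: 2024-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: railties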