view_component 4.8.0 → 4.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/controllers/view_components_system_test_controller.rb +10 -1
- data/docs/CHANGELOG.md +14 -0
- data/lib/view_component/compiler.rb +1 -2
- data/lib/view_component/engine.rb +5 -1
- data/lib/view_component/preview.rb +2 -0
- data/lib/view_component/slot.rb +0 -1
- data/lib/view_component/test_helpers.rb +8 -9
- data/lib/view_component/version.rb +1 -1
- metadata +1 -1
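--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bd12f6e6a2acbb991781956cb7677076cc652b7f90519649d6d5503073feb364
+data.tar.gz: bd5b8a5ef52c8f88c718c534f75626a208cba7a77f2bbced2cf22fcde70a226d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: d580739f741633eb2db4f16a45a21ad0b23118021383395fb4435ff63a381b2fb08b800a1acb2b997f7d6e7f6d28f654e55d6a14cd261944b8820787b988751c
+data.tar.gz: 40592ea9f341b2cd8c11971028825e6456bf5092799f69d7cfc753443c5c6672208c102522c3ec47cfbbdf282049251800f14a8dfc6a7895c3c4e8a4b275be75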
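--- a/data/app/controllers/view_components_system_test_controller.rb
+++ b/data/app/controllers/view_components_system_test_controller.rb
@@ -8,18 +8,27 @@ class ViewComponentsSystemTestController < ActionController::Base # :nodoc:
 @_tmpdir ||= FileUtils.mkdir_p("./tmp/view_components/").first
 end
 
+rescue_from ViewComponent::SystemTestControllerNefariousPathError, with: :render_not_found
+
 def system_test_entrypoint
 render file: @path
 end
 
 private
 
+def render_not_found
+head :not_found
+end
+
 # Ensure that the file path is valid and doesn't target files outside
 # the expected directory (e.g. via a path traversal or symlink attack)
 def validate_file_path
 base_path = ::File.realpath(self.class.temp_dir)
 @path = ::File.realpath(params.permit(:file)[:file], base_path)
-
+allowed_prefix = "#{base_path}#{::File::SEPARATOR}"
+unless @path == base_path || @path.start_with?(allowed_prefix)
+raise ViewComponent::SystemTestControllerNefariousPathError
+end
 end
 end
 end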
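Review bot: The new containment check on new line 29 still admits `@path == base_path`, i.e. the temp directory itself, which `render file: @path` in `system_test_entrypoint` cannot serve, so that case is simpler to reject along with everything else: `unless @path.start_with?(allowed_prefix)`. Separately, `::File.realpath` on new line 27 raises `Errno::ENOENT` when the requested file does not exist and `TypeError` when the `file` parameter is absent, and neither is mapped by the new `rescue_from`, so those requests presumably surface as 500s rather than the 404 the changelog describes; one option is `rescue_from Errno::ENOENT, TypeError, with: :render_not_found` beside the existing line. The content of the removed old line 22 is not visible on this page, and how `validate_file_path` is wired up (likely a `before_action`) lies outside the hunk along with the class header.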
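--- a/data/docs/CHANGELOG.md
+++ b/data/docs/CHANGELOG.md
@@ -10,6 +10,20 @@ nav_order: 6
 
 ## main
 
+## 4.9.0
+
+* Fix path traversal vulnerability in `ViewComponentsSystemTestController` where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The `start_with?` check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.
+
+*Joel Hawksley*
+
+* Fix preview route vulnerability where inherited methods on `ViewComponent::Preview` (such as `render_with_template`) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. `render_args` now raises `AbstractController::ActionNotFound` for any example not explicitly declared on the preview subclass.
+
+*Joel Hawksley*
+
+* Add `yard-lint` to CI.
+
+*Joel Hawksley*
+
 ## 4.8.0
 
 * Add `compile.view_component` ActiveSupport::Notifications event for eager compilation at boot time.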
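--- a/data/lib/view_component/compiler.rb
+++ b/data/lib/view_component/compiler.rb
@@ -57,9 +57,8 @@ module ViewComponent
 end
 end
 
+# @param requested_details [ActionView::TemplateDetails::Requested] i.e. locales, formats, variants
 # @return all matching compiled templates, in priority order based on the requested details from LookupContext
-#
-# @param [ActionView::TemplateDetails::Requested] requested_details i.e. locales, formats, variants
 def find_templates_for(requested_details)
 filtered_templates = @templates.select do |template|
 template.details.matches?(requested_details)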
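--- a/data/lib/view_component/engine.rb
+++ b/data/lib/view_component/engine.rb
@@ -81,7 +81,11 @@ module ViewComponent
 ActiveSupport.on_load(:after_initialize) do
 if Rails.application.config.eager_load
 ActiveSupport::Notifications.instrument("compile.view_component") do
-ViewComponent::Base.descendants.each
+ViewComponent::Base.descendants.each do |component|
+next if component.anonymous?
+
+component.__vc_compile
+end
 end
 end
 end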
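Review bot: The added block on new lines 84–88 is a plain filter-then-each, which reads more directly as an Enumerable chain, `ViewComponent::Base.descendants.reject(&:anonymous?).each(&:__vc_compile)`, dropping the blank line and the `next`. Whichever form is kept, a short why-comment on the skip would help the next reader, e.g. `# skip anonymous subclasses: they have no class name to locate a template from` — assuming that is the reason, which the hunk itself does not show. The `on_load` block is complete within the hunk, but the enclosing `module ViewComponent` is not.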
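--- a/data/lib/view_component/preview.rb
+++ b/data/lib/view_component/preview.rb
@@ -40,6 +40,8 @@ module ViewComponent # :nodoc:
 
 # Returns the arguments for rendering of the component in its layout
 def render_args(example, params: {})
+raise AbstractController::ActionNotFound, "#{example} is not a valid preview example" unless examples.include?(example.to_s)
+
 example_params_names = instance_method(example).parameters.map(&:last)
 provided_params = params.slice(*example_params_names).to_h.symbolize_keys
 result = provided_params.empty? ? new.public_send(example) : new.public_send(example, **provided_params)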
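Review bot: The new guard on new line 43 rests entirely on `examples` (defined outside this hunk) listing only the examples declared on the preview subclass, as the changelog describes; since that invariant is what keeps inherited methods such as `render_with_template` off the URL surface, it deserves a comment at the raise, e.g. `# examples contains only methods declared on this preview class, so inherited helpers can never be selected by name from the request`. The check correctly runs before `instance_method(example)` and the later `public_send`, so an undeclared name never reaches reflection. The message interpolates the request-supplied `example` verbatim; `example.inspect` would make an unusual value unambiguous in logs. `render_args` continues beyond the hunk.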
data/lib/view_component/slot.rb
CHANGED
|
@@ -71,17 +71,16 @@ module ViewComponent
|
|
|
71
71
|
# assert_text("Hello, World!")
|
|
72
72
|
# ```
|
|
73
73
|
#
|
|
74
|
-
# Note: `#rendered_preview` expects a preview to be defined with the same class
|
|
75
|
-
# name as the calling test, but with `Test` replaced with `Preview`:
|
|
76
|
-
#
|
|
77
|
-
# MyComponentTest -> MyComponentPreview etc.
|
|
78
|
-
#
|
|
79
|
-
# In RSpec, `Preview` is appended to `described_class`.
|
|
80
|
-
#
|
|
81
74
|
# @param name [String] The name of the preview to be rendered.
|
|
82
75
|
# @param from [ViewComponent::Preview] The class of the preview to be rendered.
|
|
83
76
|
# @param params [Hash] Parameters to be passed to the preview.
|
|
84
77
|
# @return [Nokogiri::HTML5]
|
|
78
|
+
# @note `#rendered_preview` expects a preview to be defined with the same class
|
|
79
|
+
# name as the calling test, but with `Test` replaced with `Preview`:
|
|
80
|
+
#
|
|
81
|
+
# MyComponentTest -> MyComponentPreview etc.
|
|
82
|
+
#
|
|
83
|
+
# In RSpec, `Preview` is appended to `described_class`.
|
|
85
84
|
def render_preview(name, from: __vc_test_helpers_preview_class, params: {})
|
|
86
85
|
previews_controller = __vc_test_helpers_build_controller(Rails.application.config.view_component.previews.controller.constantize)
|
|
87
86
|
|
|
@@ -125,7 +124,7 @@ module ViewComponent
|
|
|
125
124
|
# end
|
|
126
125
|
# ```
|
|
127
126
|
#
|
|
128
|
-
# @param variants [Symbol
|
|
127
|
+
# @param variants [Array<Symbol>] The variants to be set for the provided block.
|
|
129
128
|
def with_variant(*variants)
|
|
130
129
|
old_variants = vc_test_controller.view_context.lookup_context.variants
|
|
131
130
|
|
|
@@ -162,7 +161,7 @@ module ViewComponent
|
|
|
162
161
|
# end
|
|
163
162
|
# ```
|
|
164
163
|
#
|
|
165
|
-
# @param formats [Symbol
|
|
164
|
+
# @param formats [Array<Symbol>] The format(s) to be set for the provided block.
|
|
166
165
|
def with_format(*formats)
|
|
167
166
|
old_formats = vc_test_controller.view_context.lookup_context.formats
|
|
168
167
|
|