view_component 3.24.0 → 3.25.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e50fc0d9c23700e9ca13233ffda7dd983deeaf93200325e81a25852866c115f5
-  data.tar.gz: c326352446cf7303cf0a5fb4967ffb391fdf363a272f31d88a9a074619230668
+  metadata.gz: 17958e9ab2fbfbce6d2d397332fb0683315d805bb2ca94920a570fcf544c43e8
+  data.tar.gz: 76b1b5f122715ac0086e78b8010dc5f03e9fad57180ce444c68f556b148d1a59
 SHA512:
-  metadata.gz: 61d508fd6b1ad6b4c53d85e55e972567b3cd08139380d48966f39be19e04803f480b368f3bdf82f9597ab4f487d2f9141bcf7ffff25b2542fbe4312d7c0d53e8
-  data.tar.gz: 546ec854a8ec8f8fbb611a4d45d4d645fcae74f4a5f467a4531d7492ac05695270eeb369f0eca180d67b7b29a427e0053ad456fc037d5fbc9e950d4012aa4d66
+  metadata.gz: 1ef7030f4690849614463924c9f10953609ef1a74508718cbe5d5f5049256ffcc51c67671a1b95a770bd96c0cd0b3b1f0f438bf56c3ba2265b252d1072f3faad
+  data.tar.gz: b54825e954ceef4e0f45bbc71cc59f92689275f02da9707e46c3fb30b30eb280b9e01b0b3585b3e6996da92dd5ce2c822d9dd839373e8a89660203a665a0ebb3

data/app/controllers/view_components_system_test_controller.rb

@@ -1,9 +1,13 @@
 # frozen_string_literal: true
 
+require "view_component/errors"
+
 class ViewComponentsSystemTestController < ActionController::Base # :nodoc:
   before_action :validate_test_env
   before_action :validate_file_path
 
+  rescue_from ViewComponent::SystemTestControllerNefariousPathError, with: :render_not_found
+
   def self.temp_dir
     @_tmpdir ||= FileUtils.mkdir_p("./tmp/view_components/").first
   end
@@ -14,6 +18,10 @@ class ViewComponentsSystemTestController < ActionController::Base # :nodoc:
 
   private
 
+  def render_not_found
+    head :not_found
+  end
+
   def validate_test_env
     raise ViewComponent::SystemTestControllerOnlyAllowedInTestError unless Rails.env.test?
   end
@@ -23,7 +31,8 @@ class ViewComponentsSystemTestController < ActionController::Base # :nodoc:
   def validate_file_path
     base_path = ::File.realpath(self.class.temp_dir)
     @path = ::File.realpath(params.permit(:file)[:file], base_path)
-    unless @path.start_with?(base_path)
+    allowed_prefix = "#{base_path}#{::File::SEPARATOR}"
+    unless @path == base_path || @path.start_with?(allowed_prefix)
       raise ViewComponent::SystemTestControllerNefariousPathError
     end
   end

data/docs/CHANGELOG.md

@@ -10,6 +10,24 @@ nav_order: 6
 
 ## main
 
+## 3.25.0
+
+* Support Rails `render_in` options signature. Rails [#50623](https://github.com/rails/rails/pull/50623) changed the `render_in` signature from `render_in(view_context, &block)` to `render_in(view_context, **options, &block)`. `ViewComponent::Base#render_in`, `ViewComponent::Collection#render_in`, and `ViewComponent::Instrumentation#render_in` now accept `**options`, restoring compatibility with Rails main and silencing the deprecation warning.
+
+    *Joel Hawksley*
+
+* Fix stale render context on reused component instances. A `ViewComponent::Base` instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format/variant on first render via `||=`. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. `#render_in` now resets these ivars on every call so each render derives its context from the current view.
+
+    *Joel Hawksley*
+
+* Fix path traversal vulnerability in `ViewComponentsSystemTestController` where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The `start_with?` check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.
+
+    *Joel Hawksley*
+
+* Fix preview route vulnerability where inherited methods on `ViewComponent::Preview` (such as `render_with_template`) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. `render_args` now raises `AbstractController::ActionNotFound` for any example not explicitly declared on the preview subclass.
+
+    *Joel Hawksley*
+
 ## 3.24.0
 
 * Add Rails 8.1 support to ViewComponent v3.

data/lib/view_component/base.rb

@@ -65,38 +65,49 @@ module ViewComponent
     # @param view_context [ActionView::Base] The original view context.
     # @return [void]
     def set_original_view_context(view_context)
-      self.__vc_original_view_context = view_context
+      # Stash on a separate ivar that survives `__vc_reset_render_state!` so a
+      # parent component can call `set_original_view_context` immediately before
+      # `render_in` without having that value clobbered by the per-render reset.
+      @__vc_pending_original_view_context = view_context
     end
 
     # Entrypoint for rendering components.
     #
     # - `view_context`: ActionView context from calling view
+    # - `options`: optional render options (e.g., locals)
     # - `block`: optional block to be captured within the view context
     #
     # Returns HTML that has been escaped by the respective template handler.
     #
     # @return [String]
-    def render_in(view_context, &block)
+    def render_in(view_context, **options, &block)
       self.class.compile(raise_errors: true)
 
+      __vc_reset_render_state!
+
       @view_context = view_context
-      self.__vc_original_view_context ||= view_context
+      self.__vc_original_view_context =
+        if instance_variable_defined?(:@__vc_pending_original_view_context)
+          remove_instance_variable(:@__vc_pending_original_view_context)
+        else
+          view_context
+        end
 
       @output_buffer = ActionView::OutputBuffer.new
 
-      @lookup_context ||= view_context.lookup_context
+      @lookup_context = view_context.lookup_context
 
       # required for path helpers in older Rails versions
-      @view_renderer ||= view_context.view_renderer
+      @view_renderer = view_context.view_renderer
 
       # For content_for
-      @view_flow ||= view_context.view_flow
+      @view_flow = view_context.view_flow
 
       # For i18n
       @virtual_path ||= virtual_path
 
       # For template variants (+phone, +desktop, etc.)
-      @__vc_variant ||= @lookup_context.variants.first
+      @__vc_variant = @lookup_context.variants.first
 
       # For caching, such as #cache_if
       @current_template = nil unless defined?(@current_template)
@@ -211,7 +222,7 @@ module ViewComponent
     # @private
     def render(options = {}, args = {}, &block)
       if options.respond_to?(:set_original_view_context)
-        options.set_original_view_context(self.__vc_original_view_context)
+        options.set_original_view_context(__vc_original_view_context)
         super
       else
         __vc_original_view_context.render(options, args, &block)
@@ -394,6 +405,23 @@ module ViewComponent
     # "ApplicationComponent" if defined, "ViewComponent::Base" otherwise.
     #
 
+    # Resets every render-scoped instance variable derived from the calling view
+    # context so a reused instance cannot leak controller/helper/request/format
+    # state from a previous render. Slot state (`@__vc_set_slots`,
+    # `@__vc_content_set_by_with_content`) is intentionally preserved because it
+    # is populated by callers _before_ `render_in` runs (e.g. via `with_*`
+    # slot setters or `with_content`).
+    def __vc_reset_render_state!
+      %i[
+        @__vc_controller
+        @__vc_helpers
+        @__vc_request
+        @__vc_original_view_context
+      ].each do |ivar|
+        remove_instance_variable(ivar) if instance_variable_defined?(ivar)
+      end
+    end
+
     # Configuration for generators.
     #
     # All options under this namespace default to `false` unless otherwise

data/lib/view_component/collection.rb

@@ -16,27 +16,13 @@ module ViewComponent
       self.__vc_original_view_context = view_context
     end
 
-    def render_in(view_context, &block)
+    def render_in(view_context, **options, &block)
       components.map do |component|
         component.set_original_view_context(__vc_original_view_context)
-        component.render_in(view_context, &block)
+        component.render_in(view_context, **options, &block)
       end.join(rendered_spacer(view_context)).html_safe
     end
 
-    def components
-      return @components if defined? @components
-
-      iterator = ActionView::PartialIteration.new(@collection.size)
-
-      component.validate_collection_parameter!(validate_default: true)
-
-      @components = @collection.map do |item|
-        component.new(**component_options(item, iterator)).tap do |component|
-          iterator.iterate!
-        end
-      end
-    end
-
     def each(&block)
       components.each(&block)
     end
@@ -49,6 +35,20 @@ module ViewComponent
 
     private
 
+    # Always rebuild child component instances per render to avoid leaking
+    # request-scoped state from a previous render into a later one.
+    def components
+      iterator = ActionView::PartialIteration.new(@collection.size)
+
+      component.validate_collection_parameter!(validate_default: true)
+
+      @collection.map do |item|
+        component.new(**component_options(item, iterator)).tap do |_|
+          iterator.iterate!
+        end
+      end
+    end
+
     def initialize(component, object, spacer_component, **options)
       @component = component
       @collection = collection_variable(object || [])
@@ -74,7 +74,7 @@ module ViewComponent
 
     def rendered_spacer(view_context)
       if @spacer_component
-        @spacer_component.set_original_view_context(__vc_original_view_context)
+        @spacer_component.set_original_view_context(__vc_original_view_context) if @spacer_component.respond_to?(:set_original_view_context)
         @spacer_component.render_in(view_context)
       else
         ""

data/lib/view_component/instrumentation.rb

@@ -8,7 +8,7 @@ module ViewComponent # :nodoc:
       mod.prepend(self) unless ancestors.include?(ViewComponent::Instrumentation)
     end
 
-    def render_in(view_context, &block)
+    def render_in(view_context, **options, &block)
       ActiveSupport::Notifications.instrument(
         notification_name,
         {

data/lib/view_component/preview.rb

@@ -42,6 +42,8 @@ module ViewComponent # :nodoc:
 
       # Returns the arguments for rendering of the component in its layout
       def render_args(example, params: {})
+        raise AbstractController::ActionNotFound, "#{example} is not a valid preview example" unless examples.include?(example.to_s)
+
         example_params_names = instance_method(example).parameters.map(&:last)
         provided_params = params.slice(*example_params_names).to_h.symbolize_keys
         result = provided_params.empty? ? new.public_send(example) : new.public_send(example, **provided_params)

data/lib/view_component/slot.rb

@@ -53,7 +53,7 @@ module ViewComponent
 
       @content =
         if __vc_component_instance?
-          @__vc_component_instance.__vc_original_view_context = @parent.__vc_original_view_context
+          @__vc_component_instance.set_original_view_context(@parent.__vc_original_view_context)
 
           if defined?(@__vc_content_block)
             # render_in is faster than `parent.render`

data/lib/view_component/version.rb

@@ -3,7 +3,7 @@
 module ViewComponent
   module VERSION
     MAJOR = 3
-    MINOR = 24
+    MINOR = 25
     PATCH = 0
     PRE = nil
 

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: view_component
 version: !ruby/object:Gem::Version
-  version: 3.24.0
+  version: 3.25.0
 platform: ruby
 authors:
 - ViewComponent Team
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -449,118 +450,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.0.1
-- !ruby/object:Gem::Dependency
-  name: net-imap
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: net-pop
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: net-smtp
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: base64
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: bigdecimal
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: drb
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: mutex_m
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: propshaft
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 1.1.0
+description: 
+email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -641,6 +532,7 @@ metadata:
   allowed_push_host: https://rubygems.org
   source_code_uri: https://github.com/viewcomponent/view_component
   changelog_uri: https://github.com/ViewComponent/view_component/blob/main/docs/CHANGELOG.md
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -655,7 +547,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.2
+rubygems_version: 3.0.3.1
+signing_key: 
 specification_version: 4
 summary: A framework for building reusable, testable & encapsulated view components
   in Ruby on Rails.