web-console 2.3.0 → 4.2.0

data/lib/web_console/extensions.rb

@@ -1,23 +1,34 @@
-ActionDispatch::DebugExceptions.class_eval do
-  def render_exception_with_web_console(request, exception)
-    render_exception_without_web_console(request, exception).tap do
-      # Retain superficial Rails 5 compatibility.
-      env = Hash === request ? request : request.env
+# frozen_string_literal: true
 
-      error = ActionDispatch::ExceptionWrapper.new(env, exception).exception
+module Kernel
+  module_function
 
-      # Get the original exception if ExceptionWrapper decides to follow it.
-      env['web_console.exception'] = error
+  # Instructs Web Console to render a console in the specified binding.
+  #
+  # If +binding+ isn't explicitly given it will default to the binding of the
+  # previous frame. E.g. the one that invoked +console+.
+  #
+  # Raises +DoubleRenderError+ if a more than one +console+ invocation per
+  # request is detected.
+  def console(binding = Bindex.current_bindings.second)
+    raise WebConsole::DoubleRenderError if Thread.current[:__web_console_binding]
 
-      # ActionView::Template::Error bypass ExceptionWrapper original
-      # exception following. The backtrace in the view is generated from
-      # reaching out to original_exception in the view.
-      if error.is_a?(ActionView::Template::Error)
-        env['web_console.exception'] = error.original_exception
-      end
-    end
+    Thread.current[:__web_console_binding] = binding
+
+    # Make sure nothing is rendered from the view helper. Otherwise
+    # you're gonna see unexpected #<Binding:0x007fee4302b078> in the
+    # templates.
+    nil
   end
+end
 
-  alias_method :render_exception_without_web_console, :render_exception
-  alias_method :render_exception, :render_exception_with_web_console
+class Binding
+  # Instructs Web Console to render a console in the current binding, without
+  # the need to unroll the stack.
+  #
+  # Raises +DoubleRenderError+ if a more than one +console+ invocation per
+  # request is detected.
+  def console
+    Kernel.console(self)
+  end
 end

data/lib/web_console/injector.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module WebConsole
+  # Injects content into a Rack body.
+  class Injector
+    def initialize(body, headers)
+      @body = "".dup
+
+      body.each { |part| @body << part }
+      body.close if body.respond_to?(:close)
+
+      @headers = headers
+    end
+
+    def inject(content)
+      # Set Content-Length header to the size of the current body
+      # + the extra content. Otherwise the response will be truncated.
+      if @headers["Content-Length"]
+        @headers["Content-Length"] = (@body.bytesize + content.bytesize).to_s
+      end
+
+      [
+        if position = @body.rindex("</body>")
+          [ @body.insert(position, content) ]
+        else
+          [ @body << content ]
+        end,
+        @headers
+      ]
+    end
+  end
+end

data/lib/web_console/interceptor.rb

@@ -0,0 +1,18 @@
+module WebConsole
+  module Interceptor
+    def self.call(request, exception)
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      error = ActionDispatch::ExceptionWrapper.new(backtrace_cleaner, exception).exception
+
+      # Get the original exception if ExceptionWrapper decides to follow it.
+      Thread.current[:__web_console_exception] = error
+
+      # ActionView::Template::Error bypass ExceptionWrapper original
+      # exception following. The backtrace in the view is generated from
+      # reaching out to original_exception in the view.
+      if error.is_a?(ActionView::Template::Error)
+        Thread.current[:__web_console_exception] = error.cause
+      end
+    end
+  end
+end

data/lib/web_console/locales/en.yml

@@ -1,7 +1,7 @@
 en:
   errors:
     unavailable_session: |
-      Session %{id} is is no longer available in memory.
+      Session %{id} is no longer available in memory.
 
       If you happen to run on a multi-process server (like Unicorn or Puma) the process
       this request hit doesn't store %{id} in memory. Consider turning the number of

data/lib/web_console/middleware.rb

@@ -1,14 +1,13 @@
-require 'active_support/core_ext/string/strip'
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/strip"
 
 module WebConsole
   class Middleware
-    TEMPLATES_PATH = File.expand_path('../templates', __FILE__)
-
-    cattr_accessor :mount_point
-    @@mount_point = '/__web_console'
+    TEMPLATES_PATH = File.expand_path("../templates", __FILE__)
 
-    cattr_accessor :whiny_requests
-    @@whiny_requests = true
+    cattr_accessor :mount_point, default: "/__web_console"
+    cattr_accessor :whiny_requests, default: true
 
     def initialize(app)
       @app = app
@@ -17,7 +16,7 @@ module WebConsole
     def call(env)
       app_exception = catch :app_exception do
         request = create_regular_or_whiny_request(env)
-        return @app.call(env) unless request.from_whitelited_ip?
+        return call_app(env) unless request.permitted?
 
         if id = id_for_repl_session_update(request)
           return update_repl_session(id, request)
@@ -25,49 +24,46 @@ module WebConsole
           return change_stack_trace(id, request)
         end
 
-        status, headers, body = @app.call(env)
 
-        if exception = env['web_console.exception']
-          session = Session.from_exception(exception)
-        elsif binding = env['web_console.binding']
-          session = Session.from_binding(binding)
-        end
+        status, headers, body = call_app(env)
 
-        if session && acceptable_content_type?(headers)
-          response = Response.new(body, status, headers)
-          template = Template.new(env, session)
+        if (session = Session.from(Thread.current)) && acceptable_content_type?(headers)
+          headers["X-Web-Console-Session-Id"] = session.id
+          headers["X-Web-Console-Mount-Point"] = mount_point
 
-          response.headers["X-Web-Console-Session-Id"] = session.id
-          response.headers["X-Web-Console-Mount-Point"] = mount_point
-          response.write(template.render('index'))
-          response.finish
-        else
-          [ status, headers, body ]
+          template = Template.new(env, session)
+          body, headers = Injector.new(body, headers).inject(template.render("index"))
         end
+
+        [ status, headers, body ]
       end
     rescue => e
       WebConsole.logger.error("\n#{e.class}: #{e}\n\tfrom #{e.backtrace.join("\n\tfrom ")}")
       raise e
     ensure
+      # Clean up the fiber locals after the session creation. Object#console
+      # uses those to communicate the current binding or exception to the middleware.
+      Thread.current[:__web_console_exception] = nil
+      Thread.current[:__web_console_binding] = nil
+
       raise app_exception if Exception === app_exception
     end
 
     private
 
       def acceptable_content_type?(headers)
-        Mime::Type.parse(headers['Content-Type']).first == Mime::HTML
+        headers["Content-Type"].to_s.include?("html")
       end
 
       def json_response(opts = {})
         status  = opts.fetch(:status, 200)
-        headers = { 'Content-Type' => 'application/json; charset = utf-8' }
+        headers = { "Content-Type" => "application/json; charset = utf-8" }
         body    = yield.to_json
 
-        Rack::Response.new(body, status, headers).finish
+        [ status, headers, [ body ] ]
       end
 
       def json_response_with_session(id, request, opts = {})
-        return respond_with_unacceptable_request unless request.acceptable?
         return respond_with_unavailable_session(id) unless session = Session.find(id)
 
         json_response(opts) { yield session }
@@ -104,13 +100,17 @@ module WebConsole
 
       def update_repl_session(id, request)
         json_response_with_session(id, request) do |session|
-          { output: session.eval(request.params[:input]) }
+          if input = request.params[:input]
+            { output: session.eval(input) }
+          elsif input = request.params[:context]
+            { context: session.context(input) }
+          end
         end
       end
 
       def change_stack_trace(id, request)
         json_response_with_session(id, request) do |session|
-          session.switch_binding_to(request.params[:frame_id])
+          session.switch_binding_to(request.params[:frame_id], request.params[:exception_object_id])
 
           { ok: true }
         end
@@ -118,13 +118,13 @@ module WebConsole
 
       def respond_with_unavailable_session(id)
         json_response(status: 404) do
-          { output: format(I18n.t('errors.unavailable_session'), id: id)}
+          { output: format(I18n.t("errors.unavailable_session"), id: id) }
         end
       end
 
       def respond_with_unacceptable_request
         json_response(status: 406) do
-          { output: I18n.t('errors.unacceptable_request') }
+          { output: I18n.t("errors.unacceptable_request") }
         end
       end
 

data/lib/web_console/permissions.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "ipaddr"
+
+module WebConsole
+  class Permissions
+    # IPv4 and IPv6 localhost should be always allowed.
+    ALWAYS_PERMITTED_NETWORKS = %w( 127.0.0.0/8 ::1 )
+
+    def initialize(networks = nil)
+      @networks = normalize_networks(networks).map(&method(:coerce_network_to_ipaddr)).uniq
+    end
+
+    def include?(network)
+      @networks.any? { |permission| permission.include?(network.to_s) }
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+
+    def to_s
+      @networks.map(&method(:human_readable_ipaddr)).join(", ")
+    end
+
+    private
+
+      def normalize_networks(networks)
+        Array(networks).concat(ALWAYS_PERMITTED_NETWORKS)
+      end
+
+      def coerce_network_to_ipaddr(network)
+        if network.is_a?(IPAddr)
+          network
+        else
+          IPAddr.new(network)
+        end
+      end
+
+      def human_readable_ipaddr(ipaddr)
+        ipaddr.to_range.to_s.split("..").uniq.join("/")
+      end
+  end
+end

data/lib/web_console/railtie.rb

@@ -1,32 +1,28 @@
-require 'rails/railtie'
+# frozen_string_literal: true
+
+require "rails/railtie"
 
 module WebConsole
   class Railtie < ::Rails::Railtie
     config.web_console = ActiveSupport::OrderedOptions.new
-    config.web_console.whitelisted_ips = %w( 127.0.0.1 ::1 )
-
-    initializer 'web_console.initialize' do
-      require 'web_console/extensions'
 
-      ActiveSupport.on_load(:action_view) do
-        ActionView::Base.send(:include, Helper)
-      end
+    initializer "web_console.initialize" do
+      require "bindex"
+      require "web_console/extensions"
 
-      ActiveSupport.on_load(:action_controller) do
-        ActionController::Base.send(:include, Helper)
-      end
+      ActionDispatch::DebugExceptions.register_interceptor(Interceptor)
     end
 
-    initializer 'web_console.development_only' do
+    initializer "web_console.development_only" do
       unless (config.web_console.development_only == false) || Rails.env.development?
         abort <<-END.strip_heredoc
-          Web Console is activated in the #{Rails.env} environment, which is
+          Web Console is activated in the #{Rails.env} environment. This is
           usually a mistake. To ensure it's only activated in development
           mode, move it to the development group of your Gemfile:
 
               gem 'web-console', group: :development
 
-          If you still want to run it the #{Rails.env} environment (and know
+          If you still want to run it in the #{Rails.env} environment (and know
           what you are doing), put this in your Rails application
           configuration:
 
@@ -35,36 +31,54 @@ module WebConsole
       end
     end
 
-    initializer 'web_console.insert_middleware' do |app|
+    initializer "web_console.insert_middleware" do |app|
       app.middleware.insert_before ActionDispatch::DebugExceptions, Middleware
     end
 
-    initializer 'web_console.mount_point' do
+    initializer "web_console.mount_point" do
       if mount_point = config.web_console.mount_point
-        Middleware.mount_point = mount_point.chomp('/')
+        Middleware.mount_point = mount_point.chomp("/")
+      end
+
+      if root = Rails.application.config.relative_url_root
+        Middleware.mount_point = File.join(root, Middleware.mount_point)
       end
     end
 
-    initializer 'web_console.template_paths' do
+    initializer "web_console.template_paths" do
       if template_paths = config.web_console.template_paths
         Template.template_paths.unshift(*Array(template_paths))
       end
     end
 
-    initializer 'web_console.whitelisted_ips' do
-      if whitelisted_ips = config.web_console.whitelisted_ips
-        Request.whitelisted_ips = Whitelist.new(whitelisted_ips)
+    initializer "web_console.permissions" do
+      permissions = web_console_permissions
+      Request.permissions = Permissions.new(permissions)
+    end
+
+    def web_console_permissions
+      case
+      when config.web_console.permissions
+        config.web_console.permissions
+      when config.web_console.allowed_ips
+        config.web_console.allowed_ips
+      when config.web_console.whitelisted_ips
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          The config.web_console.whitelisted_ips is deprecated and will be ignored in future release of web_console.
+          Please use config.web_console.allowed_ips instead.
+        MSG
+        config.web_console.whitelisted_ips
       end
     end
 
-    initializer 'web_console.whiny_requests' do
+    initializer "web_console.whiny_requests" do
       if config.web_console.key?(:whiny_requests)
         Middleware.whiny_requests = config.web_console.whiny_requests
       end
     end
 
-    initializer 'i18n.load_path' do
-      config.i18n.load_path.concat(Dir[File.expand_path('../locales/*.yml', __FILE__)])
+    initializer "i18n.load_path" do
+      config.i18n.load_path.concat(Dir[File.expand_path("../locales/*.yml", __FILE__)])
     end
   end
 end

data/lib/web_console/request.rb

@@ -1,29 +1,17 @@
+# frozen_string_literal: true
+
 module WebConsole
-  # Web Console tailored request object.
   class Request < ActionDispatch::Request
-    # Configurable set of whitelisted networks.
-    cattr_accessor :whitelisted_ips
-    @@whitelisted_ips = Whitelist.new
-
-    # Define a vendor MIME type. We can call it using Mime::WEB_CONSOLE_V2 constant.
-    Mime::Type.register 'application/vnd.web-console.v2', :web_console_v2
+    cattr_accessor :permissions, default: Permissions.new
 
-    # Returns whether a request came from a whitelisted IP.
-    #
-    # For a request to hit Web Console features, it needs to come from a white
-    # listed IP.
-    def from_whitelited_ip?
-      whitelisted_ips.include?(strict_remote_ip)
+    def permitted?
+      permissions.include?(strict_remote_ip)
     end
 
-    # Determines the remote IP using our much stricter whitelist.
     def strict_remote_ip
-      GetSecureIp.new(self, whitelisted_ips).to_s
-    end
-
-    # Returns whether the request is acceptable.
-    def acceptable?
-      xhr? && accepts.any? { |mime| Mime::WEB_CONSOLE_V2 == mime }
+      GetSecureIp.new(self, permissions).to_s
+    rescue ActionDispatch::RemoteIp::IpSpoofAttackError
+      "[Spoofed]"
     end
 
     private

data/lib/web_console/session.rb

@@ -1,16 +1,17 @@
+# frozen_string_literal: true
+
 module WebConsole
-  # A session lets you persist wrap an +Evaluator+ instance in memory
-  # associated with multiple bindings.
+  # A session lets you persist an +Evaluator+ instance in memory associated
+  # with multiple bindings.
   #
   # Each newly created session is persisted into memory and you can find it
-  # later its +id+.
+  # later by its +id+.
   #
   # A session may be associated with multiple bindings. This is used by the
   # error pages only, as currently, this is the only client that needs to do
   # that.
   class Session
-    cattr_reader :inmemory_storage
-    @@inmemory_storage = {}
+    cattr_reader :inmemory_storage, default: {}
 
     class << self
       # Finds a persisted session in memory by its id.
@@ -21,24 +22,30 @@ module WebConsole
         inmemory_storage[id]
       end
 
-      # Create a Session from an exception.
-      def from_exception(exc)
-        new(exc.bindings)
-      end
-
-      # Create a Session from a single binding.
-      def from_binding(binding)
-        new(binding)
+      # Create a Session from an binding or exception in a storage.
+      #
+      # The storage is expected to respond to #[]. The binding is expected in
+      # :__web_console_binding and the exception in :__web_console_exception.
+      #
+      # Can return nil, if no binding or exception have been preserved in the
+      # storage.
+      def from(storage)
+        if exc = storage[:__web_console_exception]
+          new(ExceptionMapper.follow(exc))
+        elsif binding = storage[:__web_console_binding]
+          new([[binding]])
+        end
       end
     end
 
     # An unique identifier for every REPL.
     attr_reader :id
 
-    def initialize(bindings)
+    def initialize(exception_mappers)
       @id = SecureRandom.hex(16)
-      @bindings = Array(bindings)
-      @evaluator = Evaluator.new(@bindings[0])
+
+      @exception_mappers = exception_mappers
+      @evaluator         = Evaluator.new(@current_binding = exception_mappers.first.first)
 
       store_into_memory
     end
@@ -53,8 +60,15 @@ module WebConsole
     # Switches the current binding to the one at specified +index+.
     #
     # Returns nothing.
-    def switch_binding_to(index)
-      @evaluator = Evaluator.new(@bindings[index.to_i])
+    def switch_binding_to(index, exception_object_id)
+      bindings = ExceptionMapper.find_binding(@exception_mappers, exception_object_id)
+
+      @evaluator = Evaluator.new(@current_binding = bindings[index.to_i])
+    end
+
+    # Returns context of the current binding
+    def context(objpath)
+      Context.new(@current_binding).extract(objpath)
     end
 
     private

data/lib/web_console/source_location.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class SourceLocation
+  def initialize(binding)
+    @binding = binding
+  end
+
+  if RUBY_VERSION >= "2.6"
+    def path() @binding.source_location.first end
+    def lineno() @binding.source_location.last end
+  else
+    def path() @binding.eval("__FILE__") end
+    def lineno() @binding.eval("__LINE__") end
+  end
+end

data/lib/web_console/tasks/extensions.rake

@@ -1,23 +1,25 @@
+# frozen_string_literal: true
+
 namespace :ext do
-  rootdir = Pathname('extensions')
+  rootdir = Pathname("extensions")
 
-  desc 'Build Chrome Extension'
-  task chrome: 'chrome:build'
+  desc "Build Chrome Extension"
+  task chrome: "chrome:build"
 
   namespace :chrome do
-    dist   = Pathname('dist/crx')
+    dist   = Pathname("dist/crx")
     extdir = rootdir.join(dist)
-    manifest_json = rootdir.join('chrome/manifest.json')
+    manifest_json = rootdir.join("chrome/manifest.json")
 
     directory extdir
 
-    task build: [ extdir, 'lib:templates' ] do
+    task build: [ extdir, "lib:templates" ] do
       cd rootdir do
-        cp_r [ 'img/', 'tmp/lib/' ], dist
+        cp_r [ "img/", "tmp/lib/" ], dist
         `cd chrome && git ls-files`.split("\n").each do |src|
           dest = dist.join(src)
           mkdir_p dest.dirname
-          cp Pathname('chrome').join(src), dest
+          cp Pathname("chrome").join(src), dest
         end
       end
     end
@@ -34,7 +36,7 @@ namespace :ext do
       cd(extdir) { sh "zip -r ../crx-web-console-#{version}.zip ./" }
     end
 
-    desc 'Launch a browser with the chrome extension.'
+    desc "Launch a browser with the chrome extension."
     task run: [ :build ] do
       cd(rootdir) { sh "sh ./script/run_chrome.sh --load-extension=#{dist}" }
     end
@@ -45,15 +47,15 @@ namespace :ext do
   end
 
   namespace :lib do
-    templates = Pathname('lib/web_console/templates')
-    tmplib    = rootdir.join('tmp/lib/')
-    js_erb    = FileList.new(templates.join('**/*.js.erb'))
+    templates = Pathname("lib/web_console/templates")
+    tmplib    = rootdir.join("tmp/lib/")
+    js_erb    = FileList.new(templates.join("**/*.js.erb"))
     dirs      = js_erb.pathmap("%{^#{templates},#{tmplib}}d")
 
     task templates: dirs + js_erb.pathmap("%{^#{templates},#{tmplib}}X")
 
     dirs.each { |d| directory d }
-    rule '.js' => [ "%{^#{tmplib},#{templates}}X.js.erb" ] do |t|
+    rule ".js" => [ "%{^#{tmplib},#{templates}}X.js.erb" ] do |t|
       File.write(t.name, WebConsole::Testing::ERBPrecompiler.new(t.source).build)
     end
   end

data/lib/web_console/tasks/templates.rake

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+namespace :templates do
+  desc "Run tests for templates"
+  task test: [ :daemonize, :npm, :rackup, :wait, :mocha, :kill, :exit ]
+  task serve: [ :npm, :rackup ]
+
+  workdir = Pathname(EXPANDED_CWD).join("test/templates")
+  pid     = Pathname(Dir.tmpdir).join("web_console_test.pid")
+  runner  = URI.parse("http://#{ENV['IP'] || '127.0.0.1'}:#{ENV['PORT'] || 29292}/html/test_runner.html")
+  rackup  = "rackup --host #{runner.host} --port #{runner.port}"
+  result  = nil
+  browser = "phantomjs"
+
+  def need_to_wait?(uri)
+    Net::HTTP.start(uri.host, uri.port) { |http| http.get(uri.path) }
+  rescue Errno::ECONNREFUSED
+    retry if yield
+  end
+
+  task :daemonize do
+    rackup += " -D --pid #{pid}"
+  end
+
+  task npm: [ :phantomjs ] do
+    Dir.chdir(workdir) { system "npm install --silent" }
+  end
+
+  task :phantomjs do
+    unless system("which #{browser} >/dev/null")
+      browser = "./node_modules/.bin/phantomjs"
+      Dir.chdir(workdir) { system("test -f #{browser} || npm install --silent phantomjs-prebuilt") }
+    end
+  end
+
+  task :rackup do
+    Dir.chdir(workdir) { system rackup }
+  end
+
+  task :wait do
+    cnt = 0
+    need_to_wait?(runner) { sleep 1; cnt += 1; cnt < 5 }
+  end
+
+  task :mocha do
+    Dir.chdir(workdir) { result = system("#{browser} ./node_modules/mocha-phantomjs-core/mocha-phantomjs-core.js #{runner} dot") }
+  end
+
+  task :kill do
+    system "kill #{File.read pid}"
+  end
+
+  task :exit do
+    exit result
+  end
+end