web-console 3.7.0 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1e0540ac7a81a49deaad0b10cd764ca4d02ca2e9a630ef6d775051dec6e5ef55
-  data.tar.gz: 80352b0d87ea7718cd08597c159d67edbafb2e5f9e46f674f48d1011a7118fc1
+  metadata.gz: 1e582f6eaaeff0b5fd7bedde53a6101c43eb8b5b86cda5f2a0e5a535b10c7bfc
+  data.tar.gz: 5ed7fe9a6bbb404eb7c1a9d4e594a559ca7e65f5184f342a1882cb33152aac2b
 SHA512:
-  metadata.gz: e954cedb636a015d9cb86ddc60e4e97e44f61df6d7eaac89144c2b7b39207883117186c81420d2e90719f42d9acc6d397842f6750600b04681db47093c4e506a
-  data.tar.gz: c091ef07d8462544f8f8367143a5b1ef8579a901cb1cfd88e463a2a37e3955f8c769f7a3206b2b4da442db27c3743a5e86ce9c69f82a6f954d1301d4e7629055
+  metadata.gz: 9805b430a93e04d8b1865efbb1c10824cd198f79fe8ba3bb2e4b934de2eed777f09c13200d3f07a4db82cf09285c8ea6e60b505186d86ac0d52e45ab937f3130
+  data.tar.gz: ac73f59d7603a019b5a0c96cb7d2583ee8280198dbd719a071c7b77af71650cfd7333c7bb481f98552ba7ed933ddbc3ee00e235292a4c337e2520d71e10975a9

data/CHANGELOG.markdown

@@ -2,6 +2,40 @@
 
 ## master (unreleased)
 
+## 4.1.0
+
+* [#304](https://github.com/rails/web-console/pull/304) Add support for Rails 6.1 ([@stephannv])
+* [#298](https://github.com/rails/web-console/pull/298) Prevent deprecation warnings by removing template formats ([@mikelkew])
+* [#297](https://github.com/rails/web-console/pull/297) Use MutationObserver instead of Mutation Events ([@mikelkew])
+* [#296](https://github.com/rails/web-console/pull/296) Add CSP nonce to injected scripts and styles ([@mikelkew])
+
+## 4.0.4
+
+* [fb483743](https://github.com/rails/web-console/commit/fb483743a6a2a4168cdc0b2e03f48fc393991b73) Fix a crash on webrick with Rack 2.2.3 ([@gsamokovarov])
+
+## 4.0.3
+
+* [#291](https://github.com/rails/web-console/pull/291) Deprecate config.web_console.whitelisted_ips ([@JuanitoFatas])
+* [#290](https://github.com/rails/web-console/pull/290) Fix Content-Length for rack >= 2.1.0 ([@p8])
+
+## 4.0.2
+
+* [#285](https://github.com/rails/web-console/pull/285) Increase timeout on paste ([@celvro])
+
+## 4.0.1
+
+* [#279](https://github.com/rails/web-console/pull/279) Fix initial config.web_console.permissions value ([@patorash])
+
+## 4.0.0
+
+* [61ce65b5](https://github.com/rails/web-console/commit/61ce65b599f56809de1bd8da6590a80acbd92017) Move to config.web_console.permissions ([@gsamokovarov])
+* [96127ac1](https://github.com/rails/web-console/commit/96127aac143e1e653fffdc4bb65e1ce0b5ff342d) Introduce Binding#console as an alternative interface ([@gsamokovarov])
+* [d4591ca5](https://github.com/rails/web-console/commit/d4591ca5396ed15a08818f3da11134852a485b27) Introduce Rails 6 support ([@gsamokovarov])
+* [f97d8a88](https://github.com/rails/web-console/commit/f97d8a889a38366485e5c5e8985995c19bf61d13) Introduce Ruby 2.6 support ([@gsamokovarov])
+* [d6deacd9](https://github.com/rails/web-console/commit/d6deacd9d5fcaabf3e3051d6985b53f924f86956) Drop Rails 5 support ([@gsamokovarov])
+* [90fda878](https://github.com/rails/web-console/commit/90fda8789d402f05647c18f8cdf8e5c3d01692dd) Drop Ruby 2.4 support ([@gsamokovarov])
+* [#265](https://github.com/rails/web-console/pull/265) Add support for nested exceptions ([@yuki24])
+
 ## 3.7.0
 
 * [#263](https://github.com/rails/web-console/pull/263) Show binding changes ([@causztic])
@@ -118,6 +152,8 @@ go to 3.1.0 instead.
 * [#84](https://github.com/rails/web-console/pull/84) Allow Rails 5 as dependency in gemspec ([@jonatack])
 * [#69](https://github.com/rails/web-console/pull/69) Introduce middleware for request dispatch and console rendering ([@gsamokovarov])
 
+[@stephannv]: https://github.com/stephannv
+[@mikelkew]: https://github.com/mikelkew
 [@jonatack]: https://github.com/jonatack
 [@ryandao]: https://github.com/ryandao
 [@jeffnv]: https://github.com/jeffnv
@@ -138,3 +174,8 @@ go to 3.1.0 instead.
 [@fl0l0u]: https://github.com/fl0l0u
 [@timomeh]: https://github.com/timomeh
 [@causztic]: https://github.com/causztic
+[@yuki24]: https://github.com/yuki24
+[@patorash]: https://github.com/patorash
+[@celvro]: https://github.com/celvro
+[@JuanitoFatas]: https://github.com/JuanitoFatas
+[@p8]: https://github.com/p8

data/README.markdown

@@ -1,7 +1,8 @@
 <p align=right>
-  Documentation for:
+  <strong>Current version: 4.1.0</strong> Documentation for:
   <a href=https://github.com/rails/web-console/tree/v1.0.4>v1.0.4</a>
   <a href=https://github.com/rails/web-console/tree/v2.2.1>v2.2.1</a>
+  <a href=https://github.com/rails/web-console/tree/v3.7.0>v3.7.0</a>
 </p>
 
 # Web Console [![Build Status](https://travis-ci.org/rails/web-console.svg?branch=master)](https://travis-ci.org/rails/web-console)
@@ -16,7 +17,7 @@ _Web Console_ is a debugging tool for your Ruby on Rails applications.
 
 ## Installation
 
-Add the following to your `Gemfile`.
+Add the following to your `Gemfile`:
 
 ```ruby
 group :development do
@@ -27,8 +28,8 @@ end
 ## Usage
 
 The web console allows you to create an interactive Ruby session in your
-browser. Those sessions are launched automatically in case of an error, but
-they can also be launched manually in any page.
+browser. Those sessions are launched automatically in case of an error and can
+also be launched manually in any page.
 
 For example, calling `console` in a view will display a console in the current
 page in the context of the view binding.
@@ -56,30 +57,30 @@ have multiple ones, `WebConsole::DoubleRenderError` will be raised.
 
 ## Configuration
 
-_Web Console_ allows you to execute arbitrary code on the server, so you
-should be very careful, who you give access to.
+_Web Console_ allows you to execute arbitrary code on the server. Therefore, be
+very careful who you give access to.
 
-### config.web_console.whitelisted_ips
+### config.web_console.permissions
 
 By default, only requests coming from IPv4 and IPv6 localhosts are allowed.
 
-`config.web_console.whitelisted_ips` lets you control which IP's have access to
+`config.web_console.permissions` lets you control which IP's have access to
 the console.
 
-You can whitelist single IP's or whole networks. Say you want to share your
-console with `192.168.0.100`. You can do this:
+You can allow single IP's or whole networks. Say you want to share your
+console with `192.168.0.100`:
 
 ```ruby
 class Application < Rails::Application
-  config.web_console.whitelisted_ips = '192.168.0.100'
+  config.web_console.permissions = '192.168.0.100'
 end
 ```
 
-If you want to whitelist the whole private network, you can do:
+If you want to allow the whole private network:
 
 ```ruby
 Rails.application.configure do
-  config.web_console.whitelisted_ips = '192.168.0.0/16'
+  config.web_console.permissions = '192.168.0.0/16'
 end
 ```
 
@@ -88,8 +89,8 @@ case in 2.0.
 
 ### config.web_console.whiny_requests
 
-When a console cannot be shown for a given IP address or content type, a
-messages like the following is printed in the server logs:
+When a console cannot be shown for a given IP address or content type,
+messages such as the following is printed in the server logs:
 
 > Cannot render console from 192.168.1.133! Allowed networks:
 > 127.0.0.0/127.255.255.255, ::1
@@ -104,7 +105,7 @@ end
 
 ### config.web_console.template_paths
 
-If you want to style the console yourself, you can place `style.css` at a
+If you want to style the console yourself, then you can place `style.css` at a
 directory pointed by `config.web_console.template_paths`:
 
 ```ruby
@@ -119,8 +120,8 @@ may override.
 ### config.web_console.mount_point
 
 Usually the middleware of _Web Console_ is mounted at `/__web_console`.
-If you want to change the path for some reasons, you can specify it
-by `config.web_console.mount_point`:
+If there is a need to change the path, then you can specify it by
+`config.web_console.mount_point`:
 
 ```ruby
 Rails.application.configure do
@@ -132,7 +133,7 @@ end
 
 ### Where did /console go?
 
-The remote terminal emulator was extracted in its own gem that is no longer
+The remote terminal emulator was extracted in its own gem which is no longer
 bundled with _Web Console_.
 
 If you miss this feature, check out [rvt].
@@ -140,11 +141,11 @@ If you miss this feature, check out [rvt].
 ### Why do I constantly get unavailable session errors?
 
 All of _Web Console_ sessions are stored in memory. If you happen to run on a
-multi-process server (like Unicorn) you may get unavailable session errors
+multi-process server (like Unicorn), you may encounter unavailable session errors
 while the server is still running. This is because a request may hit a
 different worker (process) that doesn't have the desired session in memory.
 To avoid that, if you use such servers in development, configure them so they
-server requests only out of one process.
+serve requests only out of one process.
 
 #### Passenger
 

data/lib/web_console.rb

@@ -11,12 +11,14 @@ module WebConsole
   autoload :ExceptionMapper
   autoload :Session
   autoload :Injector
+  autoload :Interceptor
   autoload :Request
   autoload :WhinyRequest
-  autoload :Whitelist
+  autoload :Permissions
   autoload :Template
   autoload :Middleware
   autoload :Context
+  autoload :SourceLocation
 
   autoload_at "web_console/errors" do
     autoload :Error

data/lib/web_console/evaluator.rb

@@ -8,9 +8,11 @@ module WebConsole
   # return a string and will format exception output.
   class Evaluator
     # Cleanses exceptions raised inside #eval.
-    cattr_reader :cleaner
-    @@cleaner = ActiveSupport::BacktraceCleaner.new
-    @@cleaner.add_silencer { |line| line.start_with?(File.expand_path("..", __FILE__)) }
+    cattr_reader :cleaner, default: begin
+      cleaner = ActiveSupport::BacktraceCleaner.new
+      cleaner.add_silencer { |line| line.start_with?(File.expand_path("..", __FILE__)) }
+      cleaner
+    end
 
     def initialize(binding = TOPLEVEL_BINDING)
       @binding = binding

data/lib/web_console/exception_mapper.rb

@@ -2,9 +2,28 @@
 
 module WebConsole
   class ExceptionMapper
+    attr_reader :exc
+
+    def self.follow(exc)
+      mappers = [new(exc)]
+
+      while cause = (cause || exc).cause
+        mappers << new(cause)
+      end
+
+      mappers
+    end
+
+    def self.find_binding(mappers, exception_object_id)
+      mappers.detect do |exception_mapper|
+        exception_mapper.exc.object_id == exception_object_id.to_i
+      end || mappers.first
+    end
+
     def initialize(exception)
       @backtrace = exception.backtrace
       @bindings = exception.bindings
+      @exc = exception
     end
 
     def first
@@ -22,13 +41,15 @@ module WebConsole
         line = line.to_i
 
         @bindings.find do |binding|
-          binding.eval("__FILE__") == file && binding.eval("__LINE__") == line
+          source_location = SourceLocation.new(binding)
+          source_location.path == file && source_location.lineno == line
         end
       end
 
       def guess_the_first_application_binding
         @bindings.find do |binding|
-          binding.eval("__FILE__").to_s.start_with?(Rails.root.to_s)
+          source_location = SourceLocation.new(binding)
+          source_location.path.to_s.start_with?(Rails.root.to_s)
         end
       end
   end

data/lib/web_console/extensions.rb

@@ -8,8 +8,8 @@ module Kernel
   # If +binding+ isn't explicitly given it will default to the binding of the
   # previous frame. E.g. the one that invoked +console+.
   #
-  # Raises DoubleRenderError if a double +console+ invocation per request is
-  # detected.
+  # Raises +DoubleRenderError+ if a more than one +console+ invocation per
+  # request is detected.
   def console(binding = Bindex.current_bindings.second)
     raise WebConsole::DoubleRenderError if Thread.current[:__web_console_binding]
 
@@ -22,26 +22,13 @@ module Kernel
   end
 end
 
-module ActionDispatch
-  class DebugExceptions
-    def render_exception_with_web_console(request, exception)
-      render_exception_without_web_console(request, exception).tap do
-        backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
-        error = ExceptionWrapper.new(backtrace_cleaner, exception).exception
-
-        # Get the original exception if ExceptionWrapper decides to follow it.
-        Thread.current[:__web_console_exception] = error
-
-        # ActionView::Template::Error bypass ExceptionWrapper original
-        # exception following. The backtrace in the view is generated from
-        # reaching out to original_exception in the view.
-        if error.is_a?(ActionView::Template::Error)
-          Thread.current[:__web_console_exception] = error.cause
-        end
-      end
-    end
-
-    alias_method :render_exception_without_web_console, :render_exception
-    alias_method :render_exception, :render_exception_with_web_console
+class Binding
+  # Instructs Web Console to render a console in the current binding, without
+  # the need to unroll the stack.
+  #
+  # Raises +DoubleRenderError+ if a more than one +console+ invocation per
+  # request is detected.
+  def console
+    Kernel.console(self)
   end
 end

data/lib/web_console/injector.rb

@@ -13,9 +13,11 @@ module WebConsole
     end
 
     def inject(content)
-      # Remove any previously set Content-Length header because we modify
-      # the body. Otherwise the response will be truncated.
-      @headers.delete("Content-Length")
+      # Set Content-Length header to the size of the current body
+      # + the extra content. Otherwise the response will be truncated.
+      if @headers["Content-Length"]
+        @headers["Content-Length"] = (@body.bytesize + content.bytesize).to_s
+      end
 
       [
         if position = @body.rindex("</body>")

data/lib/web_console/interceptor.rb

@@ -0,0 +1,18 @@
+module WebConsole
+  module Interceptor
+    def self.call(request, exception)
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      error = ActionDispatch::ExceptionWrapper.new(backtrace_cleaner, exception).exception
+
+      # Get the original exception if ExceptionWrapper decides to follow it.
+      Thread.current[:__web_console_exception] = error
+
+      # ActionView::Template::Error bypass ExceptionWrapper original
+      # exception following. The backtrace in the view is generated from
+      # reaching out to original_exception in the view.
+      if error.is_a?(ActionView::Template::Error)
+        Thread.current[:__web_console_exception] = error.cause
+      end
+    end
+  end
+end

data/lib/web_console/middleware.rb

@@ -6,11 +6,8 @@ module WebConsole
   class Middleware
     TEMPLATES_PATH = File.expand_path("../templates", __FILE__)
 
-    cattr_accessor :mount_point
-    @@mount_point = "/__web_console"
-
-    cattr_accessor :whiny_requests
-    @@whiny_requests = true
+    cattr_accessor :mount_point, default: "/__web_console"
+    cattr_accessor :whiny_requests, default: true
 
     def initialize(app)
       @app = app
@@ -19,7 +16,7 @@ module WebConsole
     def call(env)
       app_exception = catch :app_exception do
         request = create_regular_or_whiny_request(env)
-        return call_app(env) unless request.from_whitelisted_ip?
+        return call_app(env) unless request.permitted?
 
         if id = id_for_repl_session_update(request)
           return update_repl_session(id, request)
@@ -27,6 +24,7 @@ module WebConsole
           return change_stack_trace(id, request)
         end
 
+
         status, headers, body = call_app(env)
 
         if (session = Session.from(Thread.current)) && acceptable_content_type?(headers)
@@ -54,7 +52,7 @@ module WebConsole
     private
 
       def acceptable_content_type?(headers)
-        Mime::Type.parse(headers["Content-Type"].to_s).first == Mime[:html]
+        headers["Content-Type"].to_s.include?("html")
       end
 
       def json_response(opts = {})
@@ -66,7 +64,6 @@ module WebConsole
       end
 
       def json_response_with_session(id, request, opts = {})
-        return respond_with_unacceptable_request unless request.acceptable?
         return respond_with_unavailable_session(id) unless session = Session.find(id)
 
         json_response(opts) { yield session }
@@ -113,7 +110,7 @@ module WebConsole
 
       def change_stack_trace(id, request)
         json_response_with_session(id, request) do |session|
-          session.switch_binding_to(request.params[:frame_id])
+          session.switch_binding_to(request.params[:frame_id], request.params[:exception_object_id])
 
           { ok: true }
         end

data/lib/web_console/{whitelist.rb → permissions.rb}

@@ -3,20 +3,16 @@
 require "ipaddr"
 
 module WebConsole
-  # Whitelist of allowed networks that can access Web Console.
-  #
-  # Networks are represented by standard IPAddr and can be either IPv4 or IPv6
-  # networks.
-  class Whitelist
-    # IPv4 and IPv6 localhost should be always whitelisted.
-    ALWAYS_WHITELISTED_NETWORKS = %w( 127.0.0.0/8 ::1 )
+  class Permissions
+    # IPv4 and IPv6 localhost should be always allowed.
+    ALWAYS_PERMITTED_NETWORKS = %w( 127.0.0.0/8 ::1 )
 
     def initialize(networks = nil)
       @networks = normalize_networks(networks).map(&method(:coerce_network_to_ipaddr)).uniq
     end
 
     def include?(network)
-      @networks.any? { |whitelist| whitelist.include?(network.to_s) }
+      @networks.any? { |permission| permission.include?(network.to_s) }
     rescue IPAddr::InvalidAddressError
       false
     end
@@ -28,7 +24,7 @@ module WebConsole
     private
 
       def normalize_networks(networks)
-        Array(networks).concat(ALWAYS_WHITELISTED_NETWORKS)
+        Array(networks).concat(ALWAYS_PERMITTED_NETWORKS)
       end
 
       def coerce_network_to_ipaddr(network)

data/lib/web_console/railtie.rb

@@ -5,11 +5,12 @@ require "rails/railtie"
 module WebConsole
   class Railtie < ::Rails::Railtie
     config.web_console = ActiveSupport::OrderedOptions.new
-    config.web_console.whitelisted_ips = %w( 127.0.0.1 ::1 )
 
     initializer "web_console.initialize" do
       require "bindex"
       require "web_console/extensions"
+
+      ActionDispatch::DebugExceptions.register_interceptor(Interceptor)
     end
 
     initializer "web_console.development_only" do
@@ -50,9 +51,23 @@ module WebConsole
       end
     end
 
-    initializer "web_console.whitelisted_ips" do
-      if whitelisted_ips = config.web_console.whitelisted_ips
-        Request.whitelisted_ips = Whitelist.new(whitelisted_ips)
+    initializer "web_console.permissions" do
+      permissions = web_console_permissions
+      Request.permissions = Permissions.new(permissions)
+    end
+
+    def web_console_permissions
+      case
+      when config.web_console.permissions
+        config.web_console.permissions
+      when config.web_console.allowed_ips
+        config.web_console.allowed_ips
+      when config.web_console.whitelisted_ips
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          The config.web_console.whitelisted_ips is deprecated and will be ignored in future release of web_console.
+          Please use config.web_console.allowed_ips instead.
+        MSG
+        config.web_console.whitelisted_ips
       end
     end
 

data/lib/web_console/request.rb

@@ -1,35 +1,19 @@
 # frozen_string_literal: true
 
 module WebConsole
-  # Web Console tailored request object.
   class Request < ActionDispatch::Request
-    # Configurable set of whitelisted networks.
-    cattr_accessor :whitelisted_ips
-    @@whitelisted_ips = Whitelist.new
+    cattr_accessor :permissions, default: Permissions.new
 
-    # Define a vendor MIME type. We can call it using Mime[:web_console_v2].
-    Mime::Type.register "application/vnd.web-console.v2", :web_console_v2
-
-    # Returns whether a request came from a whitelisted IP.
-    #
-    # For a request to hit Web Console features, it needs to come from a white
-    # listed IP.
-    def from_whitelisted_ip?
-      whitelisted_ips.include?(strict_remote_ip)
+    def permitted?
+      permissions.include?(strict_remote_ip)
     end
 
-    # Determines the remote IP using our much stricter whitelist.
     def strict_remote_ip
-      GetSecureIp.new(self, whitelisted_ips).to_s
+      GetSecureIp.new(self, permissions).to_s
     rescue ActionDispatch::RemoteIp::IpSpoofAttackError
       "[Spoofed]"
     end
 
-    # Returns whether the request is acceptable.
-    def acceptable?
-      xhr? && accepts.any? { |mime| Mime[:web_console_v2] == mime }
-    end
-
     private
 
       class GetSecureIp < ActionDispatch::RemoteIp::GetIp

data/lib/web_console/session.rb

@@ -11,8 +11,7 @@ module WebConsole
   # error pages only, as currently, this is the only client that needs to do
   # that.
   class Session
-    cattr_reader :inmemory_storage
-    @@inmemory_storage = {}
+    cattr_reader :inmemory_storage, default: {}
 
     class << self
       # Finds a persisted session in memory by its id.
@@ -32,9 +31,9 @@ module WebConsole
       # storage.
       def from(storage)
         if exc = storage[:__web_console_exception]
-          new(ExceptionMapper.new(exc))
+          new(ExceptionMapper.follow(exc))
         elsif binding = storage[:__web_console_binding]
-          new([binding])
+          new([[binding]])
         end
       end
     end
@@ -42,10 +41,11 @@ module WebConsole
     # An unique identifier for every REPL.
     attr_reader :id
 
-    def initialize(bindings)
+    def initialize(exception_mappers)
       @id = SecureRandom.hex(16)
-      @bindings = bindings
-      @evaluator = Evaluator.new(@current_binding = bindings.first)
+
+      @exception_mappers = exception_mappers
+      @evaluator         = Evaluator.new(@current_binding = exception_mappers.first.first)
 
       store_into_memory
     end
@@ -60,8 +60,10 @@ module WebConsole
     # Switches the current binding to the one at specified +index+.
     #
     # Returns nothing.
-    def switch_binding_to(index)
-      @evaluator = Evaluator.new(@current_binding = @bindings[index.to_i])
+    def switch_binding_to(index, exception_object_id)
+      bindings = ExceptionMapper.find_binding(@exception_mappers, exception_object_id)
+
+      @evaluator = Evaluator.new(@current_binding = bindings[index.to_i])
     end
 
     # Returns context of the current binding

data/lib/web_console/source_location.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class SourceLocation
+  def initialize(binding)
+    @binding = binding
+  end
+
+  if RUBY_VERSION >= "2.6"
+    def path() @binding.source_location.first end
+    def lineno() @binding.source_location.last end
+  else
+    def path() @binding.eval("__FILE__") end
+    def lineno() @binding.eval("__LINE__") end
+  end
+end

data/lib/web_console/template.rb

@@ -7,8 +7,7 @@ module WebConsole
   # Rails error pages.
   class Template
     # Lets you customize the default templates folder location.
-    cattr_accessor :template_paths
-    @@template_paths = [ File.expand_path("../templates", __FILE__) ]
+    cattr_accessor :template_paths, default: [ File.expand_path("../templates", __FILE__) ]
 
     def initialize(env, session)
       @env = env
@@ -18,7 +17,7 @@ module WebConsole
 
     # Render a template (inferred from +template_paths+) as a plain string.
     def render(template)
-      view = View.new(template_paths, instance_values)
+      view = View.with_empty_template_cache.with_view_paths(template_paths, instance_values)
       view.render(template: template, layout: false)
     end
   end

data/lib/web_console/templates/console.js.erb

@@ -251,12 +251,14 @@ Autocomplete.prototype.removeView = function() {
 }
 
 // HTML strings for dynamic elements.
-var consoleInnerHtml = <%= render_inlined_string '_inner_console_markup.html' %>;
-var promptBoxHtml = <%= render_inlined_string '_prompt_box_markup.html' %>;
+var consoleInnerHtml = <%= render_inlined_string '_inner_console_markup' %>;
+var promptBoxHtml = <%= render_inlined_string '_prompt_box_markup' %>;
 // CSS
-var consoleStyleCss = <%= render_inlined_string 'style.css' %>;
+var consoleStyleCss = <%= render_inlined_string 'style' %>;
 // Insert a style element with the unique ID
 var styleElementId = 'sr02459pvbvrmhco';
+// Nonce to use for CSP
+var styleElementNonce = '<%= @nonce %>';
 
 // REPLConsole Constructor
 function REPLConsole(config) {
@@ -380,8 +382,13 @@ REPLConsole.prototype.install = function(container) {
     var clientHeightStart   = consoleOuter.clientHeight;
 
     var doDrag = function(e) {
-      container.style.height = (startHeight + startY - e.clientY) + 'px';
+      var height = startHeight + startY - e.clientY;
       consoleOuter.scrollTop = scrollTopStart + (clientHeightStart - consoleOuter.clientHeight);
+      if (height > document.documentElement.clientHeight) {
+        container.style.height = document.documentElement.clientHeight;
+      } else {
+        container.style.height = height + 'px';
+      }
       shiftConsoleActions();
     };
 
@@ -411,6 +418,14 @@ REPLConsole.prototype.install = function(container) {
     }
   }
 
+  var observer = new MutationObserver(function(mutationsList) {
+    for (let mutation of mutationsList) {
+      if (mutation.type === 'childList' && mutation.addedNodes.length > 0) {
+        shiftConsoleActions();
+      }
+    }
+  });
+
   // Initialize
   this.container = container;
   this.outer = consoleOuter;
@@ -422,7 +437,7 @@ REPLConsole.prototype.install = function(container) {
 
   findChild(container, 'resizer').addEventListener('mousedown', resizeContainer);
   findChild(consoleActions, 'close-button').addEventListener('click', closeContainer);
-  consoleOuter.addEventListener('DOMNodeInserted', shiftConsoleActions);
+  observer.observe(consoleOuter, { childList: true, subtree: true });
 
   REPLConsole.currentSession = this;
 };
@@ -436,6 +451,9 @@ REPLConsole.prototype.insertCss = function() {
   style.type = 'text/css';
   style.innerHTML = consoleStyleCss;
   style.id = styleElementId;
+  if (styleElementNonce.length > 0) {
+    style.nonce = styleElementNonce;
+  }
   document.getElementsByTagName('head')[0].appendChild(style);
 };
 
@@ -755,7 +773,7 @@ REPLConsole.prototype.onKeyDown = function(ev) {
         _this.addToInput(_this.clipboard.value);
         _this.clipboard.value = "";
         _this.clipboard.blur();
-      }, 10);
+      }, 100);
     }
   }
 
@@ -871,10 +889,14 @@ REPLConsole.prototype.scrollToBottom = function() {
 };
 
 // Change the binding of the console.
-REPLConsole.prototype.switchBindingTo = function(frameId, callback) {
+REPLConsole.prototype.switchBindingTo = function(frameId, exceptionObjectId, callback) {
   var url = this.getSessionUrl('trace');
   var params = "frame_id=" + encodeURIComponent(frameId);
 
+  if (exceptionObjectId) {
+    params = params + "&exception_object_id=" + encodeURIComponent(exceptionObjectId);
+  }
+
   var _this = this;
   postRequest(url, params, function() {
     var text = "Context has changed to: " + callback();
@@ -915,7 +937,6 @@ REPLConsole.request = function request(method, url, params, callback) {
   xhr.open(method, url, true);
   xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
   xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
-  xhr.setRequestHeader("Accept", "<%= Mime[:web_console_v2] %>");
   xhr.send(params);
 
   xhr.onreadystatechange = function() {

data/lib/web_console/templates/error_page.js.erb

@@ -8,9 +8,10 @@ for (var i = 0; i < traceFrames.length; i++) {
     e.preventDefault();
     var target = e.target;
     var frameId = target.dataset.frameId;
+    var exceptionObjectId = target.dataset.exceptionObjectId;
 
     // Change the binding of the console.
-    changeBinding(frameId, function() {
+    changeBinding(frameId, exceptionObjectId, function() {
       // Rails already handles toggling the select class
       selectedFrame = target;
       return target.innerHTML;
@@ -22,8 +23,8 @@ for (var i = 0; i < traceFrames.length; i++) {
 }
 
 // Change the binding of the current session and prompt the user.
-function changeBinding(frameId, callback) {
-  REPLConsole.currentSession.switchBindingTo(frameId, callback);
+function changeBinding(frameId, exceptionObjectId, callback) {
+  REPLConsole.currentSession.switchBindingTo(frameId, exceptionObjectId, callback);
 }
 
 function changeSourceExtract(frameId) {

data/lib/web_console/templates/layouts/javascript.erb

@@ -1,4 +1,4 @@
-<script type="text/javascript" data-template="<%= @template %>">
+<script type="text/javascript" data-template="<%= @template %>" nonce="<%= @nonce %>">
 (function() {
   <%= yield %>
 }).call(this);

data/lib/web_console/templates/style.css.erb

@@ -1,34 +1,182 @@
-.console .pos-absolute { position: absolute; }
-.console .pos-fixed { position: fixed; }
-.console .pos-right { right: 0; }
-.console .border-box { box-sizing: border-box; }
-.console .layer { width: 100%; height: 100%; }
-.console .layer.console-outer { z-index: 1; }
-.console .layer.resizer { z-index: 2; }
-.console { position: fixed; left: 0; bottom: 0; width: 100%; height: 148px; padding: 0; margin: 0; background: none repeat scroll 0% 0% #333; z-index: 9999; }
-.console .console-outer { overflow: auto; padding-top: 4px; }
-.console .console-inner { font-family: monospace; font-size: 11px; width: 100%; height: 100%; overflow: none; background: #333; }
-.console .console-prompt-box { color: #FFF; }
-.console .console-message { color: #1AD027; margin: 0; border: 0; white-space: pre-wrap; background-color: #333; padding: 0; }
-.console .console-message.error-message { color: #FC9; }
-.console .console-message.notification-message { color: #99F; }
-.console .console-message.auto-complete { word-break: break-all; }
-.console .console-message.auto-complete .keyword { margin-right: 11px; }
-.console .console-message.auto-complete .keyword.selected { background: #FFF; color: #000; }
-.console .console-message.auto-complete .hidden { display: none; }
-.console .console-message.auto-complete .trimmed { display: none; }
-.console .console-hint { color: #096; }
-.console .console-focus .console-cursor { background: #FEFEFE; color: #333; font-weight: bold; }
-.console .resizer { background: #333; width: 100%; height: 4px; cursor: ns-resize; }
-.console .console-actions { padding-right: 3px; }
-.console .console-actions .button { float: left; }
-.console .button { cursor: pointer; border-radius: 1px; font-family: monospace; font-size: 13px; width: 14px; height: 14px; line-height: 14px; text-align: center; color: #CCC; }
-.console .button:hover { background: #666; color: #FFF; }
-.console .button.close-button:hover { background: #966; }
-.console .clipboard { height: 0px; padding: 0px; margin: 0px; width: 0px; margin-left: -1000px; }
-.console .console-prompt-label { display: inline; color: #FFF; background: none repeat scroll 0% 0% #333; border: 0; padding: 0; }
-.console .console-prompt-display { display: inline; color: #FFF; background: none repeat scroll 0% 0% #333; border: 0; padding: 0; }
-.console.full-screen { height: 100%; }
-.console.full-screen .console-outer { padding-top: 3px; }
-.console.full-screen .resizer { display: none; }
-.console.full-screen .close-button { display: none; }
+.console .pos-absolute {
+  position: absolute;
+}
+
+.console .pos-fixed {
+  position: fixed;
+}
+
+.console .pos-right {
+  right: 0;
+}
+
+.console .border-box {
+  box-sizing: border-box;
+}
+
+.console .layer {
+  width: 100%;
+  height: 100%;
+}
+
+.console .layer.console-outer {
+  z-index: 1;
+}
+
+.console .layer.resizer {
+  z-index: 2;
+}
+
+.console {
+  position: fixed;
+  left: 0;
+  bottom: 0;
+  width: 100%;
+  height: 148px;
+  padding: 0;
+  margin: 0;
+  background: none repeat scroll 0% 0% #333;
+  z-index: 9999;
+}
+
+.console .console-outer {
+  overflow: auto;
+  padding-top: 4px;
+}
+
+.console .console-inner {
+  font-family: monospace;
+  font-size: 11px;
+  width: 100%;
+  height: 100%;
+  overflow: unset;
+  background: #333;
+}
+
+.console .console-prompt-box {
+  color: #fff;
+}
+
+.console .console-message {
+  color: #1ad027;
+  margin: 0;
+  border: 0;
+  white-space: pre-wrap;
+  background-color: #333;
+  padding: 0;
+}
+
+.console .console-message.error-message {
+  color: #fc9;
+}
+
+.console .console-message.notification-message {
+  color: #99f;
+}
+
+.console .console-message.auto-complete {
+  word-break: break-all;
+}
+
+.console .console-message.auto-complete .keyword {
+  margin-right: 11px;
+}
+
+.console .console-message.auto-complete .keyword.selected {
+  background: #fff;
+  color: #000;
+}
+
+.console .console-message.auto-complete .hidden {
+  display: none;
+}
+
+.console .console-message.auto-complete .trimmed {
+  display: none;
+}
+
+.console .console-hint {
+  color: #096;
+}
+
+.console .console-focus .console-cursor {
+  background: #fefefe;
+  color: #333;
+  font-weight: bold;
+}
+
+.console .resizer {
+  background: #333;
+  width: 100%;
+  height: 4px;
+  cursor: ns-resize;
+}
+
+.console .console-actions {
+  padding-right: 3px;
+}
+
+.console .console-actions .button {
+  float: left;
+}
+
+.console .button {
+  cursor: pointer;
+  border-radius: 1px;
+  font-family: monospace;
+  font-size: 13px;
+  width: 14px;
+  height: 14px;
+  line-height: 14px;
+  text-align: center;
+  color: #ccc;
+}
+
+.console .button:hover {
+  background: #666;
+  color: #fff;
+}
+
+.console .button.close-button:hover {
+  background: #966;
+}
+
+.console .clipboard {
+  height: 0px;
+  padding: 0px;
+  margin: 0px;
+  width: 0px;
+  margin-left: -1000px;
+}
+
+.console .console-prompt-label {
+  display: inline;
+  color: #fff;
+  background: none repeat scroll 0% 0% #333;
+  border: 0;
+  padding: 0;
+}
+
+.console .console-prompt-display {
+  display: inline;
+  color: #fff;
+  background: none repeat scroll 0% 0% #333;
+  border: 0;
+  padding: 0;
+}
+
+.console.full-screen {
+  height: 100%;
+}
+
+.console.full-screen .console-outer {
+  padding-top: 3px;
+}
+
+.console.full-screen .resizer {
+  display: none;
+}
+
+.console.full-screen .close-button {
+  display: none;
+}

data/lib/web_console/testing/fake_middleware.rb

@@ -3,7 +3,6 @@
 require "action_view"
 require "web_console"
 require "web_console/testing/helper"
-Mime = { web_console_v2: "fake" }
 
 module WebConsole
   module Testing

data/lib/web_console/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module WebConsole
-  VERSION = "3.7.0"
+  VERSION = "4.1.0"
 end

data/lib/web_console/view.rb

@@ -22,6 +22,7 @@ module WebConsole
     # leaking globals, unless you explicitly want to.
     def render_javascript(template)
       assign(template: template)
+      assign(nonce: @env["action_dispatch.content_security_policy_nonce"])
       render(template: template, layout: "layouts/javascript")
     end
 

data/lib/web_console/whiny_request.rb

@@ -3,13 +3,13 @@
 module WebConsole
   # Noisy wrapper around +Request+.
   #
-  # If any calls to +from_whitelisted_ip?+ and +acceptable_content_type?+
+  # If any calls to +permitted?+ and +acceptable_content_type?+
   # return false, an info log message will be displayed in users' logs.
   class WhinyRequest < SimpleDelegator
-    def from_whitelisted_ip?
-      whine_unless request.from_whitelisted_ip? do
+    def permitted?
+      whine_unless request.permitted? do
         "Cannot render console from #{request.strict_remote_ip}! " \
-          "Allowed networks: #{request.whitelisted_ips}"
+          "Allowed networks: #{request.permissions}"
       end
     end
 

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: web-console
 version: !ruby/object:Gem::Version
-  version: 3.7.0
+  version: 4.1.0
 platform: ruby
 authors:
 - Charlie Somerville
 - Genadi Samokovarov
 - Guillermo Iguaran
 - Ryan Dao
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-02 00:00:00.000000000 Z
+date: 2020-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -19,42 +19,42 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: actionview
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: bindex
   requirement: !ruby/object:Gem::Requirement
@@ -69,7 +69,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.4.0
-description: 
+description:
 email:
 - charlie@charliesomerville.com
 - gsamokovarov@gmail.com
@@ -91,11 +91,14 @@ files:
 - lib/web_console/exception_mapper.rb
 - lib/web_console/extensions.rb
 - lib/web_console/injector.rb
+- lib/web_console/interceptor.rb
 - lib/web_console/locales/en.yml
 - lib/web_console/middleware.rb
+- lib/web_console/permissions.rb
 - lib/web_console/railtie.rb
 - lib/web_console/request.rb
 - lib/web_console/session.rb
+- lib/web_console/source_location.rb
 - lib/web_console/tasks/extensions.rake
 - lib/web_console/tasks/templates.rake
 - lib/web_console/template.rb
@@ -116,12 +119,11 @@ files:
 - lib/web_console/version.rb
 - lib/web_console/view.rb
 - lib/web_console/whiny_request.rb
-- lib/web_console/whitelist.rb
 homepage: https://github.com/rails/web-console
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -129,16 +131,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.2
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: A debugging tool for your Ruby on Rails applications.
 test_files: []