wunderbar 1.3.4 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: faf3ed56159ea9aae14376907dd0c17efabb7560f08b886b1f4f781be5b630af
-  data.tar.gz: f0a40ec22da2f77faf6b97c6a156198430a4afe12d96baacd37c8c489bcc037b
+  metadata.gz: 01faf4f44e9f567cf1ab080f8f4a54879c0eb6b5d07e0ad6d265ede2cbd4b86f
+  data.tar.gz: a0db8a63944a68305a337a1eb5cef8114f5f88034e7a9c451cd37228ad97bc40
 SHA512:
-  metadata.gz: fba3b4c3676b35938fc132792a5fb8d73ea949fe3d76b9a4a05a2b83a2d24e3b933ce993b45e36717dc9877c8a2a429af80dceab4313dfaa3ef8eb63cdba4380
-  data.tar.gz: f9d3f47d1f81627649f98ebfeda570f84dadb9f33e9839a06584f31c52da587b98ca9be027f411a805f82c09979bb96e92882be0a8907dd743193fbf4c51f8ee
+  metadata.gz: d104318bd2e0e2ee9cd721c3b49790ede15b4459dbe253bc58b9108b6fc91fcb077e932a399b9194417a5dc31c62500684db424db534b4b72c1c709e2defedc1
+  data.tar.gz: e2d9ca6b2bec1fdb12a253e1ca9df2f73296388c60ee2b165c63305216a353fc0fe37e3ede10c48b6524b7391e060230ca53fa8f393b4d24b957f225da3363a2

data/README.md

@@ -366,26 +366,7 @@ Secure by default
 
 Wunderbar will properly escape all HTML and JSON output, eliminating problems
 of HTML or JavaScript injection.  This includes calls to `_` to insert text
-directly.  Unless `nokogiri` was previously required (see [optional
-dependencies](#optional-dependencies) below), calls to insert markup
-(`_{...}`) will escape the markup if the input is `tainted` and not explicitly
-marked as `html-safe?` (when using Rails).
-
-For Ruby version < 2.6.0:
-
-> For all environments other than Rails, unless you call `Wunderbar.unsafe!` at
-> the top of your script, Wunderbar will also set
-> [`$SAFE=1`](http://www.ruby-doc.org/docs/ProgrammingRuby/html/taint.html)
-> before processing requests.  This means that you will need to
-> [`untaint`](ruby-doc.org/core/Object.html#method-i-untaint) all inputs
-> received from external sources before you make system calls or access the file
-> system.
-
-A special feature that effectively is only available in the Rails environment:
-if the first argument to call that creates an element is `html_safe?`, then
-that argument will be treated as a markup instead of as text.  This allows one
-to make calls like `_td link_to...` without placing the call to `link_to` in a
-block.
+directly. 
 
 Globals provided
 ---
@@ -454,7 +435,6 @@ The following gems, if installed, will produce cleaner and prettier output:
 * `nokogumbo` also cleans up HTML fragments inserted via `<<` and `_{}`.  If
   this gem is available, it will be preferred over direct usage of `nokogiri`.
 * `escape` prettier quoting of `system` commands
-* `sanitize` will remove unsafe markup from tainted input
 
 Related efforts
 ---

data/lib/wunderbar/asset.rb

@@ -30,14 +30,14 @@ module Wunderbar
       return @path if @path or @contents
 
       if @options[:name]
-        source = (@options[:file] || __FILE__).untaint
+        source = @options[:file] || __FILE__
         @mtime = File.mtime(source)
         @path = @options[:name]
 
         # look for asset in site
         if ENV['DOCUMENT_ROOT']
-          root = File.join(ENV['DOCUMENT_ROOT'], 'assets').untaint
-          dest = File.expand_path(@path, root).untaint
+          root = File.join(ENV['DOCUMENT_ROOT'], 'assets')
+          dest = File.expand_path(@path, root)
           if File.exist?(dest) and File.size(dest) == File.size(source)
             @path = "/assets/#{@path}"
             return @path
@@ -45,7 +45,7 @@ module Wunderbar
         end
 
         # look for asset in app
-        dest = File.expand_path(@path, Asset.root).untaint
+        dest = File.expand_path(@path, Asset.root)
         if File.exist?(dest) and File.size(dest) == File.size(source)
           return @path
         end
@@ -103,7 +103,7 @@ module Wunderbar
     @path = '../' * env['PATH_INFO'].to_s.count('/') + 'assets'
     @root ||= nil
     @root = File.dirname(env['SCRIPT_FILENAME']) if env['SCRIPT_FILENAME']
-    @root = File.expand_path((@root || Dir.pwd) + "/assets").untaint
+    @root = File.expand_path((@root || Dir.pwd) + "/assets")
 
     # Options: typically :name plus either :file or :contents
     #   :name => name to be used for the asset

data/lib/wunderbar/builder.rb

@@ -51,14 +51,14 @@ module Wunderbar
         secret = command - flat
         begin
           # if available, use escape as it does prettier quoting
-          raise LoadError if $SAFE > 0 and not defined? Escape
+          raise LoadError if not defined? Escape
           require 'escape'
           echo = Escape.shell_command(command.compact - secret)
         rescue LoadError
           # std-lib function that gets the job done
           echo = Shellwords.join(command.compact - secret)
         end
-        command = flat.compact.map(&:dup).map(&:untaint)
+        command = flat.compact
       else
         echo = command
         command = [command]

data/lib/wunderbar/cgi-methods.rb

@@ -120,7 +120,7 @@ module Wunderbar
       # asset support for Rack
       request = (scope.respond_to? :request) ? scope.request : nil
       if request and request.path =~ %r{/assets/\w[-.\w]+}
-        path = ('.' + scope.request.path).untaint
+        path = '.' + scope.request.path
         headers = {'type' => 'text/plain'}
         headers['type'] = 'application/javascript' if path =~ /\.js$/
         out?(scope, headers) { File.read path if File.exist? path }

data/lib/wunderbar/coderay.rb

@@ -2,15 +2,6 @@ require 'wunderbar'
 require 'coderay'
 require 'nokogiri'
 
-# workaround for https://github.com/rubychan/coderay/pull/159
-module CodeRay::PluginHost
-  alias_method :old_plugin_path, :plugin_path
-  def plugin_path *args
-    args.first.untaint if args.first == CodeRay::CODERAY_PATH
-    old_plugin_path(*args)
-  end
-end
-
 module Wunderbar
   class HtmlMarkup
     def _coderay(*args)

data/lib/wunderbar/environment.rb

@@ -5,40 +5,6 @@ module Wunderbar
     TEXT      = ARGV.delete('--text')
   end
 
-  # Ruby 2.6.0 gets rid of $SAFE > 1; unfortunately in the process it
-  # treats $SAFE = 1 as a higher level; @FAFE = 1 no longer is limited
-  # to taintness checks, it not treats all File operations as unsafe
-  @@unsafe = (RUBY_VERSION.split('.').map(&:to_i) <=> [2, 6, 0]) == 1
-
-  def self.unsafe!(mode=true)
-    @@unsafe=mode
-  end
-
-  def self.safe?
-    if not @@unsafe and $SAFE == 0
-      # some gems (e.g. em-websocket-0.3.6) insert unsafe entries into the
-      # path, and that prevents requires from succeeding.  If it looks like
-      # we are about to make a transition to $SAFE=1, clean up that mess
-      # before proceeding.
-      #
-      # the goal of $SAFE is not to protect us against software which was
-      # installed by the owner of the site, but from injection attacks
-      # contained within data provided by users of the site.
-      $:.each_with_index do |path, index|
-        if path.tainted?
-          $:[index] = File.expand_path(path.dup.untaint).untaint
-        end
-      end
-
-      # avoid: "Insecure PATH - (SecurityError)" when using Bundler
-      if defined? Bundler
-        ENV['PATH'] = ENV['PATH'].dup.untaint
-      end
-    end
-
-    not @@unsafe
-  end
-
   class Scope
     attr_accessor :env
     def initialize(env)

data/lib/wunderbar/html-methods.rb

@@ -133,7 +133,7 @@ module Wunderbar
         # * Proxied Rack server.  Document base may be relate to the
         #   HTTP_X_WUNDERBAR_BASE 
         #
-        cwd = File.realpath(Dir.pwd.untaint)
+        cwd = File.realpath(Dir.pwd)
         base = @_scope.env['DOCUMENT_ROOT'] if @_scope.env.respond_to? :[]
         base ||= cwd
         href = (head.children[1].attrs[:href] || '')
@@ -189,8 +189,8 @@ module Wunderbar
       name = name.to_s.gsub('_', '-')
 
       if flag != '!'
-        if String === args.first and args.first.respond_to? :html_safe?
-          if args.first.html_safe? and not block and args.first =~ /[>&]/
+        if String === args.first
+          if not block and args.first =~ /[>&]/
             markup = args.shift
             block = Proc.new {_ {markup}}
           end
@@ -362,11 +362,7 @@ module Wunderbar
     def _(text=nil, &block)
       unless block
         if text
-          if text.respond_to? :html_safe? and text.html_safe?
-            _ {text}
-          else
-            @_x.indented_text! text.to_s
-          end
+          _ {text}
         end
         return @_x
       end
@@ -374,20 +370,13 @@ module Wunderbar
       children = instance_eval(&block)
 
       if String === children
-        safe = !children.tainted?
-        safe ||= children.html_safe? if children.respond_to? :html_safe?
-        safe &&= defined? Nokogiri
-        ok = safe || defined? Sanitize
-        safe = true
-
-        if ok and (children.include? '<' or children.include? '&')
+        if children.include? '<' or children.include? '&'
           if defined? Nokogiri::HTML5.fragment
             doc = Nokogiri::HTML5.fragment(children.to_s)
           else
             doc = Nokogiri::HTML.fragment(children.to_s)
           end
 
-          Sanitize.new.clean_node! doc.dup.untaint if not safe
           children = doc.children.to_a
 
           # ignore leading whitespace

data/lib/wunderbar/job-control.rb

@@ -25,7 +25,7 @@ module Wunderbar
       # clear environment of cgi cruft
       require 'cgi'
       ENV.keys.select {|key| key =~ /^HTTP_/}.each do |key|
-        ENV.delete key.dup.untaint
+        ENV.delete key
       end
       ::CGI::QueryExtension.public_instance_methods.each do |method|
         ENV.delete method.to_s.upcase

data/lib/wunderbar/rack.rb

@@ -17,8 +17,6 @@ module Wunderbar
           Rack::Mime::MIME_TYPES[File.extname(env['PATH_INFO'])]
         @_response.set_header('Content-Type', mime) if mime
         @_response.write(file[:content] || file[:source].call)
-      elsif Wunderbar.safe? and $SAFE==0
-        Proc.new { $SAFE=1; Wunderbar::CGI.call(self) }.call
       else
         Wunderbar::CGI.call(self)
       end

data/lib/wunderbar/react.rb

@@ -35,17 +35,3 @@ class Wunderbar::Render
       "</pre>"
   end
 end
-
-# Monkeypatch to address https://github.com/sstephenson/execjs/pull/180
-require 'execjs'
-class ExecJS::ExternalRuntime::Context
-  alias_method :w_write_to_tempfile, :write_to_tempfile
-  def write_to_tempfile(*args)
-    tmpfile = w_write_to_tempfile(*args).path.untaint
-    tmpfile = Struct.new(:path, :to_str).new(tmpfile, tmpfile)
-    def tmpfile.unlink
-      File.unlink path
-    end
-    tmpfile
-  end
-end

data/lib/wunderbar/render.rb

@@ -82,14 +82,12 @@ class Wunderbar::XmlMarkup
 
         src = File.join(base, src) if not base.empty?
         src = src.sub(/\?.*$/, '') # strip queries (typically mtimes)
-        src.untaint
 
-        name = File.expand_path(src, @_scope.settings.public_folder.untaint)
-        name.untaint unless src.tainted?
+        name = File.expand_path(src, @_scope.settings.public_folder)
         if File.exist? name
           result = File.read(name)
         else
-          file = File.expand_path(src+'.rb', @_scope.settings.views.untaint)
+          file = File.expand_path(src+'.rb', @_scope.settings.views)
           result = Wunderbar::Asset.convert(file)
         end
       else
@@ -113,11 +111,11 @@ class Wunderbar::XmlMarkup
         scripts.unshift script.contents
       elsif script.path
         if script.path.start_with? '/'
-          path = (ENV['DOCUMENT_ROOT'] + script.path).untaint
+          path = ENV['DOCUMENT_ROOT'] + script.path
         else
-          path = File.expand_path(script.path, Wunderbar::Asset.root).untaint
+          path = File.expand_path(script.path, Wunderbar::Asset.root)
         end
-        setup << File.read(script.options[:server].untaint || path)
+        setup << File.read(script.options[:server] || path)
       end
     end
 

data/lib/wunderbar/sinatra.rb

@@ -82,22 +82,14 @@ module Wunderbar
         builder.set_variables_from_params(locals)
 
         if not block
-          builder.instance_eval(data.untaint, eval_file)
+          builder.instance_eval(data, eval_file)
         elsif not data
           builder.instance_eval(&block)
         else
           context = builder.get_binding do
             builder.instance_eval {_(&block)}
           end
-          context.eval(data.untaint, eval_file)
-        end
-      end
-
-      def _evaluate_safely(*args, &block)
-        if Wunderbar.safe? and $SAFE==0
-          Proc.new { $SAFE=1; _evaluate(*args, &block) }.call
-        else
-          _evaluate(*args, &block)
+          context.eval(data, eval_file)
         end
       end
     end
@@ -108,7 +100,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = HtmlMarkup.new(scope)
         begin
-          _evaluate_safely(builder, scope, locals, &block)
+          _evaluate(builder, scope, locals, &block)
         rescue Exception => exception
           scope.response.status = Wunderbar::ServerError.status
           builder.clear!
@@ -132,7 +124,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = JsonBuilder.new(scope)
         begin
-          result = _evaluate_safely(builder, scope, locals, &block)
+          result = _evaluate(builder, scope, locals, &block)
 
           # if no output was produced, use the result
           builder._! result if builder.target? == {} and result
@@ -154,7 +146,7 @@ module Wunderbar
       def evaluate(scope, locals, &block)
         builder = TextBuilder.new(scope)
         begin
-          result = _evaluate_safely(builder, scope, locals, &block)
+          result = _evaluate(builder, scope, locals, &block)
 
           # if no output was produced, use the result
           builder._ result.to_s if builder.target!.empty? and result
@@ -240,13 +232,12 @@ Tilt.register 'xhtml.rb', Wunderbar::Template::Xhtml
 helpers Wunderbar::SinatraHelpers
 
 if Dir.exist? settings.public_folder
-  Wunderbar::Asset.root = File.join(settings.public_folder, 'assets').untaint
+  Wunderbar::Asset.root = File.join(settings.public_folder, 'assets')
 end
 
 Wunderbar::Asset.virtual = true
 
 get "/#{Wunderbar::Asset.path}/:name" do |name|
-  name.untaint if name =~ /^([-\w]\.?)+$/
   file = "#{Wunderbar::Asset.root}/#{name}"
   _text do
     if File.exist? file

data/lib/wunderbar/version.rb

@@ -1,8 +1,8 @@
 module Wunderbar
   module VERSION #:nodoc:
     MAJOR = 1
-    MINOR = 3
-    TINY  = 4
+    MINOR = 4
+    TINY  = 0
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/wunderbar/vue.rb

@@ -14,7 +14,7 @@ class Wunderbar::Render
     path = `which nodejs`.chomp
     path = `which node`.chomp if path.empty?
     raise RuntimeError.new('Unable to locate nodejs') if path.empty?
-    @nodejs = path.untaint
+    @nodejs = path
   end
 
   def self.server(common)
@@ -50,7 +50,7 @@ class Wunderbar::Render
       stdout += "\n<pre>#{CGI.escapeHTML(stderr)}</pre>"
     end
 
-    stdout.untaint
+    stdout
   rescue => e
     Wunderbar.error e
     "<pre>#{CGI.escapeHTML(e.message)}</pre>"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wunderbar
 version: !ruby/object:Gem::Version
-  version: 1.3.4
+  version: 1.4.0
 platform: ruby
 authors:
 - Sam Ruby