kanbanworkflowstimelinescrumrubyroadmapproject-planningproject-managementopenprojectangularissue-trackerifcgantt-chartganttbug-trackerboardsbcf
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 lines
3.2 KiB
103 lines
3.2 KiB
# Fixes an arbitrary file disclosure bug in sprockets
|
|
# see: https://groups.google.com/forum/#!topic/rubyonrails-security/wQBeGXqGs3E
|
|
# This initializer can be removes as soon as we use sprockets v2.12.X
|
|
|
|
module Sprockets
|
|
module Server
|
|
# `call` implements the Rack 1.x specification which accepts an
|
|
# `env` Hash and returns a three item tuple with the status code,
|
|
# headers, and body.
|
|
#
|
|
# Mapping your environment at a url prefix will serve all assets
|
|
# in the path.
|
|
#
|
|
# map "/assets" do
|
|
# run Sprockets::Environment.new
|
|
# end
|
|
#
|
|
# A request for `"/assets/foo/bar.js"` will search your
|
|
# environment for `"foo/bar.js"`.
|
|
def call(env)
|
|
start_time = Time.now.to_f
|
|
time_elapsed = lambda { ((Time.now.to_f - start_time) * 1000).to_i }
|
|
|
|
msg = "Served asset #{env['PATH_INFO']} -"
|
|
|
|
# Mark session as "skipped" so no `Set-Cookie` header is set
|
|
env['rack.session.options'] ||= {}
|
|
env['rack.session.options'][:defer] = true
|
|
env['rack.session.options'][:skip] = true
|
|
|
|
# Extract the path from everything after the leading slash
|
|
path = unescape(env['PATH_INFO'].to_s.sub(/^\//, ''))
|
|
|
|
# Strip fingerprint
|
|
if fingerprint = path_fingerprint(path)
|
|
path = path.sub("-#{fingerprint}", '')
|
|
end
|
|
|
|
# URLs containing a `".."` are rejected for security reasons.
|
|
if forbidden_request?(path)
|
|
return forbidden_response
|
|
end
|
|
|
|
# Look up the asset.
|
|
asset = find_asset(path, bundle: !body_only?(env))
|
|
|
|
# `find_asset` returns nil if the asset doesn't exist
|
|
if asset.nil?
|
|
logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)"
|
|
|
|
# Return a 404 Not Found
|
|
not_found_response
|
|
|
|
# Check request headers `HTTP_IF_NONE_MATCH` against the asset digest
|
|
elsif etag_match?(asset, env)
|
|
logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)"
|
|
|
|
# Return a 304 Not Modified
|
|
not_modified_response(asset, env)
|
|
|
|
else
|
|
logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)"
|
|
|
|
# Return a 200 with the asset contents
|
|
ok_response(asset, env)
|
|
end
|
|
rescue Exception => e
|
|
logger.error "Error compiling asset #{path}:"
|
|
logger.error "#{e.class.name}: #{e.message}"
|
|
|
|
case content_type_of(path)
|
|
when "application/javascript"
|
|
# Re-throw JavaScript asset exceptions to the browser
|
|
logger.info "#{msg} 500 Internal Server Error\n\n"
|
|
return javascript_exception_response(e)
|
|
when "text/css"
|
|
# Display CSS asset exceptions in the browser
|
|
logger.info "#{msg} 500 Internal Server Error\n\n"
|
|
return css_exception_response(e)
|
|
else
|
|
raise
|
|
end
|
|
end
|
|
|
|
private
|
|
def forbidden_request?(path)
|
|
# Prevent access to files elsewhere on the file system
|
|
#
|
|
# http://example.org/assets/../../../etc/passwd
|
|
#
|
|
path.include?("..") || Pathname.new(path).absolute?
|
|
end
|
|
|
|
# Gets digest fingerprint.
|
|
#
|
|
# "foo-0aa2105d29558f3eb790d411d7d8fb66.js"
|
|
# # => "0aa2105d29558f3eb790d411d7d8fb66"
|
|
#
|
|
def path_fingerprint(path)
|
|
path[/-([0-9a-f]{7,40})\.[^.]+\z/, 1]
|
|
end
|
|
end
|
|
end
|
|
|