Tests 2023

CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2.5.0
+
+* Fixed dangerous YAML loading vulnerability
+* Rebuilt integration tests
+
 ## 2.3.2
 
 * Fix sqlite3 adapter error

geokit-rails.gemspec

@@ -20,14 +20,15 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'rails', '>= 3.0'
   spec.add_dependency 'geokit', '~> 1.5'
   spec.add_development_dependency "bundler", "> 1.0"
-  spec.add_development_dependency "simplecov", "~> 0.16.1"
+  spec.add_development_dependency "simplecov", ">= 0.16.1"
   spec.add_development_dependency "simplecov-rcov"
+  spec.add_development_dependency 'net-http'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'test-unit'
   spec.add_development_dependency "mocha", "~> 0.9"
-  spec.add_development_dependency 'coveralls'
-  spec.add_development_dependency "mysql2", "~> 0.2"
-  spec.add_development_dependency "activerecord-mysql2spatial-adapter"
-  spec.add_development_dependency "pg", "~> 0.10"
+  spec.add_development_dependency 'coveralls_reborn'
+  spec.add_development_dependency "mysql2", ">= 0.2"
+  # spec.add_development_dependency "activerecord-mysql2spatial-adapter"
+  spec.add_development_dependency "pg", ">= 0.10"
   spec.add_development_dependency "sqlite3"
 end

lib/geokit-rails/ip_geocode_lookup.rb

@@ -12,11 +12,7 @@ module IpGeocodeLookup
     # Class method to mix into active record.
     module ClassMethods # :nodoc:
       def geocode_ip_address(filter_options = {})
-        if respond_to? :before_action
-          before_action :store_ip_location, filter_options
-        else
-          before_filter :store_ip_location, filter_options
-        end
+        before_action :store_ip_location, filter_options
       end
     end
 
@@ -28,13 +24,14 @@ def geocode_ip_address(filter_options = {})
     # get the value.
     def store_ip_location
       session[:geo_location] ||= retrieve_location_from_cookie_or_service
-      cookies[:geo_location] = { :value => session[:geo_location].to_yaml, :expires => 30.days.from_now } if session[:geo_location]
+      cookies[:geo_location] = { :value => session[:geo_location].to_json, :expires => 30.days.from_now } if session[:geo_location]
     end
 
     # Uses the stored location value from the cookie if it exists.  If
     # no cookie exists, calls out to the web service to get the location.
     def retrieve_location_from_cookie_or_service
-      return GeoLoc.new(YAML.load(cookies[:geo_location])) if cookies[:geo_location]
+      # return GeoLoc.new(YAML.load(cookies[:geo_location])) if cookies[:geo_location]
+      return GeoLoc.new(JSON.parse(cookies[:geo_location])) if cookies[:geo_location]
       location = Geocoders::MultiGeocoder.geocode(get_ip_address)
       return location.success ? location : nil
     end

lib/geokit-rails/version.rb

@@ -1,3 +1,3 @@
 module GeokitRails
-  VERSION = "2.4.0.pre"
+  VERSION = "2.5.0"
 end

test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1 @@
+/* Application styles */

test/dummy/app/channels/application_cable/channel.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Channel < ActionCable::Channel::Base
+  end
+end

test/dummy/app/channels/application_cable/connection.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+  end
+end

test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  attr_accessor :remote_ip
+end

test/dummy/app/controllers/location_aware_controller.rb

@@ -0,0 +1,43 @@
+class LocationAwareController < ApplicationController #:nodoc: all
+  before_action :set_ip, only: [:index,:cookietest,:sessiontest]
+  before_action :set_ip_bad, only: [:failtest]
+  before_action :setup, only: [:cookietest,:sessiontest]
+  geocode_ip_address
+
+  def index
+    render plain: ''
+  end
+
+  def cookietest
+    cookies[:geo_location] = @success.to_json
+    render plain: ''
+  end
+
+  def sessiontest
+    session[:geo_location] = @success.to_json
+    render plain: ''
+  end
+
+  def failtest
+    render plain: ''
+  end
+
+  def rescue_action(e) raise e end;
+  private
+  def set_ip
+    request.remote_ip = "good ip"
+  end
+  def set_ip_bad
+    request.remote_ip = "bad ip"
+  end
+  def setup
+    @success = Geokit::GeoLoc.new
+    @success.provider = "hostip"
+    @success.lat = 41.7696
+    @success.lng = -88.4588
+    @success.city = "Sugar Grove"
+    @success.state = "IL"
+    @success.country_code = "US"
+    @success.success = true
+  end
+end

test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

test/dummy/app/jobs/application_job.rb

@@ -0,0 +1,7 @@
+class ApplicationJob < ActiveJob::Base
+  # Automatically retry jobs that encountered a deadlock
+  # retry_on ActiveRecord::Deadlocked
+
+  # Most jobs are safe to ignore if the underlying records are no longer available
+  # discard_on ActiveJob::DeserializationError
+end

test/dummy/app/mailers/application_mailer.rb

@@ -0,0 +1,4 @@
+class ApplicationMailer < ActionMailer::Base
+  default from: "[email protected]"
+  layout "mailer"
+end

test/dummy/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  primary_abstract_class
+end

test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dummy</title>
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag "application" %>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

test/dummy/app/views/layouts/mailer.html.erb

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+    <style>
+      /* Email styles need to be inline */
+    </style>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

test/dummy/app/views/layouts/mailer.text.erb

@@ -0,0 +1 @@
+<%= yield %>

test/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path("../config/application", __dir__)
+require_relative "../config/boot"
+require "rails/commands"

test/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative "../config/boot"
+require "rake"
+Rake.application.run

test/dummy/bin/setup

@@ -0,0 +1,33 @@
+#!/usr/bin/env ruby
+require "fileutils"
+
+# path to your application root.
+APP_ROOT = File.expand_path("..", __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+FileUtils.chdir APP_ROOT do
+  # This script is a way to set up or update your development environment automatically.
+  # This script is idempotent, so that you can run it at any time and get an expectable outcome.
+  # Add necessary setup steps to this file.
+
+  puts "== Installing dependencies =="
+  system! "gem install bundler --conservative"
+  system("bundle check") || system!("bundle install")
+
+  # puts "\n== Copying sample files =="
+  # unless File.exist?("config/database.yml")
+  #   FileUtils.cp "config/database.yml.sample", "config/database.yml"
+  # end
+
+  puts "\n== Preparing database =="
+  system! "bin/rails db:prepare"
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! "bin/rails log:clear tmp:clear"
+
+  puts "\n== Restarting application server =="
+  system! "bin/rails restart"
+end

test/dummy/config.ru

@@ -0,0 +1,6 @@
+# This file is used by Rack-based servers to start the application.
+
+require_relative "config/environment"
+
+run Rails.application
+Rails.application.load_server

test/dummy/config/application.rb

@@ -0,0 +1,22 @@
+require_relative "boot"
+
+require "rails/all"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+require "geokit-rails"
+
+module Dummy
+  class Application < Rails::Application
+    config.load_defaults Rails::VERSION::STRING.to_f
+
+    # Configuration for the application, engines, and railties goes here.
+    #
+    # These settings can be overridden in specific environments using the files
+    # in config/environments, which are processed later.
+    #
+    # config.time_zone = "Central Time (US & Canada)"
+    # config.eager_load_paths << Rails.root.join("extras")
+  end
+end

test/dummy/config/boot.rb

@@ -0,0 +1,5 @@
+# Set up gems listed in the Gemfile.
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
+
+require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+$LOAD_PATH.unshift File.expand_path("../../../lib", __dir__)

test/dummy/config/cable.yml

@@ -0,0 +1,10 @@
+development:
+  adapter: async
+
+test:
+  adapter: test
+
+production:
+  adapter: redis
+  url: <%= ENV.fetch("REDIS_URL") { "redis://localhost:6379/1" } %>
+  channel_prefix: dummy_production

test/dummy/config/database.yml

@@ -0,0 +1,25 @@
+# SQLite. Versions 3.8.0 and up are supported.
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem "sqlite3"
+#
+default: &default
+  adapter: sqlite3
+  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
+  timeout: 5000
+
+development:
+  <<: *default
+  database: db/development.sqlite3
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  <<: *default
+  database: db/test.sqlite3
+
+production:
+  <<: *default
+  database: db/production.sqlite3

test/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require_relative "application"
+
+# Initialize the Rails application.
+Rails.application.initialize!

test/dummy/config/environments/development.rb

@@ -0,0 +1,68 @@
+require "active_support/core_ext/integer/time"
+
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded any time
+  # it changes. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports.
+  config.consider_all_requests_local = true
+
+  # Enable server timing
+  config.server_timing = true
+
+  # Enable/disable caching. By default caching is disabled.
+  # Run rails dev:cache to toggle caching.
+  if Rails.root.join("tmp/caching-dev.txt").exist?
+    config.action_controller.perform_caching = true
+    config.action_controller.enable_fragment_cache_logging = true
+
+    config.cache_store = :memory_store
+    config.public_file_server.headers = {
+      "Cache-Control" => "public, max-age=#{2.days.to_i}"
+    }
+  else
+    config.action_controller.perform_caching = false
+
+    config.cache_store = :null_store
+  end
+
+  # Store uploaded files on the local file system (see config/storage.yml for options).
+  config.active_storage.service = :local
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  config.action_mailer.perform_caching = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raise exceptions for disallowed deprecations.
+  config.active_support.disallowed_deprecation = :raise
+
+  # Tell Active Support which deprecation messages to disallow.
+  config.active_support.disallowed_deprecation_warnings = []
+
+  # Raise an error on page load if there are pending migrations.
+  config.active_record.migration_error = :page_load
+
+  # Highlight code that triggered database queries in logs.
+  config.active_record.verbose_query_logs = true
+
+
+  # Raises error for missing translations.
+  # config.i18n.raise_on_missing_translations = true
+
+  # Annotate rendered view with file names.
+  # config.action_view.annotate_rendered_view_with_filenames = true
+
+  # Uncomment if you wish to allow Action Cable access from any origin.
+  # config.action_cable.disable_request_forgery_protection = true
+end