asset pipeline in rails 3.2.9.rc2 fails to require assets with dot in the filename, claiming recursive require #8099

Closed
apeiros opened this Issue Nov 2, 2012 · 24 comments


9 participants

@apeiros
apeiros commented Nov 2, 2012

To recreate:
Have two files in your app/assets/stylesheets, application.sass and foo.bar.sass, with application.sass containing only a /*= require foo.bar */ and foo.bar.sass being empty; you'll get the following exception when precompiling:

/RAILS_ROOT/app/assets/stylesheets/application/foo.bar.sass has already been required
  (in /RAILS_ROOT/app/assets/stylesheets/application/foo.bar.sass)

Were you using 3.2.8 prior to trying the rc?

Owner

Which sprockets version do you have installed?

apeiros commented Nov 2, 2012

Bundler says Using sprockets (2.8.1), I hope that's the information you seek. And yes, I used 3.2.8 prior to 3.2.9.rc2.

Owner

I hit this error in an app with 3-2-stable but I didn't investigate it further.

Owner

@josh mind to give us some enlightenment?

@guilleiguaran guilleiguaran was assigned Nov 3, 2012
Owner

I'm investigating this, I think this is caused by: sstephenson/sprockets@abe94ac

Owner

The problem can be reproduced with this app: https://github.com/guilleiguaran/sprocketsissue

Member
josh commented Nov 9, 2012

Remove sass-rails and this isn't a problem.

Owner
jeremy commented Nov 27, 2012

Looks like sass-rails' Sprockets::SassImporter does some funky relative path globbing. Assuming that's what @josh is referring to since Sprockets has its own SassImporter now.

46bit commented Jan 8, 2013

Using https://github.com/guilleiguaran/sprocketsissue under Rails 3.2.9 and 3.2.10 fails to reproduce this issue, so it appears to have been fixed when @guilleiguaran closed it.

Suggest reclose?

Owner

@46Bit yes, this is fixed in 3.2.9 and 3.2.10 since we downgraded sprockets to 2.2.x, but we are still having the problem moving rails 3.2.x to use the latest version of sprockets (2.8.x).

Contributor

@rafaelfranca @josh @guilleiguaran I am still not really following what is blocking us from unlocking 3.2.14 ... there is at least one security hole patched in 2.3.1, and a backport is a poor solution because people need to know about it.

Owner

@SamSaffron the unique blocker is this issue, I would love it if you or someone else is able to fix it ❤️

Contributor

@guilleiguaran no repro here both in dev and with precompile

  • updates rails to latest stable
  • hacked up version of local latest sprockets
  • updates all gems to latest

rake assets:precompile works
also works in debug, scaffolded a resource.

Suggest it may have been fixed upstream. cc @josh @rafaelfranca

My Gemfile:

source 'https://rubygems.org'

gem 'rails', '3.2.13'
gem 'sprockets', :path => '/home/sam/Source/sprockets'

# Bundle edge Rails instead:
# gem 'rails', :git => 'git://github.com/rails/rails.git'

gem 'sqlite3'


# Gems used only for assets and not required
# in production environments by default.
group :assets do
  gem 'sass-rails',   '~> 3.2.3'
  gem 'coffee-rails', '~> 3.2.1'

  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
  # gem 'therubyracer', :platforms => :ruby

  gem 'uglifier', '>= 1.0.3'
end

gem 'jquery-rails'

# To use ActiveModel has_secure_password
# gem 'bcrypt-ruby', '~> 3.0.0'

# To use Jbuilder templates for JSON
# gem 'jbuilder'

# Use unicorn as the app server
# gem 'unicorn'

# Deploy with Capistrano
# gem 'capistrano'

# To use debugger
# gem 'debugger'

This Gemfile.lock diff:

@ -1,112 +1,117 @@
+PATH
+  remote: /home/sam/Source/sprockets
+  specs:
+    sprockets (2.2.1)
+      hike (~> 1.2)
+      multi_json (~> 1.0)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.9.rc2)
-      actionpack (= 3.2.9.rc2)
-      mail (~> 2.4.4)
-    actionpack (3.2.9.rc2)
-      activemodel (= 3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
+    actionmailer (3.2.13)
+      actionpack (= 3.2.13)
+      mail (~> 2.5.3)
+    actionpack (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
       journey (~> 1.0.4)
-      rack (~> 1.4.0)
+      rack (~> 1.4.5)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.2)
-    activemodel (3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
-    activerecord (3.2.9.rc2)
-      activemodel (= 3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
+    activerecord (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.9.rc2)
-      activemodel (= 3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
-    activesupport (3.2.9.rc2)
-      i18n (~> 0.6)
+    activeresource (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+    activesupport (3.2.13)
+      i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
     builder (3.0.4)
     coffee-rails (3.2.2)
       coffee-script (>= 2.2.0)
       railties (~> 3.2.0)
     coffee-script (2.2.0)
       coffee-script-source
       execjs
-    coffee-script-source (1.4.0)
+    coffee-script-source (1.6.2)
     erubis (2.7.0)
     execjs (1.4.0)
       multi_json (~> 1.0)
-    hike (1.2.1)
+    hike (1.2.2)
     i18n (0.6.1)
     journey (1.0.4)
-    jquery-rails (2.1.3)
-      railties (>= 3.1.0, < 5.0)
-      thor (~> 0.14)
-    json (1.7.5)
-    mail (2.4.4)
+    jquery-rails (2.2.1)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.7.7)
+    mail (2.5.3)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
-    mime-types (1.19)
-    multi_json (1.3.7)
+    mime-types (1.22)
+    multi_json (1.7.2)
     polyglot (0.3.3)
-    rack (1.4.1)
+    rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
-    rack-ssl (1.3.2)
+    rack-ssl (1.3.3)
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.9.rc2)
-      actionmailer (= 3.2.9.rc2)
-      actionpack (= 3.2.9.rc2)
-      activerecord (= 3.2.9.rc2)
-      activeresource (= 3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
+    rails (3.2.13)
+      actionmailer (= 3.2.13)
+      actionpack (= 3.2.13)
+      activerecord (= 3.2.13)
+      activeresource (= 3.2.13)
+      activesupport (= 3.2.13)
       bundler (~> 1.0)
-      railties (= 3.2.9.rc2)
-    railties (3.2.9.rc2)
-      actionpack (= 3.2.9.rc2)
-      activesupport (= 3.2.9.rc2)
+      railties (= 3.2.13)
+    railties (3.2.13)
+      actionpack (= 3.2.13)
+      activesupport (= 3.2.13)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
-    rake (0.9.2.2)
-    rdoc (3.12)
+    rake (10.0.4)
+    rdoc (3.12.2)
       json (~> 1.4)
-    sass (3.2.2)
-    sass-rails (3.2.5)
+    sass (3.2.7)
+    sass-rails (3.2.6)
       railties (~> 3.2.0)
       sass (>= 3.1.10)
       tilt (~> 1.3)
-    sprockets (2.8.1)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.6)
-    thor (0.16.0)
-    tilt (1.3.3)
+    sqlite3 (1.3.7)
+    thor (0.18.1)
+    tilt (1.3.7)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.35)
-    uglifier (1.3.0)
+    tzinfo (0.3.37)
+    uglifier (2.0.1)
       execjs (>= 0.3.0)
       multi_json (~> 1.0, >= 1.0.2)

 PLATFORMS
   ruby

 DEPENDENCIES
   coffee-rails (~> 3.2.1)
   jquery-rails
-  rails (= 3.2.9.rc2)
+  rails (= 3.2.13)
   sass-rails (~> 3.2.3)
+  sprockets!
   sqlite3
   uglifier (>= 1.0.3)
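
Review bot: The PATH block at the top of the hunk records the local checkout as `sprockets (2.2.1)`, and the `actionpack (3.2.13)` entry tightens its constraint to `sprockets (~> 2.2.1)`, so this lockfile cannot by itself show that the test ran against a 2.8.x sprockets; it is equally consistent with a checkout whose version constant was lowered to satisfy the rails pin (the later comment about "fudging version numbers" suggests exactly that). The repro claim would be more convincing if the comment stated which upstream commit `/home/sam/Source/sprockets` was at, or if the lock were generated against a released 2.8.x gem. Minor: the hunk header `@ -1,112 +1,117 @@` is missing its leading `@`, so the diff as pasted will not apply with `git apply`.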

Owner

@SamSaffron good news. But I'm still not confident about relaxing the sprockets dependency in a stable branch. People don't try release candidates, and if we have a security issue and need to release a new 3.2.x version, people can have regressions because of sprockets.

Contributor

@rafaelfranca I follow, this is not a simple situation; the tricky thing to balance on the other side is that the currently pinned version of sprockets has known security vulnerabilities.

Owner

Were the security issues fixed in a recent version of sprockets? (can you provide a commit link?) 😁

Contributor

@guilleiguaran according to the change log on sprockets: https://github.com/sstephenson/sprockets

2.3.1

Security: Check path for forbidden access after unescaping
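The changelog line above names the defect class but not the mechanism. The following is an added example, not sprockets' own code and not from any participant in this thread: a minimal asset-path resolver in two versions. The weak version checks for ".." before percent-decoding, so an encoded traversal segment passes the check and is only decoded afterwards; the corrected version decodes first, normalizes the absolute path, and then verifies that the result is still contained under the asset root. The root directory and the sample request paths are constructed for this example.

```ruby
require 'pathname'

# Assumed asset root for the example (constructed; any absolute path would do).
ASSET_ROOT = '/srv/app/public/assets'.freeze

# Minimal percent-decoder so the example has no dependency beyond stdlib.
def percent_decode(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Lexically resolve a decoded request path against ASSET_ROOT.
# Pathname#cleanpath collapses "." and ".." without touching the filesystem,
# and avoids File.expand_path's "~" expansion.
def absolute_under_root(decoded)
  rel = decoded.sub(%r{\A/+}, '')
  Pathname.new(ASSET_ROOT).join(rel).cleanpath.to_s
end

# WEAK: the forbidden-segment check runs on the still-encoded path.
# "%2e%2e" is not ".." at this point, so it is not rejected; the escape
# only materializes after decoding, when no check runs any more.
def resolve_weak(url_path)
  return :forbidden if url_path.split('/').include?('..')
  absolute_under_root(percent_decode(url_path))
end

# FIXED (the shape of the 2.3.1 change): decode first, then check the
# normalized absolute path for containment under the root.
def resolve_safe(url_path)
  decoded = percent_decode(url_path)
  return :forbidden if decoded.include?("\0")
  full = absolute_under_root(decoded)
  return :forbidden unless full == ASSET_ROOT || full.start_with?("#{ASSET_ROOT}/")
  full
end

if __FILE__ == $PROGRAM_NAME
  %w[/application.css /foo%2Ebar.css /../etc/passwd /%2e%2e/%2e%2e/etc/passwd].each do |p|
    puts format('%-28s weak=%-28s safe=%s', p, resolve_weak(p), resolve_safe(p))
  end
end
```

The containment test is the load-bearing part: any check that pattern-matches the raw string (for "..", for a leading slash, for a forbidden directory name) is only as good as the canonicalization that precedes it, and a later decode step silently reopens the hole. Note that a legitimately dotted filename such as foo.bar.css is unaffected by the fix, since "." inside a segment is not a traversal.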

Owner

@SamSaffron right, I was aware of it and I asked for backports for old versions of sprockets used by rails.

We're safe in Rails with 62b74b1 and 03e2895

Owner

version 2.2.1 (used right now in 3-2-stable) is safe also

Owner

anyway, I'm 👍 about the version bump but I understand the concerns of @rafaelfranca; we have reverted version bumps for dependencies in previous versions of rails.

Contributor

I totally get the reluctance to relax the dependency lock here; it's a "damned if you do, damned if you don't" situation.

For now we are forking and fudging version numbers at Discourse, will report back if we notice any issues.

Contributor

anyway @guilleiguaran this bug should be closed, unless someone else is able to repro with latest
