• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

ruby-grape / grape
97%
master: 97%

Build:
Build:
LAST BUILD BRANCH: fix/recompile-settings-mutation-race
DEFAULT BRANCH: master
Repo Added 04 Apr 2013 06:08AM UTC
Files 167
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

LAST BUILD ON BRANCH security/mounted-rack-auth-and-html-escape
branch: security/mounted-rack-auth-and-html-escape
CHANGE BRANCH
x
Reset
  • security/mounted-rack-auth-and-html-escape
  • DateFormat
  • Handle_json_array
  • ISSUE-2321
  • Issue-1908
  • active_support_6_1_minimal
  • add-agents-md
  • add_irb_in_gemfile_for_bundle_console_warning
  • add_rack_3_2_gemfile
  • add_rails_8_1_on_ci
  • add_ruby_3_4
  • add_ruby_4_0_cli
  • api_override_singleton_methods
  • benchmark/results-machine-spec
  • body-metadata
  • bugfix/1577
  • bugfix/1970
  • bugfix/1986
  • bugfix/2041
  • bugfix/autoload
  • bugfix/memory-leak
  • build_with_registry
  • chore/agents-md-style-rules
  • chore/cleanup-on-compilation
  • chore/coercion-tests
  • chore/drop-middleware-globals
  • chore/guard-clause-cleanup
  • chore/json-parse-fallback
  • chore/min-ruby-3.3
  • chore/normalize-eql-aliases
  • chore/primitive-coercer-spec
  • chore/prune-requires
  • chore/raise-dependency-lower-bounds
  • chore/readability-guard-clauses
  • chore/readability-pass
  • clean_up_useless_dependencies
  • cleanup-deprecated-code
  • compiled_endpoints
  • contract_scope_validator_public_schema
  • cookies_delegation
  • crush_desclared_params
  • custom-validator-namespace-lookup
  • declared_params_optional_array
  • deprecated_endpoint_return
  • doc
  • doc/remove_manual_toc_and_toc_danger_check
  • doc/remove_toc
  • doc/update_reload_documentation_for_current_Rails_versions
  • docs/format-removal-note
  • docs/readme-typos-and-fixnum-cleanup
  • draft/middleware-options-data
  • drop_namespace_description
  • drop_ruby_3_0_as_7_0
  • drop_support_ruby_2_7_0
  • dynamic_registration
  • empty_string_and_bool
  • enable_branch_coverage
  • enable_frozen_string_literal_ci
  • endpoint_api_kwarg
  • endpoint_app_kwarg
  • endpoint_cleanup
  • endpoint_http_methods_kwarg
  • endpoint_path_kwarg
  • entity-dsl
  • erik/remove-faulty-documentation-about-blank-values
  • exclude_ruby_3_2_rails_edge
  • explicit_route_options
  • exposes-to-s
  • extract_entity_dsl_and_kwargs_with
  • extract_testing_module
  • extract_translation
  • failing_spec_for_1967
  • faster_normalize_path
  • feature/endpoint-logger
  • feature/error-formatter-kwargs-2527
  • feature/grape-api-setup-var-array
  • feature/hash-oneof-2385
  • feature/return_of_return
  • feature/warn-on-helper-overrides
  • feature_rack_lint
  • fix-636
  • fix-badges
  • fix-before-each-nil-nomethoderror
  • fix-docs
  • fix-helper-inheritance
  • fix-options-const-defined-object-fallback
  • fix-typo
  • fix/2748-structured-message-leak
  • fix/2763-multijson-deprecations
  • fix/auth-base-subclass-issue-2669
  • fix/avoid_multiple_mounts_pollution
  • fix/cascade_reading_api_level
  • fix/custom-type-coercer-symbolize-collection
  • fix/json-load-create-additions
  • fix/json-use-parse
  • fix/multixml-deprecation
  • fix/recompile-settings-mutation-race
  • fix/reduce_base_route_array_allocation
  • fix/rescue-from-internal-errors-2482
  • fix/router-request-time-map-mutation
  • fix/sendfile_test_fix
  • fix/variant-collection-coercer-to-s
  • fix_2566_memory_leak
  • fix_all_media_types_regression
  • fix_before_each_no_method_error
  • fix_coercer_cache
  • fix_danger_workflow
  • fix_endpoint_status_when_not_calling_error!
  • fix_gh_workflow_annotations_warnings
  • fix_helpers_methods_in_public_scope
  • fix_leaky_slash
  • fix_middleware_keywords
  • fix_param_scope_thread_safety
  • fix_registry_warning_message
  • fix_require_logger
  • fix_routes_memoization
  • fix_shared_params_empty_args
  • fix_style_optional_boolean_parameter
  • format_header_best_q_match
  • forward_match_kwarg
  • funding
  • happy_rubocop
  • head_route_on_route_class
  • hook-readme
  • instance_to_s_delegation
  • issue-1775
  • issue-2385
  • lazy_block
  • lazy_compile
  • less_active_support_concern
  • less_parse_nested_query
  • master
  • migrate-danger-pr-comment
  • migrate-to-dry-configurable
  • mountable_apis
  • namespace_route_param_explicit_kwargs
  • optimize/parameters-extract-options-non-mutating
  • optimize_api_documentation
  • patch-1
  • perf/avoid-empty-hash-merges
  • perf/build-headers-each-header
  • perf/instrument-only-when-subscribed
  • perf/lazy-base-inheritable-new-values
  • perf/lazy-inheritable-setting-fields
  • perf/lazy-param-scope-tracker
  • perf/lazy-response-cookies
  • perf/precompute-middleware-caches
  • perf/request-hot-path-polish
  • perf/router-transaction-no-proc
  • perf/routing-args-in-place-merge
  • perf/skip-empty-validation-errors-alloc
  • perf/skip-redundant-routing-args-write
  • perf/skip-validation-backtrace
  • perf/stackable-empty-singleton
  • perf/versioner-path-prefix
  • private_namespace_reverse_stackable_with_hash
  • private_within_namespace
  • rack_request_error
  • real-api-integration-test
  • reduce_array_alloc_on_setup
  • refactor/api-instance-dsl-modules
  • refactor/attrs_iterator
  • refactor/auth-dsl-kwargs
  • refactor/available-media-types-attr-reader
  • refactor/base-validator-encapsulation
  • refactor/coerce-options-data
  • refactor/de-morgan-conditions
  • refactor/declared-params-handler
  • refactor/declared_availability
  • refactor/define-method-cleanup
  • refactor/drop-indifferent-and-reverse-merge-requires
  • refactor/dsl-group-validators-dry
  • refactor/endpoint-options-data
  • refactor/endpoint-options-route-enabled
  • refactor/error-response-data
  • refactor/error-response-value-object
  • refactor/extract-handler-case-when
  • refactor/extract-path-normalizer
  • refactor/guard-clauses-style
  • refactor/inline-mustermann-grape
  • refactor/lazy-base-ancestor
  • refactor/middleware-cleanups
  • refactor/named_kwargs_params_scope
  • refactor/params-dsl-using-except-kwargs
  • refactor/precomputed-content-types-move
  • refactor/replace-tap-usages
  • refactor/rescue-from-explicit-first-arg
  • refactor/rescue-handler-dedup
  • refactor/router-pattern-delegation
  • refactor/router-simplification
  • refactor/shared-options-data
  • refactor/stateless-attributes-iterator
  • refactor/validates-pure-helpers
  • refactor/validation-errors-drop-enumerable
  • refactor/validations-spec-self-validate
  • refactor/version-guard-clause
  • refactor_available_media_types_in_header_middleware
  • refactor_declared_params_handling
  • refactor_http_headers
  • refactor_mime_type_for
  • refactor_route_setting_internal_usage
  • refactor_setting_get_or_set
  • refs/heads/master
  • refs/tags/v1.7.1
  • refs/tags/v1.8.0
  • refs/tags/v2.0.0
  • regression/json-error-formatter-double-wrap
  • release/3.2.1
  • remove-unused-constant
  • remove_deprecated_param_builder_extensions
  • remove_guard
  • remove_instance_variable_defined
  • remove_namespace_reverse_stackable_from_public_interface
  • remove_namespace_stackable_and_inheritable_from_public_space
  • remove_namespace_stackable_with_hash_from_public_interface
  • remove_non_supported_jsonapi
  • remove_obsolete_docker_compose_version
  • remove_path_dup
  • remove_pattern_format
  • remove_settings_unset_functions
  • remove_strict_hash_configuration
  • remove_test_prof
  • replace_try_by_respond_to
  • rescue_from
  • resolve_performace_issue_with_given
  • revert-1953-chore/micto-optimization-3
  • revert-2726-refactor/stateless-attributes-iterator
  • revert-2774-forward_match_kwarg
  • revert-wrong-commit
  • revisit_auth_middleware
  • revisit_endpoint_helpers_and_new
  • revisit_middleware_default_options
  • revisit_validators
  • robust_mounted_app_comparison
  • route_attributes_kwargs
  • route_match_params_via_pattern
  • ruby3_handling_argument_delegation
  • ruby_3_1_shorthand_kwargs
  • ruby_optimizations
  • ruby_style_send
  • skip_instrumentation_no_validators
  • skip_run_filters_on_empty
  • small_refactor_versioner_middleware
  • spec-only-rack-class
  • test/grape-swagger-integration
  • try_pattern_instead_of_respond_to
  • untangle_route_params
  • update_min_ruby_version_and_rubocop
  • update_return_upgrading_notes_and_simplify_execute
  • update_rubocop
  • update_rubocop_1_71_2
  • update_rubocop_1_88
  • update_rubocop_and_autocorrect
  • upgrade-mustermann
  • upgrade-rubocop
  • upgrading-description
  • use_forwardable
  • use_require_relative_in_gemspec
  • v0.19.2
  • v1.0.0
  • v1.0.1
  • v1.0.2
  • v1.0.3
  • v1.1.0
  • v1.2.0
  • v1.2.1
  • v1.2.2
  • v1.2.3
  • v1.2.4
  • v1.2.5
  • v1.3.0
  • v1.3.1
  • v1.3.2
  • v1.3.3
  • v1.4.0
  • v1.5.0
  • v1.5.1
  • v2.1.0
  • v2.1.1
  • v2.1.2
  • v2.1.3
  • v2.2.0
  • v2.3.0
  • v2.4.0
  • v3.0.0
  • v3.0.1
  • v3.1.0
  • v3.1.1
  • v3.2.0
  • v3.2.1
  • v3.3.0
  • v3.3.1
  • v3.3.1_release
  • v3.3.2
  • v3.3.2_release
  • valid_encoding_before_scrubing
  • validators_bad_encoding

10 Jul 2026 12:07PM UTC coverage: 96.649% (-0.01%) from 96.661%
29091580878

Pull #2789

github

ericproulx
Harden mounted-app auth surface and error HTML escaping

Two security-relevant fixes surfaced by a review of Grape::API:

- Grape::Middleware::Error#rack_response only escaped the error message
  when the response content-type was exactly 'text/html', so a
  parameterized value such as 'text/html; charset=utf-8' skipped escaping
  and could reflect an unescaped message into an HTML response. Compare the
  media type only.

- A bare Rack app mounted with `mount` is called directly and never goes
  through the endpoint middleware stack, so an API's authentication
  middleware does not wrap it and the mount is reachable unauthenticated.
  Mounted Grape APIs are unaffected. Warn at compile time when a bare Rack
  app is mounted under configured authentication so the bypass isn't silent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull Request #2789: Harden mounted-app auth surface and error HTML escaping

1132 of 1228 branches covered (92.18%)

Branch coverage included in aggregate %.

8 of 8 new or added lines in 2 files covered. (100.0%)

3598 of 3666 relevant lines covered (98.15%)

23346.63 hits per line

Relevant lines Covered
Build:
Build:
3666 RELEVANT LINES 3598 COVERED LINES
23346.63 HITS PER LINE
Source Files on security/mounted-rack-auth-and-html-escape
  • Tree
  • List 167
  • Changed 2
  • Source Changed 2
  • Coverage Changed 2
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses

Recent builds

Builds Branch Commit Type Ran Committer Via Coverage
29091580878 security/mounted-rack-auth-and-html-escape Harden mounted-app auth surface and error HTML escaping Two security-relevant fixes surfaced by a review of Grape::API: - Grape::Middleware::Error#rack_response only escaped the error message when the response content-type was exactly 'text/ht... Pull #2789 10 Jul 2026 12:08PM UTC ericproulx github
96.65
29091554593 security/mounted-rack-auth-and-html-escape Harden mounted-app auth surface and error HTML escaping Two security-relevant fixes surfaced by a review of Grape::API: - Grape::Middleware::Error#rack_response only escaped the error message when the response content-type was exactly 'text/ht... Pull #2789 10 Jul 2026 12:07PM UTC ericproulx github
96.65
See All Builds (3208)
  • Repo on GitHub
  • CI Project
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc