• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

ruby-grape / grape / 29200448895 / 32
97%
master: 97%

Build:
DEFAULT BRANCH: master
Ran 12 Jul 2026 04:37PM UTC
Files 168
Run time 4s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

12 Jul 2026 04:36PM UTC coverage: 47.758% (+0.1%) from 47.655%
29200448895.32

push

github

web-flow
Add Grape::Mountable marker to identify a Grape app (#2793)

* Add Grape::Mountable marker to identify a Grape app

Grape distinguished a mounted Grape app from a bare Rack app by duck-typing
on an incidental internal method (`respond_to?(:inheritable_setting)`).
That is brittle: Grape::API and Grape::API::Instance share no common
ancestor and don't even respond to the same methods (mount_instance vs
inheritable_setting/endpoints), so there was no single predicate and the
checks keyed on a settings method that has nothing to do with mountability.

Introduce a Grape::Mountable marker extended by both Grape::API and
Grape::API::Instance, giving one explicit `is_a?(Grape::Mountable)`
predicate. Route the identity checks through it: Endpoint#bare_rack_app?
(used for forward_match) and the mount branch in DSL::Routing.

Capability checks that go on to call a stage-specific method are left as
respond_to? on purpose (a Mountable does not respond to every such method):
`respond_to?(:mount_instance)` still gates the remountable-class stage,
`respond_to?(:endpoints)` still guards reading endpoints, and the settings
inheritance check still guards calling inheritable_setting.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Harden mounted-app auth surface and error HTML escaping

Two security-relevant fixes surfaced by a review of Grape::API:

- Grape::Middleware::Error#rack_response only escaped the error message
  when the response content-type was exactly 'text/html', so a
  parameterized value such as 'text/html; charset=utf-8' skipped escaping
  and could reflect an unescaped message into an HTML response. Compare the
  media type only.

- A bare Rack app mounted with `mount` is called directly and never goes
  through the endpoint middleware stack, so an API's authentication
  middleware does not wrap it and the mount is reachable unauthenticated.
  Mounted Grape APIs are unaffected. Warn at compile time when a bare Rack
  app is mounted under co... (continued)

164 of 1228 branches covered (13.36%)

Branch coverage included in aggregate %.

2179 of 3678 relevant lines covered (59.24%)

1.01 hits per line

Source Files on job run-4.0-gemfiles/multi_json_1_20.gemfile - 29200448895.32
  • Tree
  • List 168
  • Changed 6
  • Source Changed 6
  • Coverage Changed 6
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Build 29200448895
  • db3e3e9d on github
  • Prev Job for on master (#29200240078.17)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc