Bot releases are hidden (Show)
This release fixes several bugs, adds compatibility with Gradle's configuration caching, and updates two dependencies with critical vulnerabilities.
We hope you enjoy Ratpack 1.8.1.
Ratpack 1.8.0 is now available!
This release adds support for configuring a proxy to utilize with the HttpClient
for outgoing requests, additional convenience methods for Promise.retry
, a number of dependency updates, and other improvements .
The following core dependencies have been upgraded:
Ratpack's HttpClient
can now be configured to utilize a proxy server when sending requests using the HttpClientSpec. proxy
method. Configuring the proxy requires specifying the host
and port
of the proxy. Optionally, the configured proxy can be bypassed for a set of destinations. This set uses the same pattern matching utilized by the core Java libraries and specified here: https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html. It should be noted that the HttpClient
does not respect the http.proxyHost
, http.proxyPort
, and http.nonProxyHosts
system properties.
In this release, Promise.retry
has been extended to allow for specifying a Predicate
to indicate when the RetryPolicy
should be evaluated.
There are also a few other new convenience methods added to support easier development and testing of Ratpack applications.
Thanks to all who contributed.
We hope you enjoy Ratpack 1.8.
--
Team Ratpack
This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.
Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS),
in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.
This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true)
in the ServerConfig
, setting RATPACK_DEVELOPMENT=true
in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false)
when packaged as a Jar.
Users should verify that they are not running Ratpack with development mode activated in production environments.
We would like to thank Jonathan Leitschuh for reporting this vulnerability.
Please see the security advisory for this issue for more information.
Published by ldaley about 5 years ago
This release includes several minor bug fixes, and a fix for a security vulnerability. This upgrade is recommended for everyone using 1.7.x.
Versions of Ratpack 0.9.1 through and including 1.7.4 are vulnerable to HTTP Response Splitting,
if untrusted and unsanitized data is used to populate the headers of a HTTP response.
An attacker can utilize this vulnerability to have the server issue any HTTP response they specify.
If your application uses arbitrary user input as the value of a response header it is vulnerable.
If your application does not use arbitrary values as response header values, it is not vulnerable.
Previously, Ratpack did not validate response header values.
Now, adding a header value that contains the header value termination characters produces a runtime exception.
As there is no mechanism for escaping or encoding the termination characters in a value, a runtime exception is necessary.
As potentially dangerous values now cause runtime exceptions,
it is a good idea to continue to validate and sanitize any user supplied values being used as response headers.
We would like to thank Jonathan Leitschuh for reporting this vulnerability.
Please see the security advisory for this issue for more information.
Published by ldaley about 5 years ago
This release includes a fix for using Gradle's continuous build functionality when running on Java 9 or later. This upgrade is recommended for everyone using 1.7.x.
This release includes a fix for HttpClient
idle timeout that was introduced in Ratpack 1.7.0. Specifically, this timeout was incorrectly applying to in-use HTTP connections from the pool that were idle waiting for a server response. This fixes this behavior and clarifies that idleTimeout
applies only to connections that are not currently acquired from the pool. This upgrade is recommended for everyone using 1.7.x.
Ratpack 1.7.1 is now available!
This patch release fixes a bug with idle connection timeouts for Ratpack's HttpClient
(introduced in 1.7.0
) which prevented timeouts larger than 1 second to be specified.
No other changes were introduced.
--
Team Ratpack
Ratpack 1.7.0 is now available!
This release adds support of idle timeouts when using connection pooling in HttpClient
, an improved Promise.retry
interface, a few dependency updates, deprecation of the ratpack-pac4j
, ratpack-rx
, and ratpack-thymeleaf
modules and other improvements and bug fixes.
The following core dependencies have been upgraded:
The idle timeout for Ratpack's HttpClient
can now be configured using the HttpClientSpec.idleTimeout
method. Specifying a non-zero value for this timeout will allow Ratpack to close unused connections.
The new Promise.retry
method provides a mechanism for encoding complex retry logic in Promise
behavior. With the addition of this method, the previous retry
methods have been deprecated.
Ratpack will now use the native OpenSSL
libraries if available on the runtime system.
The new MockApi
and HandlerFactory
classes provided additional fixtures for writing tests for Ratpack applications. Combined with a mocking framework such as Spock, they allow for declaring remote API behaviors for an application, inline to a test.
As of this release the ratpack-pac4j
library that is released as part of this project is officially deprecated and will be removed in Ratpack 2.0. Support for the latest version of Pac4j are provided via the ratpack-pac4j
module maintained by the Pac4j team.
As of this release the ratpack-rx
and ratpack-thymeleaf
libraries that are released as part of this project are officially deprecated and will be removed in Ratpack 2.0. Users should migrate to the ratpack-rx2
and ratpack-thymeleaf3
libraries.
There are also many other new convenience methods, bug fixes and generally cool stuff added in this release.
Thanks to all who contributed.
We hope you enjoy Ratpack 1.7.
--
Team Ratpack
This release fixes a security vulnerability around session ID generation and is recommended for all users.
The issue stems from the default session ID generator using a cryptographically weak pseudo random number generator in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs. 1.6.1 uses system entropy when generating values to make the values non determinable.
If you are using client side sessions, your application is not vulnerable as the session ID is not used.
If you are using a version earlier than 1.6, you can fix the the issue by binding a custom SessionIdGenerator
implementation based on the new version.
Special thanks to Jonathan Leitschuh for discovering and reporting this vulnerability.
Just in time to ring in 2019, Ratpack 1.6.0 is now available!
This release adds integration with additional reactive programming libraries and many improvements that allow Ratpack to integrate more seamlessly with external libraries.
The following core dependencies have been upgraded:
The new ratpack-reactor
module adds support for integrating Ratpack with Project Reactor types.
The new ratpack-rx2
module adds support for integrating Ratpack with version 2 of RxJava. This is a new module to support the new types introduced in RxJava 2.0.
The new ratpack-thymeleaf3
module adds support for integrating Ratpack with version 3 of Thymeleaf templating.
The new ratpack-gson
module adds support for parsing request bodies and rendering responses using Google's Gson library.
The new Promise.flatOp
method allows for mapping a Promise
directly into an `Operation.
The new Promise.mapError
and Promise.flatMapError
which allow for providing a conditional Predicate
for the mapping.
The ability to configure request and response interceptors for Ratpack's HttpClient
through the HttpClientSpec.requestIntercept
, HttpClientSpec.responseIntercept(Action)
, HttpClientSpec.responseIntercept(Operation)
, and HttpClientSpec.errorIntercept
methods.
Create a new HttpClient
instance by by inheriting from another instance using the HttpClient.copyWith
method.
Improvements in Ratpack's integration with Retrofit by allowing the underlying HttpClient
to be specified with the RatpackRetrofit.Builder.httpClient
method. This allows for utilizing Retrofit outside of a Ratpack HTTP request (e.g. from a background service)
Forked executions can now obtain references to their parent executions through the Execution.getParent()
and [Execution.maybeParent()
] (https://ratpack.io/manual/1.6.0/api/ratpack/exec/Execution.html#maybeParent--) methods.
Applications can now register their own JVM shutdown hook to perform custom behaviors instead of Ratpack's default hook. Applications using a custom hook can disabled the default hook by setting ServerConfigBuilder.registerShutdownHook(false)
The ratpack-dropwizard-metrics
module now supports exporting metrics to Prometheus (DropwizardMetricsConfig.prometheusCollection(true)
) and collecting metrics on ByteBuf
(DropwizardMetricsConfig.byteBufAllocator(Action)
) and HttpClient
(DropwizardMetricsConfig.httpClient(Action)
)
There are also many other new convenience methods, bug fixes and generally cool stuff added in this release.
Thanks to all who contributed.
We hope you enjoy Ratpack 1.6.
--
Team Ratpack
These are the release notes for a Ratpack 1.6.0 release candidate.
Please see the pending release notes for the final release for the complete list of closed issues.
This fourth release candidate of Ratpack 1.6 fixes:
These are the release notes for a Ratpack 1.6.0 release candidate.
Please see the pending release notes for the final release for the complete list of closed issues.
This third release candidate of Ratpack 1.6 fixes:
TypedData.getBytes()
and fixes the implementation to return only valid bytes from the buffer. Removes the previously added TypedData.copyBytes()
method, removes the deprecation from `TypedData.KQueue
transport in NettyThese are the release notes for a Ratpack 1.6.0 release candidate.
Please see the pending release notes for the final release for the complete list of closed issues.
This second release candidate of Ratpack 1.6 fixes:
These are the release notes for a Ratpack 1.6.0 release candidate.
Please see the pending release notes for the final release for the complete list of closed issues.
A little over a year from our last minor release, and 6 months since our last patch, Ratpack 1.6.0 is now available.
This release adds integration with additional reactive programming libraries and many improvements that allow Ratpack to integrate more seamlessly with external libraries.
The following core dependencies have been upgraded:
The new ratpack-reactor
module adds support for integrating Ratpack with Project Reactor types.
The new ratpack-rx2
module adds support for integrating Ratpack with version 2 of RxJava. This is a new module to support the new types introduced in RxJava 2.0.
The new ratpack-thymeleaf3
module adds support for integrating Ratpack with version 3 of Thymeleaf templating.
The new ratpack-gson
module adds support for parsing request bodies and rendering responses using Google's Gson library.
The new Promise.flatOp
method allows for mapping a Promise
directly into an `Operation.
The new Promise.mapError
and Promise.flatMapError
which allow for providing a conditional Predicate
for the mapping.
The ability to configure request and response interceptors for Ratpack's HttpClient
through the HttpClientSpec.requestIntercept
, HttpClientSpec.responseIntercept(Action)
, HttpClientSpec.responseIntercept(Operation)
, and HttpClientSpec.errorIntercept
methods.
Create a new HttpClient
instance by by inheriting from another instance using the HttpClient.copyWith
method.
Improvements in Ratpack's integration with Retrofit by allowing the underlying HttpClient
to be specified with the RatpackRetrofit.Builder.httpClient
method. This allows for utilizing Retrofit outside of a Ratpack HTTP request (e.g. from a background service)
Forked executions can now obtain references to their parent executions through the Execution.getParent()
and [Execution.maybeParent()
] (https://ratpack.io/manual/1.6.0/api/ratpack/exec/Execution.html#maybeParent--) methods.
Applications can now register their own JVM shutdown hook to perform custom behaviors instead of Ratpack's default hook. Applications using a custom hook can disabled the default hook by setting ServerConfigBuilder.registerShutdownHook(false)
The ratpack-dropwizard-metrics
module now supports exporting metrics to Prometheus (DropwizardMetricsConfig.prometheusCollection(true)
) and collecting metrics on ByteBuf
(DropwizardMetricsConfig.byteBufAllocator(Action)
) and HttpClient
(DropwizardMetricsConfig.httpClient(Action)
)
There are also many other new convenience methods, bug fixes and generally cool stuff added in this release.
Thanks to all who contributed.
We hope you enjoy Ratpack 1.6.
--
Team Ratpack