actionpack 5.2.3

data/lib/action_dispatch.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+#--
+# Copyright (c) 2004-2018 David Heinemeier Hansson
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#++
+
+require "active_support"
+require "active_support/rails"
+require "active_support/core_ext/module/attribute_accessors"
+
+require "action_pack"
+require "rack"
+
+module Rack
+  autoload :Test, "rack/test"
+end
+
+module ActionDispatch
+  extend ActiveSupport::Autoload
+
+  class IllegalStateError < StandardError
+  end
+
+  eager_autoload do
+    autoload_under "http" do
+      autoload :ContentSecurityPolicy
+      autoload :Request
+      autoload :Response
+    end
+  end
+
+  autoload_under "middleware" do
+    autoload :RequestId
+    autoload :Callbacks
+    autoload :Cookies
+    autoload :DebugExceptions
+    autoload :DebugLocks
+    autoload :ExceptionWrapper
+    autoload :Executor
+    autoload :Flash
+    autoload :PublicExceptions
+    autoload :Reloader
+    autoload :RemoteIp
+    autoload :ShowExceptions
+    autoload :SSL
+    autoload :Static
+  end
+
+  autoload :Journey
+  autoload :MiddlewareStack, "action_dispatch/middleware/stack"
+  autoload :Routing
+
+  module Http
+    extend ActiveSupport::Autoload
+
+    autoload :Cache
+    autoload :Headers
+    autoload :MimeNegotiation
+    autoload :Parameters
+    autoload :ParameterFilter
+    autoload :Upload
+    autoload :UploadedFile, "action_dispatch/http/upload"
+    autoload :URL
+  end
+
+  module Session
+    autoload :AbstractStore,     "action_dispatch/middleware/session/abstract_store"
+    autoload :CookieStore,       "action_dispatch/middleware/session/cookie_store"
+    autoload :MemCacheStore,     "action_dispatch/middleware/session/mem_cache_store"
+    autoload :CacheStore,        "action_dispatch/middleware/session/cache_store"
+  end
+
+  mattr_accessor :test_app
+
+  autoload_under "testing" do
+    autoload :Assertions
+    autoload :Integration
+    autoload :IntegrationTest, "action_dispatch/testing/integration"
+    autoload :TestProcess
+    autoload :TestRequest
+    autoload :TestResponse
+    autoload :AssertionResponse
+  end
+
+  autoload :SystemTestCase, "action_dispatch/system_test_case"
+end
+
+autoload :Mime, "action_dispatch/http/mime_type"
+
+ActiveSupport.on_load(:action_view) do
+  ActionView::Base.default_formats ||= Mime::SET.symbols
+  ActionView::Template::Types.delegate_to Mime
+end

data/lib/action_dispatch/http/cache.rb

@@ -0,0 +1,222 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    module Cache
+      module Request
+        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE".freeze
+        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH".freeze
+
+        def if_modified_since
+          if since = get_header(HTTP_IF_MODIFIED_SINCE)
+            Time.rfc2822(since) rescue nil
+          end
+        end
+
+        def if_none_match
+          get_header HTTP_IF_NONE_MATCH
+        end
+
+        def if_none_match_etags
+          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+        end
+
+        def not_modified?(modified_at)
+          if_modified_since && modified_at && if_modified_since >= modified_at
+        end
+
+        def etag_matches?(etag)
+          if etag
+            validators = if_none_match_etags
+            validators.include?(etag) || validators.include?("*")
+          end
+        end
+
+        # Check response freshness (Last-Modified and ETag) against request
+        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # supplied, both must match, or the request is not considered fresh.
+        def fresh?(response)
+          last_modified = if_modified_since
+          etag          = if_none_match
+
+          return false unless last_modified || etag
+
+          success = true
+          success &&= not_modified?(response.last_modified) if last_modified
+          success &&= etag_matches?(response.etag) if etag
+          success
+        end
+      end
+
+      module Response
+        attr_reader :cache_control
+
+        def last_modified
+          if last = get_header(LAST_MODIFIED)
+            Time.httpdate(last)
+          end
+        end
+
+        def last_modified?
+          has_header? LAST_MODIFIED
+        end
+
+        def last_modified=(utc_time)
+          set_header LAST_MODIFIED, utc_time.httpdate
+        end
+
+        def date
+          if date_header = get_header(DATE)
+            Time.httpdate(date_header)
+          end
+        end
+
+        def date?
+          has_header? DATE
+        end
+
+        def date=(utc_time)
+          set_header DATE, utc_time.httpdate
+        end
+
+        # This method sets a weak ETag validator on the response so browsers
+        # and proxies may cache the response, keyed on the ETag. On subsequent
+        # requests, the If-None-Match header is set to the cached ETag. If it
+        # matches the current ETag, we can return a 304 Not Modified response
+        # with no body, letting the browser or proxy know that their cache is
+        # current. Big savings in request time and network bandwidth.
+        #
+        # Weak ETags are considered to be semantically equivalent but not
+        # byte-for-byte identical. This is perfect for browser caching of HTML
+        # pages where we don't care about exact equality, just what the user
+        # is viewing.
+        #
+        # Strong ETags are considered byte-for-byte identical. They allow a
+        # browser or proxy cache to support Range requests, useful for paging
+        # through a PDF file or scrubbing through a video. Some CDNs only
+        # support strong ETags and will ignore weak ETags entirely.
+        #
+        # Weak ETags are what we almost always need, so they're the default.
+        # Check out #strong_etag= to provide a strong ETag validator.
+        def etag=(weak_validators)
+          self.weak_etag = weak_validators
+        end
+
+        def weak_etag=(weak_validators)
+          set_header "ETag", generate_weak_etag(weak_validators)
+        end
+
+        def strong_etag=(strong_validators)
+          set_header "ETag", generate_strong_etag(strong_validators)
+        end
+
+        def etag?; etag; end
+
+        # True if an ETag is set and it's a weak validator (preceded with W/)
+        def weak_etag?
+          etag? && etag.starts_with?('W/"')
+        end
+
+        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        def strong_etag?
+          etag? && !weak_etag?
+        end
+
+      private
+
+        DATE          = "Date".freeze
+        LAST_MODIFIED = "Last-Modified".freeze
+        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+
+        def generate_weak_etag(validators)
+          "W/#{generate_strong_etag(validators)}"
+        end
+
+        def generate_strong_etag(validators)
+          %("#{ActiveSupport::Digest.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
+        end
+
+        def cache_control_segments
+          if cache_control = _cache_control
+            cache_control.delete(" ").split(",")
+          else
+            []
+          end
+        end
+
+        def cache_control_headers
+          cache_control = {}
+
+          cache_control_segments.each do |segment|
+            directive, argument = segment.split("=", 2)
+
+            if SPECIAL_KEYS.include? directive
+              key = directive.tr("-", "_")
+              cache_control[key.to_sym] = argument || true
+            else
+              cache_control[:extras] ||= []
+              cache_control[:extras] << segment
+            end
+          end
+
+          cache_control
+        end
+
+        def prepare_cache_control!
+          @cache_control = cache_control_headers
+        end
+
+        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
+        NO_CACHE              = "no-cache".freeze
+        PUBLIC                = "public".freeze
+        PRIVATE               = "private".freeze
+        MUST_REVALIDATE       = "must-revalidate".freeze
+
+        def handle_conditional_get!
+          # Normally default cache control setting is handled by ETag
+          # middleware. But, if an etag is already set, the middleware
+          # defaults to `no-cache` unless a default `Cache-Control` value is
+          # previously set. So, set a default one here.
+          if (etag? || last_modified?) && !self._cache_control
+            self._cache_control = DEFAULT_CACHE_CONTROL
+          end
+        end
+
+        def merge_and_normalize_cache_control!(cache_control)
+          control = {}
+          cc_headers = cache_control_headers
+          if extras = cc_headers.delete(:extras)
+            cache_control[:extras] ||= []
+            cache_control[:extras] += extras
+            cache_control[:extras].uniq!
+          end
+
+          control.merge! cc_headers
+          control.merge! cache_control
+
+          if control.empty?
+            # Let middleware handle default behavior
+          elsif control[:no_cache]
+            options = []
+            options << PUBLIC if control[:public]
+            options << NO_CACHE
+            options.concat(control[:extras]) if control[:extras]
+
+            self._cache_control = options.join(", ")
+          else
+            extras  = control[:extras]
+            max_age = control[:max_age]
+
+            options = []
+            options << "max-age=#{max_age.to_i}" if max_age
+            options << (control[:public] ? PUBLIC : PRIVATE)
+            options << MUST_REVALIDATE if control[:must_revalidate]
+            options.concat(extras) if extras
+
+            self._cache_control = options.join(", ")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -0,0 +1,272 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/deep_dup"
+
+module ActionDispatch #:nodoc:
+  class ContentSecurityPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type".freeze
+      POLICY = "Content-Security-Policy".freeze
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new env
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.content_security_policy
+          nonce = request.content_security_policy_nonce
+          context = request.controller_instance || request
+          headers[header_name(request)] = policy.build(context, nonce)
+        end
+
+        response
+      end
+
+      private
+
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            content_type =~ /html/
+          end
+        end
+
+        def header_name(request)
+          if request.content_security_policy_report_only
+            POLICY_REPORT_ONLY
+          else
+            POLICY
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.content_security_policy".freeze
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator".freeze
+      NONCE = "action_dispatch.content_security_policy_nonce".freeze
+
+      def content_security_policy
+        get_header(POLICY)
+      end
+
+      def content_security_policy=(policy)
+        set_header(POLICY, policy)
+      end
+
+      def content_security_policy_report_only
+        get_header(POLICY_REPORT_ONLY)
+      end
+
+      def content_security_policy_report_only=(value)
+        set_header(POLICY_REPORT_ONLY, value)
+      end
+
+      def content_security_policy_nonce_generator
+        get_header(NONCE_GENERATOR)
+      end
+
+      def content_security_policy_nonce_generator=(generator)
+        set_header(NONCE_GENERATOR, generator)
+      end
+
+      def content_security_policy_nonce
+        if content_security_policy_nonce_generator
+          if nonce = get_header(NONCE)
+            nonce
+          else
+            set_header(NONCE, generate_content_security_policy_nonce)
+          end
+        end
+      end
+
+      private
+
+        def generate_content_security_policy_nonce
+          content_security_policy_nonce_generator.call(self)
+        end
+    end
+
+    MAPPINGS = {
+      self:           "'self'",
+      unsafe_eval:    "'unsafe-eval'",
+      unsafe_inline:  "'unsafe-inline'",
+      none:           "'none'",
+      http:           "http:",
+      https:          "https:",
+      data:           "data:",
+      mediastream:    "mediastream:",
+      blob:           "blob:",
+      filesystem:     "filesystem:",
+      report_sample:  "'report-sample'",
+      strict_dynamic: "'strict-dynamic'",
+      ws:             "ws:",
+      wss:            "wss:"
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri:        "base-uri",
+      child_src:       "child-src",
+      connect_src:     "connect-src",
+      default_src:     "default-src",
+      font_src:        "font-src",
+      form_action:     "form-action",
+      frame_ancestors: "frame-ancestors",
+      frame_src:       "frame-src",
+      img_src:         "img-src",
+      manifest_src:    "manifest-src",
+      media_src:       "media-src",
+      object_src:      "object-src",
+      script_src:      "script-src",
+      style_src:       "style-src",
+      worker_src:      "worker-src"
+    }.freeze
+
+    NONCE_DIRECTIVES = %w[script-src].freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build(context = nil, nonce = nil)
+      build_directives(context, nonce).compact.join("; ")
+    end
+
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context, nonce)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            if nonce && nonce_directive?(directive)
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+            else
+              "#{directive} #{build_directive(sources, context).join(' ')}"
+            end
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
+          else
+            resolved = context.instance_exec(&source)
+            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
+          end
+        else
+          raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
+        end
+      end
+
+      def nonce_directive?(directive)
+        NONCE_DIRECTIVES.include?(directive)
+      end
+  end
+end