actionpack 5.2.3

data/lib/action_dispatch/http/filter_parameters.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "action_dispatch/http/parameter_filter"
+
+module ActionDispatch
+  module Http
+    # Allows you to specify sensitive parameters which will be replaced from
+    # the request log by looking in the query string of the request and all
+    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
+    # from a hash is possible by using the dot notation: 'credit_card.number'.
+    # If a block is given, each key and value of the params hash and all
+    # sub-hashes is passed to it, where the value or the key can be replaced using
+    # String#replace or similar method.
+    #
+    #   env["action_dispatch.parameter_filter"] = [:password]
+    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    #
+    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
+    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
+    #
+    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
+    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+    #   change { file: { code: "xxxx"} }
+    #
+    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
+    #     v.reverse! if k =~ /secret/i
+    #   end
+    #   => reverses the value to all keys matching /secret/i
+    module FilterParameters
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
+      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+
+      def initialize
+        super
+        @filtered_parameters = nil
+        @filtered_env        = nil
+        @filtered_path       = nil
+      end
+
+      # Returns a hash of parameters with all sensitive data replaced.
+      def filtered_parameters
+        @filtered_parameters ||= parameter_filter.filter(parameters)
+      end
+
+      # Returns a hash of request.env with all sensitive data replaced.
+      def filtered_env
+        @filtered_env ||= env_filter.filter(@env)
+      end
+
+      # Reconstructs a path with all sensitive GET parameters replaced.
+      def filtered_path
+        @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
+      end
+
+    private
+
+      def parameter_filter # :doc:
+        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
+          return NULL_PARAM_FILTER
+        }
+      end
+
+      def env_filter # :doc:
+        user_key = fetch_header("action_dispatch.parameter_filter") {
+          return NULL_ENV_FILTER
+        }
+        parameter_filter_for(Array(user_key) + ENV_MATCH)
+      end
+
+      def parameter_filter_for(filters) # :doc:
+        ParameterFilter.new(filters)
+      end
+
+      KV_RE   = "[^&;=]+"
+      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
+      def filtered_query_string # :doc:
+        query_string.gsub(PAIR_RE) do |_|
+          parameter_filter.filter($1 => $2).first.join("=")
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    module FilterRedirect
+      FILTERED = "[FILTERED]".freeze # :nodoc:
+
+      def filtered_location # :nodoc:
+        if location_filter_match?
+          FILTERED
+        else
+          location
+        end
+      end
+
+    private
+
+      def location_filters
+        if request
+          request.get_header("action_dispatch.redirect_filter") || []
+        else
+          []
+        end
+      end
+
+      def location_filter_match?
+        location_filters.any? do |filter|
+          if String === filter
+            location.include?(filter)
+          elsif Regexp === filter
+            location =~ filter
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/http/headers.rb

@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    # Provides access to the request's HTTP headers from the environment.
+    #
+    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #   headers = ActionDispatch::Http::Headers.from_hash(env)
+    #   headers["Content-Type"] # => "text/plain"
+    #   headers["User-Agent"] # => "curl/7.43.0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #   # GET / HTTP/1.1
+    #   # ...
+    #   # User-Agent: curl/7.43.0
+    #   # X_Custom_Header: token
+    #
+    #   headers["X_Custom_Header"] # => nil
+    #   headers["X-Custom-Header"] # => "token"
+    class Headers
+      CGI_VARIABLES = Set.new(%W[
+        AUTH_TYPE
+        CONTENT_LENGTH
+        CONTENT_TYPE
+        GATEWAY_INTERFACE
+        HTTPS
+        PATH_INFO
+        PATH_TRANSLATED
+        QUERY_STRING
+        REMOTE_ADDR
+        REMOTE_HOST
+        REMOTE_IDENT
+        REMOTE_USER
+        REQUEST_METHOD
+        SCRIPT_NAME
+        SERVER_NAME
+        SERVER_PORT
+        SERVER_PROTOCOL
+        SERVER_SOFTWARE
+      ]).freeze
+
+      HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
+
+      include Enumerable
+
+      def self.from_hash(hash)
+        new ActionDispatch::Request.new hash
+      end
+
+      def initialize(request) # :nodoc:
+        @req = request
+      end
+
+      # Returns the value for the given key mapped to @env.
+      def [](key)
+        @req.get_header env_name(key)
+      end
+
+      # Sets the given value for the key mapped to @env.
+      def []=(key, value)
+        @req.set_header env_name(key), value
+      end
+
+      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      def add(key, value)
+        @req.add_header env_name(key), value
+      end
+
+      def key?(key)
+        @req.has_header? env_name(key)
+      end
+      alias :include? :key?
+
+      DEFAULT = Object.new # :nodoc:
+
+      # Returns the value for the given key mapped to @env.
+      #
+      # If the key is not found and an optional code block is not provided,
+      # raises a <tt>KeyError</tt> exception.
+      #
+      # If the code block is provided, then it will be run and
+      # its result returned.
+      def fetch(key, default = DEFAULT)
+        @req.fetch_header(env_name(key)) do
+          return default unless default == DEFAULT
+          return yield if block_given?
+          raise KeyError, key
+        end
+      end
+
+      def each(&block)
+        @req.each_header(&block)
+      end
+
+      # Returns a new Http::Headers instance containing the contents of
+      # <tt>headers_or_env</tt> and the original instance.
+      def merge(headers_or_env)
+        headers = @req.dup.headers
+        headers.merge!(headers_or_env)
+        headers
+      end
+
+      # Adds the contents of <tt>headers_or_env</tt> to original instance
+      # entries; duplicate keys are overwritten with the values from
+      # <tt>headers_or_env</tt>.
+      def merge!(headers_or_env)
+        headers_or_env.each do |key, value|
+          @req.set_header env_name(key), value
+        end
+      end
+
+      def env; @req.env.dup; end
+
+      private
+
+        # Converts an HTTP header name to an environment variable name if it is
+        # not contained within the headers hash.
+        def env_name(key)
+          key = key.to_s
+          if key =~ HTTP_HEADER
+            key = key.upcase.tr("-", "_")
+            key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+          end
+          key
+        end
+    end
+  end
+end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/module/attribute_accessors"
+
+module ActionDispatch
+  module Http
+    module MimeNegotiation
+      extend ActiveSupport::Concern
+
+      included do
+        mattr_accessor :ignore_accept_header, default: false
+      end
+
+      # The MIME type of the HTTP request, such as Mime[:xml].
+      def content_mime_type
+        fetch_header("action_dispatch.request.content_type") do |k|
+          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
+            Mime::Type.lookup($1.strip.downcase)
+          else
+            nil
+          end
+          set_header k, v
+        end
+      end
+
+      def content_type
+        content_mime_type && content_mime_type.to_s
+      end
+
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
+      end
+
+      # Returns the accepted MIME type for the request.
+      def accepts
+        fetch_header("action_dispatch.request.accepts") do |k|
+          header = get_header("HTTP_ACCEPT").to_s.strip
+
+          v = if header.empty?
+            [content_mime_type]
+          else
+            Mime::Type.parse(header)
+          end
+          set_header k, v
+        end
+      end
+
+      # Returns the MIME type for the \format used in the request.
+      #
+      #   GET /posts/5.xml   | request.format => Mime[:xml]
+      #   GET /posts/5.xhtml | request.format => Mime[:html]
+      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
+      #
+      def format(view_path = [])
+        formats.first || Mime::NullType.instance
+      end
+
+      def formats
+        fetch_header("action_dispatch.request.formats") do |k|
+          params_readable = begin
+                              parameters[:format]
+                            rescue ActionController::BadRequest
+                              false
+                            end
+
+          v = if params_readable
+            Array(Mime[parameters[:format]])
+          elsif use_accept_header && valid_accept_header
+            accepts
+          elsif extension_format = format_from_path_extension
+            [extension_format]
+          elsif xhr?
+            [Mime[:js]]
+          else
+            [Mime[:html]]
+          end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+
+          set_header k, v
+        end
+      end
+
+      # Sets the \variant for template.
+      def variant=(variant)
+        variant = Array(variant)
+
+        if variant.all? { |v| v.is_a?(Symbol) }
+          @variant = ActiveSupport::ArrayInquirer.new(variant)
+        else
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
+            "For security reasons, never directly set the variant to a user-provided value, " \
+            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
+            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+        end
+      end
+
+      def variant
+        @variant ||= ActiveSupport::ArrayInquirer.new
+      end
+
+      # Sets the \format by string extension, which can be used to force custom formats
+      # that are not controlled by the extension.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     before_action :adjust_format_for_iphone
+      #
+      #     private
+      #       def adjust_format_for_iphone
+      #         request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #       end
+      #   end
+      def format=(extension)
+        parameters[:format] = extension.to_s
+        set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
+      end
+
+      # Sets the \formats by string extensions. This differs from #format= by allowing you
+      # to set multiple, ordered formats, which is useful when you want to have a fallback.
+      #
+      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
+      # to the :html format.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #
+      #     private
+      #       def adjust_format_for_iphone_with_html_fallback
+      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #       end
+      #   end
+      def formats=(extensions)
+        parameters[:format] = extensions.first.to_s
+        set_header "action_dispatch.request.formats", extensions.collect { |extension|
+          Mime::Type.lookup_by_extension(extension)
+        }
+      end
+
+      # Returns the first MIME type that matches the provided array of MIME types.
+      def negotiate_mime(order)
+        formats.each do |priority|
+          if priority == Mime::ALL
+            return order.first
+          elsif order.include?(priority)
+            return priority
+          end
+        end
+
+        order.include?(Mime::ALL) ? format : nil
+      end
+
+      private
+
+        BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
+
+        def valid_accept_header # :doc:
+          (xhr? && (accept.present? || content_mime_type)) ||
+            (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
+        end
+
+        def use_accept_header # :doc:
+          !self.class.ignore_accept_header
+        end
+
+        def format_from_path_extension # :doc:
+          path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
+          if match = path && path.match(/\.(\w+)\z/)
+            Mime[match.captures.first]
+          end
+        end
+    end
+  end
+end

data/lib/action_dispatch/http/mime_type.rb

@@ -0,0 +1,342 @@
+# frozen_string_literal: true
+
+# -*- frozen-string-literal: true -*-
+
+require "singleton"
+require "active_support/core_ext/string/starts_ends_with"
+
+module Mime
+  class Mimes
+    include Enumerable
+
+    def initialize
+      @mimes = []
+      @symbols = nil
+    end
+
+    def each
+      @mimes.each { |x| yield x }
+    end
+
+    def <<(type)
+      @mimes << type
+      @symbols = nil
+    end
+
+    def delete_if
+      @mimes.delete_if { |x| yield x }.tap { @symbols = nil }
+    end
+
+    def symbols
+      @symbols ||= map(&:to_sym)
+    end
+  end
+
+  SET              = Mimes.new
+  EXTENSION_LOOKUP = {}
+  LOOKUP           = {}
+
+  class << self
+    def [](type)
+      return type if type.is_a?(Type)
+      Type.lookup_by_extension(type)
+    end
+
+    def fetch(type)
+      return type if type.is_a?(Type)
+      EXTENSION_LOOKUP.fetch(type.to_s) { |k| yield k }
+    end
+  end
+
+  # Encapsulates the notion of a MIME type. Can be used at render time, for example, with:
+  #
+  #   class PostsController < ActionController::Base
+  #     def show
+  #       @post = Post.find(params[:id])
+  #
+  #       respond_to do |format|
+  #         format.html
+  #         format.ics { render body: @post.to_ics, mime_type: Mime::Type.lookup("text/calendar")  }
+  #         format.xml { render xml: @post }
+  #       end
+  #     end
+  #   end
+  class Type
+    attr_reader :symbol
+
+    @register_callbacks = []
+
+    # A simple helper class used in parsing the accept header.
+    class AcceptItem #:nodoc:
+      attr_accessor :index, :name, :q
+      alias :to_s :name
+
+      def initialize(index, name, q = nil)
+        @index = index
+        @name = name
+        q ||= 0.0 if @name == "*/*".freeze # Default wildcard match to end of list.
+        @q = ((q || 1.0).to_f * 100).to_i
+      end
+
+      def <=>(item)
+        result = item.q <=> @q
+        result = @index <=> item.index if result == 0
+        result
+      end
+    end
+
+    class AcceptList #:nodoc:
+      def self.sort!(list)
+        list.sort!
+
+        text_xml_idx = find_item_by_name list, "text/xml"
+        app_xml_idx = find_item_by_name list, Mime[:xml].to_s
+
+        # Take care of the broken text/xml entry by renaming or deleting it.
+        if text_xml_idx && app_xml_idx
+          app_xml = list[app_xml_idx]
+          text_xml = list[text_xml_idx]
+
+          app_xml.q = [text_xml.q, app_xml.q].max # Set the q value to the max of the two.
+          if app_xml_idx > text_xml_idx  # Make sure app_xml is ahead of text_xml in the list.
+            list[app_xml_idx], list[text_xml_idx] = text_xml, app_xml
+            app_xml_idx, text_xml_idx = text_xml_idx, app_xml_idx
+          end
+          list.delete_at(text_xml_idx)  # Delete text_xml from the list.
+        elsif text_xml_idx
+          list[text_xml_idx].name = Mime[:xml].to_s
+        end
+
+        # Look for more specific XML-based types and sort them ahead of app/xml.
+        if app_xml_idx
+          app_xml = list[app_xml_idx]
+          idx = app_xml_idx
+
+          while idx < list.length
+            type = list[idx]
+            break if type.q < app_xml.q
+
+            if type.name.ends_with? "+xml"
+              list[app_xml_idx], list[idx] = list[idx], app_xml
+              app_xml_idx = idx
+            end
+            idx += 1
+          end
+        end
+
+        list.map! { |i| Mime::Type.lookup(i.name) }.uniq!
+        list
+      end
+
+      def self.find_item_by_name(array, name)
+        array.index { |item| item.name == name }
+      end
+    end
+
+    class << self
+      TRAILING_STAR_REGEXP = /^(text|application)\/\*/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
+
+      def register_callback(&block)
+        @register_callbacks << block
+      end
+
+      def lookup(string)
+        LOOKUP[string] || Type.new(string)
+      end
+
+      def lookup_by_extension(extension)
+        EXTENSION_LOOKUP[extension.to_s]
+      end
+
+      # Registers an alias that's not used on MIME type lookup, but can be referenced directly. Especially useful for
+      # rendering different HTML versions depending on the user agent, like an iPhone.
+      def register_alias(string, symbol, extension_synonyms = [])
+        register(string, symbol, [], extension_synonyms, true)
+      end
+
+      def register(string, symbol, mime_type_synonyms = [], extension_synonyms = [], skip_lookup = false)
+        new_mime = Type.new(string, symbol, mime_type_synonyms)
+
+        SET << new_mime
+
+        ([string] + mime_type_synonyms).each { |str| LOOKUP[str] = new_mime } unless skip_lookup
+        ([symbol] + extension_synonyms).each { |ext| EXTENSION_LOOKUP[ext.to_s] = new_mime }
+
+        @register_callbacks.each do |callback|
+          callback.call(new_mime)
+        end
+        new_mime
+      end
+
+      def parse(accept_header)
+        if !accept_header.include?(",")
+          accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
+          parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
+        else
+          list, index = [], 0
+          accept_header.split(",").each do |header|
+            params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
+
+            next unless params
+            params.strip!
+            next if params.empty?
+
+            params = parse_trailing_star(params) || [params]
+
+            params.each do |m|
+              list << AcceptItem.new(index, m.to_s, q)
+              index += 1
+            end
+          end
+          AcceptList.sort! list
+        end
+      end
+
+      def parse_trailing_star(accept_header)
+        parse_data_with_trailing_star($1) if accept_header =~ TRAILING_STAR_REGEXP
+      end
+
+      # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]</tt>.
+      #
+      # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
+      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
+      def parse_data_with_trailing_star(type)
+        Mime::SET.select { |m| m =~ type }
+      end
+
+      # This method is opposite of register method.
+      #
+      # To unregister a MIME type:
+      #
+      #   Mime::Type.unregister(:mobile)
+      def unregister(symbol)
+        symbol = symbol.downcase
+        if mime = Mime[symbol]
+          SET.delete_if { |v| v.eql?(mime) }
+          LOOKUP.delete_if { |_, v| v.eql?(mime) }
+          EXTENSION_LOOKUP.delete_if { |_, v| v.eql?(mime) }
+        end
+      end
+    end
+
+    attr_reader :hash
+
+    def initialize(string, symbol = nil, synonyms = [])
+      @symbol, @synonyms = symbol, synonyms
+      @string = string
+      @hash = [@string, @synonyms, @symbol].hash
+    end
+
+    def to_s
+      @string
+    end
+
+    def to_str
+      to_s
+    end
+
+    def to_sym
+      @symbol
+    end
+
+    def ref
+      symbol || to_s
+    end
+
+    def ===(list)
+      if list.is_a?(Array)
+        (@synonyms + [ self ]).any? { |synonym| list.include?(synonym) }
+      else
+        super
+      end
+    end
+
+    def ==(mime_type)
+      return false unless mime_type
+      (@synonyms + [ self ]).any? do |synonym|
+        synonym.to_s == mime_type.to_s || synonym.to_sym == mime_type.to_sym
+      end
+    end
+
+    def eql?(other)
+      super || (self.class == other.class &&
+                @string    == other.string &&
+                @synonyms  == other.synonyms &&
+                @symbol    == other.symbol)
+    end
+
+    def =~(mime_type)
+      return false unless mime_type
+      regexp = Regexp.new(Regexp.quote(mime_type.to_s))
+      @synonyms.any? { |synonym| synonym.to_s =~ regexp } || @string =~ regexp
+    end
+
+    def html?
+      symbol == :html || @string =~ /html/
+    end
+
+    def all?; false; end
+
+    # TODO Change this to private once we've dropped Ruby 2.2 support.
+    # Workaround for Ruby 2.2 "private attribute?" warning.
+    protected
+
+      attr_reader :string, :synonyms
+
+    private
+
+      def to_ary; end
+      def to_a; end
+
+      def method_missing(method, *args)
+        if method.to_s.ends_with? "?"
+          method[0..-2].downcase.to_sym == to_sym
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(method, include_private = false)
+        (method.to_s.ends_with? "?") || super
+      end
+  end
+
+  class AllType < Type
+    include Singleton
+
+    def initialize
+      super "*/*", :all
+    end
+
+    def all?; true; end
+    def html?; true; end
+  end
+
+  # ALL isn't a real MIME type, so we don't register it for lookup with the
+  # other concrete types. It's a wildcard match that we use for `respond_to`
+  # negotiation internals.
+  ALL = AllType.instance
+
+  class NullType
+    include Singleton
+
+    def nil?
+      true
+    end
+
+    def ref; end
+
+    private
+      def respond_to_missing?(method, _)
+        method.to_s.ends_with? "?"
+      end
+
+      def method_missing(method, *args)
+        false if method.to_s.ends_with? "?"
+      end
+  end
+end
+
+require "action_dispatch/http/mime_types"