actionpack 6.0.0

data/lib/action_dispatch/middleware/executor.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "rack/body_proxy"
+
+module ActionDispatch
+  class Executor
+    def initialize(app, executor)
+      @app, @executor = app, executor
+    end
+
+    def call(env)
+      state = @executor.run!
+      begin
+        response = @app.call(env)
+        returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+      ensure
+        state.complete! unless returned
+      end
+    end
+  end
+end

data/lib/action_dispatch/middleware/flash.rb

@@ -0,0 +1,300 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/hash/keys"
+
+module ActionDispatch
+  # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
+  # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
+  # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
+  # then expose the flash to its template. Actually, that exposure is automatically done.
+  #
+  #   class PostsController < ActionController::Base
+  #     def create
+  #       # save post
+  #       flash[:notice] = "Post successfully created"
+  #       redirect_to @post
+  #     end
+  #
+  #     def show
+  #       # doesn't need to assign the flash notice to the template, that's done automatically
+  #     end
+  #   end
+  #
+  #   show.html.erb
+  #     <% if flash[:notice] %>
+  #       <div class="notice"><%= flash[:notice] %></div>
+  #     <% end %>
+  #
+  # Since the +notice+ and +alert+ keys are a common idiom, convenience accessors are available:
+  #
+  #   flash.alert = "You must be logged in"
+  #   flash.notice = "Post successfully created"
+  #
+  # This example places a string in the flash. And of course, you can put as many as you like at a time too. If you want to pass
+  # non-primitive types, you will have to handle that in your application. Example: To show messages with links, you will have to
+  # use sanitize helper.
+  #
+  # Just remember: They'll be gone by the time the next action has been performed.
+  #
+  # See docs on the FlashHash class for more details about the flash.
+  class Flash
+    KEY = "action_dispatch.request.flash_hash"
+
+    module RequestMethods
+      # Access the contents of the flash. Use <tt>flash["notice"]</tt> to
+      # read a notice you put there or <tt>flash["notice"] = "hello"</tt>
+      # to put a new one.
+      def flash
+        flash = flash_hash
+        return flash if flash
+        self.flash = Flash::FlashHash.from_session_value(session["flash"])
+      end
+
+      def flash=(flash)
+        set_header Flash::KEY, flash
+      end
+
+      def flash_hash # :nodoc:
+        get_header Flash::KEY
+      end
+
+      def commit_flash # :nodoc:
+        session    = self.session || {}
+        flash_hash = self.flash_hash
+
+        if flash_hash && (flash_hash.present? || session.key?("flash"))
+          session["flash"] = flash_hash.to_session_value
+          self.flash = flash_hash.dup
+        end
+
+        if (!session.respond_to?(:loaded?) || session.loaded?) && # reset_session uses {}, which doesn't implement #loaded?
+            session.key?("flash") && session["flash"].nil?
+          session.delete("flash")
+        end
+      end
+
+      def reset_session # :nodoc:
+        super
+        self.flash = nil
+      end
+    end
+
+    class FlashNow #:nodoc:
+      attr_accessor :flash
+
+      def initialize(flash)
+        @flash = flash
+      end
+
+      def []=(k, v)
+        k = k.to_s
+        @flash[k] = v
+        @flash.discard(k)
+        v
+      end
+
+      def [](k)
+        @flash[k.to_s]
+      end
+
+      # Convenience accessor for <tt>flash.now[:alert]=</tt>.
+      def alert=(message)
+        self[:alert] = message
+      end
+
+      # Convenience accessor for <tt>flash.now[:notice]=</tt>.
+      def notice=(message)
+        self[:notice] = message
+      end
+    end
+
+    class FlashHash
+      include Enumerable
+
+      def self.from_session_value(value) #:nodoc:
+        case value
+        when FlashHash # Rails 3.1, 3.2
+          flashes = value.instance_variable_get(:@flashes)
+          if discard = value.instance_variable_get(:@used)
+            flashes.except!(*discard)
+          end
+          new(flashes, flashes.keys)
+        when Hash # Rails 4.0
+          flashes = value["flashes"]
+          if discard = value["discard"]
+            flashes.except!(*discard)
+          end
+          new(flashes, flashes.keys)
+        else
+          new
+        end
+      end
+
+      # Builds a hash containing the flashes to keep for the next request.
+      # If there are none to keep, returns +nil+.
+      def to_session_value #:nodoc:
+        flashes_to_keep = @flashes.except(*@discard)
+        return nil if flashes_to_keep.empty?
+        { "discard" => [], "flashes" => flashes_to_keep }
+      end
+
+      def initialize(flashes = {}, discard = []) #:nodoc:
+        @discard = Set.new(stringify_array(discard))
+        @flashes = flashes.stringify_keys
+        @now     = nil
+      end
+
+      def initialize_copy(other)
+        if other.now_is_loaded?
+          @now = other.now.dup
+          @now.flash = self
+        end
+        super
+      end
+
+      def []=(k, v)
+        k = k.to_s
+        @discard.delete k
+        @flashes[k] = v
+      end
+
+      def [](k)
+        @flashes[k.to_s]
+      end
+
+      def update(h) #:nodoc:
+        @discard.subtract stringify_array(h.keys)
+        @flashes.update h.stringify_keys
+        self
+      end
+
+      def keys
+        @flashes.keys
+      end
+
+      def key?(name)
+        @flashes.key? name.to_s
+      end
+
+      def delete(key)
+        key = key.to_s
+        @discard.delete key
+        @flashes.delete key
+        self
+      end
+
+      def to_hash
+        @flashes.dup
+      end
+
+      def empty?
+        @flashes.empty?
+      end
+
+      def clear
+        @discard.clear
+        @flashes.clear
+      end
+
+      def each(&block)
+        @flashes.each(&block)
+      end
+
+      alias :merge! :update
+
+      def replace(h) #:nodoc:
+        @discard.clear
+        @flashes.replace h.stringify_keys
+        self
+      end
+
+      # Sets a flash that will not be available to the next action, only to the current.
+      #
+      #     flash.now[:message] = "Hello current action"
+      #
+      # This method enables you to use the flash as a central messaging system in your app.
+      # When you need to pass an object to the next action, you use the standard flash assign (<tt>[]=</tt>).
+      # When you need to pass an object to the current action, you use <tt>now</tt>, and your object will
+      # vanish when the current action is done.
+      #
+      # Entries set via <tt>now</tt> are accessed the same way as standard entries: <tt>flash['my-key']</tt>.
+      #
+      # Also, brings two convenience accessors:
+      #
+      #   flash.now.alert = "Beware now!"
+      #   # Equivalent to flash.now[:alert] = "Beware now!"
+      #
+      #   flash.now.notice = "Good luck now!"
+      #   # Equivalent to flash.now[:notice] = "Good luck now!"
+      def now
+        @now ||= FlashNow.new(self)
+      end
+
+      # Keeps either the entire current flash or a specific flash entry available for the next action:
+      #
+      #    flash.keep            # keeps the entire flash
+      #    flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
+      def keep(k = nil)
+        k = k.to_s if k
+        @discard.subtract Array(k || keys)
+        k ? self[k] : self
+      end
+
+      # Marks the entire flash or a single flash entry to be discarded by the end of the current action:
+      #
+      #     flash.discard              # discard the entire flash at the end of the current action
+      #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
+      def discard(k = nil)
+        k = k.to_s if k
+        @discard.merge Array(k || keys)
+        k ? self[k] : self
+      end
+
+      # Mark for removal entries that were kept, and delete unkept ones.
+      #
+      # This method is called automatically by filters, so you generally don't need to care about it.
+      def sweep #:nodoc:
+        @discard.each { |k| @flashes.delete k }
+        @discard.replace @flashes.keys
+      end
+
+      # Convenience accessor for <tt>flash[:alert]</tt>.
+      def alert
+        self[:alert]
+      end
+
+      # Convenience accessor for <tt>flash[:alert]=</tt>.
+      def alert=(message)
+        self[:alert] = message
+      end
+
+      # Convenience accessor for <tt>flash[:notice]</tt>.
+      def notice
+        self[:notice]
+      end
+
+      # Convenience accessor for <tt>flash[:notice]=</tt>.
+      def notice=(message)
+        self[:notice] = message
+      end
+
+      protected
+        def now_is_loaded?
+          @now
+        end
+
+      private
+        def stringify_array(array) # :doc:
+          array.map do |item|
+            item.kind_of?(Symbol) ? item.to_s : item
+          end
+        end
+    end
+
+    def self.new(app) app; end
+  end
+
+  class Request
+    prepend Flash::RequestMethods
+  end
+end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require "action_dispatch/http/request"
+
+module ActionDispatch
+  # This middleware guards from DNS rebinding attacks by explicitly permitting
+  # the hosts a request can be sent to.
+  #
+  # When a request comes to an unauthorized host, the +response_app+
+  # application will be executed and rendered. If no +response_app+ is given, a
+  # default one will run, which responds with +403 Forbidden+.
+  class HostAuthorization
+    class Permissions # :nodoc:
+      def initialize(hosts)
+        @hosts = sanitize_hosts(hosts)
+      end
+
+      def empty?
+        @hosts.empty?
+      end
+
+      def allows?(host)
+        @hosts.any? do |allowed|
+          allowed === host
+        rescue
+          # IPAddr#=== raises an error if you give it a hostname instead of
+          # IP. Treat similar errors as blocked access.
+          false
+        end
+      end
+
+      private
+
+        def sanitize_hosts(hosts)
+          Array(hosts).map do |host|
+            case host
+            when Regexp then sanitize_regexp(host)
+            when String then sanitize_string(host)
+            else host
+            end
+          end
+        end
+
+        def sanitize_regexp(host)
+          /\A#{host}\z/
+        end
+
+        def sanitize_string(host)
+          if host.start_with?(".")
+            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/
+          else
+            host
+          end
+        end
+    end
+
+    DEFAULT_RESPONSE_APP = -> env do
+      request = Request.new(env)
+
+      format = request.xhr? ? "text/plain" : "text/html"
+      template = DebugView.new(host: request.host)
+      body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")
+
+      [403, {
+        "Content-Type" => "#{format}; charset=#{Response.default_charset}",
+        "Content-Length" => body.bytesize.to_s,
+      }, [body]]
+    end
+
+    def initialize(app, hosts, response_app = nil)
+      @app = app
+      @permissions = Permissions.new(hosts)
+      @response_app = response_app || DEFAULT_RESPONSE_APP
+    end
+
+    def call(env)
+      return @app.call(env) if @permissions.empty?
+
+      request = Request.new(env)
+
+      if authorized?(request)
+        mark_as_authorized(request)
+        @app.call(env)
+      else
+        @response_app.call(env)
+      end
+    end
+
+    private
+
+      def authorized?(request)
+        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
+        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
+
+        @permissions.allows?(origin_host) &&
+          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+      end
+
+      def mark_as_authorized(request)
+        request.set_header("action_dispatch.authorized_host", request.host)
+      end
+  end
+end

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  # When called, this middleware renders an error page. By default if an HTML
+  # response is expected it will render static error pages from the <tt>/public</tt>
+  # directory. For example when this middleware receives a 500 response it will
+  # render the template found in <tt>/public/500.html</tt>.
+  # If an internationalized locale is set, this middleware will attempt to render
+  # the template in <tt>/public/500.<locale>.html</tt>. If an internationalized template
+  # is not found it will fall back on <tt>/public/500.html</tt>.
+  #
+  # When a request with a content type other than HTML is made, this middleware
+  # will attempt to convert error information into the appropriate response type.
+  class PublicExceptions
+    attr_accessor :public_path
+
+    def initialize(public_path)
+      @public_path = public_path
+    end
+
+    def call(env)
+      request      = ActionDispatch::Request.new(env)
+      status       = request.path_info[1..-1].to_i
+      begin
+        content_type = request.formats.first
+      rescue Mime::Type::InvalidMimeType
+        content_type = Mime[:text]
+      end
+      body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
+
+      render(status, content_type, body)
+    end
+
+    private
+
+      def render(status, content_type, body)
+        format = "to_#{content_type.to_sym}" if content_type
+        if format && body.respond_to?(format)
+          render_format(status, content_type, body.public_send(format))
+        else
+          render_html(status)
+        end
+      end
+
+      def render_format(status, content_type, body)
+        [status, { "Content-Type" => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                  "Content-Length" => body.bytesize.to_s }, [body]]
+      end
+
+      def render_html(status)
+        path = "#{public_path}/#{status}.#{I18n.locale}.html"
+        path = "#{public_path}/#{status}.html" unless (found = File.exist?(path))
+
+        if found || File.exist?(path)
+          render_format(status, "text/html", File.read(path))
+        else
+          [404, { "X-Cascade" => "pass" }, []]
+        end
+      end
+  end
+end