actionpack 1.13.6 → 2.0.0

data/lib/action_controller/request_forgery_protection.rb

@@ -0,0 +1,126 @@
+module ActionController #:nodoc:
+  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+  end
+
+  module RequestForgeryProtection
+    def self.included(base)
+      base.class_eval do
+        class_inheritable_accessor :request_forgery_protection_options
+        self.request_forgery_protection_options = {}
+        helper_method :form_authenticity_token
+        helper_method :protect_against_forgery?
+      end
+      base.extend(ClassMethods)
+    end
+    
+    module ClassMethods
+      # Protect a controller's actions from CSRF attacks by ensuring that all forms are coming from the current web application, not 
+      # a forged link from another site. This is done by embedding a token based on the session (which an attacker wouldn't know) in 
+      # all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only
+      # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
+      # scheme there anyway). Also, GET requests are not protected as these should be indempotent anyway.
+      #
+      # You turn this on with the #protect_from_forgery method, which will perform the check and raise 
+      # an ActionController::InvalidAuthenticityToken if the token doesn't match what was expected. And it will add 
+      # a _authenticity_token parameter to all forms that are automatically generated by Rails. You can customize the error message 
+      # given through public/422.html.
+      #
+      # Learn more about CSRF (Cross-Site Request Forgery) attacks:
+      #
+      # * http://isc.sans.org/diary.html?storyid=1750
+      # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+      #
+      # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+      # There are a few guidelines you should follow:
+      # 
+      # * Keep your GET requests safe and idempotent.  More reading material:
+      #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
+      #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+      # * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look for "Expires: at end of session"
+      #
+      # If you need to construct a request yourself, but still want to take advantage of forgery protection, you can grab the 
+      # authenticity_token using the form_authenticity_token helper method and make it part of the parameters yourself.
+      #
+      # Example:
+      #
+      #   class FooController < ApplicationController
+      #     # uses the cookie session store (then you don't need a separate :secret)
+      #     protect_from_forgery :except => :index
+      #
+      #     # uses one of the other session stores that uses a session_id value.
+      #     protect_from_forgery :secret => 'my-little-pony', :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
+      #   end
+      #
+      # Valid Options:
+      #
+      # * <tt>:only/:except</tt> - passed to the before_filter call.  Set which actions are verified.
+      # * <tt>:secret</tt> - Custom salt used to generate the form_authenticity_token.
+      #   Leave this off if you are using the cookie session store.
+      # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
+        request_forgery_protection_options.update(options)
+      end
+    end
+
+    protected
+      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+      def verify_authenticity_token
+        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+      end
+      
+      # Returns true or false if a request is verified.  Checks:
+      #
+      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is it a GET request?  Gets should be safe and idempotent
+      # * Does the form_authenticity_token match the given _token value from the params?
+      def verified_request?
+        !protect_against_forgery?     ||
+          request.method == :get      ||
+          !verifiable_request_format? ||
+          form_authenticity_token == params[request_forgery_protection_token]
+      end
+    
+      def verifiable_request_format?
+        request.format.html? || request.format.js?
+      end
+    
+      # Sets the token value for the current session.  Pass a :secret option in #protect_from_forgery to add a custom salt to the hash.
+      def form_authenticity_token
+        @form_authenticity_token ||= if request_forgery_protection_options[:secret]
+          authenticity_token_from_session_id
+        elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
+          authenticity_token_from_cookie_session
+        elsif session.nil?
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        else
+          raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
+        end
+      end
+      
+      # Generates a unique digest using the session_id and the CSRF secret.
+      def authenticity_token_from_session_id
+        key = if request_forgery_protection_options[:secret].respond_to?(:call)
+          request_forgery_protection_options[:secret].call(@session)
+        else
+          request_forgery_protection_options[:secret]
+        end
+        digest = request_forgery_protection_options[:digest] ||= 'SHA1'
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
+      end
+      
+      # No secret was given, so assume this is a cookie session store.
+      def authenticity_token_from_cookie_session
+        session[:csrf_id] ||= CGI::Session.generate_unique_id
+        session.dbman.generate_digest(session[:csrf_id])
+      end
+      
+      def protect_against_forgery?
+        allow_forgery_protection && request_forgery_protection_token
+      end
+  end
+end

data/lib/action_controller/request_profiler.rb

@@ -0,0 +1,138 @@
+require 'optparse'
+require 'action_controller/integration'
+
+module ActionController
+  class RequestProfiler
+    # Wrap up the integration session runner.
+    class Sandbox
+      include Integration::Runner
+
+      def self.benchmark(n, script)
+        new(script).benchmark(n)
+      end
+
+      def initialize(script_path)
+        @quiet = false
+        define_run_method(File.read(script_path))
+        reset!
+      end
+
+      def benchmark(n)
+        @quiet = true
+        print '  '
+        result = Benchmark.realtime do
+          n.times do |i|
+            run
+            print i % 10 == 0 ? 'x' : '.'
+            $stdout.flush
+          end
+        end
+        puts
+        result
+      ensure
+        @quiet = false
+      end
+
+      def say(message)
+        puts "  #{message}" unless @quiet
+      end
+
+      private
+        def define_run_method(script)
+          instance_eval "def run; #{script}; end", __FILE__, __LINE__
+        end
+    end
+
+
+    attr_reader :options
+
+    def initialize(options = {})
+      @options = default_options.merge(options)
+    end
+
+
+    def self.run(args = nil, options = {})
+      profiler = new(options)
+      profiler.parse_options(args) if args
+      profiler.run
+    end
+
+    def run
+      sandbox = Sandbox.new(options[:script])
+
+      puts 'Warming up once'
+
+      elapsed = warmup(sandbox)
+      puts '%.2f sec, %d requests, %d req/sec' % [elapsed, sandbox.request_count, sandbox.request_count / elapsed]
+      puts "\n#{options[:benchmark] ? 'Benchmarking' : 'Profiling'} #{options[:n]}x"
+
+      options[:benchmark] ? benchmark(sandbox) : profile(sandbox)
+    end
+
+    def profile(sandbox)
+      load_ruby_prof
+
+      results = RubyProf.profile { benchmark(sandbox) }
+
+      show_profile_results results
+      results
+    end
+
+    def benchmark(sandbox)
+      sandbox.request_count = 0
+      elapsed = sandbox.benchmark(options[:n]).to_f
+      count = sandbox.request_count.to_i
+      puts '%.2f sec, %d requests, %d req/sec' % [elapsed, count, count / elapsed]
+    end
+
+    def warmup(sandbox)
+      Benchmark.realtime { sandbox.run }
+    end
+
+    def default_options
+      { :n => 100, :open => 'open %s &' }
+    end
+
+    # Parse command-line options
+    def parse_options(args)
+      OptionParser.new do |opt|
+        opt.banner = "USAGE: #{$0} [options] [session script path]"
+
+        opt.on('-n', '--times [0000]', 'How many requests to process. Defaults to 100.') { |v| options[:n] = v.to_i }
+        opt.on('-b', '--benchmark', 'Benchmark instead of profiling') { |v| options[:benchmark] = v }
+        opt.on('--open [CMD]', 'Command to open profile results. Defaults to "open %s &"') { |v| options[:open] = v }
+        opt.on('-h', '--help', 'Show this help') { puts opt; exit }
+
+        opt.parse args
+
+        if args.empty?
+          puts opt
+          exit
+        end
+        options[:script] = args.pop
+      end
+    end
+
+    protected
+      def load_ruby_prof
+        begin
+          require 'ruby-prof'
+          #RubyProf.measure_mode = RubyProf::ALLOCATED_OBJECTS
+        rescue LoadError
+          abort '`gem install ruby-prof` to use the profiler'
+        end
+      end
+
+      def show_profile_results(results)
+        File.open "#{RAILS_ROOT}/tmp/profile-graph.html", 'w' do |file|
+          RubyProf::GraphHtmlPrinter.new(results).print(file)
+          `#{options[:open] % file.path}` if options[:open]
+        end
+
+        File.open "#{RAILS_ROOT}/tmp/profile-flat.txt", 'w' do |file|
+          RubyProf::FlatPrinter.new(results).print(file)
+          `#{options[:open] % file.path}` if options[:open]
+        end
+      end
+  end
+end

data/lib/action_controller/rescue.rb

@@ -1,22 +1,110 @@
 module ActionController #:nodoc:
-  # Actions that fail to perform as expected throw exceptions. These exceptions can either be rescued for the public view 
+  # Actions that fail to perform as expected throw exceptions. These exceptions can either be rescued for the public view
   # (with a nice user-friendly explanation) or for the developers view (with tons of debugging information). The developers view
-  # is already implemented by the Action Controller, but the public view should be tailored to your specific application. So too
-  # could the decision on whether something is a public or a developer request.
+  # is already implemented by the Action Controller, but the public view should be tailored to your specific application. 
+  # 
+  # The default behavior for public exceptions is to render a static html file with the name of the error code thrown.  If no such 
+  # file exists, an empty response is sent with the correct status code.
   #
-  # You can tailor the rescuing behavior and appearance by overwriting the following two stub methods.
+  # You can override what constitutes a local request by overriding the <tt>local_request?</tt> method in your own controller.
+  # Custom rescue behavior is achieved by overriding the <tt>rescue_action_in_public</tt> and <tt>rescue_action_locally</tt> methods.
   module Rescue
+    LOCALHOST = '127.0.0.1'.freeze
+
+    DEFAULT_RESCUE_RESPONSE = :internal_server_error
+    DEFAULT_RESCUE_RESPONSES = {
+      'ActionController::RoutingError'             => :not_found,
+      'ActionController::UnknownAction'            => :not_found,
+      'ActiveRecord::RecordNotFound'               => :not_found,
+      'ActiveRecord::StaleObjectError'             => :conflict,
+      'ActiveRecord::RecordInvalid'                => :unprocessable_entity,
+      'ActiveRecord::RecordNotSaved'               => :unprocessable_entity,
+      'ActionController::MethodNotAllowed'         => :method_not_allowed,
+      'ActionController::NotImplemented'           => :not_implemented,
+      'ActionController::InvalidAuthenticityToken' => :unprocessable_entity
+    }
+
+    DEFAULT_RESCUE_TEMPLATE = 'diagnostics'
+    DEFAULT_RESCUE_TEMPLATES = {
+      'ActionController::MissingTemplate' => 'missing_template',
+      'ActionController::RoutingError'    => 'routing_error',
+      'ActionController::UnknownAction'   => 'unknown_action',
+      'ActionView::TemplateError'         => 'template_error'
+    }
+
     def self.included(base) #:nodoc:
+      base.cattr_accessor :rescue_responses
+      base.rescue_responses = Hash.new(DEFAULT_RESCUE_RESPONSE)
+      base.rescue_responses.update DEFAULT_RESCUE_RESPONSES
+
+      base.cattr_accessor :rescue_templates
+      base.rescue_templates = Hash.new(DEFAULT_RESCUE_TEMPLATE)
+      base.rescue_templates.update DEFAULT_RESCUE_TEMPLATES
+
+      base.class_inheritable_array :rescue_handlers
+      base.rescue_handlers = []
+
       base.extend(ClassMethods)
       base.class_eval do
         alias_method_chain :perform_action, :rescue
       end
     end
 
-    module ClassMethods #:nodoc:
-      def process_with_exception(request, response, exception)
+    module ClassMethods
+      def process_with_exception(request, response, exception) #:nodoc:
         new.process(request, response, :rescue_action, exception)
       end
+
+      # Rescue exceptions raised in controller actions.
+      #
+      # <tt>rescue_from</tt> receives a series of exception classes or class
+      # names, and a trailing :with option with the name of a method or a Proc
+      # object to be called to handle them. Alternatively a block can be given.
+      #
+      # Handlers that take one argument will be called with the exception, so
+      # that the exception can be inspected when dealing with it.
+      #
+      # Handlers are inherited. They are searched from right to left, from
+      # bottom to top, and up the hierarchy. The handler of the first class for
+      # which exception.is_a?(klass) holds true is the one invoked, if any.
+      #
+      # class ApplicationController < ActionController::Base
+      #   rescue_from User::NotAuthorized, :with => :deny_access # self defined exception
+      #   rescue_from ActiveRecord::RecordInvalid, :with => :show_errors
+      #
+      #   rescue_from 'MyAppError::Base' do |exception|
+      #     render :xml => exception, :status => 500
+      #   end
+      #
+      #   protected
+      #     def deny_access
+      #       ...
+      #     end
+      #
+      #     def show_errors(exception)
+      #       exception.record.new_record? ? ...
+      #     end
+      # end
+      def rescue_from(*klasses, &block)
+        options = klasses.extract_options!
+        unless options.has_key?(:with)
+          block_given? ? options[:with] = block : raise(ArgumentError, "Need a handler. Supply an options hash that has a :with key as the last argument.")
+        end
+
+        klasses.each do |klass|
+          key = if klass.is_a?(Class) && klass <= Exception
+            klass.name
+          elsif klass.is_a?(String)
+            klass
+          else
+            raise(ArgumentError, "#{klass} is neither an Exception nor a String")
+          end
+
+          # Order is important, we put the pair at the end. When dealing with an
+          # exception we will follow the documented order going from right to left.
+          rescue_handlers << [key, options[:with]]
+        end
+      end
     end
 
     protected
@@ -25,6 +113,12 @@ module ActionController #:nodoc:
         log_error(exception) if logger
         erase_results if performed?
 
+        # Let the exception alter the response if it wants.
+        # For example, MethodNotAllowed sets the Allow header.
+        if exception.respond_to?(:handle_response!)
+          exception.handle_response!(response)
+        end
+
         if consider_all_requests_local || local_request?
           rescue_action_locally(exception)
         else
@@ -47,96 +141,118 @@ module ActionController #:nodoc:
         end
       end
 
-      # Overwrite to implement public exception handling (for requests answering false to <tt>local_request?</tt>).
+      # Overwrite to implement public exception handling (for requests answering false to <tt>local_request?</tt>).  By
+      # default will call render_optional_error_file.  Override this method to provide more user friendly error messages.s
       def rescue_action_in_public(exception) #:doc:
-        case exception
-          when RoutingError, UnknownAction
-            render_text(IO.read(File.join(RAILS_ROOT, 'public', '404.html')), "404 Not Found")
-          else
-            render_text(IO.read(File.join(RAILS_ROOT, 'public', '500.html')), "500 Internal Error")
+        render_optional_error_file response_code_for_rescue(exception)
+      end
+      
+      # Attempts to render a static error page based on the <tt>status_code</tt> thrown,
+      # or just return headers if no such file exists. For example, if a 500 error is 
+      # being handled Rails will first attempt to render the file at <tt>public/500.html</tt>. 
+      # If the file doesn't exist, the body of the response will be left empty.
+      def render_optional_error_file(status_code)
+        status = interpret_status(status_code)
+        path = "#{RAILS_ROOT}/public/#{status[0,3]}.html"
+        if File.exists?(path)
+          render :file => path, :status => status
+        else
+          head status
         end
       end
 
-      # Overwrite to expand the meaning of a local request in order to show local rescues on other occurrences than
-      # the remote IP being 127.0.0.1. For example, this could include the IP of the developer machine when debugging
-      # remotely.
+      # True if the request came from localhost, 127.0.0.1. Override this
+      # method if you wish to redefine the meaning of a local request to
+      # include remote IP addresses or other criteria.
       def local_request? #:doc:
-        [request.remote_addr, request.remote_ip] == ["127.0.0.1"] * 2
+        request.remote_addr == LOCALHOST and request.remote_ip == LOCALHOST
       end
 
-      # Renders a detailed diagnostics screen on action exceptions. 
+      # Render detailed diagnostics for unhandled exceptions rescued from
+      # a controller action.
       def rescue_action_locally(exception)
         add_variables_to_assigns
         @template.instance_variable_set("@exception", exception)
-        @template.instance_variable_set("@rescues_path", File.dirname(rescues_path("stub")))    
-        @template.send(:assign_variables_from_controller)
+        @template.instance_variable_set("@rescues_path", File.dirname(rescues_path("stub")))
+        @template.send!(:assign_variables_from_controller)
 
         @template.instance_variable_set("@contents", @template.render_file(template_path_for_local_rescue(exception), false))
-    
+
         response.content_type = Mime::HTML
-        render_file(rescues_path("layout"), response_code_for_rescue(exception))
+        render_for_file(rescues_path("layout"), response_code_for_rescue(exception))
       end
-    
-    private
-      def perform_action_with_rescue #:nodoc:
-        begin
-          perform_action_without_rescue
-        rescue Exception => exception  # errors from action performed
-          if defined?(Breakpoint) && params["BP-RETRY"]
-            msg = exception.backtrace.first
-            if md = /^(.+?):(\d+)(?::in `(.+)')?$/.match(msg) then
-              origin_file, origin_line = md[1], md[2].to_i
-
-              set_trace_func(lambda do |type, file, line, method, context, klass|
-                if file == origin_file and line == origin_line then
-                  set_trace_func(nil)
-                  params["BP-RETRY"] = false
-
-                  callstack = caller
-                  callstack.slice!(0) if callstack.first["rescue.rb"]
-                  file, line, method = *callstack.first.match(/^(.+?):(\d+)(?::in `(.*?)')?/).captures
-
-                  message = "Exception at #{file}:#{line}#{" in `#{method}'" if method}." # `� ( for ruby-mode)
-
-                  Breakpoint.handle_breakpoint(context, message, file, line)
-                end
-              end)
-
-              retry
-            end
-          end
 
-          rescue_action(exception)
+      # Tries to rescue the exception by looking up and calling a registered handler.
+      def rescue_action_with_handler(exception)
+        if handler = handler_for_rescue(exception)
+          if handler.arity != 0
+            handler.call(exception)
+          else
+            handler.call
+          end
+          true # don't rely on the return value of the handler
         end
       end
 
+    private
+      def perform_action_with_rescue #:nodoc:
+        perform_action_without_rescue
+      rescue Exception => exception  # errors from action performed
+        return if rescue_action_with_handler(exception)
+        
+        rescue_action(exception)
+      end
+
       def rescues_path(template_name)
-        File.dirname(__FILE__) + "/templates/rescues/#{template_name}.rhtml"
+        "#{File.dirname(__FILE__)}/templates/rescues/#{template_name}.erb"
       end
 
       def template_path_for_local_rescue(exception)
-        rescues_path(
-          case exception
-            when MissingTemplate then "missing_template"
-            when RoutingError then "routing_error"
-            when UnknownAction   then "unknown_action"
-            when ActionView::TemplateError then "template_error"
-            else "diagnostics"
-          end
-        )
+        rescues_path(rescue_templates[exception.class.name])
       end
-      
+
       def response_code_for_rescue(exception)
-        case exception
-          when UnknownAction, RoutingError 
-            "404 Page Not Found"
-          else
-            "500 Internal Error"
+        rescue_responses[exception.class.name]
+      end
+
+      def handler_for_rescue(exception)
+        # We go from right to left because pairs are pushed onto rescue_handlers
+        # as rescue_from declarations are found.
+        _, handler = *rescue_handlers.reverse.detect do |klass_name, handler|
+          # The purpose of allowing strings in rescue_from is to support the
+          # declaration of handler associations for exception classes whose
+          # definition is yet unknown.
+          #
+          # Since this loop needs the constants it would be inconsistent to
+          # assume they should exist at this point. An early raised exception
+          # could trigger some other handler and the array could include
+          # precisely a string whose corresponding constant has not yet been
+          # seen. This is why we are tolerant to unknown constants.
+          #
+          # Note that this tolerance only matters if the exception was given as
+          # a string, otherwise a NameError will be raised by the interpreter
+          # itself when rescue_from CONSTANT is executed.
+          klass = self.class.const_get(klass_name) rescue nil
+          klass ||= klass_name.constantize rescue nil
+          exception.is_a?(klass) if klass
+        end
+
+        case handler
+        when Symbol
+          method(handler)
+        when Proc
+          handler.bind(self)
         end
       end
-      
+
       def clean_backtrace(exception)
-        exception.backtrace.collect { |line| Object.const_defined?(:RAILS_ROOT) ? line.gsub(RAILS_ROOT, "") : line }
+        if backtrace = exception.backtrace
+          if defined?(RAILS_ROOT)
+            backtrace.map { |line| line.sub RAILS_ROOT, '' }
+          else
+            backtrace
+          end
+        end
       end
   end
 end