actionpack 3.2.22.5 → 5.2.4

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,16 +1,16 @@
-require 'active_support/core_ext/object/blank'
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/object/duplicable'
+# frozen_string_literal: true
+
+require "action_dispatch/http/parameter_filter"
 
 module ActionDispatch
   module Http
     # Allows you to specify sensitive parameters which will be replaced from
     # the request log by looking in the query string of the request and all
-    # subhashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all subhashes is passed to it, the value
-    # or key can be replaced using String#replace or similar method.
-    #
-    # Examples:
+    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
+    # from a hash is possible by using the dot notation: 'credit_card.number'.
+    # If a block is given, each key and value of the params hash and all
+    # sub-hashes is passed to it, where the value or the key can be replaced using
+    # String#replace or similar method.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -18,51 +18,67 @@ module ActionDispatch
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = lambda do |k,v|
+    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
+    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+    #   change { file: { code: "xxxx"} }
+    #
+    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
     #     v.reverse! if k =~ /secret/i
     #   end
     #   => reverses the value to all keys matching /secret/i
-    #
     module FilterParameters
-      extend ActiveSupport::Concern
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
+      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
 
-      # Return a hash of parameters with all sensitive data replaced.
+      def initialize
+        super
+        @filtered_parameters = nil
+        @filtered_env        = nil
+        @filtered_path       = nil
+      end
+
+      # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
       end
 
-      # Return a hash of request.env with all sensitive data replaced.
+      # Returns a hash of request.env with all sensitive data replaced.
       def filtered_env
         @filtered_env ||= env_filter.filter(@env)
       end
 
-      # Reconstructed a path with all sensitive GET parameters replaced.
+      # Reconstructs a path with all sensitive GET parameters replaced.
       def filtered_path
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    protected
+    private
 
-      def parameter_filter
-        parameter_filter_for(@env["action_dispatch.parameter_filter"])
+      def parameter_filter # :doc:
+        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
+          return NULL_PARAM_FILTER
+        }
       end
 
-      def env_filter
-        parameter_filter_for(Array.wrap(@env["action_dispatch.parameter_filter"]) << /RAW_POST_DATA/)
+      def env_filter # :doc:
+        user_key = fetch_header("action_dispatch.parameter_filter") {
+          return NULL_ENV_FILTER
+        }
+        parameter_filter_for(Array(user_key) + ENV_MATCH)
       end
 
-      def parameter_filter_for(filters)
+      def parameter_filter_for(filters) # :doc:
         ParameterFilter.new(filters)
       end
 
-      KV_RE   = '[^&;=]+'
+      KV_RE   = "[^&;=]+"
       PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
-      def filtered_query_string
+      def filtered_query_string # :doc:
         query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter([[$1, $2]]).first.join("=")
+          parameter_filter.filter($1 => $2).first.join("=")
         end
       end
-
     end
   end
 end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    module FilterRedirect
+      FILTERED = "[FILTERED]".freeze # :nodoc:
+
+      def filtered_location # :nodoc:
+        if location_filter_match?
+          FILTERED
+        else
+          location
+        end
+      end
+
+    private
+
+      def location_filters
+        if request
+          request.get_header("action_dispatch.redirect_filter") || []
+        else
+          []
+        end
+      end
+
+      def location_filter_match?
+        location_filters.any? do |filter|
+          if String === filter
+            location.include?(filter)
+          elsif Regexp === filter
+            location =~ filter
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/http/headers.rb

@@ -1,30 +1,131 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Http
-    class Headers < ::Hash
-      @@env_cache = Hash.new { |h,k| h[k] = "HTTP_#{k.upcase.gsub(/-/, '_')}" }
+    # Provides access to the request's HTTP headers from the environment.
+    #
+    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #   headers = ActionDispatch::Http::Headers.from_hash(env)
+    #   headers["Content-Type"] # => "text/plain"
+    #   headers["User-Agent"] # => "curl/7.43.0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #   # GET / HTTP/1.1
+    #   # ...
+    #   # User-Agent: curl/7.43.0
+    #   # X_Custom_Header: token
+    #
+    #   headers["X_Custom_Header"] # => nil
+    #   headers["X-Custom-Header"] # => "token"
+    class Headers
+      CGI_VARIABLES = Set.new(%W[
+        AUTH_TYPE
+        CONTENT_LENGTH
+        CONTENT_TYPE
+        GATEWAY_INTERFACE
+        HTTPS
+        PATH_INFO
+        PATH_TRANSLATED
+        QUERY_STRING
+        REMOTE_ADDR
+        REMOTE_HOST
+        REMOTE_IDENT
+        REMOTE_USER
+        REQUEST_METHOD
+        SCRIPT_NAME
+        SERVER_NAME
+        SERVER_PORT
+        SERVER_PROTOCOL
+        SERVER_SOFTWARE
+      ]).freeze
+
+      HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
+
+      include Enumerable
 
-      def initialize(*args)
+      def self.from_hash(hash)
+        new ActionDispatch::Request.new hash
+      end
+
+      def initialize(request) # :nodoc:
+        @req = request
+      end
 
-        if args.size == 1 && args[0].is_a?(Hash)
-          super()
-          update(args[0])
-        else
-          super
+      # Returns the value for the given key mapped to @env.
+      def [](key)
+        @req.get_header env_name(key)
+      end
+
+      # Sets the given value for the key mapped to @env.
+      def []=(key, value)
+        @req.set_header env_name(key), value
+      end
+
+      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      def add(key, value)
+        @req.add_header env_name(key), value
+      end
+
+      def key?(key)
+        @req.has_header? env_name(key)
+      end
+      alias :include? :key?
+
+      DEFAULT = Object.new # :nodoc:
+
+      # Returns the value for the given key mapped to @env.
+      #
+      # If the key is not found and an optional code block is not provided,
+      # raises a <tt>KeyError</tt> exception.
+      #
+      # If the code block is provided, then it will be run and
+      # its result returned.
+      def fetch(key, default = DEFAULT)
+        @req.fetch_header(env_name(key)) do
+          return default unless default == DEFAULT
+          return yield if block_given?
+          raise KeyError, key
         end
       end
 
-      def [](header_name)
-        if include?(header_name)
-          super
-        else
-          super(env_name(header_name))
+      def each(&block)
+        @req.each_header(&block)
+      end
+
+      # Returns a new Http::Headers instance containing the contents of
+      # <tt>headers_or_env</tt> and the original instance.
+      def merge(headers_or_env)
+        headers = @req.dup.headers
+        headers.merge!(headers_or_env)
+        headers
+      end
+
+      # Adds the contents of <tt>headers_or_env</tt> to original instance
+      # entries; duplicate keys are overwritten with the values from
+      # <tt>headers_or_env</tt>.
+      def merge!(headers_or_env)
+        headers_or_env.each do |key, value|
+          @req.set_header env_name(key), value
         end
       end
 
+      def env; @req.env.dup; end
+
       private
-        # Converts a HTTP header name to an environment variable name.
-        def env_name(header_name)
-          @@env_cache[header_name]
+
+        # Converts an HTTP header name to an environment variable name if it is
+        # not contained within the headers hash.
+        def env_name(key)
+          key = key.to_s
+          if key =~ HTTP_HEADER
+            key = key.upcase.tr("-", "_")
+            key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+          end
+          key
         end
     end
   end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -1,24 +1,25 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/module/attribute_accessors"
+
 module ActionDispatch
   module Http
     module MimeNegotiation
       extend ActiveSupport::Concern
 
       included do
-        mattr_accessor :ignore_accept_header
-        self.ignore_accept_header = false
+        mattr_accessor :ignore_accept_header, default: false
       end
 
-      # The MIME type of the HTTP request, such as Mime::XML.
-      #
-      # For backward compatibility, the post \format is extracted from the
-      # X-Post-Data-Format HTTP header if present.
+      # The MIME type of the HTTP request, such as Mime[:xml].
       def content_mime_type
-        @env["action_dispatch.request.content_type"] ||= begin
-          if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
+        fetch_header("action_dispatch.request.content_type") do |k|
+          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
           end
+          set_header k, v
         end
       end
 
@@ -26,47 +27,85 @@ module ActionDispatch
         content_mime_type && content_mime_type.to_s
       end
 
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
+      end
+
       # Returns the accepted MIME type for the request.
       def accepts
-        @env["action_dispatch.request.accepts"] ||= begin
-          header = @env['HTTP_ACCEPT'].to_s.strip
+        fetch_header("action_dispatch.request.accepts") do |k|
+          header = get_header("HTTP_ACCEPT").to_s.strip
 
-          if header.empty?
+          v = if header.empty?
             [content_mime_type]
           else
             Mime::Type.parse(header)
           end
+          set_header k, v
         end
       end
 
       # Returns the MIME type for the \format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime::XML
-      #   GET /posts/5.xhtml | request.format => Mime::HTML
-      #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
+      #   GET /posts/5.xml   | request.format => Mime[:xml]
+      #   GET /posts/5.xhtml | request.format => Mime[:html]
+      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(view_path = [])
-        formats.first
+        formats.first || Mime::NullType.instance
       end
 
       def formats
-        @env["action_dispatch.request.formats"] ||=
-          if parameters[:format]
+        fetch_header("action_dispatch.request.formats") do |k|
+          params_readable = begin
+                              parameters[:format]
+                            rescue ActionController::BadRequest
+                              false
+                            end
+
+          v = if params_readable
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
+          elsif extension_format = format_from_path_extension
+            [extension_format]
           elsif xhr?
-            [Mime::JS]
+            [Mime[:js]]
           else
-            [Mime::HTML]
+            [Mime[:html]]
+          end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
           end
+
+          set_header k, v
+        end
+      end
+
+      # Sets the \variant for template.
+      def variant=(variant)
+        variant = Array(variant)
+
+        if variant.all? { |v| v.is_a?(Symbol) }
+          @variant = ActiveSupport::ArrayInquirer.new(variant)
+        else
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
+            "For security reasons, never directly set the variant to a user-provided value, " \
+            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
+            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+        end
+      end
+
+      def variant
+        @variant ||= ActiveSupport::ArrayInquirer.new
       end
 
       # Sets the \format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
       #   class ApplicationController < ActionController::Base
-      #     before_filter :adjust_format_for_iphone
+      #     before_action :adjust_format_for_iphone
       #
       #     private
       #       def adjust_format_for_iphone
@@ -75,12 +114,31 @@ module ActionDispatch
       #   end
       def format=(extension)
         parameters[:format] = extension.to_s
-        @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
+        set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
-      # Receives an array of mimes and return the first user sent mime that
-      # matches the order array.
+      # Sets the \formats by string extensions. This differs from #format= by allowing you
+      # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
+      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
+      # to the :html format.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #
+      #     private
+      #       def adjust_format_for_iphone_with_html_fallback
+      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #       end
+      #   end
+      def formats=(extensions)
+        parameters[:format] = extensions.first.to_s
+        set_header "action_dispatch.request.formats", extensions.collect { |extension|
+          Mime::Type.lookup_by_extension(extension)
+        }
+      end
+
+      # Returns the first MIME type that matches the provided array of MIME types.
       def negotiate_mime(order)
         formats.each do |priority|
           if priority == Mime::ALL
@@ -90,21 +148,28 @@ module ActionDispatch
           end
         end
 
-        order.include?(Mime::ALL) ? formats.first : nil
+        order.include?(Mime::ALL) ? format : nil
       end
 
-      protected
+      private
 
-      BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
+        BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-      def valid_accept_header
-        (xhr? && (accept.present? || content_mime_type)) ||
-          (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
-      end
+        def valid_accept_header # :doc:
+          (xhr? && (accept.present? || content_mime_type)) ||
+            (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
+        end
 
-      def use_accept_header
-        !self.class.ignore_accept_header
-      end
+        def use_accept_header # :doc:
+          !self.class.ignore_accept_header
+        end
+
+        def format_from_path_extension # :doc:
+          path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
+          if match = path && path.match(/\.(\w+)\z/)
+            Mime[match.captures.first]
+          end
+        end
     end
   end
 end