actionpack 3.2.22.5 → 5.2.4

data/lib/action_dispatch/railtie.rb

@@ -1,34 +1,55 @@
+# frozen_string_literal: true
+
 require "action_dispatch"
+require "active_support/messages/rotation_configuration"
 
 module ActionDispatch
-  class Railtie < Rails::Railtie
+  class Railtie < Rails::Railtie # :nodoc:
     config.action_dispatch = ActiveSupport::OrderedOptions.new
     config.action_dispatch.x_sendfile_header = nil
     config.action_dispatch.ip_spoofing_check = true
     config.action_dispatch.show_exceptions = true
-    config.action_dispatch.best_standards_support = true
     config.action_dispatch.tld_length = 1
     config.action_dispatch.ignore_accept_header = false
-    config.action_dispatch.rescue_templates = { }
-    config.action_dispatch.rescue_responses = { }
+    config.action_dispatch.rescue_templates = {}
+    config.action_dispatch.rescue_responses = {}
     config.action_dispatch.default_charset = nil
+    config.action_dispatch.rack_cache = false
+    config.action_dispatch.http_auth_salt = "http authentication"
+    config.action_dispatch.signed_cookie_salt = "signed cookie"
+    config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"
+    config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"
+    config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"
+    config.action_dispatch.use_authenticated_cookie_encryption = false
+    config.action_dispatch.perform_deep_munge = true
 
-    config.action_dispatch.rack_cache = {
-      :metastore => "rails:/",
-      :entitystore => "rails:/",
-      :verbose => false
+    config.action_dispatch.default_headers = {
+      "X-Frame-Options" => "SAMEORIGIN",
+      "X-XSS-Protection" => "1; mode=block",
+      "X-Content-Type-Options" => "nosniff",
+      "X-Download-Options" => "noopen",
+      "X-Permitted-Cross-Domain-Policies" => "none",
+      "Referrer-Policy" => "strict-origin-when-cross-origin"
     }
 
+    config.action_dispatch.cookies_rotations = ActiveSupport::Messages::RotationConfiguration.new
+
+    config.eager_load_namespaces << ActionDispatch
+
     initializer "action_dispatch.configure" do |app|
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
       ActionDispatch::Request.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
+      ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
       ActionDispatch::Response.default_charset = app.config.action_dispatch.default_charset || app.config.encoding
+      ActionDispatch::Response.default_headers = app.config.action_dispatch.default_headers
 
       ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)
       ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)
 
       config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?
       ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie
+
+      ActionDispatch.test_app = app
     end
   end
 end

data/lib/action_dispatch/request/session.rb

@@ -0,0 +1,234 @@
+# frozen_string_literal: true
+
+require "rack/session/abstract/id"
+
+module ActionDispatch
+  class Request
+    # Session is responsible for lazily loading the session from store.
+    class Session # :nodoc:
+      ENV_SESSION_KEY         = Rack::RACK_SESSION # :nodoc:
+      ENV_SESSION_OPTIONS_KEY = Rack::RACK_SESSION_OPTIONS # :nodoc:
+
+      # Singleton object used to determine if an optional param wasn't specified.
+      Unspecified = Object.new
+
+      # Creates a session hash, merging the properties of the previous session if any.
+      def self.create(store, req, default_options)
+        session_was = find req
+        session     = Request::Session.new(store, req)
+        session.merge! session_was if session_was
+
+        set(req, session)
+        Options.set(req, Request::Session::Options.new(store, default_options))
+        session
+      end
+
+      def self.find(req)
+        req.get_header ENV_SESSION_KEY
+      end
+
+      def self.set(req, session)
+        req.set_header ENV_SESSION_KEY, session
+      end
+
+      class Options #:nodoc:
+        def self.set(req, options)
+          req.set_header ENV_SESSION_OPTIONS_KEY, options
+        end
+
+        def self.find(req)
+          req.get_header ENV_SESSION_OPTIONS_KEY
+        end
+
+        def initialize(by, default_options)
+          @by       = by
+          @delegate = default_options.dup
+        end
+
+        def [](key)
+          @delegate[key]
+        end
+
+        def id(req)
+          @delegate.fetch(:id) {
+            @by.send(:extract_session_id, req)
+          }
+        end
+
+        def []=(k, v);        @delegate[k] = v; end
+        def to_hash;          @delegate.dup; end
+        def values_at(*args); @delegate.values_at(*args); end
+      end
+
+      def initialize(by, req)
+        @by       = by
+        @req      = req
+        @delegate = {}
+        @loaded   = false
+        @exists   = nil # We haven't checked yet.
+      end
+
+      def id
+        options.id(@req)
+      end
+
+      def options
+        Options.find @req
+      end
+
+      def destroy
+        clear
+        options = self.options || {}
+        @by.send(:delete_session, @req, options.id(@req), options)
+
+        # Load the new sid to be written with the response.
+        @loaded = false
+        load_for_write!
+      end
+
+      # Returns value of the key stored in the session or
+      # +nil+ if the given key is not found in the session.
+      def [](key)
+        load_for_read!
+        @delegate[key.to_s]
+      end
+
+      # Returns true if the session has the given key or false.
+      def has_key?(key)
+        load_for_read!
+        @delegate.key?(key.to_s)
+      end
+      alias :key? :has_key?
+      alias :include? :has_key?
+
+      # Returns keys of the session as Array.
+      def keys
+        load_for_read!
+        @delegate.keys
+      end
+
+      # Returns values of the session as Array.
+      def values
+        load_for_read!
+        @delegate.values
+      end
+
+      # Writes given value to given key of the session.
+      def []=(key, value)
+        load_for_write!
+        @delegate[key.to_s] = value
+      end
+
+      # Clears the session.
+      def clear
+        load_for_write!
+        @delegate.clear
+      end
+
+      # Returns the session as Hash.
+      def to_hash
+        load_for_read!
+        @delegate.dup.delete_if { |_, v| v.nil? }
+      end
+      alias :to_h :to_hash
+
+      # Updates the session with given Hash.
+      #
+      #   session.to_hash
+      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2"}
+      #
+      #   session.update({ "foo" => "bar" })
+      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
+      #
+      #   session.to_hash
+      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
+      def update(hash)
+        load_for_write!
+        @delegate.update stringify_keys(hash)
+      end
+
+      # Deletes given key from the session.
+      def delete(key)
+        load_for_write!
+        @delegate.delete key.to_s
+      end
+
+      # Returns value of the given key from the session, or raises +KeyError+
+      # if can't find the given key and no default value is set.
+      # Returns default value if specified.
+      #
+      #   session.fetch(:foo)
+      #   # => KeyError: key not found: "foo"
+      #
+      #   session.fetch(:foo, :bar)
+      #   # => :bar
+      #
+      #   session.fetch(:foo) do
+      #     :bar
+      #   end
+      #   # => :bar
+      def fetch(key, default = Unspecified, &block)
+        load_for_read!
+        if default == Unspecified
+          @delegate.fetch(key.to_s, &block)
+        else
+          @delegate.fetch(key.to_s, default, &block)
+        end
+      end
+
+      def inspect
+        if loaded?
+          super
+        else
+          "#<#{self.class}:0x#{(object_id << 1).to_s(16)} not yet loaded>"
+        end
+      end
+
+      def exists?
+        return @exists unless @exists.nil?
+        @exists = @by.send(:session_exists?, @req)
+      end
+
+      def loaded?
+        @loaded
+      end
+
+      def empty?
+        load_for_read!
+        @delegate.empty?
+      end
+
+      def merge!(other)
+        load_for_write!
+        @delegate.merge!(other)
+      end
+
+      def each(&block)
+        to_hash.each(&block)
+      end
+
+      private
+
+        def load_for_read!
+          load! if !loaded? && exists?
+        end
+
+        def load_for_write!
+          load! unless loaded?
+        end
+
+        def load!
+          id, session = @by.load_session @req
+          options[:id] = id
+          @delegate.replace(stringify_keys(session))
+          @loaded = true
+        end
+
+        def stringify_keys(other)
+          other.each_with_object({}) { |(key, value), hash|
+            hash[key.to_s] = value
+          }
+        end
+    end
+  end
+end

data/lib/action_dispatch/request/utils.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/hash/indifferent_access"
+
+module ActionDispatch
+  class Request
+    class Utils # :nodoc:
+      mattr_accessor :perform_deep_munge, default: true
+
+      def self.each_param_value(params, &block)
+        case params
+        when Array
+          params.each { |element| each_param_value(element, &block) }
+        when Hash
+          params.each_value { |value| each_param_value(value, &block) }
+        when String
+          block.call params
+        end
+      end
+
+      def self.normalize_encode_params(params)
+        if perform_deep_munge
+          NoNilParamEncoder.normalize_encode_params params
+        else
+          ParamEncoder.normalize_encode_params params
+        end
+      end
+
+      def self.check_param_encoding(params)
+        case params
+        when Array
+          params.each { |element| check_param_encoding(element) }
+        when Hash
+          params.each_value { |value| check_param_encoding(value) }
+        when String
+          unless params.valid_encoding?
+            # Raise Rack::Utils::InvalidParameterError for consistency with Rack.
+            # ActionDispatch::Request#GET will re-raise as a BadRequest error.
+            raise Rack::Utils::InvalidParameterError, "Invalid encoding for parameter: #{params.scrub}"
+          end
+        end
+      end
+
+      class ParamEncoder # :nodoc:
+        # Convert nested Hash to HashWithIndifferentAccess.
+        def self.normalize_encode_params(params)
+          case params
+          when Array
+            handle_array params
+          when Hash
+            if params.has_key?(:tempfile)
+              ActionDispatch::Http::UploadedFile.new(params)
+            else
+              params.each_with_object({}) do |(key, val), new_hash|
+                new_hash[key] = normalize_encode_params(val)
+              end.with_indifferent_access
+            end
+          else
+            params
+          end
+        end
+
+        def self.handle_array(params)
+          params.map! { |el| normalize_encode_params(el) }
+        end
+      end
+
+      # Remove nils from the params hash.
+      class NoNilParamEncoder < ParamEncoder # :nodoc:
+        def self.handle_array(params)
+          list = super
+          list.compact!
+          list
+        end
+      end
+    end
+  end
+end

data/lib/action_dispatch/routing/endpoint.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Routing
+    class Endpoint # :nodoc:
+      def dispatcher?;   false; end
+      def redirect?;     false; end
+      def matches?(req);  true; end
+      def app;            self; end
+      def rack_app;        app; end
+
+      def engine?
+        rack_app.is_a?(Class) && rack_app < Rails::Engine
+      end
+    end
+  end
+end

data/lib/action_dispatch/routing/inspector.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+require "delegate"
+require "active_support/core_ext/string/strip"
+
+module ActionDispatch
+  module Routing
+    class RouteWrapper < SimpleDelegator
+      def endpoint
+        app.dispatcher? ? "#{controller}##{action}" : rack_app.inspect
+      end
+
+      def constraints
+        requirements.except(:controller, :action)
+      end
+
+      def rack_app
+        app.rack_app
+      end
+
+      def path
+        super.spec.to_s
+      end
+
+      def name
+        super.to_s
+      end
+
+      def reqs
+        @reqs ||= begin
+          reqs = endpoint
+          reqs += " #{constraints}" unless constraints.empty?
+          reqs
+        end
+      end
+
+      def controller
+        parts.include?(:controller) ? ":controller" : requirements[:controller]
+      end
+
+      def action
+        parts.include?(:action) ? ":action" : requirements[:action]
+      end
+
+      def internal?
+        internal
+      end
+
+      def engine?
+        app.engine?
+      end
+    end
+
+    ##
+    # This class is just used for displaying route information when someone
+    # executes `rails routes` or looks at the RoutingError page.
+    # People should not use this class.
+    class RoutesInspector # :nodoc:
+      def initialize(routes)
+        @engines = {}
+        @routes = routes
+      end
+
+      def format(formatter, filter = nil)
+        routes_to_display = filter_routes(normalize_filter(filter))
+        routes = collect_routes(routes_to_display)
+        if routes.none?
+          formatter.no_routes(collect_routes(@routes))
+          return formatter.result
+        end
+
+        formatter.header routes
+        formatter.section routes
+
+        @engines.each do |name, engine_routes|
+          formatter.section_title "Routes for #{name}"
+          formatter.section engine_routes
+        end
+
+        formatter.result
+      end
+
+      private
+
+        def normalize_filter(filter)
+          if filter.is_a?(Hash) && filter[:controller]
+            { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
+          elsif filter
+            { controller: /#{filter}/, action: /#{filter}/, verb: /#{filter}/, name: /#{filter}/, path: /#{filter}/ }
+          end
+        end
+
+        def filter_routes(filter)
+          if filter
+            @routes.select do |route|
+              route_wrapper = RouteWrapper.new(route)
+              filter.any? { |default, value| route_wrapper.send(default) =~ value }
+            end
+          else
+            @routes
+          end
+        end
+
+        def collect_routes(routes)
+          routes.collect do |route|
+            RouteWrapper.new(route)
+          end.reject(&:internal?).collect do |route|
+            collect_engine_routes(route)
+
+            { name: route.name,
+              verb: route.verb,
+              path: route.path,
+              reqs: route.reqs }
+          end
+        end
+
+        def collect_engine_routes(route)
+          name = route.endpoint
+          return unless route.engine?
+          return if @engines[name]
+
+          routes = route.rack_app.routes
+          if routes.is_a?(ActionDispatch::Routing::RouteSet)
+            @engines[name] = collect_routes(routes.routes)
+          end
+        end
+    end
+
+    class ConsoleFormatter
+      def initialize
+        @buffer = []
+      end
+
+      def result
+        @buffer.join("\n")
+      end
+
+      def section_title(title)
+        @buffer << "\n#{title}:"
+      end
+
+      def section(routes)
+        @buffer << draw_section(routes)
+      end
+
+      def header(routes)
+        @buffer << draw_header(routes)
+      end
+
+      def no_routes(routes)
+        @buffer <<
+        if routes.none?
+          <<-MESSAGE.strip_heredoc
+          You don't have any routes defined!
+
+          Please add some routes in config/routes.rb.
+          MESSAGE
+        else
+          "No routes were found for this controller"
+        end
+        @buffer << "For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html."
+      end
+
+      private
+        def draw_section(routes)
+          header_lengths = ["Prefix", "Verb", "URI Pattern"].map(&:length)
+          name_width, verb_width, path_width = widths(routes).zip(header_lengths).map(&:max)
+
+          routes.map do |r|
+            "#{r[:name].rjust(name_width)} #{r[:verb].ljust(verb_width)} #{r[:path].ljust(path_width)} #{r[:reqs]}"
+          end
+        end
+
+        def draw_header(routes)
+          name_width, verb_width, path_width = widths(routes)
+
+          "#{"Prefix".rjust(name_width)} #{"Verb".ljust(verb_width)} #{"URI Pattern".ljust(path_width)} Controller#Action"
+        end
+
+        def widths(routes)
+          [routes.map { |r| r[:name].length }.max || 0,
+           routes.map { |r| r[:verb].length }.max || 0,
+           routes.map { |r| r[:path].length }.max || 0]
+        end
+    end
+
+    class HtmlTableFormatter
+      def initialize(view)
+        @view = view
+        @buffer = []
+      end
+
+      def section_title(title)
+        @buffer << %(<tr><th colspan="4">#{title}</th></tr>)
+      end
+
+      def section(routes)
+        @buffer << @view.render(partial: "routes/route", collection: routes)
+      end
+
+      # The header is part of the HTML page, so we don't construct it here.
+      def header(routes)
+      end
+
+      def no_routes(*)
+        @buffer << <<-MESSAGE.strip_heredoc
+          <p>You don't have any routes defined!</p>
+          <ul>
+            <li>Please add some routes in <tt>config/routes.rb</tt>.</li>
+            <li>
+              For more information about routes, please see the Rails guide
+              <a href="http://guides.rubyonrails.org/routing.html">Rails Routing from the Outside In</a>.
+            </li>
+          </ul>
+          MESSAGE
+      end
+
+      def result
+        @view.raw @view.render(layout: "routes/table") {
+          @view.raw @buffer.join("\n")
+        }
+      end
+    end
+  end
+end