actionpack 4.0.13 → 4.1.0.beta1

data/lib/action_controller/metal/params_wrapper.rb

@@ -231,12 +231,7 @@ module ActionController
     # by the metal call stack.
     def process_action(*args)
       if _wrapper_enabled?
-        if request.parameters[_wrapper_key].present?
-          wrapped_hash = _extract_parameters(request.parameters)
-        else
-          wrapped_hash = _wrap_parameters request.request_parameters
-        end
-
+        wrapped_hash = _wrap_parameters request.request_parameters
         wrapped_keys = request.request_parameters.keys
         wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -264,16 +259,14 @@ module ActionController
 
       # Returns the list of parameters which will be selected for wrapped.
       def _wrap_parameters(parameters)
-        { _wrapper_key => _extract_parameters(parameters) }
-      end
-
-      def _extract_parameters(parameters)
-        if include_only = _wrapper_options.include
+        value = if include_only = _wrapper_options.include
           parameters.slice(*include_only)
         else
           exclude = _wrapper_options.exclude || []
           parameters.except(*(exclude + EXCLUDE_PARAMETERS))
         end
+
+        { _wrapper_key => value }
       end
 
       # Checks if we should perform parameters wrapping.

data/lib/action_controller/metal/rack_delegation.rb

@@ -6,7 +6,7 @@ module ActionController
     extend ActiveSupport::Concern
 
     delegate :headers, :status=, :location=, :content_type=,
-             :status, :location, :content_type, :_status_code, :to => "@_response"
+             :status, :location, :content_type, :to => "@_response"
 
     def dispatch(action, request)
       set_response!(request)

data/lib/action_controller/metal/redirecting.rb

@@ -64,7 +64,6 @@ module ActionController
     # behavior for this case by rescuing ActionController::RedirectBackError.
     def redirect_to(options = {}, response_status = {}) #:doc:
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
-      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_status)
@@ -72,6 +71,26 @@ module ActionController
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.h(location)}\">redirected</a>.</body></html>"
     end
 
+    def _compute_redirect_to_location(options) #:nodoc:
+      case options
+      # The scheme name consist of a letter followed by any combination of
+      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
+      # characters; and is terminated by a colon (":").
+      # See http://tools.ietf.org/html/rfc3986#section-3.1
+      # The protocol relative scheme starts with a double slash "//".
+      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
+        options
+      when String
+        request.protocol + request.host_with_port + options
+      when :back
+        request.headers["Referer"] or raise RedirectBackError
+      when Proc
+        _compute_redirect_to_location options.call
+      else
+        url_for(options)
+      end.delete("\0\r\n")
+    end
+
     private
       def _extract_redirect_to_status(options, response_status)
         if options.is_a?(Hash) && options.key?(:status)
@@ -82,24 +101,5 @@ module ActionController
           302
         end
       end
-
-      def _compute_redirect_to_location(options)
-        case options
-        # The scheme name consist of a letter followed by any combination of
-        # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
-        # characters; and is terminated by a colon (":").
-        # The protocol relative scheme starts with a double slash "//"
-        when %r{\A(\w[\w+.-]*:|//).*}
-          options
-        when String
-          request.protocol + request.host_with_port + options
-        when :back
-          request.headers["Referer"] or raise RedirectBackError
-        when Proc
-          _compute_redirect_to_location options.call
-        else
-          url_for(options)
-        end.delete("\0\r\n")
-      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -6,6 +6,12 @@ module ActionController
     Renderers.add(key, &block)
   end
 
+  class MissingRenderer < LoadError
+    def initialize(format)
+      super "No renderer defined for format: #{format}"
+    end
+  end
+
   module Renderers
     extend ActiveSupport::Concern
 
@@ -90,11 +96,8 @@ module ActionController
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        if self.content_type.nil? || self.content_type == Mime::JSON
-          self.content_type = Mime::JS
-        end
-
-        "/**/#{options[:callback]}(#{json})"
+        self.content_type ||= Mime::JS
+        "#{options[:callback]}(#{json})"
       else
         self.content_type ||= Mime::JSON
         json

data/lib/action_controller/metal/rendering.rb

@@ -2,8 +2,6 @@ module ActionController
   module Rendering
     extend ActiveSupport::Concern
 
-    include AbstractController::Rendering
-
     # Before processing, set the request formats in current controller formats.
     def process_action(*) #:nodoc:
       self.formats = request.formats.map(&:ref).compact
@@ -12,29 +10,34 @@ module ActionController
 
     # Check for double render errors and set the content_type after rendering.
     def render(*args) #:nodoc:
-      raise ::AbstractController::DoubleRenderError if response_body
+      raise ::AbstractController::DoubleRenderError if self.response_body
       super
-      self.content_type ||= Mime[lookup_context.rendered_format].to_s
-      response_body
     end
 
     # Overwrite render_to_string because body can now be set to a rack body.
     def render_to_string(*)
-      if self.response_body = super
+      result = super
+      if result.respond_to?(:each)
         string = ""
-        response_body.each { |r| string << r }
+        result.each { |r| string << r }
         string
+      else
+        result
       end
-    ensure
-      self.response_body = nil
     end
 
-    def render_to_body(*)
-      super || " "
+    def render_to_body(options = {})
+      super || options[:text].presence || ' '
     end
 
     private
 
+    def _process_format(format)
+      super
+      # format is a Mime::NullType instance here then this condition can't be changed to `if format`
+      self.content_type ||= format.to_s unless format.nil?
+    end
+
     # Normalize arguments by catching blocks and setting them on :update.
     def _normalize_args(action=nil, options={}, &blk) #:nodoc:
       options = super

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -5,14 +5,24 @@ module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
   end
 
+  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  end
+
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
   # by including a token in the rendered html for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
   # access. When a request reaches your application, \Rails verifies the received
   # token with the token in the session. Only HTML and JavaScript requests are checked,
   # so this will not protect your XML API (presumably you'll have a different
-  # authentication scheme there anyway). Also, GET requests are not protected as these
-  # should be idempotent.
+  # authentication scheme there anyway).
+  #
+  # GET requests are not protected since they don't have side effects like writing
+  # to the database and don't leak sensitive information. JavaScript requests are
+  # an exception: a third-party site can use a <script> tag to reference a JavaScript
+  # URL on your site. When your JavaScript response loads on their site, it executes.
+  # With carefully crafted JavaScript on their end, sensitive data in your JavaScript
+  # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
+  # Ajax) requests are allowed to make GET requests for JavaScript responses.
   #
   # It's important to remember that XML or JSON requests are also affected and if
   # you're building an API you'll need something like:
@@ -65,17 +75,16 @@ module ActionController #:nodoc:
     module ClassMethods
       # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
       #
+      #   class ApplicationController < ActionController::Base
+      #     protect_from_forgery
+      #   end
+      #
       #   class FooController < ApplicationController
       #     protect_from_forgery except: :index
       #
-      # You can disable csrf protection on controller-by-controller basis:
-      #
+      # You can disable CSRF protection on controller by skipping the verification before_action:
       #   skip_before_action :verify_authenticity_token
       #
-      # It can also be disabled for specific controller actions:
-      #
-      #   skip_before_action :verify_authenticity_token, except: [:create]
-      #
       # Valid Options:
       #
       # * <tt>:only/:except</tt> - Passed to the <tt>before_action</tt> call. Set which actions are verified.
@@ -89,6 +98,7 @@ module ActionController #:nodoc:
         self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
         prepend_before_action :verify_authenticity_token, options
+        append_after_action :verify_same_origin_request
       end
 
       private
@@ -169,18 +179,61 @@ module ActionController #:nodoc:
     end
 
     protected
+      # The actual before_action that is used to verify the CSRF token.
+      # Don't override this directly. Provide your own forgery protection
+      # strategy instead. If you override, you'll disable same-origin
+      # `<script>` verification.
+      #
+      # Lean on the protect_from_forgery declaration to mark which actions are
+      # due for same-origin request verification. If protect_from_forgery is
+      # enabled on an action, this before_action flags its after_action to
+      # verify that JavaScript responses are for XHR requests, ensuring they
+      # follow the browser's same-origin policy.
+      def verify_authenticity_token
+        mark_for_same_origin_verification!
+
+        if !verified_request?
+          logger.warn "Can't verify CSRF token authenticity" if logger
+          handle_unverified_request
+        end
+      end
+
       def handle_unverified_request
         forgery_protection_strategy.new(self).handle_unverified_request
       end
 
-      # The actual before_action that is used. Modify this to change how you handle unverified requests.
-      def verify_authenticity_token
-        unless verified_request?
-          logger.warn "Can't verify CSRF token authenticity" if logger
-          handle_unverified_request
+      CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
+        "<script> tag on another site requested protected JavaScript. " \
+        "If you know what you're doing, go ahead and disable forgery " \
+        "protection on this action to permit cross-origin JavaScript embedding."
+      private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
+
+      # If `verify_authenticity_token` was run (indicating that we have
+      # forgery protection enabled for this request) then also verify that
+      # we aren't serving an unauthorized cross-origin response.
+      def verify_same_origin_request
+        if marked_for_same_origin_verification? && non_xhr_javascript_response?
+          logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
+          raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
         end
       end
 
+      # GET requests are checked for cross-origin JavaScript after rendering.
+      def mark_for_same_origin_verification!
+        @marked_for_same_origin_verification = request.get?
+      end
+
+      # If the `verify_authenticity_token` before_action ran, verify that
+      # JavaScript responses are only served to same-origin GET requests.
+      def marked_for_same_origin_verification?
+        @marked_for_same_origin_verification ||= false
+      end
+
+      # Check for cross-origin JavaScript responses.
+      def non_xhr_javascript_response?
+        content_type =~ %r(\Atext/javascript) && !request.xhr?
+      end
+
       # Returns true or false if a request is verified. Checks:
       #
       # * is it a GET or HEAD request?  Gets should be safe and idempotent
@@ -202,6 +255,7 @@ module ActionController #:nodoc:
         params[request_forgery_protection_token]
       end
 
+      # Checks if the controller allows forgery protection.
       def protect_against_forgery?
         allow_forgery_protection
       end

data/lib/action_controller/metal/responder.rb

@@ -97,8 +97,12 @@ module ActionController #:nodoc:
   #
   # This will return status 201 if the task was saved successfully. If not,
   # it will simply ignore the given options and return status 422 and the
-  # resource errors. To customize the failure scenario, you can pass a
-  # a block to <code>respond_with</code>:
+  # resource errors. You can also override the location to redirect to:
+  #
+  #   respond_with(@project, location: root_path)
+  #
+  # To customize the failure scenario, you can pass a block to
+  # <code>respond_with</code>:
   #
   #   def create
   #     @project = Project.find(params[:project_id])
@@ -198,6 +202,7 @@ module ActionController #:nodoc:
     # This is the common behavior for formats associated with APIs, such as :xml and :json.
     def api_behavior(error)
       raise error unless resourceful?
+      raise MissingRenderer.new(format) unless has_renderer?
 
       if get?
         display resource
@@ -265,6 +270,11 @@ module ActionController #:nodoc:
       resource.respond_to?(:errors) && !resource.errors.empty?
     end
 
+    # Check whether the necessary Renderer is available
+    def has_renderer?
+      Renderers::RENDERERS.include?(format)
+    end
+
     # By default, render the <code>:edit</code> action for HTML requests with errors, unless
     # the verb was POST.
     #

data/lib/action_controller/metal/streaming.rb

@@ -193,31 +193,29 @@ module ActionController #:nodoc:
   module Streaming
     extend ActiveSupport::Concern
 
-    include AbstractController::Rendering
-
     protected
 
-    # Set proper cache control and transfer encoding when streaming
-    def _process_options(options) #:nodoc:
-      super
-      if options[:stream]
-        if env["HTTP_VERSION"] == "HTTP/1.0"
-          options.delete(:stream)
-        else
-          headers["Cache-Control"] ||= "no-cache"
-          headers["Transfer-Encoding"] = "chunked"
-          headers.delete("Content-Length")
+      # Set proper cache control and transfer encoding when streaming
+      def _process_options(options) #:nodoc:
+        super
+        if options[:stream]
+          if env["HTTP_VERSION"] == "HTTP/1.0"
+            options.delete(:stream)
+          else
+            headers["Cache-Control"] ||= "no-cache"
+            headers["Transfer-Encoding"] = "chunked"
+            headers.delete("Content-Length")
+          end
         end
       end
-    end
 
-    # Call render_body if we are streaming instead of usual +render+.
-    def _render_template(options) #:nodoc:
-      if options.delete(:stream)
-        Rack::Chunked::Body.new view_renderer.render_body(view_context, options)
-      else
-        super
+      # Call render_body if we are streaming instead of usual +render+.
+      def _render_template(options) #:nodoc:
+        if options.delete(:stream)
+          Rack::Chunked::Body.new view_renderer.render_body(view_context, options)
+        else
+          super
+        end
       end
-    end
   end
 end

data/lib/action_controller/metal/strong_parameters.rb

@@ -3,7 +3,6 @@ require 'active_support/core_ext/array/wrap'
 require 'active_support/rescuable'
 require 'action_dispatch/http/upload'
 require 'stringio'
-require 'set'
 
 module ActionController
   # Raised when a required parameter is missing.
@@ -126,13 +125,6 @@ module ActionController
       @permitted = self.class.permit_all_parameters
     end
 
-    # Attribute that keeps track of converted arrays, if any, to avoid double
-    # looping in the common use case permit + mass-assignment. Defined in a
-    # method to instantiate it only if needed.
-    def converted_arrays
-      @converted_arrays ||= Set.new
-    end
-
     # Returns +true+ if the parameter is permitted, +false+ otherwise.
     #
     #   params = ActionController::Parameters.new
@@ -157,10 +149,8 @@ module ActionController
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def permit!
       each_pair do |key, value|
-        value = convert_hashes_to_parameters(key, value)
-        Array.wrap(value).each do |_|
-          _.permit! if _.respond_to? :permit!
-        end
+        convert_hashes_to_parameters(key, value)
+        self[key].permit! if self[key].respond_to? :permit!
       end
 
       @permitted = true
@@ -180,12 +170,7 @@ module ActionController
     #   ActionController::Parameters.new(person: {}).require(:person)
     #   # => ActionController::ParameterMissing: param not found: person
     def require(key)
-      value = self[key]
-      if value.present? || value == false
-        value
-      else
-        raise ParameterMissing.new(key)
-      end
+      self[key].presence || raise(ParameterMissing.new(key))
     end
 
     # Alias of #require.
@@ -299,7 +284,14 @@ module ActionController
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
     def fetch(key, *args)
-      convert_hashes_to_parameters(key, super, false)
+      value = super
+      # Don't rely on +convert_hashes_to_parameters+
+      # so as to not mutate via a +fetch+
+      if value.is_a?(Hash)
+        value = self.class.new(value)
+        value.permit! if permitted?
+      end
+      value
     rescue KeyError
       raise ActionController::ParameterMissing.new(key)
     end
@@ -313,7 +305,7 @@ module ActionController
     #   params.slice(:d)     # => {}
     def slice(*keys)
       self.class.new(super).tap do |new_instance|
-        new_instance.instance_variable_set :@permitted, @permitted
+        new_instance.permitted = @permitted
       end
     end
 
@@ -327,26 +319,22 @@ module ActionController
     #   copy_params.permitted?   # => true
     def dup
       super.tap do |duplicate|
-        duplicate.instance_variable_set :@permitted, @permitted
+        duplicate.permitted = @permitted
       end
     end
 
-    private
-      def convert_hashes_to_parameters(key, value, assign_if_converted=true)
-        converted = convert_value_to_parameters(value)
-        self[key] = converted if assign_if_converted && !converted.equal?(value)
-        converted
+    protected
+      def permitted=(new_permitted)
+        @permitted = new_permitted
       end
 
-      def convert_value_to_parameters(value)
-        if value.is_a?(Array) && !converted_arrays.member?(value)
-          converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
-          converted
-        elsif value.is_a?(Parameters) || !value.is_a?(Hash)
+    private
+      def convert_hashes_to_parameters(key, value)
+        if value.is_a?(Parameters) || !value.is_a?(Hash)
           value
         else
-          self.class.new(value)
+          # Convert to Parameters on first access
+          self[key] = self.class.new(value)
         end
       end
 
@@ -502,7 +490,7 @@ module ActionController
   #       end
   #   end
   #
-  # In order to use <tt>accepts_nested_attributes_for</tt> with Strong \Parameters, you
+  # In order to use <tt>accepts_nested_attribute_for</tt> with Strong \Parameters, you
   # will need to specify which nested attributes should be whitelisted.
   #
   #   class Person