actionpack 4.2.10 → 5.0.0

data/lib/action_dispatch/routing/url_for.rb

@@ -1,7 +1,7 @@
 module ActionDispatch
   module Routing
     # In <tt>config/routes.rb</tt> you define URL-to-controller mappings, but the reverse
-    # is also possible: an URL can be generated from one of your routing definitions.
+    # is also possible: a URL can be generated from one of your routing definitions.
     # URL generation functionality is centralized in this module.
     #
     # See ActionDispatch::Routing for general information about routing and routes.rb.
@@ -52,9 +52,11 @@ module ActionDispatch
     # argument.
     #
     # For convenience reasons, mailers provide a shortcut for ActionController::UrlFor#url_for.
-    # So within mailers, you only have to type 'url_for' instead of 'ActionController::UrlFor#url_for'
-    # in full. However, mailers don't have hostname information, and that's why you'll still
-    # have to specify the <tt>:host</tt> argument when generating URLs in mailers.
+    # So within mailers, you only have to type +url_for+ instead of 'ActionController::UrlFor#url_for'
+    # in full. However, mailers don't have hostname information, and you still have to provide
+    # the +:host+ argument or set the default host that will be used in all mailers using the
+    # configuration option +config.action_mailer.default_url_options+. For more information on
+    # url_for in mailers read the ActionMailer#Base documentation.
     #
     #
     # == URL generation for named routes
@@ -147,6 +149,20 @@ module ActionDispatch
       #    # => 'http://somehost.org/myapp/tasks/testing'
       #    url_for controller: 'tasks', action: 'testing', host: 'somehost.org', script_name: "/myapp", only_path: true
       #    # => '/myapp/tasks/testing'
+      #
+      # Missing routes keys may be filled in from the current request's parameters
+      # (e.g. +:controller+, +:action+, +:id+ and any other parameters that are
+      # placed in the path). Given that the current action has been reached
+      # through `GET /users/1`:
+      #
+      #   url_for(only_path: true)                        # => '/users/1'
+      #   url_for(only_path: true, action: 'edit')        # => '/users/1/edit'
+      #   url_for(only_path: true, action: 'edit', id: 2) # => '/users/2/edit'
+      #
+      # Notice that no +:id+ parameter was provided to the first +url_for+ call
+      # and the helper used the one from the route's path. Any path parameter
+      # implicitly used by +url_for+ can always be overwritten like shown on the
+      # last +url_for+ calls.
       def url_for(options = nil)
         case options
         when nil
@@ -155,6 +171,13 @@ module ActionDispatch
           route_name = options.delete :use_route
           _routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
                          route_name)
+        when ActionController::Parameters
+          unless options.permitted?
+            raise ArgumentError.new(ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE)
+          end
+          route_name = options.delete :use_route
+          _routes.url_for(options.to_h.symbolize_keys.
+                          reverse_merge!(url_options), route_name)
         when String
           options
         when Symbol
@@ -185,12 +208,6 @@ module ActionDispatch
       def _routes_context
         self
       end
-
-      private
-
-        def _generate_paths_by_default
-          true
-        end
     end
   end
 end

data/lib/action_dispatch/routing.rb

@@ -1,8 +1,3 @@
-# encoding: UTF-8
-require 'active_support/core_ext/object/to_param'
-require 'active_support/core_ext/regexp'
-require 'active_support/dependencies/autoload'
-
 module ActionDispatch
   # The routing module provides URL rewriting in native Ruby. It's a way to
   # redirect incoming requests to controllers and actions. This replaces
@@ -58,7 +53,7 @@ module ActionDispatch
   #     resources :posts, :comments
   #   end
   #
-  # Alternately, you can add prefixes to your path without using a separate
+  # Alternatively, you can add prefixes to your path without using a separate
   # directory by using +scope+. +scope+ takes additional options which
   # apply to all enclosed routes.
   #
@@ -78,14 +73,14 @@ module ActionDispatch
   #   get 'post/:id' => 'posts#show'
   #   post 'post/:id' => 'posts#create_comment'
   #
+  # Now, if you POST to <tt>/posts/:id</tt>, it will route to the <tt>create_comment</tt> action. A GET on the same
+  # URL will route to the <tt>show</tt> action.
+  #
   # If your route needs to respond to more than one HTTP method (or all methods) then using the
   # <tt>:via</tt> option on <tt>match</tt> is preferable.
   #
   #   match 'post/:id' => 'posts#show', via: [:get, :post]
   #
-  # Now, if you POST to <tt>/posts/:id</tt>, it will route to the <tt>create_comment</tt> action. A GET on the same
-  # URL will route to the <tt>show</tt> action.
-  #
   # == Named routes
   #
   # Routes can be named by passing an <tt>:as</tt> option,
@@ -151,6 +146,7 @@ module ActionDispatch
   #     get 'geocode/:postalcode' => :show, constraints: {
   #       postalcode: /\d{5}(-\d{4})?/
   #     }
+  #   end
   #
   # Constraints can include the 'ignorecase' and 'extended syntax' regular
   # expression modifiers:
@@ -163,7 +159,7 @@ module ActionDispatch
   #
   #   controller 'geocode' do
   #     get 'geocode/:postalcode' => :show, constraints: {
-  #       postalcode: /# Postcode format
+  #       postalcode: /# Postalcode format
   #          \d{5} #Prefix
   #          (-\d{4})? #Suffix
   #          /x
@@ -232,7 +228,6 @@ module ActionDispatch
   #   def send_to_jail
   #     get '/jail'
   #     assert_response :success
-  #     assert_template "jail/front"
   #   end
   #
   #   def goes_to_login
@@ -242,9 +237,9 @@ module ActionDispatch
   #
   # == View a list of all your routes
   #
-  #   rake routes
+  #   rails routes
   #
-  # Target specific controllers by prefixing the command with <tt>CONTROLLER=x</tt>.
+  # Target specific controllers by prefixing the command with <tt>-c</tt> option.
   #
   module Routing
     extend ActiveSupport::Autoload
@@ -257,5 +252,14 @@ module ActionDispatch
 
     SEPARATORS = %w( / . ? ) #:nodoc:
     HTTP_METHODS = [:get, :head, :post, :patch, :put, :delete, :options] #:nodoc:
+
+    #:stopdoc:
+    INSECURE_URL_PARAMETERS_MESSAGE = <<-MSG.squish
+      Attempting to generate a URL from non-sanitized request parameters!
+
+      An attacker can inject malicious data into the generated URL, such as
+      changing the host. Whitelist and sanitize passed parameters to be secure.
+    MSG
+    #:startdoc:
   end
 end

data/lib/action_dispatch/testing/assertion_response.rb

@@ -0,0 +1,45 @@
+module ActionDispatch
+  # This is a class that abstracts away an asserted response. It purposely
+  # does not inherit from Response because it doesn't need it. That means it
+  # does not have headers or a body.
+  class AssertionResponse
+    attr_reader :code, :name
+
+    GENERIC_RESPONSE_CODES = { # :nodoc:
+      success: "2XX",
+      missing: "404",
+      redirect: "3XX",
+      error: "5XX"
+    }
+
+    # Accepts a specific response status code as an Integer (404) or String
+    # ('404') or a response status range as a Symbol pseudo-code (:success,
+    # indicating any 200-299 status code).
+    def initialize(code_or_name)
+      if code_or_name.is_a?(Symbol)
+        @name = code_or_name
+        @code = code_from_name(code_or_name)
+      else
+        @name = name_from_code(code_or_name)
+        @code = code_or_name
+      end
+
+      raise ArgumentError, "Invalid response name: #{name}" if @code.nil?
+      raise ArgumentError, "Invalid response code: #{code}" if @name.nil?
+    end
+
+    def code_and_name
+      "#{code}: #{name}"
+    end
+
+    private
+
+    def code_from_name(name)
+      GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
+    end
+
+    def name_from_code(code)
+      GENERIC_RESPONSE_CODES.invert[code] || Rack::Utils::HTTP_STATUS_CODES[code]
+    end
+  end
+end

data/lib/action_dispatch/testing/assertions/response.rb

@@ -1,8 +1,14 @@
-
 module ActionDispatch
   module Assertions
     # A small suite of assertions that test responses from \Rails applications.
     module ResponseAssertions
+      RESPONSE_PREDICATES = { # :nodoc:
+        success:  :successful?,
+        missing:  :not_found?,
+        redirect: :redirection?,
+        error:    :server_error?,
+      }
+
       # Asserts that the response is one of the following types:
       #
       # * <tt>:success</tt>   - Status code was in the 200-299 range
@@ -14,43 +20,35 @@ module ActionDispatch
       # or its symbolic equivalent <tt>assert_response(:not_implemented)</tt>.
       # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list.
       #
-      #   # assert that the response was a redirection
+      #   # Asserts that the response was a redirection
       #   assert_response :redirect
       #
-      #   # assert that the response code was status code 401 (unauthorized)
+      #   # Asserts that the response code was status code 401 (unauthorized)
       #   assert_response 401
       def assert_response(type, message = nil)
-        message ||= "Expected response to be a <#{type}>, but was <#{@response.response_code}>"
+        message ||= generate_response_message(type)
 
-        if Symbol === type
-          if [:success, :missing, :redirect, :error].include?(type)
-            assert @response.send("#{type}?"), message
-          else
-            code = Rack::Utils::SYMBOL_TO_STATUS_CODE[type]
-            if code.nil?
-              raise ArgumentError, "Invalid response type :#{type}"
-            end
-            assert_equal code, @response.response_code, message
-          end
+        if RESPONSE_PREDICATES.keys.include?(type)
+          assert @response.send(RESPONSE_PREDICATES[type]), message
         else
-          assert_equal type, @response.response_code, message
+          assert_equal AssertionResponse.new(type).code, @response.response_code, message
         end
       end
 
-      # Assert that the redirection options passed in match those of the redirect called in the latest action.
+      # Asserts that the redirection options passed in match those of the redirect called in the latest action.
       # This match can be partial, such that <tt>assert_redirected_to(controller: "weblog")</tt> will also
       # match the redirection of <tt>redirect_to(controller: "weblog", action: "show")</tt> and so on.
       #
-      #   # assert that the redirection was to the "index" action on the WeblogController
+      #   # Asserts that the redirection was to the "index" action on the WeblogController
       #   assert_redirected_to controller: "weblog", action: "index"
       #
-      #   # assert that the redirection was to the named route login_url
+      #   # Asserts that the redirection was to the named route login_url
       #   assert_redirected_to login_url
       #
-      #   # assert that the redirection was to the url for @customer
+      #   # Asserts that the redirection was to the url for @customer
       #   assert_redirected_to @customer
       #
-      #   # asserts that the redirection matches the regular expression
+      #   # Asserts that the redirection matches the regular expression
       #   assert_redirected_to %r(\Ahttp://example.org)
       def assert_redirected_to(options = {}, message=nil)
         assert_response(:redirect, message)
@@ -77,6 +75,26 @@ module ActionDispatch
             handle._compute_redirect_to_location(@request, fragment)
           end
         end
+
+        def generate_response_message(expected, actual = @response.response_code)
+          "Expected response to be a <#{code_with_name(expected)}>,"\
+          " but was a <#{code_with_name(actual)}>"
+          .concat location_if_redirected
+        end
+
+        def location_if_redirected
+          return '' unless @response.redirection? && @response.location.present?
+          location = normalize_argument_to_redirection(@response.location)
+          " redirect to <#{location}>"
+        end
+
+        def code_with_name(code_or_name)
+          if RESPONSE_PREDICATES.values.include?("#{code_or_name}?".to_sym)
+            code_or_name = RESPONSE_PREDICATES.invert["#{code_or_name}?".to_sym]
+          end
+
+          AssertionResponse.new(code_or_name).code_and_name
+        end
     end
   end
 end

data/lib/action_dispatch/testing/assertions/routing.rb

@@ -14,14 +14,14 @@ module ActionDispatch
       # requiring a specific HTTP method. The hash should contain a :path with the incoming request path
       # and a :method containing the required HTTP verb.
       #
-      #   # assert that POSTing to /items will call the create action on ItemsController
+      #   # Asserts that POSTing to /items will call the create action on ItemsController
       #   assert_recognizes({controller: 'items', action: 'create'}, {path: 'items', method: :post})
       #
       # You can also pass in +extras+ with a hash containing URL parameters that would normally be in the query string. This can be used
-      # to assert that values in the query string string will end up in the params hash correctly. To test query strings you must use the
+      # to assert that values in the query string will end up in the params hash correctly. To test query strings you must use the
       # extras argument, appending the query string on the path directly will not work. For example:
       #
-      #   # assert that a path of '/items/list/1?view=print' returns the correct options
+      #   # Asserts that a path of '/items/list/1?view=print' returns the correct options
       #   assert_recognizes({controller: 'items', action: 'list', id: '1', view: 'print'}, 'items/list/1', { view: "print" })
       #
       # The +message+ parameter allows you to pass in an error message that is displayed upon failure.
@@ -86,8 +86,9 @@ module ActionDispatch
         end
         # Load routes.rb if it hasn't been loaded.
 
-        generated_path, extra_keys = @routes.generate_extras(options, defaults)
-        found_extras = options.reject { |k, _| ! extra_keys.include? k }
+        options = options.clone
+        generated_path, query_string_keys = @routes.generate_extras(options, defaults)
+        found_extras = options.reject { |k, _| ! query_string_keys.include? k }
 
         msg = message || sprintf("found extras <%s>, not <%s>", found_extras, extras)
         assert_equal(extras, found_extras, msg)
@@ -104,19 +105,19 @@ module ActionDispatch
       # The +extras+ hash allows you to specify options that would normally be provided as a query string to the action. The
       # +message+ parameter allows you to specify a custom error message to display upon failure.
       #
-      #  # Assert a basic route: a controller with the default action (index)
+      #  # Asserts a basic route: a controller with the default action (index)
       #  assert_routing '/home', controller: 'home', action: 'index'
       #
       #  # Test a route generated with a specific controller, action, and parameter (id)
       #  assert_routing '/entries/show/23', controller: 'entries', action: 'show', id: 23
       #
-      #  # Assert a basic route (controller + default action), with an error message if it fails
+      #  # Asserts a basic route (controller + default action), with an error message if it fails
       #  assert_routing '/store', { controller: 'store', action: 'index' }, {}, {}, 'Route for store index not generated properly'
       #
       #  # Tests a route, providing a defaults hash
       #  assert_routing 'controller/action/9', {id: "9", item: "square"}, {controller: "controller", action: "action"}, {}, {item: "square"}
       #
-      #  # Tests a route with a HTTP method
+      #  # Tests a route with an HTTP method
       #  assert_routing({ method: 'put', path: '/product/321' }, { controller: "product", action: "update", id: "321" })
       def assert_routing(path, options, defaults={}, extras={}, message=nil)
         assert_recognizes(options, path, extras, message)
@@ -150,7 +151,7 @@ module ActionDispatch
           old_controller, @controller = @controller, @controller.clone
           _routes = @routes
 
-          @controller.singleton_class.send(:include, _routes.url_helpers)
+          @controller.singleton_class.include(_routes.url_helpers)
           @controller.view_context_class = Class.new(@controller.view_context_class) do
             include _routes.url_helpers
           end
@@ -183,7 +184,7 @@ module ActionDispatch
           end
 
           # Assume given controller
-          request = ActionController::TestRequest.new
+          request = ActionController::TestRequest.create
 
           if path =~ %r{://}
             fail_on(URI::InvalidURIError, msg) do

data/lib/action_dispatch/testing/assertions.rb

@@ -12,7 +12,7 @@ module ActionDispatch
     include Rails::Dom::Testing::Assertions
 
     def html_document
-      @html_document ||= if @response.content_type.to_s =~ /xml$/
+      @html_document ||= if @response.content_type.to_s =~ /xml\z/
         Nokogiri::XML::Document.parse(@response.body)
       else
         Nokogiri::HTML::Document.parse(@response.body)