actionpack 4.2.10 → 6.1.3.2

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (187) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +291 -479
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +9 -9
  5. data/lib/abstract_controller/asset_paths.rb +2 -0
  6. data/lib/abstract_controller/base.rb +81 -51
  7. data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
  8. data/lib/abstract_controller/caching.rb +66 -0
  9. data/lib/abstract_controller/callbacks.rb +61 -33
  10. data/lib/abstract_controller/collector.rb +9 -13
  11. data/lib/abstract_controller/error.rb +6 -0
  12. data/lib/abstract_controller/helpers.rb +115 -99
  13. data/lib/abstract_controller/logger.rb +2 -0
  14. data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
  15. data/lib/abstract_controller/rendering.rb +48 -47
  16. data/lib/abstract_controller/translation.rb +17 -8
  17. data/lib/abstract_controller/url_for.rb +2 -0
  18. data/lib/abstract_controller.rb +13 -5
  19. data/lib/action_controller/api/api_rendering.rb +16 -0
  20. data/lib/action_controller/api.rb +150 -0
  21. data/lib/action_controller/base.rb +29 -24
  22. data/lib/action_controller/caching.rb +12 -57
  23. data/lib/action_controller/form_builder.rb +50 -0
  24. data/lib/action_controller/log_subscriber.rb +17 -19
  25. data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
  26. data/lib/action_controller/metal/conditional_get.rb +134 -46
  27. data/lib/action_controller/metal/content_security_policy.rb +51 -0
  28. data/lib/action_controller/metal/cookies.rb +6 -4
  29. data/lib/action_controller/metal/data_streaming.rb +30 -50
  30. data/lib/action_controller/metal/default_headers.rb +17 -0
  31. data/lib/action_controller/metal/etag_with_flash.rb +18 -0
  32. data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
  33. data/lib/action_controller/metal/exceptions.rb +63 -15
  34. data/lib/action_controller/metal/flash.rb +9 -8
  35. data/lib/action_controller/metal/head.rb +26 -21
  36. data/lib/action_controller/metal/helpers.rb +37 -18
  37. data/lib/action_controller/metal/http_authentication.rb +81 -73
  38. data/lib/action_controller/metal/implicit_render.rb +53 -9
  39. data/lib/action_controller/metal/instrumentation.rb +32 -35
  40. data/lib/action_controller/metal/live.rb +102 -120
  41. data/lib/action_controller/metal/logging.rb +20 -0
  42. data/lib/action_controller/metal/mime_responds.rb +49 -47
  43. data/lib/action_controller/metal/parameter_encoding.rb +82 -0
  44. data/lib/action_controller/metal/params_wrapper.rb +83 -66
  45. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  46. data/lib/action_controller/metal/redirecting.rb +53 -32
  47. data/lib/action_controller/metal/renderers.rb +87 -44
  48. data/lib/action_controller/metal/rendering.rb +77 -50
  49. data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
  50. data/lib/action_controller/metal/rescue.rb +10 -17
  51. data/lib/action_controller/metal/streaming.rb +12 -11
  52. data/lib/action_controller/metal/strong_parameters.rb +714 -186
  53. data/lib/action_controller/metal/testing.rb +2 -17
  54. data/lib/action_controller/metal/url_for.rb +19 -10
  55. data/lib/action_controller/metal.rb +104 -87
  56. data/lib/action_controller/railtie.rb +28 -10
  57. data/lib/action_controller/railties/helpers.rb +3 -1
  58. data/lib/action_controller/renderer.rb +141 -0
  59. data/lib/action_controller/template_assertions.rb +11 -0
  60. data/lib/action_controller/test_case.rb +296 -422
  61. data/lib/action_controller.rb +34 -23
  62. data/lib/action_dispatch/http/cache.rb +107 -56
  63. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  64. data/lib/action_dispatch/http/content_security_policy.rb +286 -0
  65. data/lib/action_dispatch/http/filter_parameters.rb +32 -25
  66. data/lib/action_dispatch/http/filter_redirect.rb +10 -12
  67. data/lib/action_dispatch/http/headers.rb +55 -22
  68. data/lib/action_dispatch/http/mime_negotiation.rb +82 -50
  69. data/lib/action_dispatch/http/mime_type.rb +153 -121
  70. data/lib/action_dispatch/http/mime_types.rb +20 -6
  71. data/lib/action_dispatch/http/parameters.rb +90 -40
  72. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  73. data/lib/action_dispatch/http/rack_cache.rb +2 -0
  74. data/lib/action_dispatch/http/request.rb +226 -121
  75. data/lib/action_dispatch/http/response.rb +248 -113
  76. data/lib/action_dispatch/http/upload.rb +21 -7
  77. data/lib/action_dispatch/http/url.rb +182 -100
  78. data/lib/action_dispatch/journey/formatter.rb +90 -43
  79. data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
  80. data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
  81. data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
  82. data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
  83. data/lib/action_dispatch/journey/nodes/node.rb +29 -15
  84. data/lib/action_dispatch/journey/parser.rb +17 -16
  85. data/lib/action_dispatch/journey/parser.y +4 -3
  86. data/lib/action_dispatch/journey/parser_extras.rb +12 -4
  87. data/lib/action_dispatch/journey/path/pattern.rb +58 -54
  88. data/lib/action_dispatch/journey/route.rb +100 -32
  89. data/lib/action_dispatch/journey/router/utils.rb +29 -18
  90. data/lib/action_dispatch/journey/router.rb +55 -51
  91. data/lib/action_dispatch/journey/routes.rb +17 -17
  92. data/lib/action_dispatch/journey/scanner.rb +26 -17
  93. data/lib/action_dispatch/journey/visitors.rb +98 -54
  94. data/lib/action_dispatch/journey.rb +5 -5
  95. data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
  96. data/lib/action_dispatch/middleware/callbacks.rb +3 -6
  97. data/lib/action_dispatch/middleware/cookies.rb +347 -217
  98. data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
  99. data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
  100. data/lib/action_dispatch/middleware/debug_view.rb +66 -0
  101. data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
  102. data/lib/action_dispatch/middleware/executor.rb +21 -0
  103. data/lib/action_dispatch/middleware/flash.rb +78 -54
  104. data/lib/action_dispatch/middleware/host_authorization.rb +130 -0
  105. data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
  106. data/lib/action_dispatch/middleware/reloader.rb +5 -91
  107. data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
  108. data/lib/action_dispatch/middleware/request_id.rb +17 -10
  109. data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
  110. data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
  111. data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
  112. data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
  113. data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
  114. data/lib/action_dispatch/middleware/ssl.rb +118 -35
  115. data/lib/action_dispatch/middleware/stack.rb +82 -41
  116. data/lib/action_dispatch/middleware/static.rb +156 -89
  117. data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
  118. data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
  119. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  120. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
  121. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
  122. data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
  123. data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
  124. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  125. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  126. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  127. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
  128. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
  129. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
  130. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +15 -0
  131. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
  132. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  133. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  134. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  135. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  136. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
  137. data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
  138. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  139. data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
  140. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
  141. data/lib/action_dispatch/railtie.rb +27 -13
  142. data/lib/action_dispatch/request/session.rb +109 -61
  143. data/lib/action_dispatch/request/utils.rb +90 -23
  144. data/lib/action_dispatch/routing/endpoint.rb +9 -2
  145. data/lib/action_dispatch/routing/inspector.rb +141 -102
  146. data/lib/action_dispatch/routing/mapper.rb +811 -473
  147. data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
  148. data/lib/action_dispatch/routing/redirection.rb +37 -27
  149. data/lib/action_dispatch/routing/route_set.rb +363 -331
  150. data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
  151. data/lib/action_dispatch/routing/url_for.rb +66 -26
  152. data/lib/action_dispatch/routing.rb +36 -36
  153. data/lib/action_dispatch/system_test_case.rb +190 -0
  154. data/lib/action_dispatch/system_testing/browser.rb +86 -0
  155. data/lib/action_dispatch/system_testing/driver.rb +67 -0
  156. data/lib/action_dispatch/system_testing/server.rb +31 -0
  157. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
  158. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
  159. data/lib/action_dispatch/testing/assertion_response.rb +46 -0
  160. data/lib/action_dispatch/testing/assertions/response.rb +44 -22
  161. data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
  162. data/lib/action_dispatch/testing/assertions.rb +6 -4
  163. data/lib/action_dispatch/testing/integration.rb +391 -220
  164. data/lib/action_dispatch/testing/request_encoder.rb +55 -0
  165. data/lib/action_dispatch/testing/test_process.rb +53 -22
  166. data/lib/action_dispatch/testing/test_request.rb +27 -34
  167. data/lib/action_dispatch/testing/test_response.rb +11 -11
  168. data/lib/action_dispatch.rb +35 -21
  169. data/lib/action_pack/gem_version.rb +6 -4
  170. data/lib/action_pack/version.rb +3 -1
  171. data/lib/action_pack.rb +4 -2
  172. metadata +78 -49
  173. data/lib/action_controller/metal/force_ssl.rb +0 -97
  174. data/lib/action_controller/metal/hide_actions.rb +0 -40
  175. data/lib/action_controller/metal/rack_delegation.rb +0 -32
  176. data/lib/action_controller/middleware.rb +0 -39
  177. data/lib/action_controller/model_naming.rb +0 -12
  178. data/lib/action_dispatch/http/parameter_filter.rb +0 -72
  179. data/lib/action_dispatch/journey/backwards.rb +0 -5
  180. data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
  181. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
  182. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
  183. data/lib/action_dispatch/journey/router/strexp.rb +0 -27
  184. data/lib/action_dispatch/middleware/params_parser.rb +0 -60
  185. data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
  186. data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
  187. data/lib/action_dispatch/testing/assertions/tag.rb +0 -3
@@ -1,98 +1,12 @@
1
- require 'active_support/deprecation/reporting'
1
+ # frozen_string_literal: true
2
2
 
3
3
  module ActionDispatch
4
- # ActionDispatch::Reloader provides prepare and cleanup callbacks,
5
- # intended to assist with code reloading during development.
6
- #
7
- # Prepare callbacks are run before each request, and cleanup callbacks
8
- # after each request. In this respect they are analogs of ActionDispatch::Callback's
9
- # before and after callbacks. However, cleanup callbacks are not called until the
10
- # request is fully complete -- that is, after #close has been called on
11
- # the response body. This is important for streaming responses such as the
12
- # following:
13
- #
14
- # self.response_body = lambda { |response, output|
15
- # # code here which refers to application models
16
- # }
17
- #
18
- # Cleanup callbacks will not be called until after the response_body lambda
19
- # is evaluated, ensuring that it can refer to application models and other
20
- # classes before they are unloaded.
4
+ # ActionDispatch::Reloader wraps the request with callbacks provided by ActiveSupport::Reloader
5
+ # callbacks, intended to assist with code reloading during development.
21
6
  #
22
7
  # By default, ActionDispatch::Reloader is included in the middleware stack
23
8
  # only in the development environment; specifically, when +config.cache_classes+
24
- # is false. Callbacks may be registered even when it is not included in the
25
- # middleware stack, but are executed only when <tt>ActionDispatch::Reloader.prepare!</tt>
26
- # or <tt>ActionDispatch::Reloader.cleanup!</tt> are called manually.
27
- #
28
- class Reloader
29
- include ActiveSupport::Callbacks
30
- include ActiveSupport::Deprecation::Reporting
31
-
32
- define_callbacks :prepare
33
- define_callbacks :cleanup
34
-
35
- # Add a prepare callback. Prepare callbacks are run before each request, prior
36
- # to ActionDispatch::Callback's before callbacks.
37
- def self.to_prepare(*args, &block)
38
- unless block_given?
39
- warn "to_prepare without a block is deprecated. Please use a block"
40
- end
41
- set_callback(:prepare, *args, &block)
42
- end
43
-
44
- # Add a cleanup callback. Cleanup callbacks are run after each request is
45
- # complete (after #close is called on the response body).
46
- def self.to_cleanup(*args, &block)
47
- unless block_given?
48
- warn "to_cleanup without a block is deprecated. Please use a block"
49
- end
50
- set_callback(:cleanup, *args, &block)
51
- end
52
-
53
- # Execute all prepare callbacks.
54
- def self.prepare!
55
- new(nil).prepare!
56
- end
57
-
58
- # Execute all cleanup callbacks.
59
- def self.cleanup!
60
- new(nil).cleanup!
61
- end
62
-
63
- def initialize(app, condition=nil)
64
- @app = app
65
- @condition = condition || lambda { true }
66
- @validated = true
67
- end
68
-
69
- def call(env)
70
- @validated = @condition.call
71
- prepare!
72
-
73
- response = @app.call(env)
74
- response[2] = ::Rack::BodyProxy.new(response[2]) { cleanup! }
75
-
76
- response
77
- rescue Exception
78
- cleanup!
79
- raise
80
- end
81
-
82
- def prepare! #:nodoc:
83
- run_callbacks :prepare if validated?
84
- end
85
-
86
- def cleanup! #:nodoc:
87
- run_callbacks :cleanup if validated?
88
- ensure
89
- @validated = true
90
- end
91
-
92
- private
93
-
94
- def validated? #:nodoc:
95
- @validated
96
- end
9
+ # is false.
10
+ class Reloader < Executor
97
11
  end
98
12
  end
@@ -1,4 +1,6 @@
1
- require 'ipaddr'
1
+ # frozen_string_literal: true
2
+
3
+ require "ipaddr"
2
4
 
3
5
  module ActionDispatch
4
6
  # This middleware calculates the IP address of the remote client that is
@@ -6,13 +8,13 @@ module ActionDispatch
6
8
  # contain the address, and then picking the last-set address that is not
7
9
  # on the list of trusted IPs. This follows the precedent set by e.g.
8
10
  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
9
- # with {reasoning explained at length}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
11
+ # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
10
12
  # by @gingerlime. A more detailed explanation of the algorithm is given
11
13
  # at GetIp#calculate_ip.
12
14
  #
13
- # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
15
+ # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
14
16
  # requires. Some Rack servers simply drop preceding headers, and only report
15
- # the value that was {given in the last header}[http://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
17
+ # the value that was {given in the last header}[https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
16
18
  # If you are behind multiple proxy servers (like NGINX to HAProxy to Unicorn)
17
19
  # then you should test your Rack server to make sure your data is good.
18
20
  #
@@ -29,9 +31,9 @@ module ActionDispatch
29
31
  # The default trusted IPs list simply includes IP addresses that are
30
32
  # guaranteed by the IP specification to be private addresses. Those will
31
33
  # not be the ultimate client IP in production, and so are discarded. See
32
- # http://en.wikipedia.org/wiki/Private_network for details.
34
+ # https://en.wikipedia.org/wiki/Private_network for details.
33
35
  TRUSTED_PROXIES = [
34
- "127.0.0.1", # localhost IPv4
36
+ "127.0.0.0/8", # localhost IPv4 range, per RFC-3330
35
37
  "::1", # localhost IPv6
36
38
  "fc00::/7", # private IPv6 range fc00::/7
37
39
  "10.0.0.0/8", # private IPv4 range 10.x.x.x
@@ -43,7 +45,7 @@ module ActionDispatch
43
45
 
44
46
  # Create a new +RemoteIp+ middleware instance.
45
47
  #
46
- # The +check_ip_spoofing+ option is on by default. When on, an exception
48
+ # The +ip_spoofing_check+ option is on by default. When on, an exception
47
49
  # is raised if it looks like the client is trying to lie about its own IP
48
50
  # address. It makes sense to turn off this check on sites aimed at non-IP
49
51
  # clients (like WAP devices), or behind proxies that set headers in an
@@ -57,9 +59,9 @@ module ActionDispatch
57
59
  # with your proxy servers after it. If your proxies aren't removed, pass
58
60
  # them in via the +custom_proxies+ parameter. That way, the middleware will
59
61
  # ignore those IP addresses, and return the one that you want.
60
- def initialize(app, check_ip_spoofing = true, custom_proxies = nil)
62
+ def initialize(app, ip_spoofing_check = true, custom_proxies = nil)
61
63
  @app = app
62
- @check_ip = check_ip_spoofing
64
+ @check_ip = ip_spoofing_check
63
65
  @proxies = if custom_proxies.blank?
64
66
  TRUSTED_PROXIES
65
67
  elsif custom_proxies.respond_to?(:any?)
@@ -74,18 +76,19 @@ module ActionDispatch
74
76
  # requests. For those requests that do need to know the IP, the
75
77
  # GetIp#calculate_ip method will calculate the memoized client IP address.
76
78
  def call(env)
77
- env["action_dispatch.remote_ip"] = GetIp.new(env, self)
78
- @app.call(env)
79
+ req = ActionDispatch::Request.new env
80
+ req.remote_ip = GetIp.new(req, check_ip, proxies)
81
+ @app.call(req.env)
79
82
  end
80
83
 
81
84
  # The GetIp class exists as a way to defer processing of the request data
82
85
  # into an actual IP address. If the ActionDispatch::Request#remote_ip method
83
86
  # is called, this class will calculate the value and then memoize it.
84
87
  class GetIp
85
- def initialize(env, middleware)
86
- @env = env
87
- @check_ip = middleware.check_ip
88
- @proxies = middleware.proxies
88
+ def initialize(req, check_ip, proxies)
89
+ @req = req
90
+ @check_ip = check_ip
91
+ @proxies = proxies
89
92
  end
90
93
 
91
94
  # Sort through the various IP address headers, looking for the IP most
@@ -99,7 +102,7 @@ module ActionDispatch
99
102
  # proxies, that header may contain a list of IPs. Other proxy services
100
103
  # set the Client-Ip header instead, so we check that too.
101
104
  #
102
- # As discussed in {this post about Rails IP Spoofing}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
105
+ # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
103
106
  # while the first IP in the list is likely to be the "originating" IP,
104
107
  # it could also have been set by the client maliciously.
105
108
  #
@@ -108,23 +111,31 @@ module ActionDispatch
108
111
  # the last address left, which was presumably set by one of those proxies.
109
112
  def calculate_ip
110
113
  # Set by the Rack web server, this is a single value.
111
- remote_addr = ips_from('REMOTE_ADDR').last
114
+ remote_addr = ips_from(@req.remote_addr).last
112
115
 
113
116
  # Could be a CSV list and/or repeated headers that were concatenated.
114
- client_ips = ips_from('HTTP_CLIENT_IP').reverse
115
- forwarded_ips = ips_from('HTTP_X_FORWARDED_FOR').reverse
117
+ client_ips = ips_from(@req.client_ip).reverse
118
+ forwarded_ips = ips_from(@req.x_forwarded_for).reverse
116
119
 
117
120
  # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
118
- # If they are both set, it means that this request passed through two
119
- # proxies with incompatible IP header conventions, and there is no way
120
- # for us to determine which header is the right one after the fact.
121
- # Since we have no idea, we give up and explode.
121
+ # If they are both set, it means that either:
122
+ #
123
+ # 1) This request passed through two proxies with incompatible IP header
124
+ # conventions.
125
+ # 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
126
+ # (whichever the proxy servers weren't using) themselves.
127
+ #
128
+ # Either way, there is no way for us to determine which header is the
129
+ # right one after the fact. Since we have no idea, if we are concerned
130
+ # about IP spoofing we need to give up and explode. (If you're not
131
+ # concerned about IP spoofing you can turn the +ip_spoofing_check+
132
+ # option off.)
122
133
  should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
123
134
  if should_check_ip && !forwarded_ips.include?(client_ips.last)
124
135
  # We don't know which came from the proxy, and which from the user
125
- raise IpSpoofAttackError, "IP spoofing attack?! " +
126
- "HTTP_CLIENT_IP=#{@env['HTTP_CLIENT_IP'].inspect} " +
127
- "HTTP_X_FORWARDED_FOR=#{@env['HTTP_X_FORWARDED_FOR'].inspect}"
136
+ raise IpSpoofAttackError, "IP spoofing attack?! " \
137
+ "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " \
138
+ "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}"
128
139
  end
129
140
 
130
141
  # We assume these things about the IP headers:
@@ -132,10 +143,11 @@ module ActionDispatch
132
143
  # - X-Forwarded-For will be a list of IPs, one per proxy, or blank
133
144
  # - Client-Ip is propagated from the outermost proxy, or is blank
134
145
  # - REMOTE_ADDR will be the IP that made the request to Rack
135
- ips = [forwarded_ips, client_ips, remote_addr].flatten.compact
146
+ ips = [forwarded_ips, client_ips].flatten.compact
136
147
 
137
- # If every single IP option is in the trusted list, just return REMOTE_ADDR
138
- filter_proxies(ips).first || remote_addr
148
+ # If every single IP option is in the trusted list, return the IP
149
+ # that's furthest away
150
+ filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr
139
151
  end
140
152
 
141
153
  # Memoizes the value returned by #calculate_ip and returns it for
@@ -144,30 +156,26 @@ module ActionDispatch
144
156
  @ip ||= calculate_ip
145
157
  end
146
158
 
147
- protected
148
-
149
- def ips_from(header)
150
- # Split the comma-separated list into an array of strings
151
- ips = @env[header] ? @env[header].strip.split(/[,\s]+/) : []
159
+ private
160
+ def ips_from(header) # :doc:
161
+ return [] unless header
162
+ # Split the comma-separated list into an array of strings.
163
+ ips = header.strip.split(/[,\s]+/)
152
164
  ips.select do |ip|
153
- begin
154
- # Only return IPs that are valid according to the IPAddr#new method
155
- range = IPAddr.new(ip).to_range
156
- # we want to make sure nobody is sneaking a netmask in
157
- range.begin == range.end
158
- rescue ArgumentError
159
- nil
160
- end
165
+ # Only return IPs that are valid according to the IPAddr#new method.
166
+ range = IPAddr.new(ip).to_range
167
+ # We want to make sure nobody is sneaking a netmask in.
168
+ range.begin == range.end
169
+ rescue ArgumentError
170
+ nil
161
171
  end
162
172
  end
163
173
 
164
- def filter_proxies(ips)
174
+ def filter_proxies(ips) # :doc:
165
175
  ips.reject do |ip|
166
176
  @proxies.any? { |proxy| proxy === ip }
167
177
  end
168
178
  end
169
-
170
179
  end
171
-
172
180
  end
173
181
  end
@@ -1,9 +1,12 @@
1
- require 'securerandom'
2
- require 'active_support/core_ext/string/access'
1
+ # frozen_string_literal: true
2
+
3
+ require "securerandom"
4
+ require "active_support/core_ext/string/access"
3
5
 
4
6
  module ActionDispatch
5
- # Makes a unique request id available to the action_dispatch.request_id env variable (which is then accessible through
6
- # ActionDispatch::Request#uuid) and sends the same id to the client via the X-Request-Id header.
7
+ # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
8
+ # through <tt>ActionDispatch::Request#request_id</tt> or the alias <tt>ActionDispatch::Request#uuid</tt>) and sends
9
+ # the same id to the client via the X-Request-Id header.
7
10
  #
8
11
  # The unique request id is either based on the X-Request-Id header in the request, which would typically be generated
9
12
  # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
@@ -12,19 +15,23 @@ module ActionDispatch
12
15
  # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
13
16
  # from multiple pieces of the stack.
14
17
  class RequestId
15
- def initialize(app)
18
+ def initialize(app, header:)
16
19
  @app = app
20
+ @header = header
17
21
  end
18
22
 
19
23
  def call(env)
20
- env["action_dispatch.request_id"] = external_request_id(env) || internal_request_id
21
- @app.call(env).tap { |_status, headers, _body| headers["X-Request-Id"] = env["action_dispatch.request_id"] }
24
+ req = ActionDispatch::Request.new env
25
+ req.request_id = make_request_id(req.headers[@header])
26
+ @app.call(env).tap { |_status, headers, _body| headers[@header] = req.request_id }
22
27
  end
23
28
 
24
29
  private
25
- def external_request_id(env)
26
- if request_id = env["HTTP_X_REQUEST_ID"].presence
27
- request_id.gsub(/[^\w\-]/, "").first(255)
30
+ def make_request_id(request_id)
31
+ if request_id.presence
32
+ request_id.gsub(/[^\w\-@]/, "").first(255)
33
+ else
34
+ internal_request_id
28
35
  end
29
36
  end
30
37
 
@@ -1,26 +1,25 @@
1
- require 'rack/utils'
2
- require 'rack/request'
3
- require 'rack/session/abstract/id'
4
- require 'action_dispatch/middleware/cookies'
5
- require 'action_dispatch/request/session'
1
+ # frozen_string_literal: true
2
+
3
+ require "rack/utils"
4
+ require "rack/request"
5
+ require "rack/session/abstract/id"
6
+ require "action_dispatch/middleware/cookies"
7
+ require "action_dispatch/request/session"
6
8
 
7
9
  module ActionDispatch
8
10
  module Session
9
11
  class SessionRestoreError < StandardError #:nodoc:
10
- attr_reader :original_exception
11
-
12
- def initialize(const_error)
13
- @original_exception = const_error
14
-
15
- super("Session contains objects whose class definition isn't available.\n" +
16
- "Remember to require the classes for all objects kept in the session.\n" +
17
- "(Original exception: #{const_error.message} [#{const_error.class}])\n")
12
+ def initialize
13
+ super("Session contains objects whose class definition isn't available.\n" \
14
+ "Remember to require the classes for all objects kept in the session.\n" \
15
+ "(Original exception: #{$!.message} [#{$!.class}])\n")
16
+ set_backtrace $!.backtrace
18
17
  end
19
18
  end
20
19
 
21
20
  module Compatibility
22
21
  def initialize(app, options = {})
23
- options[:key] ||= '_session_id'
22
+ options[:key] ||= "_session_id"
24
23
  super
25
24
  end
26
25
 
@@ -30,12 +29,15 @@ module ActionDispatch
30
29
  sid
31
30
  end
32
31
 
33
- protected
34
-
35
- def initialize_sid
32
+ private
33
+ def initialize_sid # :doc:
36
34
  @default_options.delete(:sidbits)
37
35
  @default_options.delete(:secure_random)
38
36
  end
37
+
38
+ def make_request(env)
39
+ ActionDispatch::Request.new env
40
+ end
39
41
  end
40
42
 
41
43
  module StaleSessionCheck
@@ -52,10 +54,10 @@ module ActionDispatch
52
54
  rescue ArgumentError => argument_error
53
55
  if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
54
56
  begin
55
- # Note that the regexp does not allow $1 to end with a ':'
57
+ # Note that the regexp does not allow $1 to end with a ':'.
56
58
  $1.constantize
57
- rescue LoadError, NameError => e
58
- raise ActionDispatch::Session::SessionRestoreError, e, e.backtrace
59
+ rescue LoadError, NameError
60
+ raise ActionDispatch::Session::SessionRestoreError
59
61
  end
60
62
  retry
61
63
  else
@@ -65,8 +67,8 @@ module ActionDispatch
65
67
  end
66
68
 
67
69
  module SessionObject # :nodoc:
68
- def prepare_session(env)
69
- Request::Session.create(self, env, @default_options)
70
+ def prepare_session(req)
71
+ Request::Session.create(self, req, @default_options)
70
72
  end
71
73
 
72
74
  def loaded_session?(session)
@@ -74,17 +76,30 @@ module ActionDispatch
74
76
  end
75
77
  end
76
78
 
77
- class AbstractStore < Rack::Session::Abstract::ID
79
+ class AbstractStore < Rack::Session::Abstract::Persisted
78
80
  include Compatibility
79
81
  include StaleSessionCheck
80
82
  include SessionObject
81
83
 
82
84
  private
85
+ def set_cookie(request, response, cookie)
86
+ request.cookie_jar[key] = cookie
87
+ end
88
+ end
83
89
 
84
- def set_cookie(env, session_id, cookie)
85
- request = ActionDispatch::Request.new(env)
86
- request.cookie_jar[key] = cookie
90
+ class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
91
+ include Compatibility
92
+ include StaleSessionCheck
93
+ include SessionObject
94
+
95
+ def generate_sid
96
+ Rack::Session::SessionId.new(super)
87
97
  end
98
+
99
+ private
100
+ def set_cookie(request, response, cookie)
101
+ request.cookie_jar[key] = cookie
102
+ end
88
103
  end
89
104
  end
90
105
  end
@@ -1,13 +1,18 @@
1
- require 'action_dispatch/middleware/session/abstract_store'
1
+ # frozen_string_literal: true
2
+
3
+ require "action_dispatch/middleware/session/abstract_store"
2
4
 
3
5
  module ActionDispatch
4
6
  module Session
5
- # Session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
7
+ # A session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
6
8
  # if you don't store critical data in your sessions and you don't need them to live for extended periods
7
9
  # of time.
8
- class CacheStore < AbstractStore
9
- # Create a new store. The cache to use can be passed in the <tt>:cache</tt> option. If it is
10
- # not specified, <tt>Rails.cache</tt> will be used.
10
+ #
11
+ # ==== Options
12
+ # * <tt>cache</tt> - The cache to use. If it is not specified, <tt>Rails.cache</tt> will be used.
13
+ # * <tt>expire_after</tt> - The length of time a session will be stored before automatically expiring.
14
+ # By default, the <tt>:expires_in</tt> option of the cache is used.
15
+ class CacheStore < AbstractSecureStore
11
16
  def initialize(app, options = {})
12
17
  @cache = options[:cache] || Rails.cache
13
18
  options[:expire_after] ||= @cache.options[:expires_in]
@@ -15,18 +20,18 @@ module ActionDispatch
15
20
  end
16
21
 
17
22
  # Get a session from the cache.
18
- def get_session(env, sid)
19
- unless sid and session = @cache.read(cache_key(sid))
23
+ def find_session(env, sid)
24
+ unless sid && (session = get_session_with_fallback(sid))
20
25
  sid, session = generate_sid, {}
21
26
  end
22
27
  [sid, session]
23
28
  end
24
29
 
25
30
  # Set a session in the cache.
26
- def set_session(env, sid, session, options)
27
- key = cache_key(sid)
31
+ def write_session(env, sid, session, options)
32
+ key = cache_key(sid.private_id)
28
33
  if session
29
- @cache.write(key, session, :expires_in => options[:expire_after])
34
+ @cache.write(key, session, expires_in: options[:expire_after])
30
35
  else
31
36
  @cache.delete(key)
32
37
  end
@@ -34,15 +39,20 @@ module ActionDispatch
34
39
  end
35
40
 
36
41
  # Remove a session from the cache.
37
- def destroy_session(env, sid, options)
38
- @cache.delete(cache_key(sid))
42
+ def delete_session(env, sid, options)
43
+ @cache.delete(cache_key(sid.private_id))
44
+ @cache.delete(cache_key(sid.public_id))
39
45
  generate_sid
40
46
  end
41
47
 
42
48
  private
43
49
  # Turn the session id into a cache key.
44
- def cache_key(sid)
45
- "_session_id:#{sid}"
50
+ def cache_key(id)
51
+ "_session_id:#{id}"
52
+ end
53
+
54
+ def get_session_with_fallback(sid)
55
+ @cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
46
56
  end
47
57
  end
48
58
  end