actionpack 4.2.10 → 7.2.0.rc1

data/lib/action_controller/metal/redirecting.rb

@@ -1,96 +1,173 @@
-module ActionController
-  class RedirectBackError < AbstractController::Error #:nodoc:
-    DEFAULT_MESSAGE = 'No HTTP_REFERER was set in the request to this action, so redirect_to :back could not be called successfully. If this is a test, make sure to specify request.env["HTTP_REFERER"].'
+# frozen_string_literal: true
 
-    def initialize(message = nil)
-      super(message || DEFAULT_MESSAGE)
-    end
-  end
+# :markup: markdown
 
+module ActionController
   module Redirecting
     extend ActiveSupport::Concern
 
     include AbstractController::Logger
-    include ActionController::RackDelegation
     include ActionController::UrlFor
 
-    # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+    class UnsafeRedirectError < StandardError; end
+
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/
+
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
+
+    # Redirects the browser to the target specified in `options`. This parameter can
+    # be any one of:
+    #
+    # *   `Hash` - The URL will be generated by calling url_for with the `options`.
+    # *   `Record` - The URL will be generated by calling url_for with the
+    #     `options`, which will reference a named URL for that record.
+    # *   `String` starting with `protocol://` (like `http://`) or a protocol
+    #     relative reference (like `//`) - Is passed straight through as the target
+    #     for redirection.
+    # *   `String` not containing a protocol - The current protocol and host is
+    #     prepended to the string.
+    # *   `Proc` - A block that will be executed in the controller's context. Should
+    #     return any option accepted by `redirect_to`.
     #
-    # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
-    # * <tt>Record</tt> - The URL will be generated by calling url_for with the +options+, which will reference a named URL for that record.
-    # * <tt>String</tt> starting with <tt>protocol://</tt> (like <tt>http://</tt>) or a protocol relative reference (like <tt>//</tt>) - Is passed straight through as the target for redirection.
-    # * <tt>String</tt> not containing a protocol - The current protocol and host is prepended to the string.
-    # * <tt>Proc</tt> - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
-    # * <tt>:back</tt> - Back to the page that issued the request. Useful for forms that are triggered from multiple places.
-    #   Short-hand for <tt>redirect_to(request.env["HTTP_REFERER"])</tt>
     #
-    # === Examples:
+    # ### Examples
     #
-    #   redirect_to action: "show", id: 5
-    #   redirect_to post
-    #   redirect_to "http://www.rubyonrails.org"
-    #   redirect_to "/images/screenshot.jpg"
-    #   redirect_to articles_url
-    #   redirect_to :back
-    #   redirect_to proc { edit_post_url(@post) }
+    #     redirect_to action: "show", id: 5
+    #     redirect_to @post
+    #     redirect_to "http://www.rubyonrails.org"
+    #     redirect_to "/images/screenshot.jpg"
+    #     redirect_to posts_url
+    #     redirect_to proc { edit_post_url(@post) }
     #
-    # The redirection happens as a "302 Found" header unless otherwise specified using the <tt>:status</tt> option:
+    # The redirection happens as a `302 Found` header unless otherwise specified
+    # using the `:status` option:
     #
-    #   redirect_to post_url(@post), status: :found
-    #   redirect_to action: 'atom', status: :moved_permanently
-    #   redirect_to post_url(@post), status: 301
-    #   redirect_to action: 'atom', status: 302
+    #     redirect_to post_url(@post), status: :found
+    #     redirect_to action: 'atom', status: :moved_permanently
+    #     redirect_to post_url(@post), status: 301
+    #     redirect_to action: 'atom', status: 302
     #
-    # The status code can either be a standard {HTTP Status code}[http://www.iana.org/assignments/http-status-codes] as an
-    # integer, or a symbol representing the downcased, underscored and symbolized description.
-    # Note that the status code must be a 3xx HTTP code, or redirection will not occur.
+    # The status code can either be a standard [HTTP Status
+    # code](https://www.iana.org/assignments/http-status-codes) as an integer, or a
+    # symbol representing the downcased, underscored and symbolized description.
+    # Note that the status code must be a 3xx HTTP code, or redirection will not
+    # occur.
     #
     # If you are using XHR requests other than GET or POST and redirecting after the
     # request then some browsers will follow the redirect using the original request
     # method. This may lead to undesirable behavior such as a double DELETE. To work
-    # around this  you can return a <tt>303 See Other</tt> status code which will be
+    # around this you can return a `303 See Other` status code which will be
     # followed using a GET request.
     #
-    #   redirect_to posts_url, status: :see_other
-    #   redirect_to action: 'index', status: 303
+    #     redirect_to posts_url, status: :see_other
+    #     redirect_to action: 'index', status: 303
+    #
+    # It is also possible to assign a flash message as part of the redirection.
+    # There are two special accessors for the commonly used flash names `alert` and
+    # `notice` as well as a general purpose `flash` bucket.
+    #
+    #     redirect_to post_url(@post), alert: "Watch it, mister!"
+    #     redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #     redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #     redirect_to({ action: 'atom' }, alert: "Something serious happened")
+    #
+    # Statements after `redirect_to` in our controller get executed, so
+    # `redirect_to` doesn't stop the execution of the function. To terminate the
+    # execution of the function immediately after the `redirect_to`, use return.
+    #
+    #     redirect_to post_url(@post) and return
     #
-    # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
-    # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
+    # ### Open Redirect protection
     #
-    #   redirect_to post_url(@post), alert: "Watch it, mister!"
-    #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
-    #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
-    #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
+    # By default, Rails protects against redirecting to external hosts for your
+    # app's safety, so called open redirects. Note: this was a new default in Rails
+    # 7.0, after upgrading opt-in by uncommenting the line with
+    # `raise_on_open_redirects` in
+    # `config/initializers/new_framework_defaults_7_0.rb`
     #
-    # When using <tt>redirect_to :back</tt>, if there is no referrer,
-    # <tt>ActionController::RedirectBackError</tt> will be raised. You
-    # may specify some fallback behavior for this case by rescuing
-    # <tt>ActionController::RedirectBackError</tt>.
-    def redirect_to(options = {}, response_status = {}) #:doc:
+    # Here #redirect_to automatically validates the potentially-unsafe URL:
+    #
+    #     redirect_to params[:redirect_url]
+    #
+    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    #
+    # To allow any external redirects pass `allow_other_host: true`, though using a
+    # user-provided param in that case is unsafe.
+    #
+    #     redirect_to "https://rubyonrails.org", allow_other_host: true
+    #
+    # See #url_from for more information on what an internal and safe URL is, or how
+    # to fall back to an alternate redirect URL in the unsafe case.
+    def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
-      raise ActionControllerError.new("Cannot redirect to a parameter hash!") if options.is_a?(ActionController::Parameters)
       raise AbstractController::DoubleRenderError if response_body
 
-      self.status        = _extract_redirect_to_status(options, response_status)
-      self.location      = _compute_redirect_to_location(request, options)
-      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+
+      self.status = _extract_redirect_to_status(options, response_options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
+      self.response_body = ""
+    end
+
+    # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`
+    # location is supplied as a keyword argument instead of the first positional
+    # argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
+    # Redirects the browser to the page that issued the request (the referrer) if
+    # possible, otherwise redirects to the provided default fallback location.
+    #
+    # The referrer information is pulled from the HTTP `Referer` (sic) header on the
+    # request. This is an optional header and its presence on the request is subject
+    # to browser security settings and user preferences. If the request is missing
+    # this header, the `fallback_location` will be used.
+    #
+    #     redirect_back_or_to({ action: "show", id: 5 })
+    #     redirect_back_or_to @post
+    #     redirect_back_or_to "http://www.rubyonrails.org"
+    #     redirect_back_or_to "/images/screenshot.jpg"
+    #     redirect_back_or_to posts_url
+    #     redirect_back_or_to proc { edit_post_url(@post) }
+    #     redirect_back_or_to '/', allow_other_host: false
+    #
+    # #### Options
+    # *   `:allow_other_host` - Allow or disallow redirection to the host that is
+    #     different to the current host, defaults to true.
+    #
+    #
+    # All other options that can be passed to #redirect_to are accepted as options,
+    # and the behavior is identical.
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
+        redirect_to request.referer, allow_other_host: allow_other_host, **options
+      else
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit
+        # and let the `redirect_to` handling take over.
+        redirect_to fallback_location, **options
+      end
     end
 
-    def _compute_redirect_to_location(request, options) #:nodoc:
+    def _compute_redirect_to_location(request, options) # :nodoc:
       case options
-      # The scheme name consist of a letter followed by any combination of
-      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
-      # characters; and is terminated by a colon (":").
-      # See http://tools.ietf.org/html/rfc3986#section-3.1
-      # The protocol relative scheme starts with a double slash "//".
-      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
-        options
+      # The scheme name consist of a letter followed by any combination of letters,
+      # digits, and the plus ("+"), period ("."), or hyphen ("-") characters; and is
+      # terminated by a colon (":"). See
+      # https://tools.ietf.org/html/rfc3986#section-3.1 The protocol relative scheme
+      # starts with a double slash "//".
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
       when String
         request.protocol + request.host_with_port + options
-      when :back
-        request.headers["Referer"] or raise RedirectBackError
       when Proc
-        _compute_redirect_to_location request, options.call
+        _compute_redirect_to_location request, instance_eval(&options)
       else
         url_for(options)
       end.delete("\0\r\n")
@@ -98,15 +175,77 @@ module ActionController
     module_function :_compute_redirect_to_location
     public :_compute_redirect_to_location
 
+    # Verifies the passed `location` is an internal URL that's safe to redirect to
+    # and returns it, or nil if not. Useful to wrap a params provided redirect URL
+    # and fall back to an alternate URL to redirect to:
+    #
+    #     redirect_to url_from(params[:redirect_url]) || root_url
+    #
+    # The `location` is considered internal, and safe, if it's on the same host as
+    # `request.host`:
+    #
+    #     # If request.host is example.com:
+    #     url_from("https://example.com/profile") # => "https://example.com/profile"
+    #     url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #     url_from("http://evil.com/profile")     # => nil
+    #
+    # Subdomains are considered part of the host:
+    #
+    #     # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #     url_from("https://dev.example.com/profile") # => nil
+    #
+    # NOTE: there's a similarity with
+    # [url_for](rdoc-ref:ActionDispatch::Routing::UrlFor#url_for), which generates
+    # an internal URL from various options from within the app, e.g.
+    # `url_for(@post)`. However, #url_from is meant to take an external parameter to
+    # verify as in `url_from(params[:redirect_url])`.
+    def url_from(location)
+      location = location.presence
+      location if location && _url_host_allowed?(location)
+    end
+
     private
-      def _extract_redirect_to_status(options, response_status)
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
+      def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
-        elsif response_status.key?(:status)
-          Rack::Utils.status_code(response_status[:status])
+        elsif response_options.key?(:status)
+          Rack::Utils.status_code(response_options[:status])
         else
           302
         end
       end
+
+      def _enforce_open_redirect_protection(location, allow_other_host:)
+        if allow_other_host || _url_host_allowed?(location)
+          location
+        else
+          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+        end
+      end
+
+      def _url_host_allowed?(url)
+        host = URI(url.to_s).host
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        !url.to_s.start_with?("//")
+      rescue ArgumentError, URI::Error
+        false
+      end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters defined for an HTTP
+        # header value in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -1,16 +1,21 @@
-require 'set'
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "set"
 
 module ActionController
-  # See <tt>Renderers.add</tt>
+  # See Renderers.add
   def self.add_renderer(key, &block)
     Renderers.add(key, &block)
   end
 
-  # See <tt>Renderers.remove</tt>
+  # See Renderers.remove
   def self.remove_renderer(key)
     Renderers.remove(key)
   end
 
+  # See `Responder#api_behavior`
   class MissingRenderer < LoadError
     def initialize(format)
       super "No renderer defined for format: #{format}"
@@ -20,71 +25,53 @@ module ActionController
   module Renderers
     extend ActiveSupport::Concern
 
-    included do
-      class_attribute :_renderers
-      self._renderers = Set.new.freeze
-    end
+    # A Set containing renderer names that correspond to available renderer procs.
+    # Default values are `:json`, `:js`, `:xml`.
+    RENDERERS = Set.new
 
-    module ClassMethods
-      def use_renderers(*args)
-        renderers = _renderers + args
-        self._renderers = renderers.freeze
-      end
-      alias use_renderer use_renderers
+    included do
+      class_attribute :_renderers, default: Set.new.freeze
     end
 
-    def render_to_body(options)
-      _render_to_body_with_renderer(options) || super
-    end
+    # Used in ActionController::Base and ActionController::API to include all
+    # renderers by default.
+    module All
+      extend ActiveSupport::Concern
+      include Renderers
 
-    def _render_to_body_with_renderer(options)
-      _renderers.each do |name|
-        if options.key?(name)
-          _process_options(options)
-          method_name = Renderers._render_with_renderer_method_name(name)
-          return send(method_name, options.delete(name), options)
-        end
+      included do
+        self._renderers = RENDERERS
       end
-      nil
-    end
-
-    # A Set containing renderer names that correspond to available renderer procs.
-    # Default values are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
-    RENDERERS = Set.new
-
-    def self._render_with_renderer_method_name(key)
-      "_render_with_renderer_#{key}"
     end
 
-    # Adds a new renderer to call within controller actions.
-    # A renderer is invoked by passing its name as an option to
-    # <tt>AbstractController::Rendering#render</tt>. To create a renderer
-    # pass it a name and a block. The block takes two arguments, the first
-    # is the value paired with its key and the second is the remaining
-    # hash of options passed to +render+.
+    # Adds a new renderer to call within controller actions. A renderer is invoked
+    # by passing its name as an option to AbstractController::Rendering#render. To
+    # create a renderer pass it a name and a block. The block takes two arguments,
+    # the first is the value paired with its key and the second is the remaining
+    # hash of options passed to `render`.
     #
     # Create a csv renderer:
     #
-    #   ActionController::Renderers.add :csv do |obj, options|
-    #     filename = options[:filename] || 'data'
-    #     str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
-    #     send_data str, type: Mime::CSV,
-    #       disposition: "attachment; filename=#{filename}.csv"
-    #   end
+    #     ActionController::Renderers.add :csv do |obj, options|
+    #       filename = options[:filename] || 'data'
+    #       str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
+    #       send_data str, type: Mime[:csv],
+    #         disposition: "attachment; filename=#{filename}.csv"
+    #     end
     #
-    # Note that we used Mime::CSV for the csv mime type as it comes with Rails.
+    # Note that we used [Mime](:csv) for the csv mime type as it comes with Rails.
     # For a custom renderer, you'll need to register a mime type with
-    # <tt>Mime::Type.register</tt>.
+    # `Mime::Type.register`.
     #
     # To use the csv renderer in a controller action:
     #
-    #   def show
-    #     @csvable = Csvable.find(params[:id])
-    #     respond_to do |format|
-    #       format.html
-    #       format.csv { render csv: @csvable, filename: @csvable.name }
+    #     def show
+    #       @csvable = Csvable.find(params[:id])
+    #       respond_to do |format|
+    #         format.html
+    #         format.csv { render csv: @csvable, filename: @csvable.name }
+    #       end
     #     end
-    #   end
     def self.add(key, &block)
       define_method(_render_with_renderer_method_name(key), &block)
       RENDERERS << key.to_sym
@@ -92,46 +79,102 @@ module ActionController
 
     # This method is the opposite of add method.
     #
-    # Usage:
+    # To remove a csv renderer:
     #
-    #   ActionController::Renderers.remove(:csv)
+    #     ActionController::Renderers.remove(:csv)
     def self.remove(key)
       RENDERERS.delete(key.to_sym)
       method_name = _render_with_renderer_method_name(key)
-      remove_method(method_name) if method_defined?(method_name)
+      remove_possible_method(method_name)
     end
 
-    module All
-      extend ActiveSupport::Concern
-      include Renderers
+    def self._render_with_renderer_method_name(key)
+      "_render_with_renderer_#{key}"
+    end
 
-      included do
-        self._renderers = RENDERERS
+    module ClassMethods
+      # Adds, by name, a renderer or renderers to the `_renderers` available to call
+      # within controller actions.
+      #
+      # It is useful when rendering from an ActionController::Metal controller or
+      # otherwise to add an available renderer proc to a specific controller.
+      #
+      # Both ActionController::Base and ActionController::API include
+      # ActionController::Renderers::All, making all renderers available in the
+      # controller. See Renderers::RENDERERS and Renderers.add.
+      #
+      # Since ActionController::Metal controllers cannot render, the controller must
+      # include AbstractController::Rendering, ActionController::Rendering, and
+      # ActionController::Renderers, and have at least one renderer.
+      #
+      # Rather than including ActionController::Renderers::All and including all
+      # renderers, you may specify which renderers to include by passing the renderer
+      # name or names to `use_renderers`. For example, a controller that includes only
+      # the `:json` renderer (`_render_with_renderer_json`) might look like:
+      #
+      #     class MetalRenderingController < ActionController::Metal
+      #       include AbstractController::Rendering
+      #       include ActionController::Rendering
+      #       include ActionController::Renderers
+      #
+      #       use_renderers :json
+      #
+      #       def show
+      #         render json: record
+      #       end
+      #     end
+      #
+      # You must specify a `use_renderer`, else the `controller.renderer` and
+      # `controller._renderers` will be `nil`, and the action will fail.
+      def use_renderers(*args)
+        renderers = _renderers + args
+        self._renderers = renderers.freeze
       end
+      alias use_renderer use_renderers
+    end
+
+    # Called by `render` in AbstractController::Rendering which sets the return
+    # value as the `response_body`.
+    #
+    # If no renderer is found, `super` returns control to
+    # `ActionView::Rendering.render_to_body`, if present.
+    def render_to_body(options)
+      _render_to_body_with_renderer(options) || super
+    end
+
+    def _render_to_body_with_renderer(options)
+      _renderers.each do |name|
+        if options.key?(name)
+          _process_options(options)
+          method_name = Renderers._render_with_renderer_method_name(name)
+          return send(method_name, options.delete(name), options)
+        end
+      end
+      nil
     end
 
     add :json do |json, options|
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        if content_type.nil? || content_type == Mime::JSON
-          self.content_type = Mime::JS
+        if media_type.nil? || media_type == Mime[:json]
+          self.content_type = Mime[:js]
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type ||= Mime::JSON
+        self.content_type = Mime[:json] if media_type.nil?
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type ||= Mime::JS
+      self.content_type = Mime[:js] if media_type.nil?
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type ||= Mime::XML
+      self.content_type = Mime[:xml] if media_type.nil?
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
   end