actionpack 4.2.10 → 7.2.0.rc1

data/lib/action_dispatch/http/content_security_policy.rb

@@ -0,0 +1,364 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/core_ext/object/deep_dup"
+require "active_support/core_ext/array/wrap"
+
+module ActionDispatch # :nodoc:
+  # # Action Dispatch Content Security Policy
+  #
+  # Configures the HTTP [Content-Security-Policy]
+  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # response header to help protect against XSS and
+  # injection attacks.
+  #
+  # Example global policy:
+  #
+  #     Rails.application.config.content_security_policy do |policy|
+  #       policy.default_src :self, :https
+  #       policy.font_src    :self, :https, :data
+  #       policy.img_src     :self, :https, :data
+  #       policy.object_src  :none
+  #       policy.script_src  :self, :https
+  #       policy.style_src   :self, :https
+  #
+  #       # Specify URI for violation reports
+  #       policy.report_uri "/csp-violation-report-endpoint"
+  #     end
+  class ContentSecurityPolicy
+    class Middleware
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
+        # new CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
+
+        return response if policy_present?(headers)
+
+        request = ActionDispatch::Request.new env
+
+        if policy = request.content_security_policy
+          nonce = request.content_security_policy_nonce
+          nonce_directives = request.content_security_policy_nonce_directives
+          context = request.controller_instance || request
+          headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
+        end
+
+        response
+      end
+
+      private
+        def header_name(request)
+          if request.content_security_policy_report_only
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
+          else
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
+          end
+        end
+
+        def policy_present?(headers)
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.content_security_policy"
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only"
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator"
+      NONCE = "action_dispatch.content_security_policy_nonce"
+      NONCE_DIRECTIVES = "action_dispatch.content_security_policy_nonce_directives"
+
+      def content_security_policy
+        get_header(POLICY)
+      end
+
+      def content_security_policy=(policy)
+        set_header(POLICY, policy)
+      end
+
+      def content_security_policy_report_only
+        get_header(POLICY_REPORT_ONLY)
+      end
+
+      def content_security_policy_report_only=(value)
+        set_header(POLICY_REPORT_ONLY, value)
+      end
+
+      def content_security_policy_nonce_generator
+        get_header(NONCE_GENERATOR)
+      end
+
+      def content_security_policy_nonce_generator=(generator)
+        set_header(NONCE_GENERATOR, generator)
+      end
+
+      def content_security_policy_nonce_directives
+        get_header(NONCE_DIRECTIVES)
+      end
+
+      def content_security_policy_nonce_directives=(generator)
+        set_header(NONCE_DIRECTIVES, generator)
+      end
+
+      def content_security_policy_nonce
+        if content_security_policy_nonce_generator
+          if nonce = get_header(NONCE)
+            nonce
+          else
+            set_header(NONCE, generate_content_security_policy_nonce)
+          end
+        end
+      end
+
+      private
+        def generate_content_security_policy_nonce
+          content_security_policy_nonce_generator.call(self)
+        end
+    end
+
+    MAPPINGS = {
+      self:             "'self'",
+      unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
+      unsafe_inline:    "'unsafe-inline'",
+      none:             "'none'",
+      http:             "http:",
+      https:            "https:",
+      data:             "data:",
+      mediastream:      "mediastream:",
+      allow_duplicates: "'allow-duplicates'",
+      blob:             "blob:",
+      filesystem:       "filesystem:",
+      report_sample:    "'report-sample'",
+      script:           "'script'",
+      strict_dynamic:   "'strict-dynamic'",
+      ws:               "ws:",
+      wss:              "wss:"
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri:                   "base-uri",
+      child_src:                  "child-src",
+      connect_src:                "connect-src",
+      default_src:                "default-src",
+      font_src:                   "font-src",
+      form_action:                "form-action",
+      frame_ancestors:            "frame-ancestors",
+      frame_src:                  "frame-src",
+      img_src:                    "img-src",
+      manifest_src:               "manifest-src",
+      media_src:                  "media-src",
+      object_src:                 "object-src",
+      prefetch_src:               "prefetch-src",
+      require_trusted_types_for:  "require-trusted-types-for",
+      script_src:                 "script-src",
+      script_src_attr:            "script-src-attr",
+      script_src_elem:            "script-src-elem",
+      style_src:                  "style-src",
+      style_src_attr:             "style-src-attr",
+      style_src_elem:             "style-src-elem",
+      trusted_types:              "trusted-types",
+      worker_src:                 "worker-src"
+    }.freeze
+
+    DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    # Specify whether to prevent the user agent from loading any assets over HTTP
+    # when the page uses HTTPS:
+    #
+    #     policy.block_all_mixed_content
+    #
+    # Pass `false` to allow it again:
+    #
+    #     policy.block_all_mixed_content false
+    #
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    # Restricts the set of plugins that can be embedded:
+    #
+    #     policy.plugin_types "application/x-shockwave-flash"
+    #
+    # Leave empty to allow all plugins:
+    #
+    #     policy.plugin_types
+    #
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    # Enable the [report-uri]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # directive. Violation reports will be sent to the
+    # specified URI:
+    #
+    #     policy.report_uri "/csp-violation-report-endpoint"
+    #
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    # Specify asset types for which [Subresource Integrity]
+    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
+    #
+    #     policy.require_sri_for :script, :style
+    #
+    # Leave empty to not require Subresource Integrity:
+    #
+    #     policy.require_sri_for
+    #
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    # Specify whether a [sandbox]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
+    # should be enabled for the requested resource:
+    #
+    #     policy.sandbox
+    #
+    # Values can be passed as arguments:
+    #
+    #     policy.sandbox "allow-scripts", "allow-modals"
+    #
+    # Pass `false` to disable the sandbox:
+    #
+    #     policy.sandbox false
+    #
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    # Specify whether user agents should treat any assets over HTTP as HTTPS:
+    #
+    #     policy.upgrade_insecure_requests
+    #
+    # Pass `false` to disable it:
+    #
+    #     policy.upgrade_insecure_requests false
+    #
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build(context = nil, nonce = nil, nonce_directives = nil)
+      nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
+      build_directives(context, nonce, nonce_directives).compact.join("; ")
+    end
+
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context, nonce, nonce_directives)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            if nonce && nonce_directive?(directive, nonce_directives)
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+            else
+              "#{directive} #{build_directive(sources, context).join(' ')}"
+            end
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
+          else
+            resolved = context.instance_exec(&source)
+            apply_mappings(Array.wrap(resolved))
+          end
+        else
+          raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
+        end
+      end
+
+      def nonce_directive?(directive, nonce_directives)
+        nonce_directives.include?(directive)
+      end
+  end
+end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,76 +1,78 @@
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/object/duplicable'
-require 'action_dispatch/http/parameter_filter'
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all sub-hashes is passed to it, the value
-    # or key can be replaced using String#replace or similar method.
+    # # Action Dispatch HTTP Filter Parameters
     #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
-    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
+    #     # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
+    #     env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #
-    #   env["action_dispatch.parameter_filter"] = lambda do |k,v|
-    #     v.reverse! if k =~ /secret/i
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see
+    # ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
 
-      def initialize(env)
+      def initialize
         super
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
-      # Return a hash of parameters with all sensitive data replaced.
+      # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        @filtered_parameters = {}
       end
 
-      # Return a hash of request.env with all sensitive data replaced.
+      # Returns a hash of request.env with all sensitive data replaced.
       def filtered_env
         @filtered_env ||= env_filter.filter(@env)
       end
 
-      # Reconstructed a path with all sensitive GET parameters replaced.
+      # Reconstructs a path with all sensitive GET parameters replaced.
       def filtered_path
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    protected
-
+      # Returns the `ActiveSupport::ParameterFilter` object used to filter in this
+      # request.
       def parameter_filter
-        parameter_filter_for @env.fetch("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
-      def env_filter
-        user_key = @env.fetch("action_dispatch.parameter_filter") {
+    private
+      def env_filter # :doc:
+        user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
         }
         parameter_filter_for(Array(user_key) + ENV_MATCH)
       end
 
-      def parameter_filter_for(filters)
-        ParameterFilter.new(filters)
+      def parameter_filter_for(filters) # :doc:
+        ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = '[^&;=]+'
+      KV_RE   = "[^&;=]+"
       PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
-      def filtered_query_string
+      def filtered_query_string # :doc:
         query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter([[$1, $2]]).first.join("=")
+          parameter_filter.filter($1 => $2).first.join("=")
         end
       end
     end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -1,38 +1,50 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
 module ActionDispatch
   module Http
     module FilterRedirect
+      FILTERED = "[FILTERED]" # :nodoc:
 
-      FILTERED = '[FILTERED]'.freeze # :nodoc:
-
-      def filtered_location
-        filters = location_filter
-        if !filters.empty? && location_filter_match?(filters)
+      def filtered_location # :nodoc:
+        if location_filter_match?
           FILTERED
         else
-          location
+          parameter_filtered_location
         end
       end
 
     private
-
-      def location_filter
+      def location_filters
         if request
-          request.env['action_dispatch.redirect_filter'] || []
+          request.get_header("action_dispatch.redirect_filter") || []
         else
           []
         end
       end
 
-      def location_filter_match?(filters)
-        filters.any? do |filter|
+      def location_filter_match?
+        location_filters.any? do |filter|
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location.match(filter)
+            location.match?(filter)
           end
         end
       end
 
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          uri.query.gsub!(FilterParameters::PAIR_RE) do
+            request.parameter_filter.filter($1 => $2).first.join("=")
+          end
+        end
+        uri.to_s
+      rescue URI::Error
+        FILTERED
+      end
     end
   end
 end

data/lib/action_dispatch/http/headers.rb

@@ -1,10 +1,30 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
 module ActionDispatch
   module Http
+    # # Action Dispatch HTTP Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain" }
-    #   headers = ActionDispatch::Http::Headers.new(env)
-    #   headers["Content-Type"] # => "text/plain"
+    #     env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #     headers = ActionDispatch::Http::Headers.from_hash(env)
+    #     headers["Content-Type"] # => "text/plain"
+    #     headers["User-Agent"] # => "curl/7.43.0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #     # GET / HTTP/1.1
+    #     # ...
+    #     # User-Agent: curl/7.43.0
+    #     # X_Custom_Header: token
+    #
+    #     headers["X_Custom_Header"] # => nil
+    #     headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -30,70 +50,85 @@ module ActionDispatch
       HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
 
       include Enumerable
-      attr_reader :env
 
-      def initialize(env = {}) # :nodoc:
-        @env = env
+      def self.from_hash(hash)
+        new ActionDispatch::Request.new hash
+      end
+
+      def initialize(request) # :nodoc:
+        @req = request
       end
 
       # Returns the value for the given key mapped to @env.
       def [](key)
-        @env[env_name(key)]
+        @req.get_header env_name(key)
       end
 
       # Sets the given value for the key mapped to @env.
       def []=(key, value)
-        @env[env_name(key)] = value
+        @req.set_header env_name(key), value
+      end
+
+      # Add a value to a multivalued header like `Vary` or `Accept-Encoding`.
+      def add(key, value)
+        @req.add_header env_name(key), value
       end
 
       def key?(key)
-        @env.key? env_name(key)
+        @req.has_header? env_name(key)
       end
       alias :include? :key?
 
+      DEFAULT = Object.new # :nodoc:
+
       # Returns the value for the given key mapped to @env.
       #
-      # If the key is not found and an optional code block is not provided,
-      # raises a <tt>KeyError</tt> exception.
+      # If the key is not found and an optional code block is not provided, raises a
+      # `KeyError` exception.
       #
-      # If the code block is provided, then it will be run and
-      # its result returned.
-      def fetch(key, *args, &block)
-        @env.fetch env_name(key), *args, &block
+      # If the code block is provided, then it will be run and its result returned.
+      def fetch(key, default = DEFAULT)
+        @req.fetch_header(env_name(key)) do
+          return default unless default == DEFAULT
+          return yield if block_given?
+          raise KeyError, key
+        end
       end
 
       def each(&block)
-        @env.each(&block)
+        @req.each_header(&block)
       end
 
       # Returns a new Http::Headers instance containing the contents of
-      # <tt>headers_or_env</tt> and the original instance.
+      # `headers_or_env` and the original instance.
       def merge(headers_or_env)
-        headers = Http::Headers.new(env.dup)
+        headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
 
-      # Adds the contents of <tt>headers_or_env</tt> to original instance
-      # entries; duplicate keys are overwritten with the values from
-      # <tt>headers_or_env</tt>.
+      # Adds the contents of `headers_or_env` to original instance entries; duplicate
+      # keys are overwritten with the values from `headers_or_env`.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
-          self[env_name(key)] = value
+          @req.set_header env_name(key), value
         end
       end
 
+      def env; @req.env.dup; end
+
       private
-      # Converts a HTTP header name to an environment variable name if it is
-      # not contained within the headers hash.
-      def env_name(key)
-        key = key.to_s
-        if key =~ HTTP_HEADER
-          key = key.upcase.tr('-', '_')
-          key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+        # Converts an HTTP header name to an environment variable name if it is not
+        # contained within the headers hash.
+        def env_name(key)
+          key = key.to_s
+          if HTTP_HEADER.match?(key)
+            key = key.upcase
+            key.tr!("-", "_")
+            key.prepend("HTTP_") unless CGI_VARIABLES.include?(key)
+          end
+          key
         end
-        key
-      end
     end
   end
 end