RubyGems - actionpack - Versions diffs - 4.2.10 → 7.2.0.rc1 - Mend

actionpack 4.2.10 → 7.2.0.rc1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (202) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +86 -600
data/MIT-LICENSE +1 -1
data/README.rdoc +13 -14
data/lib/abstract_controller/asset_paths.rb +5 -1
data/lib/abstract_controller/base.rb +166 -136
data/lib/abstract_controller/caching/fragments.rb +149 -0
data/lib/abstract_controller/caching.rb +68 -0
data/lib/abstract_controller/callbacks.rb +126 -57
data/lib/abstract_controller/collector.rb +13 -15
data/lib/abstract_controller/deprecator.rb +9 -0
data/lib/abstract_controller/error.rb +8 -0
data/lib/abstract_controller/helpers.rb +181 -132
data/lib/abstract_controller/logger.rb +5 -1
data/lib/abstract_controller/railties/routes_helpers.rb +10 -3
data/lib/abstract_controller/rendering.rb +56 -56
data/lib/abstract_controller/translation.rb +29 -15
data/lib/abstract_controller/url_for.rb +15 -11
data/lib/abstract_controller.rb +21 -5
data/lib/action_controller/api/api_rendering.rb +18 -0
data/lib/action_controller/api.rb +154 -0
data/lib/action_controller/base.rb +219 -155
data/lib/action_controller/caching.rb +28 -68
data/lib/action_controller/deprecator.rb +9 -0
data/lib/action_controller/form_builder.rb +55 -0
data/lib/action_controller/log_subscriber.rb +35 -22
data/lib/action_controller/metal/allow_browser.rb +119 -0
data/lib/action_controller/metal/basic_implicit_render.rb +17 -0
data/lib/action_controller/metal/conditional_get.rb +259 -122
data/lib/action_controller/metal/content_security_policy.rb +86 -0
data/lib/action_controller/metal/cookies.rb +9 -5
data/lib/action_controller/metal/data_streaming.rb +87 -104
data/lib/action_controller/metal/default_headers.rb +21 -0
data/lib/action_controller/metal/etag_with_flash.rb +22 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +35 -26
data/lib/action_controller/metal/exceptions.rb +71 -24
data/lib/action_controller/metal/flash.rb +26 -19
data/lib/action_controller/metal/head.rb +45 -36
data/lib/action_controller/metal/helpers.rb +80 -64
data/lib/action_controller/metal/http_authentication.rb +297 -244
data/lib/action_controller/metal/implicit_render.rb +57 -9
data/lib/action_controller/metal/instrumentation.rb +76 -64
data/lib/action_controller/metal/live.rb +238 -176
data/lib/action_controller/metal/logging.rb +22 -0
data/lib/action_controller/metal/mime_responds.rb +177 -166
data/lib/action_controller/metal/parameter_encoding.rb +84 -0
data/lib/action_controller/metal/params_wrapper.rb +145 -118
data/lib/action_controller/metal/permissions_policy.rb +38 -0
data/lib/action_controller/metal/rate_limiting.rb +62 -0
data/lib/action_controller/metal/redirecting.rb +203 -64
data/lib/action_controller/metal/renderers.rb +108 -65
data/lib/action_controller/metal/rendering.rb +216 -56
data/lib/action_controller/metal/request_forgery_protection.rb +496 -163
data/lib/action_controller/metal/rescue.rb +19 -21
data/lib/action_controller/metal/streaming.rb +179 -138
data/lib/action_controller/metal/strong_parameters.rb +1058 -382
data/lib/action_controller/metal/testing.rb +11 -17
data/lib/action_controller/metal/url_for.rb +37 -21
data/lib/action_controller/metal.rb +236 -138
data/lib/action_controller/railtie.rb +89 -11
data/lib/action_controller/railties/helpers.rb +5 -1
data/lib/action_controller/renderer.rb +161 -0
data/lib/action_controller/template_assertions.rb +13 -0
data/lib/action_controller/test_case.rb +425 -497
data/lib/action_controller.rb +44 -22
data/lib/action_dispatch/constants.rb +34 -0
data/lib/action_dispatch/deprecator.rb +9 -0
data/lib/action_dispatch/http/cache.rb +119 -63
data/lib/action_dispatch/http/content_disposition.rb +47 -0
data/lib/action_dispatch/http/content_security_policy.rb +364 -0
data/lib/action_dispatch/http/filter_parameters.rb +36 -34
data/lib/action_dispatch/http/filter_redirect.rb +24 -12
data/lib/action_dispatch/http/headers.rb +66 -31
data/lib/action_dispatch/http/mime_negotiation.rb +106 -75
data/lib/action_dispatch/http/mime_type.rb +196 -136
data/lib/action_dispatch/http/mime_types.rb +25 -7
data/lib/action_dispatch/http/parameters.rb +97 -45
data/lib/action_dispatch/http/permissions_policy.rb +187 -0
data/lib/action_dispatch/http/rack_cache.rb +6 -0
data/lib/action_dispatch/http/request.rb +299 -170
data/lib/action_dispatch/http/response.rb +311 -160
data/lib/action_dispatch/http/upload.rb +52 -23
data/lib/action_dispatch/http/url.rb +201 -125
data/lib/action_dispatch/journey/formatter.rb +110 -50
data/lib/action_dispatch/journey/gtg/builder.rb +37 -50
data/lib/action_dispatch/journey/gtg/simulator.rb +20 -17
data/lib/action_dispatch/journey/gtg/transition_table.rb +96 -36
data/lib/action_dispatch/journey/nfa/dot.rb +5 -14
data/lib/action_dispatch/journey/nodes/node.rb +100 -20
data/lib/action_dispatch/journey/parser.rb +19 -17
data/lib/action_dispatch/journey/parser.y +4 -3
data/lib/action_dispatch/journey/parser_extras.rb +14 -4
data/lib/action_dispatch/journey/path/pattern.rb +79 -63
data/lib/action_dispatch/journey/route.rb +108 -44
data/lib/action_dispatch/journey/router/utils.rb +41 -29
data/lib/action_dispatch/journey/router.rb +64 -57
data/lib/action_dispatch/journey/routes.rb +23 -21
data/lib/action_dispatch/journey/scanner.rb +28 -17
data/lib/action_dispatch/journey/visitors.rb +100 -54
data/lib/action_dispatch/journey/visualizer/fsm.js +49 -24
data/lib/action_dispatch/journey/visualizer/index.html.erb +1 -1
data/lib/action_dispatch/journey.rb +7 -5
data/lib/action_dispatch/log_subscriber.rb +25 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
data/lib/action_dispatch/middleware/assume_ssl.rb +27 -0
data/lib/action_dispatch/middleware/callbacks.rb +7 -6
data/lib/action_dispatch/middleware/cookies.rb +471 -328
data/lib/action_dispatch/middleware/debug_exceptions.rb +149 -66
data/lib/action_dispatch/middleware/debug_locks.rb +129 -0
data/lib/action_dispatch/middleware/debug_view.rb +73 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +275 -73
data/lib/action_dispatch/middleware/executor.rb +32 -0
data/lib/action_dispatch/middleware/flash.rb +143 -101
data/lib/action_dispatch/middleware/host_authorization.rb +171 -0
data/lib/action_dispatch/middleware/public_exceptions.rb +36 -27
data/lib/action_dispatch/middleware/reloader.rb +10 -92
data/lib/action_dispatch/middleware/remote_ip.rb +133 -107
data/lib/action_dispatch/middleware/request_id.rb +29 -15
data/lib/action_dispatch/middleware/server_timing.rb +78 -0
data/lib/action_dispatch/middleware/session/abstract_store.rb +49 -27
data/lib/action_dispatch/middleware/session/cache_store.rb +33 -16
data/lib/action_dispatch/middleware/session/cookie_store.rb +86 -80
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +15 -3
data/lib/action_dispatch/middleware/show_exceptions.rb +66 -36
data/lib/action_dispatch/middleware/ssl.rb +134 -36
data/lib/action_dispatch/middleware/stack.rb +109 -44
data/lib/action_dispatch/middleware/static.rb +159 -90
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +7 -24
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +36 -0
data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +46 -36
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +12 -0
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +9 -0
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +26 -7
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +16 -0
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +139 -15
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +23 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +6 -6
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +7 -7
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +9 -9
data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +7 -4
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +125 -93
data/lib/action_dispatch/railtie.rb +44 -16
data/lib/action_dispatch/request/session.rb +159 -69
data/lib/action_dispatch/request/utils.rb +97 -23
data/lib/action_dispatch/routing/endpoint.rb +11 -2
data/lib/action_dispatch/routing/inspector.rb +195 -106
data/lib/action_dispatch/routing/mapper.rb +1338 -955
data/lib/action_dispatch/routing/polymorphic_routes.rb +234 -201
data/lib/action_dispatch/routing/redirection.rb +78 -51
data/lib/action_dispatch/routing/route_set.rb +460 -374
data/lib/action_dispatch/routing/routes_proxy.rb +36 -12
data/lib/action_dispatch/routing/url_for.rb +172 -124
data/lib/action_dispatch/routing.rb +159 -158
data/lib/action_dispatch/system_test_case.rb +206 -0
data/lib/action_dispatch/system_testing/browser.rb +84 -0
data/lib/action_dispatch/system_testing/driver.rb +85 -0
data/lib/action_dispatch/system_testing/server.rb +33 -0
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +164 -0
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +23 -0
data/lib/action_dispatch/testing/assertion_response.rb +48 -0
data/lib/action_dispatch/testing/assertions/response.rb +71 -39
data/lib/action_dispatch/testing/assertions/routing.rb +228 -103
data/lib/action_dispatch/testing/assertions.rb +9 -6
data/lib/action_dispatch/testing/integration.rb +486 -306
data/lib/action_dispatch/testing/request_encoder.rb +60 -0
data/lib/action_dispatch/testing/test_helpers/page_dump_helper.rb +35 -0
data/lib/action_dispatch/testing/test_process.rb +35 -22
data/lib/action_dispatch/testing/test_request.rb +29 -34
data/lib/action_dispatch/testing/test_response.rb +48 -15
data/lib/action_dispatch.rb +82 -40
data/lib/action_pack/gem_version.rb +8 -4
data/lib/action_pack/version.rb +6 -2
data/lib/action_pack.rb +21 -18
metadata +146 -56
data/lib/action_controller/caching/fragments.rb +0 -103
data/lib/action_controller/metal/force_ssl.rb +0 -97
data/lib/action_controller/metal/hide_actions.rb +0 -40
data/lib/action_controller/metal/rack_delegation.rb +0 -32
data/lib/action_controller/middleware.rb +0 -39
data/lib/action_controller/model_naming.rb +0 -12
data/lib/action_dispatch/http/parameter_filter.rb +0 -72
data/lib/action_dispatch/journey/backwards.rb +0 -5
data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
data/lib/action_dispatch/journey/router/strexp.rb +0 -27
data/lib/action_dispatch/middleware/params_parser.rb +0 -60
data/lib/action_dispatch/middleware/templates/rescues/_source.erb +0 -27
data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
data/lib/action_dispatch/testing/assertions/tag.rb +0 -3

data/lib/action_dispatch/http/mime_negotiation.rb CHANGED Viewed

@@ -1,132 +1,145 @@
-require 'active_support/core_ext/module/attribute_accessors'
+# frozen_string_literal: true
+# :markup: markdown
+require "active_support/core_ext/module/attribute_accessors"
 module ActionDispatch
   module Http
     module MimeNegotiation
       extend ActiveSupport::Concern
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+      RESCUABLE_MIME_FORMAT_ERRORS = [
+        ActionController::BadRequest,
+        ActionDispatch::Http::Parameters::ParseError,
+      ]
       included do
-        mattr_accessor :ignore_accept_header
-        self.ignore_accept_header = false
+        mattr_accessor :ignore_accept_header, default: false
       end
-      attr_reader :variant
-      # The MIME type of the HTTP request, such as Mime::XML.
-      #
-      # For backward compatibility, the post \format is extracted from the
-      # X-Post-Data-Format HTTP header if present.
+      # The MIME type of the HTTP request, such as [Mime](:xml).
       def content_mime_type
-        @env["action_dispatch.request.content_type"] ||= begin
-          if @env['CONTENT_TYPE'] =~ /^([^,\;]*)/
+        fetch_header("action_dispatch.request.content_type") do |k|
+          v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
           end
+          set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
-      def content_type
-        content_mime_type && content_mime_type.to_s
+      def has_content_type? # :nodoc:
+        get_header "CONTENT_TYPE"
       end
       # Returns the accepted MIME type for the request.
       def accepts
-        @env["action_dispatch.request.accepts"] ||= begin
-          header = @env['HTTP_ACCEPT'].to_s.strip
+        fetch_header("action_dispatch.request.accepts") do |k|
+          header = get_header("HTTP_ACCEPT").to_s.strip
-          if header.empty?
+          v = if header.empty?
             [content_mime_type]
           else
             Mime::Type.parse(header)
           end
+          set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
-      # Returns the MIME type for the \format used in the request.
+      # Returns the MIME type for the format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime::XML
-      #   GET /posts/5.xhtml | request.format => Mime::HTML
-      #   GET /posts/5       | request.format => Mime::HTML or MIME::JS, or request.accepts.first
+      #     GET /posts/5.xml   | request.format => Mime[:xml]
+      #     GET /posts/5.xhtml | request.format => Mime[:html]
+      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
       def formats
-        @env["action_dispatch.request.formats"] ||= begin
-          params_readable = begin
-                              parameters[:format]
-                            rescue ActionController::BadRequest
-                              false
-                            end
-          if params_readable
+        fetch_header("action_dispatch.request.formats") do |k|
+          v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
+          elsif extension_format = format_from_path_extension
+            [extension_format]
           elsif xhr?
-            [Mime::JS]
+            [Mime[:js]]
           else
-            [Mime::HTML]
+            [Mime[:html]]
           end
+          v.select! do |format|
+            format.symbol || format.ref == "*/*"
+          end
+          set_header k, v
         end
       end
-      # Sets the \variant for template.
+      # Sets the variant for template.
       def variant=(variant)
-        if variant.is_a?(Symbol)
-          @variant = [variant]
-        elsif variant.nil? || variant.is_a?(Array) && variant.any? && variant.all?{ |v| v.is_a?(Symbol) }
-          @variant = variant
+        variant = Array(variant)
+        if variant.all?(Symbol)
+          @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols, not a #{variant.class}. " \
-            "For security reasons, never directly set the variant to a user-provided value, " \
-            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
-            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
         end
       end
-      # Sets the \format by string extension, which can be used to force custom formats
+      def variant
+        @variant ||= ActiveSupport::ArrayInquirer.new
+      end
+      # Sets the format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone
       #
-      #     private
-      #       def adjust_format_for_iphone
-      #         request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone
+      #           request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def format=(extension)
         parameters[:format] = extension.to_s
-        @env["action_dispatch.request.formats"] = [Mime::Type.lookup_by_extension(parameters[:format])]
+        set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
-      # Sets the \formats by string extensions. This differs from #format= by allowing you
-      # to set multiple, ordered formats, which is useful when you want to have a fallback.
+      # Sets the formats by string extensions. This differs from #format= by allowing
+      # you to set multiple, ordered formats, which is useful when you want to have a
+      # fallback.
       #
-      # In this example, the :iphone format will be used if it's available, otherwise it'll fallback
-      # to the :html format.
+      # In this example, the `:iphone` format will be used if it's available,
+      # otherwise it'll fall back to the `:html` format.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone_with_html_fallback
       #
-      #     private
-      #       def adjust_format_for_iphone_with_html_fallback
-      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone_with_html_fallback
+      #           request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def formats=(extensions)
         parameters[:format] = extensions.first.to_s
-        @env["action_dispatch.request.formats"] = extensions.collect do |extension|
+        set_header "action_dispatch.request.formats", extensions.collect { |extension|
           Mime::Type.lookup_by_extension(extension)
-        end
+        }
       end
-      # Receives an array of mimes and return the first user sent mime that
-      # matches the order array.
-      #
+      # Returns the first MIME type that matches the provided array of MIME types.
       def negotiate_mime(order)
         formats.each do |priority|
           if priority == Mime::ALL
@@ -139,18 +152,36 @@ module ActionDispatch
         order.include?(Mime::ALL) ? format : nil
       end
-      protected
+      def should_apply_vary_header?
+        !params_readable? && use_accept_header && valid_accept_header
+      end
-      BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
+      private
+        # We use normal content negotiation unless you include **/** in your list, in
+        # which case we assume you're a browser and send HTML.
+        BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
-      def valid_accept_header
-        (xhr? && (accept.present? || content_mime_type)) ||
-          (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
-      end
+        def params_readable?
+          parameters[:format]
+        rescue *RESCUABLE_MIME_FORMAT_ERRORS
+          false
+        end
-      def use_accept_header
-        !self.class.ignore_accept_header
-      end
+        def valid_accept_header
+          (xhr? && (accept.present? || content_mime_type)) ||
+            (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
+        end
+        def use_accept_header
+          !self.class.ignore_accept_header
+        end
+        def format_from_path_extension
+          path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
+          if match = path && path.match(/\.(\w+)\z/)
+            Mime[match.captures.first]
+          end
+        end
     end
   end
 end