actionpack 4.2.11.1 → 5.2.4.3

data/lib/action_controller.rb

@@ -1,34 +1,42 @@
-require 'active_support/rails'
-require 'abstract_controller'
-require 'action_dispatch'
-require 'action_controller/metal/live'
-require 'action_controller/metal/strong_parameters'
+# frozen_string_literal: true
+
+require "active_support/rails"
+require "abstract_controller"
+require "action_dispatch"
+require "action_controller/metal/live"
+require "action_controller/metal/strong_parameters"
 
 module ActionController
   extend ActiveSupport::Autoload
 
+  autoload :API
   autoload :Base
-  autoload :Caching
   autoload :Metal
   autoload :Middleware
+  autoload :Renderer
+  autoload :FormBuilder
+
+  eager_autoload do
+    autoload :Caching
+  end
 
   autoload_under "metal" do
-    autoload :Compatibility
     autoload :ConditionalGet
+    autoload :ContentSecurityPolicy
     autoload :Cookies
     autoload :DataStreaming
     autoload :EtagWithTemplateDigest
+    autoload :EtagWithFlash
     autoload :Flash
     autoload :ForceSSL
     autoload :Head
     autoload :Helpers
-    autoload :HideActions
     autoload :HttpAuthentication
+    autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
     autoload :MimeResponds
     autoload :ParamsWrapper
-    autoload :RackDelegation
     autoload :Redirecting
     autoload :Renderers
     autoload :Rendering
@@ -36,23 +44,23 @@ module ActionController
     autoload :Rescue
     autoload :Streaming
     autoload :StrongParameters
+    autoload :ParameterEncoding
     autoload :Testing
     autoload :UrlFor
   end
 
-  autoload :TestCase,           'action_controller/test_case'
-  autoload :TemplateAssertions, 'action_controller/test_case'
-
-  def self.eager_load!
-    super
-    ActionController::Caching.eager_load!
+  autoload_under "api" do
+    autoload :ApiRendering
   end
+
+  autoload :TestCase,           "action_controller/test_case"
+  autoload :TemplateAssertions, "action_controller/test_case"
 end
 
 # Common Active Support usage in Action Controller
-require 'active_support/core_ext/module/attribute_accessors'
-require 'active_support/core_ext/load_error'
-require 'active_support/core_ext/module/attr_internal'
-require 'active_support/core_ext/name_error'
-require 'active_support/core_ext/uri'
-require 'active_support/inflector'
+require "active_support/core_ext/module/attribute_accessors"
+require "active_support/core_ext/load_error"
+require "active_support/core_ext/module/attr_internal"
+require "active_support/core_ext/name_error"
+require "active_support/core_ext/uri"
+require "active_support/inflector"

data/lib/action_dispatch/http/cache.rb

@@ -1,26 +1,24 @@
+# frozen_string_literal: true
 
 module ActionDispatch
   module Http
     module Cache
       module Request
-
-        HTTP_IF_MODIFIED_SINCE = 'HTTP_IF_MODIFIED_SINCE'.freeze
-        HTTP_IF_NONE_MATCH     = 'HTTP_IF_NONE_MATCH'.freeze
+        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE".freeze
+        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH".freeze
 
         def if_modified_since
-          if since = env[HTTP_IF_MODIFIED_SINCE]
+          if since = get_header(HTTP_IF_MODIFIED_SINCE)
             Time.rfc2822(since) rescue nil
           end
         end
 
         def if_none_match
-          env[HTTP_IF_NONE_MATCH]
+          get_header HTTP_IF_NONE_MATCH
         end
 
         def if_none_match_etags
-          (if_none_match ? if_none_match.split(/\s*,\s*/) : []).collect do |etag|
-            etag.gsub(/^\"|\"$/, "")
-          end
+          if_none_match ? if_none_match.split(/\s*,\s*/) : []
         end
 
         def not_modified?(modified_at)
@@ -29,8 +27,8 @@ module ActionDispatch
 
         def etag_matches?(etag)
           if etag
-            etag = etag.gsub(/^\"|\"$/, "")
-            if_none_match_etags.include?(etag)
+            validators = if_none_match_etags
+            validators.include?(etag) || validators.include?("*")
           end
         end
 
@@ -51,53 +49,96 @@ module ActionDispatch
       end
 
       module Response
-        attr_reader :cache_control, :etag
-        alias :etag? :etag
+        attr_reader :cache_control
 
         def last_modified
-          if last = headers[LAST_MODIFIED]
+          if last = get_header(LAST_MODIFIED)
             Time.httpdate(last)
           end
         end
 
         def last_modified?
-          headers.include?(LAST_MODIFIED)
+          has_header? LAST_MODIFIED
         end
 
         def last_modified=(utc_time)
-          headers[LAST_MODIFIED] = utc_time.httpdate
+          set_header LAST_MODIFIED, utc_time.httpdate
         end
 
         def date
-          if date_header = headers[DATE]
+          if date_header = get_header(DATE)
             Time.httpdate(date_header)
           end
         end
 
         def date?
-          headers.include?(DATE)
+          has_header? DATE
         end
 
         def date=(utc_time)
-          headers[DATE] = utc_time.httpdate
+          set_header DATE, utc_time.httpdate
+        end
+
+        # This method sets a weak ETag validator on the response so browsers
+        # and proxies may cache the response, keyed on the ETag. On subsequent
+        # requests, the If-None-Match header is set to the cached ETag. If it
+        # matches the current ETag, we can return a 304 Not Modified response
+        # with no body, letting the browser or proxy know that their cache is
+        # current. Big savings in request time and network bandwidth.
+        #
+        # Weak ETags are considered to be semantically equivalent but not
+        # byte-for-byte identical. This is perfect for browser caching of HTML
+        # pages where we don't care about exact equality, just what the user
+        # is viewing.
+        #
+        # Strong ETags are considered byte-for-byte identical. They allow a
+        # browser or proxy cache to support Range requests, useful for paging
+        # through a PDF file or scrubbing through a video. Some CDNs only
+        # support strong ETags and will ignore weak ETags entirely.
+        #
+        # Weak ETags are what we almost always need, so they're the default.
+        # Check out #strong_etag= to provide a strong ETag validator.
+        def etag=(weak_validators)
+          self.weak_etag = weak_validators
         end
 
-        def etag=(etag)
-          key = ActiveSupport::Cache.expand_cache_key(etag)
-          @etag = self[ETAG] = %("#{Digest::MD5.hexdigest(key)}")
+        def weak_etag=(weak_validators)
+          set_header "ETag", generate_weak_etag(weak_validators)
+        end
+
+        def strong_etag=(strong_validators)
+          set_header "ETag", generate_strong_etag(strong_validators)
+        end
+
+        def etag?; etag; end
+
+        # True if an ETag is set and it's a weak validator (preceded with W/)
+        def weak_etag?
+          etag? && etag.starts_with?('W/"')
+        end
+
+        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        def strong_etag?
+          etag? && !weak_etag?
         end
 
       private
 
-        DATE          = 'Date'.freeze
+        DATE          = "Date".freeze
         LAST_MODIFIED = "Last-Modified".freeze
-        ETAG          = "ETag".freeze
-        CACHE_CONTROL = "Cache-Control".freeze
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+
+        def generate_weak_etag(validators)
+          "W/#{generate_strong_etag(validators)}"
+        end
+
+        def generate_strong_etag(validators)
+          %("#{ActiveSupport::Digest.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
+        end
 
         def cache_control_segments
-          if cache_control = self[CACHE_CONTROL]
-            cache_control.delete(' ').split(',')
+          if cache_control = _cache_control
+            cache_control.delete(" ").split(",")
           else
             []
           end
@@ -107,10 +148,10 @@ module ActionDispatch
           cache_control = {}
 
           cache_control_segments.each do |segment|
-            directive, argument = segment.split('=', 2)
+            directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive
-              key = directive.tr('-', '_')
+              key = directive.tr("-", "_")
               cache_control[key.to_sym] = argument || true
             else
               cache_control[:extras] ||= []
@@ -123,13 +164,6 @@ module ActionDispatch
 
         def prepare_cache_control!
           @cache_control = cache_control_headers
-          @etag = self[ETAG]
-        end
-
-        def handle_conditional_get!
-          if etag? || last_modified? || !@cache_control.empty?
-            set_conditional_cache_control!
-          end
         end
 
         DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
@@ -138,25 +172,37 @@ module ActionDispatch
         PRIVATE               = "private".freeze
         MUST_REVALIDATE       = "must-revalidate".freeze
 
-        def set_conditional_cache_control!
+        def handle_conditional_get!
+          # Normally default cache control setting is handled by ETag
+          # middleware. But, if an etag is already set, the middleware
+          # defaults to `no-cache` unless a default `Cache-Control` value is
+          # previously set. So, set a default one here.
+          if (etag? || last_modified?) && !self._cache_control
+            self._cache_control = DEFAULT_CACHE_CONTROL
+          end
+        end
+
+        def merge_and_normalize_cache_control!(cache_control)
           control = {}
           cc_headers = cache_control_headers
           if extras = cc_headers.delete(:extras)
-            @cache_control[:extras] ||= []
-            @cache_control[:extras] += extras
-            @cache_control[:extras].uniq!
+            cache_control[:extras] ||= []
+            cache_control[:extras] += extras
+            cache_control[:extras].uniq!
           end
 
           control.merge! cc_headers
-          control.merge! @cache_control
+          control.merge! cache_control
 
           if control.empty?
-            headers[CACHE_CONTROL] = DEFAULT_CACHE_CONTROL
+            # Let middleware handle default behavior
           elsif control[:no_cache]
-            headers[CACHE_CONTROL] = NO_CACHE
-            if control[:extras]
-              headers[CACHE_CONTROL] += ", #{control[:extras].join(', ')}"
-            end
+            options = []
+            options << PUBLIC if control[:public]
+            options << NO_CACHE
+            options.concat(control[:extras]) if control[:extras]
+
+            self._cache_control = options.join(", ")
           else
             extras  = control[:extras]
             max_age = control[:max_age]
@@ -167,7 +213,7 @@ module ActionDispatch
             options << MUST_REVALIDATE if control[:must_revalidate]
             options.concat(extras) if extras
 
-            headers[CACHE_CONTROL] = options.join(", ")
+            self._cache_control = options.join(", ")
           end
         end
       end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -0,0 +1,272 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/deep_dup"
+
+module ActionDispatch #:nodoc:
+  class ContentSecurityPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type".freeze
+      POLICY = "Content-Security-Policy".freeze
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new env
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.content_security_policy
+          nonce = request.content_security_policy_nonce
+          context = request.controller_instance || request
+          headers[header_name(request)] = policy.build(context, nonce)
+        end
+
+        response
+      end
+
+      private
+
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            content_type =~ /html/
+          end
+        end
+
+        def header_name(request)
+          if request.content_security_policy_report_only
+            POLICY_REPORT_ONLY
+          else
+            POLICY
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.content_security_policy".freeze
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator".freeze
+      NONCE = "action_dispatch.content_security_policy_nonce".freeze
+
+      def content_security_policy
+        get_header(POLICY)
+      end
+
+      def content_security_policy=(policy)
+        set_header(POLICY, policy)
+      end
+
+      def content_security_policy_report_only
+        get_header(POLICY_REPORT_ONLY)
+      end
+
+      def content_security_policy_report_only=(value)
+        set_header(POLICY_REPORT_ONLY, value)
+      end
+
+      def content_security_policy_nonce_generator
+        get_header(NONCE_GENERATOR)
+      end
+
+      def content_security_policy_nonce_generator=(generator)
+        set_header(NONCE_GENERATOR, generator)
+      end
+
+      def content_security_policy_nonce
+        if content_security_policy_nonce_generator
+          if nonce = get_header(NONCE)
+            nonce
+          else
+            set_header(NONCE, generate_content_security_policy_nonce)
+          end
+        end
+      end
+
+      private
+
+        def generate_content_security_policy_nonce
+          content_security_policy_nonce_generator.call(self)
+        end
+    end
+
+    MAPPINGS = {
+      self:           "'self'",
+      unsafe_eval:    "'unsafe-eval'",
+      unsafe_inline:  "'unsafe-inline'",
+      none:           "'none'",
+      http:           "http:",
+      https:          "https:",
+      data:           "data:",
+      mediastream:    "mediastream:",
+      blob:           "blob:",
+      filesystem:     "filesystem:",
+      report_sample:  "'report-sample'",
+      strict_dynamic: "'strict-dynamic'",
+      ws:             "ws:",
+      wss:            "wss:"
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri:        "base-uri",
+      child_src:       "child-src",
+      connect_src:     "connect-src",
+      default_src:     "default-src",
+      font_src:        "font-src",
+      form_action:     "form-action",
+      frame_ancestors: "frame-ancestors",
+      frame_src:       "frame-src",
+      img_src:         "img-src",
+      manifest_src:    "manifest-src",
+      media_src:       "media-src",
+      object_src:      "object-src",
+      script_src:      "script-src",
+      style_src:       "style-src",
+      worker_src:      "worker-src"
+    }.freeze
+
+    NONCE_DIRECTIVES = %w[script-src].freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build(context = nil, nonce = nil)
+      build_directives(context, nonce).compact.join("; ")
+    end
+
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context, nonce)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            if nonce && nonce_directive?(directive)
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+            else
+              "#{directive} #{build_directive(sources, context).join(' ')}"
+            end
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
+          else
+            resolved = context.instance_exec(&source)
+            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
+          end
+        else
+          raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
+        end
+      end
+
+      def nonce_directive?(directive)
+        NONCE_DIRECTIVES.include?(directive)
+      end
+  end
+end