RubyGems - actionpack - Versions diffs - 4.2.11.1 → 6.1.3.2 - Mend

actionpack 4.2.11.1 → 6.1.3.2

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (187) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +291 -489
data/MIT-LICENSE +1 -1
data/README.rdoc +9 -9
data/lib/abstract_controller/asset_paths.rb +2 -0
data/lib/abstract_controller/base.rb +81 -51
data/lib/{action_controller → abstract_controller}/caching/fragments.rb +64 -17
data/lib/abstract_controller/caching.rb +66 -0
data/lib/abstract_controller/callbacks.rb +61 -33
data/lib/abstract_controller/collector.rb +9 -13
data/lib/abstract_controller/error.rb +6 -0
data/lib/abstract_controller/helpers.rb +115 -99
data/lib/abstract_controller/logger.rb +2 -0
data/lib/abstract_controller/railties/routes_helpers.rb +21 -3
data/lib/abstract_controller/rendering.rb +48 -47
data/lib/abstract_controller/translation.rb +17 -8
data/lib/abstract_controller/url_for.rb +2 -0
data/lib/abstract_controller.rb +13 -5
data/lib/action_controller/api/api_rendering.rb +16 -0
data/lib/action_controller/api.rb +150 -0
data/lib/action_controller/base.rb +29 -24
data/lib/action_controller/caching.rb +12 -57
data/lib/action_controller/form_builder.rb +50 -0
data/lib/action_controller/log_subscriber.rb +17 -19
data/lib/action_controller/metal/basic_implicit_render.rb +13 -0
data/lib/action_controller/metal/conditional_get.rb +134 -46
data/lib/action_controller/metal/content_security_policy.rb +51 -0
data/lib/action_controller/metal/cookies.rb +6 -4
data/lib/action_controller/metal/data_streaming.rb +30 -50
data/lib/action_controller/metal/default_headers.rb +17 -0
data/lib/action_controller/metal/etag_with_flash.rb +18 -0
data/lib/action_controller/metal/etag_with_template_digest.rb +21 -16
data/lib/action_controller/metal/exceptions.rb +63 -15
data/lib/action_controller/metal/flash.rb +9 -8
data/lib/action_controller/metal/head.rb +26 -21
data/lib/action_controller/metal/helpers.rb +37 -18
data/lib/action_controller/metal/http_authentication.rb +81 -73
data/lib/action_controller/metal/implicit_render.rb +53 -9
data/lib/action_controller/metal/instrumentation.rb +32 -35
data/lib/action_controller/metal/live.rb +102 -120
data/lib/action_controller/metal/logging.rb +20 -0
data/lib/action_controller/metal/mime_responds.rb +49 -47
data/lib/action_controller/metal/parameter_encoding.rb +82 -0
data/lib/action_controller/metal/params_wrapper.rb +83 -66
data/lib/action_controller/metal/permissions_policy.rb +46 -0
data/lib/action_controller/metal/redirecting.rb +53 -32
data/lib/action_controller/metal/renderers.rb +87 -44
data/lib/action_controller/metal/rendering.rb +77 -50
data/lib/action_controller/metal/request_forgery_protection.rb +267 -103
data/lib/action_controller/metal/rescue.rb +10 -17
data/lib/action_controller/metal/streaming.rb +12 -11
data/lib/action_controller/metal/strong_parameters.rb +714 -186
data/lib/action_controller/metal/testing.rb +2 -17
data/lib/action_controller/metal/url_for.rb +19 -10
data/lib/action_controller/metal.rb +104 -87
data/lib/action_controller/railtie.rb +28 -10
data/lib/action_controller/railties/helpers.rb +3 -1
data/lib/action_controller/renderer.rb +141 -0
data/lib/action_controller/template_assertions.rb +11 -0
data/lib/action_controller/test_case.rb +296 -422
data/lib/action_controller.rb +34 -23
data/lib/action_dispatch/http/cache.rb +107 -56
data/lib/action_dispatch/http/content_disposition.rb +45 -0
data/lib/action_dispatch/http/content_security_policy.rb +286 -0
data/lib/action_dispatch/http/filter_parameters.rb +32 -25
data/lib/action_dispatch/http/filter_redirect.rb +10 -12
data/lib/action_dispatch/http/headers.rb +55 -22
data/lib/action_dispatch/http/mime_negotiation.rb +79 -51
data/lib/action_dispatch/http/mime_type.rb +153 -121
data/lib/action_dispatch/http/mime_types.rb +20 -6
data/lib/action_dispatch/http/parameters.rb +90 -40
data/lib/action_dispatch/http/permissions_policy.rb +173 -0
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +226 -121
data/lib/action_dispatch/http/response.rb +248 -113
data/lib/action_dispatch/http/upload.rb +21 -7
data/lib/action_dispatch/http/url.rb +182 -100
data/lib/action_dispatch/journey/formatter.rb +90 -43
data/lib/action_dispatch/journey/gtg/builder.rb +28 -41
data/lib/action_dispatch/journey/gtg/simulator.rb +11 -16
data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -21
data/lib/action_dispatch/journey/nfa/dot.rb +3 -14
data/lib/action_dispatch/journey/nodes/node.rb +29 -15
data/lib/action_dispatch/journey/parser.rb +17 -16
data/lib/action_dispatch/journey/parser.y +4 -3
data/lib/action_dispatch/journey/parser_extras.rb +12 -4
data/lib/action_dispatch/journey/path/pattern.rb +58 -54
data/lib/action_dispatch/journey/route.rb +100 -32
data/lib/action_dispatch/journey/router/utils.rb +29 -18
data/lib/action_dispatch/journey/router.rb +55 -51
data/lib/action_dispatch/journey/routes.rb +17 -17
data/lib/action_dispatch/journey/scanner.rb +26 -17
data/lib/action_dispatch/journey/visitors.rb +98 -54
data/lib/action_dispatch/journey.rb +5 -5
data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
data/lib/action_dispatch/middleware/callbacks.rb +3 -6
data/lib/action_dispatch/middleware/cookies.rb +347 -217
data/lib/action_dispatch/middleware/debug_exceptions.rb +135 -63
data/lib/action_dispatch/middleware/debug_locks.rb +124 -0
data/lib/action_dispatch/middleware/debug_view.rb +66 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +115 -71
data/lib/action_dispatch/middleware/executor.rb +21 -0
data/lib/action_dispatch/middleware/flash.rb +78 -54
data/lib/action_dispatch/middleware/host_authorization.rb +130 -0
data/lib/action_dispatch/middleware/public_exceptions.rb +32 -27
data/lib/action_dispatch/middleware/reloader.rb +5 -91
data/lib/action_dispatch/middleware/remote_ip.rb +53 -45
data/lib/action_dispatch/middleware/request_id.rb +17 -10
data/lib/action_dispatch/middleware/session/abstract_store.rb +41 -26
data/lib/action_dispatch/middleware/session/cache_store.rb +24 -14
data/lib/action_dispatch/middleware/session/cookie_store.rb +74 -75
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +8 -2
data/lib/action_dispatch/middleware/show_exceptions.rb +28 -23
data/lib/action_dispatch/middleware/ssl.rb +118 -35
data/lib/action_dispatch/middleware/stack.rb +82 -41
data/lib/action_dispatch/middleware/static.rb +156 -89
data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +4 -14
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb} +4 -2
data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb +8 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +24 -0
data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +15 -0
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +105 -8
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +3 -3
data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_route.html.erb +4 -4
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +87 -64
data/lib/action_dispatch/railtie.rb +27 -13
data/lib/action_dispatch/request/session.rb +109 -61
data/lib/action_dispatch/request/utils.rb +90 -23
data/lib/action_dispatch/routing/endpoint.rb +9 -2
data/lib/action_dispatch/routing/inspector.rb +141 -102
data/lib/action_dispatch/routing/mapper.rb +811 -473
data/lib/action_dispatch/routing/polymorphic_routes.rb +167 -143
data/lib/action_dispatch/routing/redirection.rb +37 -27
data/lib/action_dispatch/routing/route_set.rb +363 -331
data/lib/action_dispatch/routing/routes_proxy.rb +32 -5
data/lib/action_dispatch/routing/url_for.rb +66 -26
data/lib/action_dispatch/routing.rb +36 -36
data/lib/action_dispatch/system_test_case.rb +190 -0
data/lib/action_dispatch/system_testing/browser.rb +86 -0
data/lib/action_dispatch/system_testing/driver.rb +67 -0
data/lib/action_dispatch/system_testing/server.rb +31 -0
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +138 -0
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +29 -0
data/lib/action_dispatch/testing/assertion_response.rb +46 -0
data/lib/action_dispatch/testing/assertions/response.rb +44 -22
data/lib/action_dispatch/testing/assertions/routing.rb +47 -31
data/lib/action_dispatch/testing/assertions.rb +6 -4
data/lib/action_dispatch/testing/integration.rb +391 -220
data/lib/action_dispatch/testing/request_encoder.rb +55 -0
data/lib/action_dispatch/testing/test_process.rb +53 -22
data/lib/action_dispatch/testing/test_request.rb +27 -34
data/lib/action_dispatch/testing/test_response.rb +11 -11
data/lib/action_dispatch.rb +35 -21
data/lib/action_pack/gem_version.rb +6 -4
data/lib/action_pack/version.rb +3 -1
data/lib/action_pack.rb +4 -2
metadata +78 -48
data/lib/action_controller/metal/force_ssl.rb +0 -97
data/lib/action_controller/metal/hide_actions.rb +0 -40
data/lib/action_controller/metal/rack_delegation.rb +0 -32
data/lib/action_controller/middleware.rb +0 -39
data/lib/action_controller/model_naming.rb +0 -12
data/lib/action_dispatch/http/parameter_filter.rb +0 -72
data/lib/action_dispatch/journey/backwards.rb +0 -5
data/lib/action_dispatch/journey/nfa/builder.rb +0 -76
data/lib/action_dispatch/journey/nfa/simulator.rb +0 -47
data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -163
data/lib/action_dispatch/journey/router/strexp.rb +0 -27
data/lib/action_dispatch/middleware/params_parser.rb +0 -60
data/lib/action_dispatch/testing/assertions/dom.rb +0 -3
data/lib/action_dispatch/testing/assertions/selector.rb +0 -3
data/lib/action_dispatch/testing/assertions/tag.rb +0 -3

data/lib/action_dispatch/http/permissions_policy.rb ADDED Viewed

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+require "active_support/core_ext/object/deep_dup"
+module ActionDispatch #:nodoc:
+  class PermissionsPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type"
+      # The Feature-Policy header has been renamed to Permissions-Policy.
+      # The Permissions-Policy requires a different implementation and isn't
+      # yet supported by all browsers. To avoid having to rename this
+      # middleware in the future we use the new name for the middleware but
+      # keep the old header name and implementation for now.
+      POLICY       = "Feature-Policy"
+      def initialize(app)
+        @app = app
+      end
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+        _, headers, _ = response = @app.call(env)
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+        if policy = request.permissions_policy
+          headers[POLICY] = policy.build(request.controller_instance)
+        end
+        if policy_empty?(policy)
+          headers.delete(POLICY)
+        end
+        response
+      end
+      private
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            /html/.match?(content_type)
+          end
+        end
+        def policy_present?(headers)
+          headers[POLICY]
+        end
+        def policy_empty?(policy)
+          policy&.directives&.empty?
+        end
+    end
+    module Request
+      POLICY = "action_dispatch.permissions_policy"
+      def permissions_policy
+        get_header(POLICY)
+      end
+      def permissions_policy=(policy)
+        set_header(POLICY, policy)
+      end
+    end
+    MAPPINGS = {
+      self: "'self'",
+      none: "'none'",
+    }.freeze
+    # List of available permissions can be found at
+    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    DIRECTIVES = {
+      accelerometer:        "accelerometer",
+      ambient_light_sensor: "ambient-light-sensor",
+      autoplay:             "autoplay",
+      camera:               "camera",
+      encrypted_media:      "encrypted-media",
+      fullscreen:           "fullscreen",
+      geolocation:          "geolocation",
+      gyroscope:            "gyroscope",
+      magnetometer:         "magnetometer",
+      microphone:           "microphone",
+      midi:                 "midi",
+      payment:              "payment",
+      picture_in_picture:   "picture-in-picture",
+      speaker:              "speaker",
+      usb:                  "usb",
+      vibrate:              "vibrate",
+      vr:                   "vr",
+    }.freeze
+    private_constant :MAPPINGS, :DIRECTIVES
+    attr_reader :directives
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+    def build(context = nil)
+      build_directives(context).compact.join("; ")
+    end
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
+          end
+        end
+      end
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
+        end
+      end
+      def build_directives(context)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            "#{directive} #{build_directive(sources, context).join(' ')}"
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
+          else
+            context.instance_exec(&source)
+          end
+        else
+          raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
+        end
+      end
+  end
+end

data/lib/action_dispatch/http/rack_cache.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 require "rack/cache"
 require "rack/cache/context"
 require "active_support/cache"