actionpack 4.2.11.1 → 6.1.3.2

data/lib/action_dispatch/middleware/stack.rb

@@ -1,28 +1,20 @@
+# frozen_string_literal: true
+
 require "active_support/inflector/methods"
 require "active_support/dependencies"
 
 module ActionDispatch
   class MiddlewareStack
     class Middleware
-      attr_reader :args, :block, :name, :classcache
-
-      def initialize(klass_or_name, *args, &block)
-        @klass = nil
-
-        if klass_or_name.respond_to?(:name)
-          @klass = klass_or_name
-          @name  = @klass.name
-        else
-          @name  = klass_or_name.to_s
-        end
+      attr_reader :args, :block, :klass
 
-        @classcache = ActiveSupport::Dependencies::Reference
-        @args, @block = args, block
+      def initialize(klass, args, block)
+        @klass = klass
+        @args  = args
+        @block = block
       end
 
-      def klass
-        @klass || classcache[@name]
-      end
+      def name; klass.name; end
 
       def ==(middleware)
         case middleware
@@ -30,23 +22,44 @@ module ActionDispatch
           klass == middleware.klass
         when Class
           klass == middleware
-        else
-          normalize(@name) == normalize(middleware)
         end
       end
 
       def inspect
-        klass.to_s
+        if klass.is_a?(Class)
+          klass.to_s
+        else
+          klass.class.to_s
+        end
       end
 
       def build(app)
         klass.new(app, *args, &block)
       end
 
-    private
+      def build_instrumented(app)
+        InstrumentationProxy.new(build(app), inspect)
+      end
+    end
 
-      def normalize(object)
-        object.to_s.strip.sub(/^::/, '')
+    # This class is used to instrument the execution of a single middleware.
+    # It proxies the +call+ method transparently and instruments the method
+    # call.
+    class InstrumentationProxy
+      EVENT_NAME = "process_middleware.action_dispatch"
+
+      def initialize(middleware, class_name)
+        @middleware = middleware
+
+        @payload = {
+          middleware: class_name,
+        }
+      end
+
+      def call(env)
+        ActiveSupport::Notifications.instrument(EVENT_NAME, @payload) do
+          @middleware.call(env)
+        end
       end
     end
 
@@ -75,20 +88,20 @@ module ActionDispatch
       middlewares[i]
     end
 
-    def unshift(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.unshift(middleware)
+    def unshift(klass, *args, &block)
+      middlewares.unshift(build_middleware(klass, args, block))
     end
+    ruby2_keywords(:unshift) if respond_to?(:ruby2_keywords, true)
 
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
     end
 
-    def insert(index, *args, &block)
+    def insert(index, klass, *args, &block)
       index = assert_index(index, :before)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.insert(index, middleware)
+      middlewares.insert(index, build_middleware(klass, args, block))
     end
+    ruby2_keywords(:insert) if respond_to?(:ruby2_keywords, true)
 
     alias_method :insert_before, :insert
 
@@ -96,34 +109,62 @@ module ActionDispatch
       index = assert_index(index, :after)
       insert(index + 1, *args, &block)
     end
+    ruby2_keywords(:insert_after) if respond_to?(:ruby2_keywords, true)
 
     def swap(target, *args, &block)
       index = assert_index(target, :before)
       insert(index, *args, &block)
       middlewares.delete_at(index + 1)
     end
+    ruby2_keywords(:swap) if respond_to?(:ruby2_keywords, true)
 
     def delete(target)
-      middlewares.delete target
+      middlewares.delete_if { |m| m.klass == target }
     end
 
-    def use(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.push(middleware)
+    def move(target, source)
+      source_index = assert_index(source, :before)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :before)
+      middlewares.insert(target_index, source_middleware)
     end
 
-    def build(app = nil, &block)
-      app ||= block
-      raise "MiddlewareStack#build requires an app" unless app
-      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
+    alias_method :move_before, :move
+
+    def move_after(target, source)
+      source_index = assert_index(source, :after)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :after)
+      middlewares.insert(target_index + 1, source_middleware)
     end
 
-  protected
+    def use(klass, *args, &block)
+      middlewares.push(build_middleware(klass, args, block))
+    end
+    ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
 
-    def assert_index(index, where)
-      i = index.is_a?(Integer) ? index : middlewares.index(index)
-      raise "No such middleware to insert #{where}: #{index.inspect}" unless i
-      i
+    def build(app = nil, &block)
+      instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
+      middlewares.freeze.reverse.inject(app || block) do |a, e|
+        if instrumenting
+          e.build_instrumented(a)
+        else
+          e.build(a)
+        end
+      end
     end
+
+    private
+      def assert_index(index, where)
+        i = index.is_a?(Integer) ? index : middlewares.index { |m| m.klass == index }
+        raise "No such middleware to insert #{where}: #{index.inspect}" unless i
+        i
+      end
+
+      def build_middleware(klass, args, block)
+        Middleware.new(klass, args, block)
+      end
   end
 end

data/lib/action_dispatch/middleware/static.rb

@@ -1,123 +1,190 @@
-require 'rack/utils'
-require 'active_support/core_ext/uri'
+# frozen_string_literal: true
+
+require "rack/utils"
+require "active_support/core_ext/uri"
 
 module ActionDispatch
-  # This middleware returns a file's contents from disk in the body response.
-  # When initialized it can accept an optional 'Cache-Control' header which
-  # will be set when a response containing a file's contents is delivered.
+  # This middleware serves static files from disk, if available.
+  # If no file is found, it hands off to the main app.
+  #
+  # In Rails apps, this middleware is configured to serve assets from
+  # the +public/+ directory.
+  #
+  # Only GET and HEAD requests are served. POST and other HTTP methods
+  # are handed off to the main app.
+  #
+  # Only files in the root directory are served; path traversal is denied.
+  class Static
+    def initialize(app, path, index: "index", headers: {})
+      @app = app
+      @file_handler = FileHandler.new(path, index: index, headers: headers)
+    end
+
+    def call(env)
+      @file_handler.attempt(env) || @app.call(env)
+    end
+  end
+
+  # This endpoint serves static files from disk using Rack::File.
   #
-  # This middleware will render the file specified in `env["PATH_INFO"]`
-  # where the base path is in the +root+ directory. For example if the +root+
-  # is set to `public/` then a request with `env["PATH_INFO"]` of
-  # `assets/application.js` will return a response with contents of a file
-  # located at `public/assets/application.js` if the file exists. If the file
-  # does not exist a 404 "File not Found" response will be returned.
+  # URL paths are matched with static files according to expected
+  # conventions: +path+, +path+.html, +path+/index.html.
+  #
+  # Precompressed versions of these files are checked first. Brotli (.br)
+  # and gzip (.gz) files are supported. If +path+.br exists, this
+  # endpoint returns that file with a <tt>Content-Encoding: br</tt> header.
+  #
+  # If no matching file is found, this endpoint responds 404 Not Found.
+  #
+  # Pass the +root+ directory to search for matching files, an optional
+  # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
+  # additional response headers.
   class FileHandler
-    def initialize(root, cache_control)
-      @root          = root.chomp('/')
-      @compiled_root = /^#{Regexp.escape(root)}/
-      headers        = cache_control && { 'Cache-Control' => cache_control }
+    # Accept-Encoding value -> file extension
+    PRECOMPRESSED = {
+      "br" => ".br",
+      "gzip" => ".gz",
+      "identity" => nil
+    }
+
+    def initialize(root, index: "index", headers: {}, precompressed: %i[ br gzip ], compressible_content_types: /\A(?:text\/|application\/javascript)/)
+      @root = root.chomp("/").b
+      @index = index
+
+      @precompressed = Array(precompressed).map(&:to_s) | %w[ identity ]
+      @compressible_content_types = compressible_content_types
+
       @file_server = ::Rack::File.new(@root, headers)
     end
 
-    def match?(path)
-      path = URI.parser.unescape(path)
-      return false unless valid_path?(path)
+    def call(env)
+      attempt(env) || @file_server.call(env)
+    end
 
-      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
-        Rack::Utils.clean_path_info v
-      }
+    def attempt(env)
+      request = Rack::Request.new env
 
-      if match = paths.detect { |p|
-        path = File.join(@root, p.force_encoding('UTF-8'))
-        begin
-          File.file?(path) && File.readable?(path)
-        rescue SystemCallError
-          false
+      if request.get? || request.head?
+        if found = find_file(request.path_info, accept_encoding: request.accept_encoding)
+          serve request, *found
         end
-
-      }
-        return ::Rack::Utils.escape(match)
       end
     end
 
-    def call(env)
-      path      = env['PATH_INFO']
-      gzip_path = gzip_file_path(path)
-
-      if gzip_path && gzip_encoding_accepted?(env)
-        env['PATH_INFO']            = gzip_path
-        status, headers, body       = @file_server.call(env)
-        if status == 304
-          return [status, headers, body]
+    private
+      def serve(request, filepath, content_headers)
+        original, request.path_info =
+          request.path_info, ::Rack::Utils.escape_path(filepath).b
+
+        @file_server.call(request.env).tap do |status, headers, body|
+          # Omit Content-Encoding/Type/etc headers for 304 Not Modified
+          if status != 304
+            headers.update(content_headers)
+          end
         end
-        headers['Content-Encoding'] = 'gzip'
-        headers['Content-Type']     = content_type(path)
-      else
-        status, headers, body = @file_server.call(env)
+      ensure
+        request.path_info = original
       end
 
-      headers['Vary'] = 'Accept-Encoding' if gzip_path
+      # Match a URI path to a static file to be served.
+      #
+      # Used by the +Static+ class to negotiate a servable file in the
+      # +public/+ directory (see Static#call).
+      #
+      # Checks for +path+, +path+.html, and +path+/index.html files,
+      # in that order, including .br and .gzip compressed extensions.
+      #
+      # If a matching file is found, the path and necessary response headers
+      # (Content-Type, Content-Encoding) are returned.
+      def find_file(path_info, accept_encoding:)
+        each_candidate_filepath(path_info) do |filepath, content_type|
+          if response = try_files(filepath, content_type, accept_encoding: accept_encoding)
+            return response
+          end
+        end
+      end
 
-      return [status, headers, body]
-    ensure
-      env['PATH_INFO'] = path
-    end
+      def try_files(filepath, content_type, accept_encoding:)
+        headers = { "Content-Type" => content_type }
 
-    private
-      def ext
-        ::ActionController::Base.default_static_extension
+        if compressible? content_type
+          try_precompressed_files filepath, headers, accept_encoding: accept_encoding
+        elsif file_readable? filepath
+          [ filepath, headers ]
+        end
       end
 
-      def content_type(path)
-        ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
+      def try_precompressed_files(filepath, headers, accept_encoding:)
+        each_precompressed_filepath(filepath) do |content_encoding, precompressed_filepath|
+          if file_readable? precompressed_filepath
+            # Identity encoding is default, so we skip Accept-Encoding
+            # negotiation and needn't set Content-Encoding.
+            #
+            # Vary header is expected when we've found other available
+            # encodings that Accept-Encoding ruled out.
+            if content_encoding == "identity"
+              return precompressed_filepath, headers
+            else
+              headers["Vary"] = "Accept-Encoding"
+
+              if accept_encoding.any? { |enc, _| /\b#{content_encoding}\b/i.match?(enc) }
+                headers["Content-Encoding"] = content_encoding
+                return precompressed_filepath, headers
+              end
+            end
+          end
+        end
       end
 
-      def gzip_encoding_accepted?(env)
-        env['HTTP_ACCEPT_ENCODING'] =~ /\bgzip\b/i
+      def file_readable?(path)
+        file_stat = File.stat(File.join(@root, path.b))
+      rescue SystemCallError
+        false
+      else
+        file_stat.file? && file_stat.readable?
       end
 
-      def gzip_file_path(path)
-        can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
-        gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape(gzip_path)))
-          gzip_path
-        else
-          false
-        end
+      def compressible?(content_type)
+        @compressible_content_types.match?(content_type)
       end
 
-      def valid_path?(path)
-        path.valid_encoding? && !path.include?("\0")
+      def each_precompressed_filepath(filepath)
+        @precompressed.each do |content_encoding|
+          precompressed_ext = PRECOMPRESSED.fetch(content_encoding)
+          yield content_encoding, "#{filepath}#{precompressed_ext}"
+        end
+
+        nil
       end
-  end
 
-  # This middleware will attempt to return the contents of a file's body from
-  # disk in the response.  If a file is not found on disk, the request will be
-  # delegated to the application stack. This middleware is commonly initialized
-  # to serve assets from a server's `public/` directory.
-  #
-  # This middleware verifies the path to ensure that only files
-  # living in the root directory can be rendered. A request cannot
-  # produce a directory traversal using this middleware. Only 'GET' and 'HEAD'
-  # requests will result in a file being returned.
-  class Static
-    def initialize(app, path, cache_control=nil)
-      @app = app
-      @file_handler = FileHandler.new(path, cache_control)
-    end
+      def each_candidate_filepath(path_info)
+        return unless path = clean_path(path_info)
 
-    def call(env)
-      case env['REQUEST_METHOD']
-      when 'GET', 'HEAD'
-        path = env['PATH_INFO'].chomp('/')
-        if match = @file_handler.match?(path)
-          env["PATH_INFO"] = match
-          return @file_handler.call(env)
+        ext = ::File.extname(path)
+        content_type = ::Rack::Mime.mime_type(ext, nil)
+        yield path, content_type || "text/plain"
+
+        # Tack on .html and /index.html only for paths that don't have
+        # an explicit, resolvable file extension. No need to check
+        # for foo.js.html and foo.js/index.html.
+        unless content_type
+          default_ext = ::ActionController::Base.default_static_extension
+          if ext != default_ext
+            default_content_type = ::Rack::Mime.mime_type(default_ext, "text/plain")
+
+            yield "#{path}#{default_ext}", default_content_type
+            yield "#{path}/#{@index}#{default_ext}", default_content_type
+          end
         end
+
+        nil
       end
 
-      @app.call(env)
-    end
+      def clean_path(path_info)
+        path = ::Rack::Utils.unescape_path path_info.chomp("/")
+        if ::Rack::Utils.valid_path? path
+          ::Rack::Utils.clean_path_info path
+        end
+      end
   end
 end

data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb

@@ -0,0 +1,13 @@
+<% actions = ActiveSupport::ActionableError.actions(exception) %>
+
+<% if actions.any? %>
+  <div class="actions">
+    <% actions.each do |action, _| %>
+      <%= button_to action, ActionDispatch::ActionableExceptions.endpoint, params: {
+        error: exception.class.name,
+        action: action,
+        location: request.path
+      } %>
+    <% end %>
+  </div>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb

@@ -0,0 +1,22 @@
+<% if exception.respond_to?(:original_message) && exception.respond_to?(:corrections) %>
+  <div class="exception-message">
+    <%= simple_format h(exception.original_message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
+  <%
+    # The 'did_you_mean' gem can raise exceptions when calling #corrections on
+    # the exception. If it does there are no corrections to show.
+    corrections = exception.corrections rescue []
+  %>
+  <% if corrections.any? %>
+    <b>Did you mean?</b>
+    <ul>
+    <% corrections.each do |correction| %>
+      <li style="list-style-type: none"><%= h correction %></li>
+    <% end %>
+    </ul>
+  <% end %>
+<% else %>
+  <div class="exception-message">
+    <%= simple_format h(exception.message), { class: "message" }, wrapper_tag: "div" %>
+  </div>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -5,20 +5,10 @@
   <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%= @exception.describe_blame %></code></pre>
 <% end %>
 
-<%
-  clean_params = @request.filtered_parameters.clone
-  clean_params.delete("action")
-  clean_params.delete("controller")
-
-  request_dump = clean_params.empty? ? 'None' : clean_params.inspect.gsub(',', ",\n")
-
-  def debug_hash(object)
-    object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
-  end unless self.class.method_defined?(:debug_hash)
-%>
-
 <h2 style="margin-top: 30px">Request</h2>
-<p><b>Parameters</b>:</p> <pre><%= request_dump %></pre>
+<% if params_valid? %>
+  <p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
+<% end %>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>
@@ -31,4 +21,4 @@
 </div>
 
 <h2 style="margin-top: 30px">Response</h2>
-<p><b>Headers</b>:</p> <pre><%= defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %></pre>
+<p><b>Headers</b>:</p> <pre><%= debug_headers(defined?(@response) ? @response.headers : {}) %></pre>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb

@@ -1,5 +1,5 @@
 <%
-  clean_params = @request.filtered_parameters.clone
+  clean_params = params_valid? ? @request.filtered_parameters.clone : {}
   clean_params.delete("action")
   clean_params.delete("controller")
 

data/lib/action_dispatch/middleware/templates/rescues/{_source.erb → _source.html.erb}

@@ -1,6 +1,8 @@
-<% @source_extracts.each_with_index do |source_extract, index| %>
+<% error_index = local_assigns[:error_index] || 0 %>
+
+<% source_extracts.each_with_index do |source_extract, index| %>
   <% if source_extract[:code] %>
-    <div class="source <%="hidden" if @show_source_idx != index%>" id="frame-source-<%=index%>">
+    <div class="source <%= "hidden" if show_source_idx != index %>" id="frame-source-<%= error_index %>-<%= index %>">
       <div class="info">
         Extracted source (around line <strong>#<%= source_extract[:line_number] %></strong>):
       </div>

data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb

@@ -0,0 +1,8 @@
+<% @source_extracts.first(3).each do |source_extract| %>
+<% if source_extract[:code] %>
+Extracted source (around line #<%= source_extract[:line_number] %>):
+
+<% source_extract[:code].each do |line, source| -%>
+<%= line == source_extract[:line_number] ? "*#{line}" : "##{line}" -%> <%= source -%><% end -%>
+<% end %>
+<% end %>