actionpack 4.2.11.3 → 5.0.7.2

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,72 +1,160 @@
 module ActionDispatch
+  # This middleware is added to the stack when `config.force_ssl = true`, and is passed
+  # the options set in `config.ssl_options`. It does three jobs to enforce secure HTTP
+  # requests:
+  #
+  #   1. TLS redirect: Permanently redirects http:// requests to https://
+  #      with the same URL host, path, etc. Enabled by default. Set `config.ssl_options`
+  #      to modify the destination URL
+  #      (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
+  #      `redirect: false` to disable this feature.
+  #
+  #   2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
+  #      mustn't be sent along with http:// requests. Enabled by default. Set
+  #      `config.ssl_options` with `secure_cookies: false` to disable this feature.
+  #
+  #   3. HTTP Strict Transport Security (HSTS): Tells the browser to remember
+  #      this site as TLS-only and automatically redirect non-TLS requests.
+  #      Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.
+  #
+  # Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
+  #   * `expires`: How long, in seconds, these settings will stick. The minimum
+  #     required to qualify for browser preload lists is `18.weeks`. Defaults to
+  #     `180.days` (recommended).
+  #   * `subdomains`: Set to `true` to tell the browser to apply these settings
+  #     to all subdomains. This protects your cookies from interception by a
+  #     vulnerable site on a subdomain. Defaults to `false`.
+  #   * `preload`: Advertise that this site may be included in browsers'
+  #     preloaded HSTS lists. HSTS protects your site on every visit *except the
+  #     first visit* since it hasn't seen your HSTS header yet. To close this
+  #     gap, browser vendors include a baked-in list of HSTS-enabled sites.
+  #     Go to https://hstspreload.appspot.com to submit your site for inclusion.
+  #     Defaults to `false`.
+  #
+  # To turn off HSTS, omitting the header is not enough. Browsers will remember the
+  # original HSTS directive until it expires. Instead, use the header to tell browsers to
+  # expire HSTS immediately. Setting `hsts: false` is a shortcut for
+  # `hsts: { expires: 0 }`.
+  #
+  # Requests can opt-out of redirection with `exclude`:
+  #
+  #    config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
   class SSL
-    YEAR = 31536000
+    # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
+    # and greater than the 18-week requirement for browser preload lists.
+    HSTS_EXPIRES_IN = 15552000
 
     def self.default_hsts_options
-      { :expires => YEAR, :subdomains => false }
+      { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
     end
 
-    def initialize(app, options = {})
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
       @app = app
 
-      @hsts = options.fetch(:hsts, {})
-      @hsts = {} if @hsts == true
-      @hsts = self.class.default_hsts_options.merge(@hsts) if @hsts
+      if options[:host] || options[:port]
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          The `:host` and `:port` options are moving within `:redirect`:
+          `config.ssl_options = { redirect: { host: …, port: … } }`.
+        end_warning
+        @redirect = options.slice(:host, :port)
+      else
+        @redirect = redirect
+      end
+
+      @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
+      @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
 
-      @host    = options[:host]
-      @port    = options[:port]
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
+          unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
+          of this behavior.
+        end_warning
+      end
+
+      @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
     def call(env)
-      request = Request.new(env)
+      request = Request.new env
 
       if request.ssl?
-        status, headers, body = @app.call(env)
-        headers.reverse_merge!(hsts_headers)
-        flag_cookies_as_secure!(headers)
-        [status, headers, body]
+        @app.call(env).tap do |status, headers, body|
+          set_hsts_header! headers
+          flag_cookies_as_secure! headers if @secure_cookies
+        end
       else
-        redirect_to_https(request)
+        return redirect_to_https request unless @exclude.call(request)
+        @app.call(env)
       end
     end
 
     private
-      def redirect_to_https(request)
-        host = @host || request.host
-        port = @port || request.port
-
-        location = "https://#{host}"
-        location << ":#{port}" if port != 80
-        location << request.fullpath
-
-        headers = { 'Content-Type' => 'text/html', 'Location' => location }
-
-        [301, headers, []]
+      def set_hsts_header!(headers)
+        headers['Strict-Transport-Security'.freeze] ||= @hsts_header
       end
 
-      # http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02
-      def hsts_headers
-        if @hsts
-          value = "max-age=#{@hsts[:expires].to_i}"
-          value += "; includeSubDomains" if @hsts[:subdomains]
-          { 'Strict-Transport-Security' => value }
+      def normalize_hsts_options(options)
+        case options
+        # Explicitly disabling HSTS clears the existing setting from browsers
+        # by setting expiry to 0.
+        when false
+          self.class.default_hsts_options.merge(expires: 0)
+        # Default to enabled, with default options.
+        when nil, true
+          self.class.default_hsts_options
         else
-          {}
+          self.class.default_hsts_options.merge(options)
         end
       end
 
+      # http://tools.ietf.org/html/rfc6797#section-6.1
+      def build_hsts_header(hsts)
+        value = "max-age=#{hsts[:expires].to_i}"
+        value << "; includeSubDomains" if hsts[:subdomains]
+        value << "; preload" if hsts[:preload]
+        value
+      end
+
       def flag_cookies_as_secure!(headers)
-        if cookies = headers['Set-Cookie']
-          cookies = cookies.split("\n")
+        if cookies = headers['Set-Cookie'.freeze]
+          cookies = cookies.split("\n".freeze)
 
-          headers['Set-Cookie'] = cookies.map { |cookie|
+          headers['Set-Cookie'.freeze] = cookies.map { |cookie|
             if cookie !~ /;\s*secure\s*(;|$)/i
               "#{cookie}; secure"
             else
               cookie
             end
-          }.join("\n")
+          }.join("\n".freeze)
         end
       end
+
+      def redirect_to_https(request)
+        [ @redirect.fetch(:status, redirection_status(request)),
+          { 'Content-Type' => 'text/html',
+            'Location' => https_location_for(request) },
+          @redirect.fetch(:body, []) ]
+      end
+
+      def redirection_status(request)
+        if request.get? || request.head?
+          301 # Issue a permanent redirect via a GET request.
+        else
+          307 # Issue a fresh request redirect to preserve the HTTP method.
+        end
+      end
+
+      def https_location_for(request)
+        host = @redirect[:host] || request.host
+        port = @redirect[:port] || request.port
+
+        location = "https://#{host}"
+        location << ":#{port}" if port != 80 && port != 443
+        location << request.fullpath
+        location
+      end
   end
 end

data/lib/action_dispatch/middleware/stack.rb

@@ -4,25 +4,15 @@ require "active_support/dependencies"
 module ActionDispatch
   class MiddlewareStack
     class Middleware
-      attr_reader :args, :block, :name, :classcache
+      attr_reader :args, :block, :klass
 
-      def initialize(klass_or_name, *args, &block)
-        @klass = nil
-
-        if klass_or_name.respond_to?(:name)
-          @klass = klass_or_name
-          @name  = @klass.name
-        else
-          @name  = klass_or_name.to_s
-        end
-
-        @classcache = ActiveSupport::Dependencies::Reference
-        @args, @block = args, block
+      def initialize(klass, args, block)
+        @klass = klass
+        @args  = args
+        @block = block
       end
 
-      def klass
-        @klass || classcache[@name]
-      end
+      def name; klass.name; end
 
       def ==(middleware)
         case middleware
@@ -30,24 +20,20 @@ module ActionDispatch
           klass == middleware.klass
         when Class
           klass == middleware
-        else
-          normalize(@name) == normalize(middleware)
         end
       end
 
       def inspect
-        klass.to_s
+        if klass.is_a?(Class)
+          klass.to_s
+        else
+          klass.class.to_s
+        end
       end
 
       def build(app)
         klass.new(app, *args, &block)
       end
-
-    private
-
-      def normalize(object)
-        object.to_s.strip.sub(/^::/, '')
-      end
     end
 
     include Enumerable
@@ -75,19 +61,17 @@ module ActionDispatch
       middlewares[i]
     end
 
-    def unshift(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.unshift(middleware)
+    def unshift(klass, *args, &block)
+      middlewares.unshift(build_middleware(klass, args, block))
     end
 
     def initialize_copy(other)
       self.middlewares = other.middlewares.dup
     end
 
-    def insert(index, *args, &block)
+    def insert(index, klass, *args, &block)
       index = assert_index(index, :before)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.insert(index, middleware)
+      middlewares.insert(index, build_middleware(klass, args, block))
     end
 
     alias_method :insert_before, :insert
@@ -104,26 +88,46 @@ module ActionDispatch
     end
 
     def delete(target)
-      middlewares.delete target
+      target = get_class target
+      middlewares.delete_if { |m| m.klass == target }
     end
 
-    def use(*args, &block)
-      middleware = self.class::Middleware.new(*args, &block)
-      middlewares.push(middleware)
+    def use(klass, *args, &block)
+      middlewares.push(build_middleware(klass, args, block))
     end
 
-    def build(app = nil, &block)
-      app ||= block
-      raise "MiddlewareStack#build requires an app" unless app
+    def build(app = Proc.new)
       middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
     end
 
-  protected
+    private
 
     def assert_index(index, where)
-      i = index.is_a?(Integer) ? index : middlewares.index(index)
+      index = get_class index
+      i = index.is_a?(Integer) ? index : middlewares.index { |m| m.klass == index }
       raise "No such middleware to insert #{where}: #{index.inspect}" unless i
       i
     end
+
+    def get_class(klass)
+      if klass.is_a?(String) || klass.is_a?(Symbol)
+        classcache = ActiveSupport::Dependencies::Reference
+        converted_klass = classcache[klass.to_s]
+        ActiveSupport::Deprecation.warn <<-eowarn
+Passing strings or symbols to the middleware builder is deprecated, please change
+them to actual class references.  For example:
+
+  "#{klass}" => #{converted_klass}
+
+        eowarn
+        converted_klass
+      else
+        klass
+      end
+    end
+
+    def build_middleware(klass, args, block)
+      Middleware.new(get_class(klass), args, block)
+    end
   end
 end

data/lib/action_dispatch/middleware/static.rb

@@ -3,33 +3,37 @@ require 'active_support/core_ext/uri'
 
 module ActionDispatch
   # This middleware returns a file's contents from disk in the body response.
-  # When initialized it can accept an optional 'Cache-Control' header which
-  # will be set when a response containing a file's contents is delivered.
+  # When initialized, it can accept optional HTTP headers, which will be set
+  # when a response containing a file's contents is delivered.
   #
   # This middleware will render the file specified in `env["PATH_INFO"]`
-  # where the base path is in the +root+ directory. For example if the +root+
-  # is set to `public/` then a request with `env["PATH_INFO"]` of
-  # `assets/application.js` will return a response with contents of a file
+  # where the base path is in the +root+ directory. For example, if the +root+
+  # is set to `public/`, then a request with `env["PATH_INFO"]` of
+  # `assets/application.js` will return a response with the contents of a file
   # located at `public/assets/application.js` if the file exists. If the file
-  # does not exist a 404 "File not Found" response will be returned.
+  # does not exist, a 404 "File not Found" response will be returned.
   class FileHandler
-    def initialize(root, cache_control)
+    def initialize(root, index: 'index', headers: {})
       @root          = root.chomp('/')
-      @compiled_root = /^#{Regexp.escape(root)}/
-      headers        = cache_control && { 'Cache-Control' => cache_control }
-      @file_server = ::Rack::File.new(@root, headers)
+      @file_server   = ::Rack::File.new(@root, headers)
+      @index         = index
     end
 
+    # Takes a path to a file. If the file is found, has valid encoding, and has
+    # correct read permissions, the return value is a URI-escaped string
+    # representing the filename. Otherwise, false is returned.
+    #
+    # Used by the `Static` class to check the existence of a valid file
+    # in the server's `public/` directory (see Static#call).
     def match?(path)
-      path = URI.parser.unescape(path)
+      path = ::Rack::Utils.unescape_path path
       return false unless valid_path?(path)
+      path = Rack::Utils.clean_path_info path
 
-      paths = [path, "#{path}#{ext}", "#{path}/index#{ext}"].map { |v|
-        Rack::Utils.clean_path_info v
-      }
+      paths = [path, "#{path}#{ext}", "#{path}/#{@index}#{ext}"]
 
       if match = paths.detect { |p|
-        path = File.join(@root, p.force_encoding('UTF-8'))
+        path = File.join(@root, p.force_encoding('UTF-8'.freeze))
         begin
           File.file?(path) && File.readable?(path)
         rescue SystemCallError
@@ -37,31 +41,35 @@ module ActionDispatch
         end
 
       }
-        return ::Rack::Utils.escape(match)
+        return ::Rack::Utils.escape_path(match)
       end
     end
 
     def call(env)
-      path      = env['PATH_INFO']
+      serve(Rack::Request.new(env))
+    end
+
+    def serve(request)
+      path      = request.path_info
       gzip_path = gzip_file_path(path)
 
-      if gzip_path && gzip_encoding_accepted?(env)
-        env['PATH_INFO']            = gzip_path
-        status, headers, body       = @file_server.call(env)
+      if gzip_path && gzip_encoding_accepted?(request)
+        request.path_info           = gzip_path
+        status, headers, body       = @file_server.call(request.env)
         if status == 304
           return [status, headers, body]
         end
         headers['Content-Encoding'] = 'gzip'
         headers['Content-Type']     = content_type(path)
       else
-        status, headers, body = @file_server.call(env)
+        status, headers, body = @file_server.call(request.env)
       end
 
       headers['Vary'] = 'Accept-Encoding' if gzip_path
 
       return [status, headers, body]
     ensure
-      env['PATH_INFO'] = path
+      request.path_info = path
     end
 
     private
@@ -70,17 +78,17 @@ module ActionDispatch
       end
 
       def content_type(path)
-        ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
+        ::Rack::Mime.mime_type(::File.extname(path), 'text/plain'.freeze)
       end
 
-      def gzip_encoding_accepted?(env)
-        env['HTTP_ACCEPT_ENCODING'] =~ /\bgzip\b/i
+      def gzip_encoding_accepted?(request)
+        request.accept_encoding.any? { |enc, quality| enc =~ /\bgzip\b/i }
       end
 
       def gzip_file_path(path)
         can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
         gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape(gzip_path)))
+        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path)))
           gzip_path
         else
           false
@@ -93,7 +101,7 @@ module ActionDispatch
   end
 
   # This middleware will attempt to return the contents of a file's body from
-  # disk in the response.  If a file is not found on disk, the request will be
+  # disk in the response. If a file is not found on disk, the request will be
   # delegated to the application stack. This middleware is commonly initialized
   # to serve assets from a server's `public/` directory.
   #
@@ -102,22 +110,30 @@ module ActionDispatch
   # produce a directory traversal using this middleware. Only 'GET' and 'HEAD'
   # requests will result in a file being returned.
   class Static
-    def initialize(app, path, cache_control=nil)
+    def initialize(app, path, deprecated_cache_control = :not_set, index: 'index', headers: {})
+      if deprecated_cache_control != :not_set
+        ActiveSupport::Deprecation.warn("The `cache_control` argument is deprecated," \
+                                        "replaced by `headers: { 'Cache-Control' => #{deprecated_cache_control} }`, " \
+                                        " and will be removed in Rails 5.1.")
+        headers['Cache-Control'.freeze] = deprecated_cache_control
+      end
+
       @app = app
-      @file_handler = FileHandler.new(path, cache_control)
+      @file_handler = FileHandler.new(path, index: index, headers: headers)
     end
 
     def call(env)
-      case env['REQUEST_METHOD']
-      when 'GET', 'HEAD'
-        path = env['PATH_INFO'].chomp('/')
+      req = Rack::Request.new env
+
+      if req.get? || req.head?
+        path = req.path_info.chomp('/'.freeze)
         if match = @file_handler.match?(path)
-          env["PATH_INFO"] = match
-          return @file_handler.call(env)
+          req.path_info = match
+          return @file_handler.serve(req)
         end
       end
 
-      @app.call(env)
+      @app.call(req.env)
     end
   end
 end

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -5,20 +5,8 @@
   <pre id="blame_trace" <%='style="display:none"' if hide %>><code><%= @exception.describe_blame %></code></pre>
 <% end %>
 
-<%
-  clean_params = @request.filtered_parameters.clone
-  clean_params.delete("action")
-  clean_params.delete("controller")
-
-  request_dump = clean_params.empty? ? 'None' : clean_params.inspect.gsub(',', ",\n")
-
-  def debug_hash(object)
-    object.to_hash.sort_by { |k, _| k.to_s }.map { |k, v| "#{k}: #{v.inspect rescue $!.message}" }.join("\n")
-  end unless self.class.method_defined?(:debug_hash)
-%>
-
 <h2 style="margin-top: 30px">Request</h2>
-<p><b>Parameters</b>:</p> <pre><%= request_dump %></pre>
+<p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>
@@ -31,4 +19,4 @@
 </div>
 
 <h2 style="margin-top: 30px">Response</h2>
-<p><b>Headers</b>:</p> <pre><%= defined?(@response) ? @response.headers.inspect.gsub(',', ",\n") : 'None' %></pre>
+<p><b>Headers</b>:</p> <pre><%= debug_headers(defined?(@response) ? @response.headers : {}) %></pre>

data/lib/action_dispatch/middleware/templates/rescues/_source.text.erb

@@ -0,0 +1,8 @@
+<% @source_extracts.first(3).each do |source_extract| %>
+<% if source_extract[:code] %>
+Extracted source (around line #<%= source_extract[:line_number] %>):
+
+<% source_extract[:code].each do |line, source| -%>
+<%= line == source_extract[:line_number] ? "*#{line}" : "##{line}" -%> <%= source -%><% end -%>
+<% end %>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb

@@ -1,6 +1,6 @@
 <header>
   <h1>
-    <%= @exception.original_exception.class.to_s %> in
+    <%= @exception.cause.class.to_s %> in
     <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>
   </h1>
 </header>

data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb

@@ -1,4 +1,4 @@
-<%= @exception.original_exception.class.to_s %> in <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>
+<%= @exception.cause.class.to_s %> in <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>
 
 Showing <%= @exception.file_name %> where line #<%= @exception.line_number %> raised:
 <%= @exception.message %>

data/lib/action_dispatch/middleware/templates/routes/_route.html.erb

@@ -4,13 +4,13 @@
       <%= route[:name] %><span class='helper'>_path</span>
     <% end %>
   </td>
-  <td data-route-verb='<%= route[:verb] %>'>
+  <td>
     <%= route[:verb] %>
   </td>
-  <td data-route-path='<%= route[:path] %>' data-regexp='<%= route[:regexp] %>'>
+  <td data-route-path='<%= route[:path] %>'>
     <%= route[:path] %>
   </td>
-  <td data-route-reqs='<%= route[:reqs] %>'>
-    <%= route[:reqs] %>
+  <td>
+    <%=simple_format route[:reqs] %>
   </td>
 </tr>