actionpack 4.2.11.3 → 5.0.7.2

data/lib/action_controller/metal/renderers.rb

@@ -11,6 +11,7 @@ module ActionController
     Renderers.remove(key)
   end
 
+  # See <tt>Responder#api_behavior</tt>
   class MissingRenderer < LoadError
     def initialize(format)
       super "No renderer defined for format: #{format}"
@@ -20,40 +21,25 @@ module ActionController
   module Renderers
     extend ActiveSupport::Concern
 
+    # A Set containing renderer names that correspond to available renderer procs.
+    # Default values are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
+    RENDERERS = Set.new
+
     included do
       class_attribute :_renderers
       self._renderers = Set.new.freeze
     end
 
-    module ClassMethods
-      def use_renderers(*args)
-        renderers = _renderers + args
-        self._renderers = renderers.freeze
-      end
-      alias use_renderer use_renderers
-    end
-
-    def render_to_body(options)
-      _render_to_body_with_renderer(options) || super
-    end
+    # Used in <tt>ActionController::Base</tt>
+    # and <tt>ActionController::API</tt> to include all
+    # renderers by default.
+    module All
+      extend ActiveSupport::Concern
+      include Renderers
 
-    def _render_to_body_with_renderer(options)
-      _renderers.each do |name|
-        if options.key?(name)
-          _process_options(options)
-          method_name = Renderers._render_with_renderer_method_name(name)
-          return send(method_name, options.delete(name), options)
-        end
+      included do
+        self._renderers = RENDERERS
       end
-      nil
-    end
-
-    # A Set containing renderer names that correspond to available renderer procs.
-    # Default values are <tt>:json</tt>, <tt>:js</tt>, <tt>:xml</tt>.
-    RENDERERS = Set.new
-
-    def self._render_with_renderer_method_name(key)
-      "_render_with_renderer_#{key}"
     end
 
     # Adds a new renderer to call within controller actions.
@@ -68,11 +54,11 @@ module ActionController
     #   ActionController::Renderers.add :csv do |obj, options|
     #     filename = options[:filename] || 'data'
     #     str = obj.respond_to?(:to_csv) ? obj.to_csv : obj.to_s
-    #     send_data str, type: Mime::CSV,
+    #     send_data str, type: Mime[:csv],
     #       disposition: "attachment; filename=#{filename}.csv"
     #   end
     #
-    # Note that we used Mime::CSV for the csv mime type as it comes with Rails.
+    # Note that we used Mime[:csv] for the csv mime type as it comes with Rails.
     # For a custom renderer, you'll need to register a mime type with
     # <tt>Mime::Type.register</tt>.
     #
@@ -92,7 +78,7 @@ module ActionController
 
     # This method is the opposite of add method.
     #
-    # Usage:
+    # To remove a csv renderer:
     #
     #   ActionController::Renderers.remove(:csv)
     def self.remove(key)
@@ -101,37 +87,94 @@ module ActionController
       remove_method(method_name) if method_defined?(method_name)
     end
 
-    module All
-      extend ActiveSupport::Concern
-      include Renderers
+    def self._render_with_renderer_method_name(key)
+      "_render_with_renderer_#{key}"
+    end
 
-      included do
-        self._renderers = RENDERERS
+    module ClassMethods
+
+      # Adds, by name, a renderer or renderers to the +_renderers+ available
+      # to call within controller actions.
+      #
+      # It is useful when rendering from an <tt>ActionController::Metal</tt> controller or
+      # otherwise to add an available renderer proc to a specific controller.
+      #
+      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
+      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
+      #
+      # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
+      # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
+      # and <tt>ActionController::Renderers</tt>, and have at lest one renderer.
+      #
+      # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
+      # you may specify which renderers to include by passing the renderer name or names to
+      # +use_renderers+. For example, a controller that includes only the <tt>:json</tt> renderer
+      # (+_render_with_renderer_json+) might look like:
+      #
+      #   class MetalRenderingController < ActionController::Metal
+      #     include AbstractController::Rendering
+      #     include ActionController::Rendering
+      #     include ActionController::Renderers
+      #
+      #     use_renderers :json
+      #
+      #     def show
+      #       render json: record
+      #     end
+      #   end
+      #
+      # You must specify a +use_renderer+, else the +controller.renderer+ and
+      # +controller._renderers+ will be <tt>nil</tt>, and the action will fail.
+      def use_renderers(*args)
+        renderers = _renderers + args
+        self._renderers = renderers.freeze
       end
+      alias use_renderer use_renderers
+    end
+
+    # Called by +render+ in <tt>AbstractController::Rendering</tt>
+    # which sets the return value as the +response_body+.
+    #
+    # If no renderer is found, +super+ returns control to
+    # <tt>ActionView::Rendering.render_to_body</tt>, if present.
+    def render_to_body(options)
+      _render_to_body_with_renderer(options) || super
+    end
+
+    def _render_to_body_with_renderer(options)
+      _renderers.each do |name|
+        if options.key?(name)
+          _process_options(options)
+          method_name = Renderers._render_with_renderer_method_name(name)
+          return send(method_name, options.delete(name), options)
+        end
+      end
+      nil
     end
 
     add :json do |json, options|
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        if content_type.nil? || content_type == Mime::JSON
-          self.content_type = Mime::JS
+        if content_type.nil? || content_type == Mime[:json]
+          self.content_type = Mime[:js]
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type ||= Mime::JSON
+        self.content_type ||= Mime[:json]
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type ||= Mime::JS
+      self.content_type ||= Mime[:js]
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type ||= Mime::XML
+      self.content_type ||= Mime[:xml]
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
   end

data/lib/action_controller/metal/rendering.rb

@@ -1,9 +1,29 @@
+require 'active_support/core_ext/string/filters'
+
 module ActionController
   module Rendering
     extend ActiveSupport::Concern
 
     RENDER_FORMATS_IN_PRIORITY = [:body, :text, :plain, :html]
 
+    module ClassMethods
+      # Documentation at ActionController::Renderer#render
+      delegate :render, to: :renderer
+
+      # Returns a renderer instance (inherited from ActionController::Renderer)
+      # for the controller.
+      attr_reader :renderer
+
+      def setup_renderer! # :nodoc:
+        @renderer = Renderer.for(self)
+      end
+
+      def inherited(klass)
+        klass.setup_renderer!
+        super
+      end
+    end
+
     # Before processing, set the request formats in current controller formats.
     def process_action(*) #:nodoc:
       self.formats = request.formats.map(&:ref).compact
@@ -42,13 +62,13 @@ module ActionController
       nil
     end
 
-    def _process_format(format, options = {})
-      super
+    def _set_html_content_type
+      self.content_type = Mime[:html].to_s
+    end
 
-      if options[:plain]
-        self.content_type = Mime::TEXT
-      else
-        self.content_type ||= format.to_s
+    def _set_rendered_content_type(format)
+      if format && !response.content_type
+        self.content_type = format.to_s
       end
     end
 
@@ -63,11 +83,23 @@ module ActionController
     def _normalize_options(options) #:nodoc:
       _normalize_text(options)
 
+      if options[:text]
+        ActiveSupport::Deprecation.warn <<-WARNING.squish
+          `render :text` is deprecated because it does not actually render a
+          `text/plain` response. Switch to `render plain: 'plain text'` to
+          render as `text/plain`, `render html: '<strong>HTML</strong>'` to
+          render as `text/html`, or `render body: 'raw'` to match the deprecated
+          behavior and render with the default Content-Type, which is
+          `text/html`.
+        WARNING
+      end
+
       if options[:html]
         options[:html] = ERB::Util.html_escape(options[:html])
       end
 
       if options.delete(:nothing)
+        ActiveSupport::Deprecation.warn("`:nothing` option is deprecated and will be removed in Rails 5.1. Use `head` method to respond with empty response body.")
         options[:body] = nil
       end
 

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -13,9 +13,14 @@ module ActionController #:nodoc:
   # by including a token in the rendered HTML for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
   # access. When a request reaches your application, \Rails verifies the received
-  # token with the token in the session. Only HTML and JavaScript requests are checked,
-  # so this will not protect your XML API (presumably you'll have a different
-  # authentication scheme there anyway).
+  # token with the token in the session. All requests are checked except GET requests
+  # as these should be idempotent. Keep in mind that all session-oriented requests
+  # should be CSRF protected, including JavaScript and HTML requests.
+  #
+  # Since HTML and JavaScript requests are typically made from the browser, we
+  # need to ensure to verify request authenticity for the web browser. We can
+  # use session-oriented authentication for these types of requests, by using
+  # the `protect_from_forgery` method in our controllers.
   #
   # GET requests are not protected since they don't have side effects like writing
   # to the database and don't leak sensitive information. JavaScript requests are
@@ -26,22 +31,21 @@ module ActionController #:nodoc:
   # Ajax) requests are allowed to make GET requests for JavaScript responses.
   #
   # It's important to remember that XML or JSON requests are also affected and if
-  # you're building an API you'll need something like:
+  # you're building an API you should change forgery protection method in
+  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
   #
   #   class ApplicationController < ActionController::Base
-  #     protect_from_forgery
-  #     skip_before_action :verify_authenticity_token, if: :json_request?
-  #
-  #     protected
-  #
-  #     def json_request?
-  #       request.format.json?
-  #     end
+  #     protect_from_forgery unless: -> { request.format.json? }
   #   end
   #
-  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
-  # which checks the token and resets the session if it doesn't match what was expected.
-  # A call to this method is generated for new \Rails applications by default.
+  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
+  # By default <tt>protect_from_forgery</tt> protects your session with
+  # <tt>:null_session</tt> method, which provides an empty session
+  # during request.
+  #
+  # We may want to disable CSRF protection for APIs since they are typically
+  # designed to be state-less. That is, the request API client will handle
+  # the session for you instead of Rails.
   #
   # The token parameter is named <tt>authenticity_token</tt> by default. The name and
   # value of this token must be added to every layout that renders forms by including
@@ -73,6 +77,14 @@ module ActionController #:nodoc:
       config_accessor :log_warning_on_csrf_failure
       self.log_warning_on_csrf_failure = true
 
+      # Controls whether the Origin header is checked in addition to the CSRF token.
+      config_accessor :forgery_protection_origin_check
+      self.forgery_protection_origin_check = false
+
+      # Controls whether form-action/method specific CSRF tokens are used.
+      config_accessor :per_form_csrf_tokens
+      self.per_form_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -86,13 +98,21 @@ module ActionController #:nodoc:
       #
       #   class FooController < ApplicationController
       #     protect_from_forgery except: :index
+      #   end
+      #
+      # You can disable forgery protection on controller by skipping the verification before_action:
       #
-      # You can disable CSRF protection on controller by skipping the verification before_action:
       #   skip_before_action :verify_authenticity_token
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Passed to the <tt>before_action</tt> call. Set which actions are verified.
+      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
+      # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
+      #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
+      #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
+      #
+      #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
       # Valid unverified request handling methods are:
@@ -100,9 +120,11 @@ module ActionController #:nodoc:
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
       def protect_from_forgery(options = {})
+        options = options.reverse_merge(prepend: false)
+
         self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
-        prepend_before_action :verify_authenticity_token, options
+        before_action :verify_authenticity_token, options
         append_after_action :verify_same_origin_request
       end
 
@@ -124,17 +146,17 @@ module ActionController #:nodoc:
         # This is the method that defines the application behavior when a request is found to be unverified.
         def handle_unverified_request
           request = @controller.request
-          request.session = NullSessionHash.new(request.env)
-          request.env['action_dispatch.request.flash_hash'] = nil
-          request.env['rack.session.options'] = { skip: true }
-          request.env['action_dispatch.cookies'] = NullCookieJar.build(request)
+          request.session = NullSessionHash.new(request)
+          request.flash = nil
+          request.session_options = { skip: true }
+          request.cookie_jar = NullCookieJar.build(request, {})
         end
 
         protected
 
         class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
-          def initialize(env)
-            super(nil, env)
+          def initialize(req)
+            super(nil, req)
             @data = {}
             @loaded = true
           end
@@ -148,14 +170,6 @@ module ActionController #:nodoc:
         end
 
         class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
-          def self.build(request)
-            key_generator = request.env[ActionDispatch::Cookies::GENERATOR_KEY]
-            host          = request.host
-            secure        = request.ssl?
-
-            new(key_generator, host, secure, options_for_env({}))
-          end
-
           def write(*)
             # nothing
           end
@@ -199,7 +213,7 @@ module ActionController #:nodoc:
 
         if !verified_request?
           if logger && log_warning_on_csrf_failure
-            logger.warn "Can't verify CSRF token authenticity"
+            logger.warn "Can't verify CSRF token authenticity."
           end
           handle_unverified_request
         end
@@ -246,26 +260,46 @@ module ActionController #:nodoc:
 
       # Returns true or false if a request is verified. Checks:
       #
-      # * is it a GET or HEAD request?  Gets should be safe and idempotent
+      # * Is it a GET or HEAD request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       # * Does the X-CSRF-Token header match the form_authenticity_token
       def verified_request?
         !protect_against_forgery? || request.get? || request.head? ||
-          valid_authenticity_token?(session, form_authenticity_param) ||
-          valid_authenticity_token?(session, request.headers['X-CSRF-Token'])
+          (valid_request_origin? && any_authenticity_token_valid?)
+      end
+
+      # Checks if any of the authenticity tokens from the request are valid.
+      def any_authenticity_token_valid?
+        request_authenticity_tokens.any? do |token|
+          valid_authenticity_token?(session, token)
+        end
+      end
+
+      # Possible authenticity tokens sent in the request.
+      def request_authenticity_tokens
+        [form_authenticity_param, request.x_csrf_token]
       end
 
       # Sets the token value for the current session.
-      def form_authenticity_token
-        masked_authenticity_token(session)
+      def form_authenticity_token(form_options: {})
+        masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session)
+      def masked_authenticity_token(session, form_options: {})
+        action, method = form_options.values_at(:action, :method)
+
+        raw_token = if per_form_csrf_tokens && action && method
+          action_path = normalize_action_path(action)
+          per_form_csrf_token(session, action_path, method)
+        else
+          real_csrf_token(session)
+        end
+
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, real_csrf_token(session))
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
         Base64.strict_encode64(masked_token)
       end
@@ -295,30 +329,58 @@ module ActionController #:nodoc:
           compare_with_real_token masked_token, session
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
-          # Split the token into the one-time pad and the encrypted
-          # value and decrypt it
-          one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
-          encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
-          csrf_token = xor_byte_strings(one_time_pad, encrypted_csrf_token)
-
-          compare_with_real_token csrf_token, session
+          csrf_token = unmask_token(masked_token)
 
+          compare_with_real_token(csrf_token, session) ||
+            valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed
         end
       end
 
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
+        encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
+        xor_byte_strings(one_time_pad, encrypted_csrf_token)
+      end
+
       def compare_with_real_token(token, session)
         ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
       end
 
+      def valid_per_form_csrf_token?(token, session)
+        if per_form_csrf_tokens
+          correct_token = per_form_csrf_token(
+            session,
+            normalize_action_path(request.fullpath),
+            request.request_method
+          )
+
+          ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+        else
+          false
+        end
+      end
+
       def real_csrf_token(session)
         session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         Base64.strict_decode64(session[:_csrf_token])
       end
 
+      def per_form_csrf_token(session, action_path, method)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_csrf_token(session),
+          [action_path, method.downcase].join("#")
+        )
+      end
+
       def xor_byte_strings(s1, s2)
-        s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        s2_bytes = s2.bytes
+        s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
+        s2_bytes.pack('C*')
       end
 
       # The form's authenticity parameter. Override to provide your own.
@@ -330,5 +392,21 @@ module ActionController #:nodoc:
       def protect_against_forgery?
         allow_forgery_protection
       end
+
+      # Checks if the request originated from the same origin by looking at the
+      # Origin header.
+      def valid_request_origin?
+        if forgery_protection_origin_check
+          # We accept blank origin headers because some user agents don't send it.
+          request.origin.nil? || request.origin == request.base_url
+        else
+          true
+        end
+      end
+
+      def normalize_action_path(action_path)
+        uri = URI.parse(action_path)
+        uri.path.chomp('/')
+      end
   end
 end

data/lib/action_controller/metal/rescue.rb

@@ -1,20 +1,11 @@
 module ActionController #:nodoc:
-  # This module is responsible to provide `rescue_from` helpers
-  # to controllers and configure when detailed exceptions must be
+  # This module is responsible for providing `rescue_from` helpers
+  # to controllers and configuring when detailed exceptions must be
   # shown.
   module Rescue
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable
 
-    def rescue_with_handler(exception)
-      if (exception.respond_to?(:original_exception) &&
-          (orig_exception = exception.original_exception) &&
-          handler_for_rescue(orig_exception))
-        exception = orig_exception
-      end
-      super(exception)
-    end
-
     # Override this method if you want to customize when detailed
     # exceptions must be shown. This method is only called when
     # consider_all_requests_local is false. By default, it returns
@@ -29,7 +20,7 @@ module ActionController #:nodoc:
         super
       rescue Exception => exception
         request.env['action_dispatch.show_detailed_exceptions'] ||= show_detailed_exceptions?
-        rescue_with_handler(exception) || raise(exception)
+        rescue_with_handler(exception) || raise
       end
   end
 end

data/lib/action_controller/metal/streaming.rb

@@ -110,9 +110,9 @@ module ActionController #:nodoc:
   # This means that, if you have <code>yield :title</code> in your layout
   # and you want to use streaming, you would have to render the whole template
   # (and eventually trigger all queries) before streaming the title and all
-  # assets, which kills the purpose of streaming. For this reason Rails 3.1
-  # introduces a new helper called +provide+ that does the same as +content_for+
-  # but tells the layout to stop searching for other entries and continue rendering.
+  # assets, which kills the purpose of streaming. For this purpose, you can use
+  # a helper called +provide+ that does the same as +content_for+ but tells the
+  # layout to stop searching for other entries and continue rendering.
   #
   # For instance, the template above using +provide+ would be:
   #
@@ -199,7 +199,7 @@ module ActionController #:nodoc:
       def _process_options(options) #:nodoc:
         super
         if options[:stream]
-          if env["HTTP_VERSION"] == "HTTP/1.0"
+          if request.version == "HTTP/1.0"
             options.delete(:stream)
           else
             headers["Cache-Control"] ||= "no-cache"