actionpack 4.2.8 → 5.2.4.2

data/lib/action_controller/metal/content_security_policy.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module ContentSecurityPolicy
+    # TODO: Documentation
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers
+    include AbstractController::Callbacks
+
+    included do
+      helper_method :content_security_policy?
+      helper_method :content_security_policy_nonce
+    end
+
+    module ClassMethods
+      def content_security_policy(enabled = true, **options, &block)
+        before_action(options) do
+          if block_given?
+            policy = current_content_security_policy
+            yield policy
+            request.content_security_policy = policy
+          end
+
+          unless enabled
+            request.content_security_policy = nil
+          end
+        end
+      end
+
+      def content_security_policy_report_only(report_only = true, **options)
+        before_action(options) do
+          request.content_security_policy_report_only = report_only
+        end
+      end
+    end
+
+    private
+
+      def content_security_policy?
+        request.content_security_policy
+      end
+
+      def content_security_policy_nonce
+        request.content_security_policy_nonce
+      end
+
+      def current_content_security_policy
+        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+      end
+  end
+end

data/lib/action_controller/metal/cookies.rb

@@ -1,11 +1,11 @@
+# frozen_string_literal: true
+
 module ActionController #:nodoc:
   module Cookies
     extend ActiveSupport::Concern
 
-    include RackDelegation
-
     included do
-      helper_method :cookies
+      helper_method :cookies if defined?(helper_method)
     end
 
     private

data/lib/action_controller/metal/data_streaming.rb

@@ -1,4 +1,6 @@
-require 'action_controller/metal/exceptions'
+# frozen_string_literal: true
+
+require "action_controller/metal/exceptions"
 
 module ActionController #:nodoc:
   # Methods for sending arbitrary data and for streaming files to the browser,
@@ -8,10 +10,10 @@ module ActionController #:nodoc:
 
     include ActionController::Rendering
 
-    DEFAULT_SEND_FILE_TYPE        = 'application/octet-stream'.freeze #:nodoc:
-    DEFAULT_SEND_FILE_DISPOSITION = 'attachment'.freeze #:nodoc:
+    DEFAULT_SEND_FILE_TYPE        = "application/octet-stream".freeze #:nodoc:
+    DEFAULT_SEND_FILE_DISPOSITION = "attachment".freeze #:nodoc:
 
-    protected
+    private
       # Sends the file. This uses a server-appropriate method (such as X-Sendfile)
       # via the Rack::Sendfile middleware. The header to use is set via
       # +config.action_dispatch.x_sendfile_header+.
@@ -25,14 +27,13 @@ module ActionController #:nodoc:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
       #   Defaults to <tt>File.basename(path)</tt>.
       # * <tt>:type</tt> - specifies an HTTP content type.
-      #   You can specify either a string or a symbol for a registered type register with
-      #   <tt>Mime::Type.register</tt>, for example :json
-      #   If omitted, type will be guessed from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, default type 'application/octet-stream' will be used.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
-      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser guess the filename from
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
       #   the URL, which is necessary for i18n filenames on certain browsers
       #   (setting <tt>:filename</tt> overrides this option).
       #
@@ -55,58 +56,38 @@ module ActionController #:nodoc:
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description) in
-      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
       #
       # Also be aware that the document may be cached by proxies and browsers.
       # The Pragma and Cache-Control headers declare how the file may be cached
       # by intermediaries. They default to require clients to validate with
       # the server before releasing cached responses. See
-      # http://www.mnot.net/cache_docs/ for an overview of web caching and
-      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+      # https://www.mnot.net/cache_docs/ for an overview of web caching and
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
       # for the Cache-Control header spec.
       def send_file(path, options = {}) #:doc:
-        raise MissingFile, "Cannot read file #{path}" unless File.file?(path) and File.readable?(path)
+        raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
 
         options[:filename] ||= File.basename(path) unless options[:url_based_filename]
         send_file_headers! options
 
         self.status = options[:status] || 200
         self.content_type = options[:content_type] if options.key?(:content_type)
-        self.response_body = FileBody.new(path)
-      end
-
-      # Avoid having to pass an open file handle as the response body.
-      # Rack::Sendfile will usually intercept the response and uses
-      # the path directly, so there is no reason to open the file.
-      class FileBody #:nodoc:
-        attr_reader :to_path
-
-        def initialize(path)
-          @to_path = path
-        end
-
-        # Stream the file's contents if Rack::Sendfile isn't present.
-        def each
-          File.open(to_path, 'rb') do |file|
-            while chunk = file.read(16384)
-              yield chunk
-            end
-          end
-        end
+        response.send_file path
       end
 
       # Sends the given binary data to the browser. This method is similar to
       # <tt>render plain: data</tt>, but also allows you to specify whether
       # the browser should display the response as a file attachment (i.e. in a
       # download dialog) or as inline data. You may also set the content type,
-      # the apparent file name, and other things.
+      # the file name, and other things.
       #
       # Options:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
-      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
-      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
-      #   If omitted, type will be guessed from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, default type 'application/octet-stream' will be used.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
@@ -126,14 +107,16 @@ module ActionController #:nodoc:
       # See +send_file+ for more information on HTTP Content-* headers and caching.
       def send_data(data, options = {}) #:doc:
         send_file_headers! options
-        render options.slice(:status, :content_type).merge(:text => data)
+        render options.slice(:status, :content_type).merge(body: data)
       end
 
-    private
       def send_file_headers!(options)
         type_provided = options.has_key?(:type)
 
         content_type = options.fetch(:type, DEFAULT_SEND_FILE_TYPE)
+        self.content_type = content_type
+        response.sending_file = true
+
         raise ArgumentError, ":type option required" if content_type.nil?
 
         if content_type.is_a?(Symbol)
@@ -143,7 +126,7 @@ module ActionController #:nodoc:
         else
           if !type_provided && options[:filename]
             # If type wasn't provided, try guessing from file extension.
-            content_type = Mime::Type.lookup_by_extension(File.extname(options[:filename]).downcase.delete('.')) || content_type
+            content_type = Mime::Type.lookup_by_extension(File.extname(options[:filename]).downcase.delete(".")) || content_type
           end
           self.content_type = content_type
         end
@@ -152,12 +135,10 @@ module ActionController #:nodoc:
         unless disposition.nil?
           disposition  = disposition.to_s
           disposition += %(; filename="#{options[:filename]}") if options[:filename]
-          headers['Content-Disposition'] = disposition
+          headers["Content-Disposition"] = disposition
         end
 
-        headers['Content-Transfer-Encoding'] = 'binary'
-
-        response.sending_file = true
+        headers["Content-Transfer-Encoding"] = "binary"
 
         # Fix a problem with IE 6.0 on opening downloaded files:
         # If Cache-Control: no-cache is set (which Rails does by default),

data/lib/action_controller/metal/etag_with_flash.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module ActionController
+  # When you're using the flash, it's generally used as a conditional on the view.
+  # This means the content of the view depends on the flash. Which in turn means
+  # that the ETag for a response should be computed with the content of the flash
+  # in mind. This does that by including the content of the flash as a component
+  # in the ETag that's generated for a response.
+  module EtagWithFlash
+    extend ActiveSupport::Concern
+
+    include ActionController::ConditionalGet
+
+    included do
+      etag { flash unless flash.empty? }
+    end
+  end
+end

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # When our views change, they should bubble up into HTTP cache freshness
   # and bust browser caches. So the template digest for the current action
@@ -22,10 +24,9 @@ module ActionController
     include ActionController::ConditionalGet
 
     included do
-      class_attribute :etag_with_template_digest
-      self.etag_with_template_digest = true
+      class_attribute :etag_with_template_digest, default: true
 
-      ActiveSupport.on_load :action_view, yield: true do |action_view_base|
+      ActiveSupport.on_load :action_view, yield: true do
         etag do |options|
           determine_template_etag(options) if etag_with_template_digest
         end
@@ -33,18 +34,24 @@ module ActionController
     end
 
     private
-    def determine_template_etag(options)
-      if template = pick_template_for_etag(options)
-        lookup_and_digest_template(template)
+      def determine_template_etag(options)
+        if template = pick_template_for_etag(options)
+          lookup_and_digest_template(template)
+        end
       end
-    end
 
-    def pick_template_for_etag(options)
-      options.fetch(:template) { "#{controller_name}/#{action_name}" }
-    end
+      # Pick the template digest to include in the ETag. If the +:template+ option
+      # is present, use the named template. If +:template+ is +nil+ or absent, use
+      # the default controller/action template. If +:template+ is false, omit the
+      # template digest from the ETag.
+      def pick_template_for_etag(options)
+        unless options[:template] == false
+          options[:template] || "#{controller_path}/#{action_name}"
+        end
+      end
 
-    def lookup_and_digest_template(template)
-      ActionView::Digestor.digest name: template, finder: lookup_context
-    end
+      def lookup_and_digest_template(template)
+        ActionView::Digestor.digest name: template, finder: lookup_context
+      end
   end
 end

data/lib/action_controller/metal/exceptions.rb

@@ -1,16 +1,13 @@
+# frozen_string_literal: true
+
 module ActionController
   class ActionControllerError < StandardError #:nodoc:
   end
 
   class BadRequest < ActionControllerError #:nodoc:
-    attr_reader :original_exception
-
-    def initialize(type = nil, e = nil)
-      return super() unless type && e
-
-      super("Invalid #{type} parameters: #{e.message}")
-      @original_exception = e
-      set_backtrace e.backtrace
+    def initialize(msg = nil)
+      super(msg)
+      set_backtrace $!.backtrace if $!
     end
   end
 
@@ -19,7 +16,7 @@ module ActionController
 
   class RoutingError < ActionControllerError #:nodoc:
     attr_reader :failures
-    def initialize(message, failures=[])
+    def initialize(message, failures = [])
       super(message)
       @failures = failures
     end
@@ -30,21 +27,18 @@ module ActionController
 
   class MethodNotAllowed < ActionControllerError #:nodoc:
     def initialize(*allowed_methods)
-      super("Only #{allowed_methods.to_sentence(:locale => :en)} requests are allowed.")
+      super("Only #{allowed_methods.to_sentence(locale: :en)} requests are allowed.")
     end
   end
 
   class NotImplemented < MethodNotAllowed #:nodoc:
   end
 
-  class UnknownController < ActionControllerError #:nodoc:
-  end
-
   class MissingFile < ActionControllerError #:nodoc:
   end
 
   class SessionOverflowError < ActionControllerError #:nodoc:
-    DEFAULT_MESSAGE = 'Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data.'
+    DEFAULT_MESSAGE = "Your session data is larger than the data column in which it is to be stored. You must increase the size of your data column if you intend to store large data."
 
     def initialize(message = nil)
       super(message || DEFAULT_MESSAGE)

data/lib/action_controller/metal/flash.rb

@@ -1,10 +1,11 @@
+# frozen_string_literal: true
+
 module ActionController #:nodoc:
   module Flash
     extend ActiveSupport::Concern
 
     included do
-      class_attribute :_flash_types, instance_accessor: false
-      self._flash_types = []
+      class_attribute :_flash_types, instance_accessor: false, default: []
 
       delegate :flash, to: :request
       add_flash_types(:alert, :notice)
@@ -42,7 +43,7 @@ module ActionController #:nodoc:
       end
     end
 
-    protected
+    private
       def redirect_to(options = {}, response_status_and_flash = {}) #:doc:
         self.class._flash_types.each do |flash_type|
           if type = response_status_and_flash.delete(flash_type)

data/lib/action_controller/metal/force_ssl.rb

@@ -1,18 +1,20 @@
-require 'active_support/core_ext/hash/except'
-require 'active_support/core_ext/hash/slice'
+# frozen_string_literal: true
+
+require "active_support/core_ext/hash/except"
+require "active_support/core_ext/hash/slice"
 
 module ActionController
-  # This module provides a method which will redirect browser to use HTTPS
-  # protocol. This will ensure that user's sensitive information will be
-  # transferred safely over the internet. You _should_ always force browser
+  # This module provides a method which will redirect the browser to use the secured HTTPS
+  # protocol. This will ensure that users' sensitive information will be
+  # transferred safely over the internet. You _should_ always force the browser
   # to use HTTPS when you're transferring sensitive information such as
   # user authentication, account information, or credit card information.
   #
   # Note that if you are really concerned about your application security,
   # you might consider using +config.force_ssl+ in your config file instead.
-  # That will ensure all the data transferred via HTTPS protocol and prevent
-  # user from getting session hijacked when accessing the site under unsecured
-  # HTTP protocol.
+  # That will ensure all the data is transferred via HTTPS, and will
+  # prevent the user from getting their session hijacked when accessing the
+  # site over unsecured HTTP protocol.
   module ForceSSL
     extend ActiveSupport::Concern
     include AbstractController::Callbacks
@@ -23,7 +25,7 @@ module ActionController
 
     module ClassMethods
       # Force the request to this particular controller or specified actions to be
-      # under HTTPS protocol.
+      # through the HTTPS protocol.
       #
       # If you need to disable this for any reason (e.g. development) then you can use
       # an +:if+ or +:unless+ condition.
@@ -37,7 +39,7 @@ module ActionController
       #     end
       #
       # ==== URL Options
-      # You can pass any of the following options to affect the redirect url
+      # You can pass any of the following options to affect the redirect URL
       # * <tt>host</tt>       - Redirect to a different host name
       # * <tt>subdomain</tt>  - Redirect to a different subdomain
       # * <tt>domain</tt>     - Redirect to a different domain
@@ -55,10 +57,10 @@ module ActionController
       # You can pass any of the following options to affect the before_action callback
       # * <tt>only</tt>       - The callback should be run only for this action
       # * <tt>except</tt>     - The callback should be run for all actions except this action
-      # * <tt>if</tt>         - A symbol naming an instance method or a proc; the callback
-      #                         will be called only when it returns a true value.
-      # * <tt>unless</tt>     - A symbol naming an instance method or a proc; the callback
-      #                         will be called only when it returns a false value.
+      # * <tt>if</tt>         - A symbol naming an instance method or a proc; the
+      #   callback will be called only when it returns a true value.
+      # * <tt>unless</tt>     - A symbol naming an instance method or a proc; the
+      #   callback will be called only when it returns a false value.
       def force_ssl(options = {})
         action_options = options.slice(*ACTION_OPTIONS)
         redirect_options = options.except(*ACTION_OPTIONS)
@@ -71,15 +73,15 @@ module ActionController
     # Redirect the existing request to use the HTTPS protocol.
     #
     # ==== Parameters
-    # * <tt>host_or_options</tt> - Either a host name or any of the url & redirect options
-    #                              available to the <tt>force_ssl</tt> method.
+    # * <tt>host_or_options</tt> - Either a host name or any of the URL and
+    #   redirect options available to the <tt>force_ssl</tt> method.
     def force_ssl_redirect(host_or_options = nil)
       unless request.ssl?
         options = {
-          :protocol => 'https://',
-          :host     => request.host,
-          :path     => request.fullpath,
-          :status   => :moved_permanently
+          protocol: "https://",
+          host: request.host,
+          path: request.fullpath,
+          status: :moved_permanently
         }
 
         if host_or_options.is_a?(Hash)
@@ -89,7 +91,7 @@ module ActionController
         end
 
         secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS))
-        flash.keep if respond_to?(:flash)
+        flash.keep if respond_to?(:flash) && request.respond_to?(:flash)
         redirect_to secure_url, options.slice(*REDIRECT_OPTIONS)
       end
     end