actionpack 5.0.0.beta1.1 → 5.0.0.beta2

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -81,6 +81,10 @@ module ActionController #:nodoc:
       config_accessor :forgery_protection_origin_check
       self.forgery_protection_origin_check = false
 
+      # Controls whether form-action/method specific CSRF tokens are used.
+      config_accessor :per_form_csrf_tokens
+      self.per_form_csrf_tokens = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -277,16 +281,25 @@ module ActionController #:nodoc:
       end
 
       # Sets the token value for the current session.
-      def form_authenticity_token
-        masked_authenticity_token(session)
+      def form_authenticity_token(form_options: {})
+        masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session)
+      def masked_authenticity_token(session, form_options: {})
+        action, method = form_options.values_at(:action, :method)
+
+        raw_token = if per_form_csrf_tokens && action && method
+          action_path = normalize_action_path(action)
+          per_form_csrf_token(session, action_path, method)
+        else
+          real_csrf_token(session)
+        end
+
         one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, real_csrf_token(session))
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
         masked_token = one_time_pad + encrypted_csrf_token
         Base64.strict_encode64(masked_token)
       end
@@ -316,28 +329,54 @@ module ActionController #:nodoc:
           compare_with_real_token masked_token, session
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
-          # Split the token into the one-time pad and the encrypted
-          # value and decrypt it
-          one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
-          encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
-          csrf_token = xor_byte_strings(one_time_pad, encrypted_csrf_token)
-
-          compare_with_real_token csrf_token, session
+          csrf_token = unmask_token(masked_token)
 
+          compare_with_real_token(csrf_token, session) ||
+            valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed
         end
       end
 
+      def unmask_token(masked_token)
+        # Split the token into the one-time pad and the encrypted
+        # value and decrypt it
+        one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
+        encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
+        xor_byte_strings(one_time_pad, encrypted_csrf_token)
+      end
+
       def compare_with_real_token(token, session)
         ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
       end
 
+      def valid_per_form_csrf_token?(token, session)
+        if per_form_csrf_tokens
+          correct_token = per_form_csrf_token(
+            session,
+            normalize_action_path(request.fullpath),
+            request.request_method
+          )
+
+          ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+        else
+          false
+        end
+      end
+
       def real_csrf_token(session)
         session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         Base64.strict_decode64(session[:_csrf_token])
       end
 
+      def per_form_csrf_token(session, action_path, method)
+        OpenSSL::HMAC.digest(
+          OpenSSL::Digest::SHA256.new,
+          real_csrf_token(session),
+          [action_path, method.downcase].join("#")
+        )
+      end
+
       def xor_byte_strings(s1, s2)
         s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
       end
@@ -362,5 +401,9 @@ module ActionController #:nodoc:
           true
         end
       end
+
+      def normalize_action_path(action_path)
+        action_path.split('?').first.to_s.chomp('/')
+      end
   end
 end

data/lib/action_controller/metal/strong_parameters.rb

@@ -109,7 +109,8 @@ module ActionController
     cattr_accessor :permit_all_parameters, instance_accessor: false
     cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
 
-    delegate :keys, :key?, :has_key?, :empty?, :inspect, to: :@parameters
+    delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?, :inspect,
+      :as_json, to: :@parameters
 
     # By default, never raise an UnpermittedParameters exception if these
     # params are present. The default includes both 'controller' and 'action'
@@ -159,7 +160,11 @@ module ActionController
       if other_hash.respond_to?(:permitted?)
         super
       else
-        @parameters == other_hash
+        if other_hash.is_a?(Hash)
+          @parameters == other_hash.with_indifferent_access
+        else
+          @parameters == other_hash
+        end
       end
     end
 
@@ -176,7 +181,7 @@ module ActionController
     #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
     def to_h
       if permitted?
-        convert_parameters_to_hashes(@parameters)
+        convert_parameters_to_hashes(@parameters, :to_h)
       else
         slice(*self.class.always_permitted_parameters).permit!.to_h
       end
@@ -186,7 +191,7 @@ module ActionController
     # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of this
     # parameter.
     def to_unsafe_h
-      convert_parameters_to_hashes(@parameters)
+      convert_parameters_to_hashes(@parameters, :to_unsafe_h)
     end
     alias_method :to_unsafe_hash, :to_unsafe_h
 
@@ -419,7 +424,7 @@ module ActionController
     #   params.fetch(:none)                 # => ActionController::ParameterMissing: param is missing or the value is empty: none
     #   params.fetch(:none, 'Francesco')    # => "Francesco"
     #   params.fetch(:none) { 'Francesco' } # => "Francesco"
-    def fetch(key, *args, &block)
+    def fetch(key, *args)
       convert_value_to_parameters(
         @parameters.fetch(key) {
           if block_given?
@@ -514,7 +519,7 @@ module ActionController
     # to key. If the key is not found, returns the default value. If the
     # optional code block is given and the key is not found, pass in the key
     # and return the result of block.
-    def delete(key, &block)
+    def delete(key)
       convert_value_to_parameters(@parameters.delete(key))
     end
 
@@ -579,6 +584,24 @@ module ActionController
       dup
     end
 
+    def method_missing(method_sym, *args, &block)
+      if @parameters.respond_to?(method_sym)
+        message = <<-DEPRECATE.squish
+          Method #{method_sym} is deprecated and will be removed in Rails 5.1,
+          as `ActionController::Parameters` no longer inherits from
+          hash. Using this deprecated behavior exposes potential security
+          problems. If you continue to use this method you may be creating
+          a security vulnerability in your app that can be exploited. Instead,
+          consider using one of these documented methods which are not
+          deprecated: http://api.rubyonrails.org/v#{ActionPack.version}/classes/ActionController/Parameters.html
+        DEPRECATE
+        ActiveSupport::Deprecation.warn(message)
+        @parameters.public_send(method_sym, *args, &block)
+      else
+        super
+      end
+    end
+
     protected
       def permitted=(new_permitted)
         @permitted = new_permitted
@@ -595,16 +618,16 @@ module ActionController
         end
       end
 
-      def convert_parameters_to_hashes(value)
+      def convert_parameters_to_hashes(value, using)
         case value
         when Array
-          value.map { |v| convert_parameters_to_hashes(v) }
+          value.map { |v| convert_parameters_to_hashes(v, using) }
         when Hash
           value.transform_values do |v|
-            convert_parameters_to_hashes(v)
+            convert_parameters_to_hashes(v, using)
           end.with_indifferent_access
         when Parameters
-          value.to_h
+          value.send(using)
         else
           value
         end

data/lib/action_controller/test_case.rb

@@ -8,6 +8,10 @@ require 'rails-dom-testing'
 
 module ActionController
   # :stopdoc:
+  class Metal
+    include Testing::Functional
+  end
+
   # ActionController::TestCase will be deprecated and moved to a gem in Rails 5.1.
   # Please use ActionDispatch::IntegrationTest going forward.
   class TestRequest < ActionDispatch::TestRequest #:nodoc:
@@ -455,16 +459,16 @@ module ActionController
             parameters = nil
           end
 
-          if parameters.present? || session.present? || flash.present?
+          if parameters || session || flash
             non_kwarg_request_warning
           end
         end
 
-        if body.present?
+        if body
           @request.set_header 'RAW_POST_DATA', body
         end
 
-        if http_method.present?
+        if http_method
           http_method = http_method.to_s.upcase
         else
           http_method = "GET"
@@ -472,16 +476,12 @@ module ActionController
 
         parameters ||= {}
 
-        if format.present?
+        if format
           parameters[:format] = format
         end
 
         @html_document = nil
 
-        unless @controller.respond_to?(:recycle!)
-          @controller.extend(Testing::Functional)
-        end
-
         self.cookies.update @request.cookies
         self.cookies.update_cookies_from_jar
         @request.set_header 'HTTP_COOKIE', cookies.to_header

data/lib/action_dispatch.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2015 David Heinemeier Hansson
+# Copyright (c) 2004-2016 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -95,6 +95,7 @@ module ActionDispatch
     autoload :TestProcess
     autoload :TestRequest
     autoload :TestResponse
+    autoload :AssertionResponse
   end
 end
 

data/lib/action_dispatch/http/cache.rb

@@ -80,9 +80,17 @@ module ActionDispatch
           set_header DATE, utc_time.httpdate
         end
 
+        # This method allows you to set the ETag for cached content, which
+        # will be returned to the end user.
+        #
+        # By default, Action Dispatch sets all ETags to be weak.
+        # This ensures that if the content changes only semantically,
+        # the whole page doesn't have to be regenerated from scratch
+        # by the web server. With strong ETags, pages are compared
+        # byte by byte, and are regenerated only if they are not exactly equal.
         def etag=(etag)
           key = ActiveSupport::Cache.expand_cache_key(etag)
-          super %("#{Digest::MD5.hexdigest(key)}")
+          super %(W/"#{Digest::MD5.hexdigest(key)}")
         end
 
         def etag?; etag; end
@@ -91,7 +99,7 @@ module ActionDispatch
 
         DATE          = 'Date'.freeze
         LAST_MODIFIED = "Last-Modified".freeze
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
 
         def cache_control_segments
           if cache_control = _cache_control

data/lib/action_dispatch/http/headers.rb

@@ -2,9 +2,23 @@ module ActionDispatch
   module Http
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain" }
+    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
     #   headers = ActionDispatch::Http::Headers.new(env)
     #   headers["Content-Type"] # => "text/plain"
+    #   headers["User-Agent"] # => "curl/7/43/0"
+    #
+    # Also note that when headers are mapped to CGI-like variables by the Rack
+    # server, both dashes and underscores are converted to underscores. This
+    # ambiguity cannot be resolved at this stage anymore. Both underscores and
+    # dashes have to be interpreted as if they were originally sent as dashes.
+    #
+    #   # GET / HTTP/1.1
+    #   # ...
+    #   # User-Agent: curl/7.43.0
+    #   # X_Custom_Header: token
+    #
+    #   headers["X_Custom_Header"] # => nil
+    #   headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -67,10 +67,10 @@ module ActionDispatch
 
           v = if params_readable
             Array(Mime[parameters[:format]])
-          elsif format = format_from_path_extension
-            Array(Mime[format])
           elsif use_accept_header && valid_accept_header
             accepts
+          elsif extension_format = format_from_path_extension
+            [extension_format]
           elsif xhr?
             [Mime[:js]]
           else
@@ -166,7 +166,7 @@ module ActionDispatch
       def format_from_path_extension
         path = @env['action_dispatch.original_path'] || @env['PATH_INFO']
         if match = path && path.match(/\.(\w+)\z/)
-          match.captures.first
+          Mime[match.captures.first]
         end
       end
     end

data/lib/action_dispatch/http/mime_type.rb

@@ -1,3 +1,5 @@
+# -*- frozen-string-literal: true -*-
+
 require 'singleton'
 require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/core_ext/string/starts_ends_with'
@@ -106,70 +108,58 @@ module Mime
         result = @index <=> item.index if result == 0
         result
       end
-
-      def ==(item)
-        @name == item.to_s
-      end
     end
 
-    class AcceptList < Array #:nodoc:
-      def assort!
-        sort!
+    class AcceptList #:nodoc:
+      def self.sort!(list)
+        list.sort!
+
+        text_xml_idx = find_item_by_name list, 'text/xml'
+        app_xml_idx = find_item_by_name list, Mime[:xml].to_s
 
         # Take care of the broken text/xml entry by renaming or deleting it
         if text_xml_idx && app_xml_idx
+          app_xml = list[app_xml_idx]
+          text_xml = list[text_xml_idx]
+
           app_xml.q = [text_xml.q, app_xml.q].max # set the q value to the max of the two
-          exchange_xml_items if app_xml_idx > text_xml_idx  # make sure app_xml is ahead of text_xml in the list
-          delete_at(text_xml_idx)                 # delete text_xml from the list
+          if app_xml_idx > text_xml_idx  # make sure app_xml is ahead of text_xml in the list
+            list[app_xml_idx], list[text_xml_idx] = text_xml, app_xml
+            app_xml_idx, text_xml_idx = text_xml_idx, app_xml_idx
+          end
+          list.delete_at(text_xml_idx)                 # delete text_xml from the list
         elsif text_xml_idx
-          text_xml.name = Mime[:xml].to_s
+          list[text_xml_idx].name = Mime[:xml].to_s
         end
 
         # Look for more specific XML-based types and sort them ahead of app/xml
         if app_xml_idx
+          app_xml = list[app_xml_idx]
           idx = app_xml_idx
 
-          while idx < length
-            type = self[idx]
+          while idx < list.length
+            type = list[idx]
             break if type.q < app_xml.q
 
             if type.name.ends_with? '+xml'
-              self[app_xml_idx], self[idx] = self[idx], app_xml
-              @app_xml_idx = idx
+              list[app_xml_idx], list[idx] = list[idx], app_xml
+              app_xml_idx = idx
             end
             idx += 1
           end
         end
 
-        map! { |i| Mime::Type.lookup(i.name) }.uniq!
-        to_a
+        list.map! { |i| Mime::Type.lookup(i.name) }.uniq!
+        list
       end
 
-      private
-        def text_xml_idx
-          @text_xml_idx ||= index('text/xml')
-        end
-
-        def app_xml_idx
-          @app_xml_idx ||= index(Mime[:xml].to_s)
-        end
-
-        def text_xml
-          self[text_xml_idx]
-        end
-
-        def app_xml
-          self[app_xml_idx]
-        end
-
-        def exchange_xml_items
-          self[app_xml_idx], self[text_xml_idx] = text_xml, app_xml
-          @app_xml_idx, @text_xml_idx = text_xml_idx, app_xml_idx
-        end
+      def self.find_item_by_name(array, name)
+        array.index { |item| item.name == name }
+      end
     end
 
     class << self
-      TRAILING_STAR_REGEXP = /(text|application)\/\*/
+      TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
 
       def register_callback(&block)
@@ -209,21 +199,22 @@ module Mime
           accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
           parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
         else
-          list, index = AcceptList.new, 0
+          list, index = [], 0
           accept_header.split(',').each do |header|
             params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
-            if params.present?
-              params.strip!
 
-              params = parse_trailing_star(params) || [params]
+            next unless params
+            params.strip!
+            next if params.empty?
+
+            params = parse_trailing_star(params) || [params]
 
-              params.each do |m|
-                list << AcceptItem.new(index, m.to_s, q)
-                index += 1
-              end
+            params.each do |m|
+              list << AcceptItem.new(index, m.to_s, q)
+              index += 1
             end
           end
-          list.assort!
+          AcceptList.sort! list
         end
       end