actionpack 5.0.0.beta1.1 → 5.0.0.beta2

data/lib/action_dispatch/http/parameters.rb

@@ -43,7 +43,7 @@ module ActionDispatch
       #
       #   {'action' => 'my_action', 'controller' => 'my_controller'}
       def path_parameters
-        get_header(PARAMETERS_KEY) || {}
+        get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
       end
 
       private

data/lib/action_dispatch/http/request.rb

@@ -259,7 +259,7 @@ module ActionDispatch
     end
 
     # Returns the IP address of client as a +String+,
-    # usually set by the RemoteIp middleware.
+    # usually set by the RemoteIp middleware.
     def remote_ip
       @remote_ip ||= (get_header("action_dispatch.remote_ip") || ip).to_s
     end

data/lib/action_dispatch/http/response.rb

@@ -232,7 +232,7 @@ module ActionDispatch # :nodoc:
     end
 
     # Sets the HTTP character set. In case of nil parameter
-    # it sets the charset to utf-8.
+    # it sets the charset to utf-8.
     #
     #   response.charset = 'utf-16' # => 'utf-16'
     #   response.charset = nil      # => 'utf-8'
@@ -412,6 +412,13 @@ module ActionDispatch # :nodoc:
     end
 
     def before_sending
+      # Normally we've already committed by now, but it's possible
+      # (e.g., if the controller action tries to read back its own
+      # response) to get here before that. In that case, we must force
+      # an "early" commit: we're about to freeze the headers, so this is
+      # our last chance.
+      commit! unless committed?
+
       headers.freeze
       request.commit_cookie_jar! unless committed?
     end

data/lib/action_dispatch/journey/path/pattern.rb

@@ -124,7 +124,7 @@ module ActionDispatch
           end
 
           def captures
-            (length - 1).times.map { |i| self[i + 1] }
+            Array.new(length - 1) { |i| self[i + 1] }
           end
 
           def [](x)

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,19 +1,23 @@
 module ActionDispatch
-  # This middleware is added to the stack when `config.force_ssl = true`.
-  # It does three jobs to enforce secure HTTP requests:
+  # This middleware is added to the stack when `config.force_ssl = true`, and is passed
+  # the options set in `config.ssl_options`. It does three jobs to enforce secure HTTP
+  # requests:
   #
-  #   1. TLS redirect. http:// requests are permanently redirected to https://
-  #      with the same URL host, path, etc. Pass `:host` and/or `:port` to
-  #      modify the destination URL. This is always enabled.
+  #   1. TLS redirect: Permanently redirects http:// requests to https://
+  #      with the same URL host, path, etc. Enabled by default. Set `config.ssl_options`
+  #      to modify the destination URL
+  #      (e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
+  #      `redirect: false` to disable this feature.
   #
-  #   2. Secure cookies. Sets the `secure` flag on cookies to tell browsers they
-  #      mustn't be sent along with http:// requests. This is always enabled.
+  #   2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
+  #      mustn't be sent along with http:// requests. Enabled by default. Set
+  #      `config.ssl_options` with `secure_cookies: false` to disable this feature.
   #
-  #   3. HTTP Strict Transport Security (HSTS). Tells the browser to remember
+  #   3. HTTP Strict Transport Security (HSTS): Tells the browser to remember
   #      this site as TLS-only and automatically redirect non-TLS requests.
-  #      Enabled by default. Pass `hsts: false` to disable.
+  #      Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.
   #
-  # Configure HSTS with `hsts: { … }`:
+  # Set `config.ssl_options` with `hsts: { … }` to configure HSTS:
   #   * `expires`: How long, in seconds, these settings will stick. Defaults to
   #     `180.days` (recommended). The minimum required to qualify for browser
   #     preload lists is `18.weeks`.
@@ -26,10 +30,10 @@ module ActionDispatch
   #     gap, browser vendors include a baked-in list of HSTS-enabled sites.
   #     Go to https://hstspreload.appspot.com to submit your site for inclusion.
   #
-  # Disabling HSTS: To turn off HSTS, omitting the header is not enough.
-  # Browsers will remember the original HSTS directive until it expires.
-  # Instead, use the header to tell browsers to expire HSTS immediately.
-  # Setting `hsts: false` is a shortcut for `hsts: { expires: 0 }`.
+  # To turn off HSTS, omitting the header is not enough. Browsers will remember the
+  # original HSTS directive until it expires. Instead, use the header to tell browsers to
+  # expire HSTS immediately. Setting `hsts: false` is a shortcut for
+  # `hsts: { expires: 0 }`.
   class SSL
     # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
     # and greater than the 18-week requirement for browser preload lists.
@@ -39,7 +43,7 @@ module ActionDispatch
       { expires: HSTS_EXPIRES_IN, subdomains: false, preload: false }
     end
 
-    def initialize(app, redirect: {}, hsts: {}, **options)
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, **options)
       @app = app
 
       if options[:host] || options[:port]
@@ -52,6 +56,7 @@ module ActionDispatch
         @redirect = redirect
       end
 
+      @secure_cookies = secure_cookies
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
@@ -61,10 +66,11 @@ module ActionDispatch
       if request.ssl?
         @app.call(env).tap do |status, headers, body|
           set_hsts_header! headers
-          flag_cookies_as_secure! headers
+          flag_cookies_as_secure! headers if @secure_cookies
         end
       else
-        redirect_to_https request
+        return redirect_to_https request if @redirect
+        @app.call(env)
       end
     end
 

data/lib/action_dispatch/middleware/stack.rb

@@ -14,6 +14,15 @@ module ActionDispatch
 
       def name; klass.name; end
 
+      def ==(middleware)
+        case middleware
+        when Middleware
+          klass == middleware.klass
+        when Class
+          klass == middleware
+        end
+      end
+
       def inspect
         if klass.is_a?(Class)
           klass.to_s

data/lib/action_dispatch/middleware/static.rb

@@ -27,7 +27,7 @@ module ActionDispatch
     # in the server's `public/` directory (see Static#call).
     def match?(path)
       path = ::Rack::Utils.unescape_path path
-      return false unless path.valid_encoding?
+      return false unless valid_path?(path)
       path = Rack::Utils.clean_path_info path
 
       paths = [path, "#{path}#{ext}", "#{path}/#{@index}#{ext}"]
@@ -94,6 +94,10 @@ module ActionDispatch
           false
         end
       end
+
+      def valid_path?(path)
+        path.valid_encoding? && !path.include?("\0")
+      end
   end
 
   # This middleware will attempt to return the contents of a file's body from

data/lib/action_dispatch/request/session.rb

@@ -109,7 +109,7 @@ module ActionDispatch
         @delegate.values
       end
 
-      # Writes given value to given key of the session.
+      # Writes given value to given key of the session.
       def []=(key, value)
         load_for_write!
         @delegate[key.to_s] = value
@@ -148,8 +148,8 @@ module ActionDispatch
         @delegate.delete key.to_s
       end
 
-      # Returns value of given key from the session, or raises +KeyError+
-      # if can't find given key in case of not setted dafault value.
+      # Returns value of the given key from the session, or raises +KeyError+
+      # if can't find the given key and no default value is set.
       # Returns default value if specified.
       #
       #   session.fetch(:foo)

data/lib/action_dispatch/routing.rb

@@ -239,7 +239,8 @@ module ActionDispatch
   #
   #   rails routes
   #
-  # Target specific controllers by prefixing the command with <tt>CONTROLLER=x</tt>.
+  # Target specific controllers by prefixing the command with <tt>--controller</tt> option
+  # - or its <tt>-c</tt> shorthand.
   #
   module Routing
     extend ActiveSupport::Autoload

data/lib/action_dispatch/routing/inspector.rb

@@ -60,12 +60,10 @@ module ActionDispatch
       end
 
       def format(formatter, filter = nil)
-        routes_to_display = filter_routes(filter)
-
+        routes_to_display = filter_routes(normalize_filter(filter))
         routes = collect_routes(routes_to_display)
-
         if routes.none?
-          formatter.no_routes
+          formatter.no_routes(collect_routes(@routes))
           return formatter.result
         end
 
@@ -82,9 +80,19 @@ module ActionDispatch
 
       private
 
+      def normalize_filter(filter)
+        if filter.is_a?(Hash) && filter[:controller]
+          { controller: /#{filter[:controller].downcase.sub(/_?controller\z/, '').sub('::', '/')}/ }
+        elsif filter
+          { controller: /#{filter}/, action: /#{filter}/ }
+        end
+      end
+
       def filter_routes(filter)
         if filter
-          @routes.select { |route| route.defaults[:controller] == filter }
+          @routes.select do |route|
+            filter.any? { |default, value| route.defaults[default] =~ value }
+          end
         else
           @routes
         end
@@ -136,14 +144,18 @@ module ActionDispatch
         @buffer << draw_header(routes)
       end
 
-      def no_routes
-        @buffer << <<-MESSAGE.strip_heredoc
+      def no_routes(routes)
+        @buffer <<
+        if routes.none?
+          <<-MESSAGE.strip_heredoc
           You don't have any routes defined!
 
           Please add some routes in config/routes.rb.
-
-          For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html.
           MESSAGE
+        else
+          "No routes were found for this controller"
+        end
+        @buffer << "For more information about routes, see the Rails guide: http://guides.rubyonrails.org/routing.html."
       end
 
       private
@@ -187,7 +199,7 @@ module ActionDispatch
       def header(routes)
       end
 
-      def no_routes
+      def no_routes(*)
         @buffer << <<-MESSAGE.strip_heredoc
           <p>You don't have any routes defined!</p>
           <ul>

data/lib/action_dispatch/routing/mapper.rb

@@ -184,26 +184,32 @@ module ActionDispatch
         def build_path(ast, requirements, anchor)
           pattern = Journey::Path::Pattern.new(ast, requirements, JOINED_SEPARATORS, anchor)
 
-          # Get all the symbol nodes followed by literals that are not the
-          # dummy node.
-          symbols = ast.find_all { |n|
-            n.cat? && n.left.symbol? && n.right.cat? && n.right.left.literal?
-          }.map(&:left)
-
-          # Get all the symbol nodes preceded by literals.
-          symbols.concat ast.find_all { |n|
-            n.cat? && n.left.literal? && n.right.cat? && n.right.left.symbol?
-          }.map { |n| n.right.left }
-
-          symbols.each { |x|
-            x.regexp = /(?:#{Regexp.union(x.regexp, '-')})+/
+          # Find all the symbol nodes that are adjacent to literal nodes and alter
+          # the regexp so that Journey will partition them into custom routes.
+          ast.find_all { |node|
+            next unless node.cat?
+
+            if node.left.literal? && node.right.symbol?
+              symbol = node.right
+            elsif node.left.literal? && node.right.cat? && node.right.left.symbol?
+              symbol = node.right.left
+            elsif node.left.symbol? && node.right.literal?
+              symbol = node.left
+            elsif node.left.symbol? && node.right.cat? && node.right.left.literal?
+              symbol = node.left
+            else
+              next
+            end
+
+            if symbol
+              symbol.regexp = /(?:#{Regexp.union(symbol.regexp, '-')})+/
+            end
           }
 
           pattern
         end
         private :build_path
 
-
         private
           def add_wildcard_options(options, formatted, path_ast)
             # Add a constraint for wildcard route to make it non-greedy and match the
@@ -387,24 +393,6 @@ module ActionDispatch
       end
 
       module Base
-        # You can specify what Rails should route "/" to with the root method:
-        #
-        #   root to: 'pages#main'
-        #
-        # For options, see +match+, as +root+ uses it internally.
-        #
-        # You can also pass a string which will expand
-        #
-        #   root 'pages#main'
-        #
-        # You should put the root route at the top of <tt>config/routes.rb</tt>,
-        # because this means it will be matched first. As this is the most popular route
-        # of most Rails applications, this is beneficial.
-        def root(options = {})
-          name = has_named_route?(:root) ? nil : :root
-          match '/', { as: name, via:  :get }.merge!(options)
-        end
-
         # Matches a url pattern to one or more routes.
         #
         # You should not use the +match+ method in your router
@@ -1689,7 +1677,20 @@ to this:
           @set.add_route(mapping, ast, as, anchor)
         end
 
-        def root(path, options={})
+        # You can specify what Rails should route "/" to with the root method:
+        #
+        #   root to: 'pages#main'
+        #
+        # For options, see +match+, as +root+ uses it internally.
+        #
+        # You can also pass a string which will expand
+        #
+        #   root 'pages#main'
+        #
+        # You should put the root route at the top of <tt>config/routes.rb</tt>,
+        # because this means it will be matched first. As this is the most popular route
+        # of most Rails applications, this is beneficial.
+        def root(path, options = {})
           if path.is_a?(String)
             options[:to] = path
           elsif path.is_a?(Hash) and options.empty?
@@ -1701,11 +1702,11 @@ to this:
           if @scope.resources?
             with_scope_level(:root) do
               path_scope(parent_resource.path) do
-                super(options)
+                match_root_route(options)
               end
             end
           else
-            super(options)
+            match_root_route(options)
           end
         end
 
@@ -1900,6 +1901,11 @@ to this:
         ensure
           @scope = @scope.parent
         end
+
+        def match_root_route(options)
+          name = has_named_route?(:root) ? nil : :root
+          match '/', { :as => name, :via => :get }.merge!(options)
+        end
       end
 
       # Routing Concerns allow you to declare common routes that can be reused

data/lib/action_dispatch/routing/route_set.rb

@@ -281,8 +281,17 @@ module ActionDispatch
           helper = UrlHelper.create(route, opts, route_key, url_strategy)
           mod.module_eval do
             define_method(name) do |*args|
-              options = nil
-              options = args.pop if args.last.is_a? Hash
+              last = args.last
+              options = case last
+                        when Hash
+                          args.pop
+                        when ActionController::Parameters
+                          if last.permitted?
+                            args.pop.to_h
+                          else
+                            raise ArgumentError, "Generating an URL from non sanitized request parameters is insecure!"
+                          end
+                        end
               helper.call self, args, options
             end
           end

data/lib/action_dispatch/testing/assertion_response.rb

@@ -0,0 +1,49 @@
+module ActionDispatch
+  # This is a class that abstracts away an asserted response.
+  # It purposely does not inherit from Response, because it doesn't need it.
+  # That means it does not have headers or a body.
+  #
+  # As an input to the initializer, we take a Fixnum, a String, or a Symbol.
+  # If it's a Fixnum or String, we figure out what its symbolized name.
+  # If it's a Symbol, we figure out what its corresponding code is.
+  # The resulting code will be a Fixnum, for real HTTP codes, and it will
+  # be a String for the pseudo-HTTP codes, such as:
+  #   :success, :missing, :redirect and :error
+  class AssertionResponse
+    attr_reader :code, :name
+
+    GENERIC_RESPONSE_CODES = { # :nodoc:
+      success: "2XX",
+      missing: "404",
+      redirect: "3XX",
+      error: "5XX"
+    }
+
+    def initialize(code_or_name)
+      if code_or_name.is_a?(Symbol)
+        @name = code_or_name
+        @code = code_from_name(code_or_name)
+      else
+        @name = name_from_code(code_or_name)
+        @code = code_or_name
+      end
+
+      raise ArgumentError, "Invalid response name: #{name}" if @code.nil?
+      raise ArgumentError, "Invalid response code: #{code}" if @name.nil?
+    end
+
+    def code_and_name
+      "#{code}: #{name}"
+    end
+
+    private
+
+    def code_from_name(name)
+      GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
+    end
+
+    def name_from_code(code)
+      GENERIC_RESPONSE_CODES.invert[code] || Rack::Utils::HTTP_STATUS_CODES[code]
+    end
+  end
+end