actionpack 5.0.0.beta3 → 5.0.0.beta4

data/lib/action_controller/metal/data_streaming.rb

@@ -25,14 +25,13 @@ module ActionController #:nodoc:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
       #   Defaults to <tt>File.basename(path)</tt>.
       # * <tt>:type</tt> - specifies an HTTP content type.
-      #   You can specify either a string or a symbol for a registered type register with
-      #   <tt>Mime::Type.register</tt>, for example :json
-      #   If omitted, type will be guessed from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, default type 'application/octet-stream' will be used.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, the type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.
-      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser guess the filename from
+      # * <tt>:url_based_filename</tt> - set to +true+ if you want the browser to guess the filename from
       #   the URL, which is necessary for i18n filenames on certain browsers
       #   (setting <tt>:filename</tt> overrides this option).
       #
@@ -79,14 +78,14 @@ module ActionController #:nodoc:
       # <tt>render plain: data</tt>, but also allows you to specify whether
       # the browser should display the response as a file attachment (i.e. in a
       # download dialog) or as inline data. You may also set the content type,
-      # the apparent file name, and other things.
+      # the file name, and other things.
       #
       # Options:
       # * <tt>:filename</tt> - suggests a filename for the browser to use.
-      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'. You can specify
-      #   either a string or a symbol for a registered type register with <tt>Mime::Type.register</tt>, for example :json
-      #   If omitted, type will be guessed from the file extension specified in <tt>:filename</tt>.
-      #   If no content type is registered for the extension, default type 'application/octet-stream' will be used.
+      # * <tt>:type</tt> - specifies an HTTP content type. Defaults to 'application/octet-stream'.
+      #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+      #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+      #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
       # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
       #   Valid values are 'inline' and 'attachment' (default).
       # * <tt>:status</tt> - specifies the status code to send with the response. Defaults to 200.

data/lib/action_controller/metal/force_ssl.rb

@@ -2,17 +2,17 @@ require 'active_support/core_ext/hash/except'
 require 'active_support/core_ext/hash/slice'
 
 module ActionController
-  # This module provides a method which will redirect browser to use HTTPS
+  # This module provides a method which will redirect the browser to use HTTPS
   # protocol. This will ensure that user's sensitive information will be
-  # transferred safely over the internet. You _should_ always force browser
+  # transferred safely over the internet. You _should_ always force the browser
   # to use HTTPS when you're transferring sensitive information such as
   # user authentication, account information, or credit card information.
   #
   # Note that if you are really concerned about your application security,
   # you might consider using +config.force_ssl+ in your config file instead.
   # That will ensure all the data transferred via HTTPS protocol and prevent
-  # user from getting session hijacked when accessing the site under unsecured
-  # HTTP protocol.
+  # the user from getting their session hijacked when accessing the site over
+  # unsecured HTTP protocol.
   module ForceSSL
     extend ActiveSupport::Concern
     include AbstractController::Callbacks

data/lib/action_controller/metal/http_authentication.rb

@@ -310,9 +310,9 @@ module ActionController
       end
 
       # Might want a shorter timeout depending on whether the request
-      # is a PATCH, PUT, or POST, and if client is browser or web service.
+      # is a PATCH, PUT, or POST, and if the client is a browser or web service.
       # Can be much shorter if the Stale directive is implemented. This would
-      # allow a user to use new nonce without prompting user again for their
+      # allow a user to use new nonce without prompting the user again for their
       # username and password.
       def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
         return false if value.nil?
@@ -347,7 +347,12 @@ module ActionController
     #     private
     #       def authenticate
     #         authenticate_or_request_with_http_token do |token, options|
-    #           token == TOKEN
+    #           # Compare the tokens in a time-constant manner, to mitigate
+    #           # timing attacks.
+    #           ActiveSupport::SecurityUtils.secure_compare(
+    #             ::Digest::SHA256.hexdigest(token),
+    #             ::Digest::SHA256.hexdigest(TOKEN)
+    #           )
     #         end
     #       end
     #   end

data/lib/action_controller/metal/implicit_render.rb

@@ -1,29 +1,62 @@
+require 'active_support/core_ext/string/strip'
+
 module ActionController
+  # Handles implicit rendering for a controller action that does not
+  # explicitly respond with +render+, +respond_to+, +redirect+, or +head+.
+  #
+  # For API controllers, the implicit response is always 204 No Content.
+  #
+  # For all other controllers, we use these heuristics to decide whether to
+  # render a template, raise an error for a missing template, or respond with
+  # 204 No Content:
+  #
+  # First, if we DO find a template, it's rendered. Template lookup accounts
+  # for the action name, locales, format, variant, template handlers, and more
+  # (see +render+ for details).
+  #
+  # Second, if we DON'T find a template but the controller action does have
+  # templates for other formats, variants, etc., then we trust that you meant
+  # to provide a template for this response, too, and we raise
+  # <tt>ActionController::UnknownFormat</tt> with an explanation.
+  #
+  # Third, if we DON'T find a template AND the request is a page load in a web
+  # browser (technically, a non-XHR GET request for an HTML response) where
+  # you reasonably expect to have rendered a template, then we raise
+  # <tt>ActionView::UnknownFormat</tt> with an explanation.
+  #
+  # Finally, if we DON'T find a template AND the request isn't a browser page
+  # load, then we implicitly respond with 204 No Content.
   module ImplicitRender
 
+    # :stopdoc:
     include BasicImplicitRender
 
-    # Renders the template corresponding to the controller action, if it exists.
-    # The action name, format, and variant are all taken into account.
-    # For example, the "new" action with an HTML format and variant "phone" 
-    # would try to render the <tt>new.html+phone.erb</tt> template.
-    #
-    # If no template is found <tt>ActionController::BasicImplicitRender</tt>'s implementation is called, unless
-    # a block is passed. In that case, it will override the super implementation.
-    #
-    #   default_render do
-    #     head 404 # No template was found
-    #   end
     def default_render(*args)
       if template_exists?(action_name.to_s, _prefixes, variants: request.variant)
         render(*args)
+      elsif any_templates?(action_name.to_s, _prefixes)
+        message = "#{self.class.name}\##{action_name} is missing a template " \
+          "for this request format and variant.\n" \
+          "\nrequest.formats: #{request.formats.map(&:to_s).inspect}" \
+          "\nrequest.variant: #{request.variant.inspect}"
+
+        raise ActionController::UnknownFormat, message
+      elsif interactive_browser_request?
+        message = "#{self.class.name}\##{action_name} is missing a template " \
+          "for this request format and variant.\n\n" \
+          "request.formats: #{request.formats.map(&:to_s).inspect}\n" \
+          "request.variant: #{request.variant.inspect}\n\n" \
+          "NOTE! For XHR/Ajax or API requests, this action would normally " \
+          "respond with 204 No Content: an empty white screen. Since you're " \
+          "loading it in a web browser, we assume that you expected to " \
+          "actually render a template, not… nothing, so we're showing an " \
+          "error to be extra-clear. If you expect 204 No Content, carry on. " \
+          "That's what you'll get from an XHR or API request. Give it a shot."
+
+        raise ActionController::UnknownFormat, message
       else
-        if block_given?
-          yield(*args)
-        else
-          logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
-          super
-        end
+        logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
+        super
       end
     end
 
@@ -32,5 +65,10 @@ module ActionController
         "default_render"
       end
     end
+
+    private
+      def interactive_browser_request?
+        request.get? && request.format == Mime[:html] && !request.xhr?
+      end
   end
 end

data/lib/action_controller/metal/instrumentation.rb

@@ -19,6 +19,7 @@ module ActionController
         :controller => self.class.name,
         :action     => self.action_name,
         :params     => request.filtered_parameters,
+        :headers    => request.headers,
         :format     => request.format.ref,
         :method     => request.request_method,
         :path       => request.fullpath
@@ -74,8 +75,8 @@ module ActionController
       ActiveSupport::Notifications.instrument("halted_callback.action_controller", :filter => filter)
     end
 
-    # A hook which allows you to clean up any time taken into account in
-    # views wrongly, like database querying time.
+    # A hook which allows you to clean up any time, wrongly taken into account in
+    # views, like database querying time.
     #
     #   def cleanup_view_runtime
     #     super - time_taken_in_something_expensive

data/lib/action_controller/metal/live.rb

@@ -3,7 +3,7 @@ require 'delegate'
 require 'active_support/json'
 
 module ActionController
-  # Mix this module in to your controller, and all actions in that controller
+  # Mix this module into your controller, and all actions in that controller
   # will be able to stream data to the client as it's written.
   #
   #   class MyController < ActionController::Base
@@ -20,7 +20,7 @@ module ActionController
   #     end
   #   end
   #
-  # There are a few caveats with this use. You *cannot* write headers after the
+  # There are a few caveats with this module. You *cannot* write headers after the
   # response has been committed (Response#committed? will return truthy).
   # Calling +write+ or +close+ on the response stream will cause the response
   # object to be committed. Make sure all headers are set before calling write

data/lib/action_controller/metal/mime_responds.rb

@@ -198,7 +198,7 @@ module ActionController #:nodoc:
         _process_format(format)
         _set_rendered_content_type format
         response = collector.response
-        response ? response.call : render({})
+        response.call if response
       else
         raise ActionController::UnknownFormat
       end

data/lib/action_controller/metal/redirecting.rb

@@ -84,7 +84,7 @@ module ActionController
     #   redirect_back fallback_location:  proc { edit_post_url(@post) }
     #
     # All options that can be passed to <tt>redirect_to</tt> are accepted as
-    # options and the behavior is indetical.
+    # options and the behavior is identical.
     def redirect_back(fallback_location:, **args)
       if referer = request.headers["Referer"]
         redirect_to referer, **args

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -213,7 +213,7 @@ module ActionController #:nodoc:
 
         if !verified_request?
           if logger && log_warning_on_csrf_failure
-            logger.warn "Can't verify CSRF token authenticity"
+            logger.warn "Can't verify CSRF token authenticity."
           end
           handle_unverified_request
         end
@@ -405,7 +405,8 @@ module ActionController #:nodoc:
       end
 
       def normalize_action_path(action_path)
-        action_path.split('?').first.to_s.chomp('/')
+        uri = URI.parse(action_path)
+        uri.path.chomp('/')
       end
   end
 end

data/lib/action_controller/metal/rescue.rb

@@ -7,8 +7,12 @@ module ActionController #:nodoc:
     include ActiveSupport::Rescuable
 
     def rescue_with_handler(exception)
-      if exception.cause && handler_for_rescue(exception.cause)
-        exception = exception.cause
+      if exception.cause
+        handler_index = index_of_handler_for_rescue(exception) || Float::INFINITY
+        cause_handler_index = index_of_handler_for_rescue(exception.cause)
+        if cause_handler_index && cause_handler_index <= handler_index
+          exception = exception.cause
+        end
       end
       super(exception)
     end

data/lib/action_controller/metal/strong_parameters.rb

@@ -184,6 +184,13 @@ module ActionController
     # Returns an unsafe, unfiltered
     # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of this
     # parameter.
+    #
+    #   params = ActionController::Parameters.new({
+    #     name: 'Senjougahara Hitagi',
+    #     oddity: 'Heavy stone crab'
+    #   })
+    #   params.to_unsafe_h
+    #   # => {"name"=>"Senjougahara Hitagi", "oddity" => "Heavy stone crab"}
     def to_unsafe_h
       convert_parameters_to_hashes(@parameters, :to_unsafe_h)
     end
@@ -430,6 +437,21 @@ module ActionController
       )
     end
 
+    if Hash.method_defined?(:dig)
+      # Extracts the nested parameter from the given +keys+ by calling +dig+
+      # at each step. Returns +nil+ if any intermediate step is +nil+.
+      #
+      # params = ActionController::Parameters.new(foo: { bar: { baz: 1 } })
+      # params.dig(:foo, :bar, :baz) # => 1
+      # params.dig(:foo, :zot, :xyz) # => nil
+      #
+      # params2 = ActionController::Parameters.new(foo: [10, 11, 12])
+      # params2.dig(:foo, 1) # => 11
+      def dig(*keys)
+        convert_value_to_parameters(@parameters.dig(*keys))
+      end
+    end
+
     # Returns a new <tt>ActionController::Parameters</tt> instance that
     # includes only the given +keys+. If the given +keys+
     # don't exist, returns an empty hash.
@@ -734,6 +756,10 @@ module ActionController
         end
       end
 
+      def non_scalar?(value)
+        value.is_a?(Array) || value.is_a?(Parameters)
+      end
+
       EMPTY_ARRAY = []
       def hash_filter(params, filter)
         filter = filter.with_indifferent_access
@@ -748,7 +774,7 @@ module ActionController
             array_of_permitted_scalars?(self[key]) do |val|
               params[key] = val
             end
-          else
+          elsif non_scalar?(value)
             # Declaration { user: :name } or { user: [:name, :age, { address: ... }] }.
             params[key] = each_element(value) do |element|
               element.permit(*Array.wrap(filter[key]))
@@ -799,7 +825,8 @@ module ActionController
   #   end
   #
   # In order to use <tt>accepts_nested_attributes_for</tt> with Strong \Parameters, you
-  # will need to specify which nested attributes should be whitelisted.
+  # will need to specify which nested attributes should be whitelisted. You might want
+  # to allow +:id+ and +:_destroy+, see ActiveRecord::NestedAttributes for more information.
   #
   #   class Person
   #     has_many :pets
@@ -819,7 +846,7 @@ module ActionController
   #         # It's mandatory to specify the nested attributes that should be whitelisted.
   #         # If you use `permit` with just the key that points to the nested attributes hash,
   #         # it will return an empty hash.
-  #         params.require(:person).permit(:name, :age, pets_attributes: [ :name, :category ])
+  #         params.require(:person).permit(:name, :age, pets_attributes: [ :id, :name, :category ])
   #       end
   #   end
   #

data/lib/action_controller/renderer.rb

@@ -45,7 +45,7 @@ module ActionController
     }.freeze
 
     # Create a new renderer instance for a specific controller class.
-    def self.for(controller, env = {}, defaults = DEFAULTS)
+    def self.for(controller, env = {}, defaults = DEFAULTS.dup)
       new(controller, env, defaults)
     end
 

data/lib/action_controller/test_case.rb

@@ -176,7 +176,7 @@ module ActionController
     def initialize(session = {})
       super(nil, nil)
       @id = SecureRandom.hex(16)
-      @data = session.with_indifferent_access
+      @data = stringify_keys(session)
       @loaded = true
     end
 
@@ -428,7 +428,7 @@ module ActionController
       end
       alias xhr :xml_http_request
 
-      # Simulate a HTTP request to +action+ by specifying request method,
+      # Simulate an HTTP request to +action+ by specifying request method,
       # parameters and set/volley the response.
       #
       # - +action+: The controller action to call.

data/lib/action_dispatch.rb

@@ -51,8 +51,8 @@ module ActionDispatch
     autoload :Cookies
     autoload :DebugExceptions
     autoload :ExceptionWrapper
+    autoload :Executor
     autoload :Flash
-    autoload :LoadInterlock
     autoload :ParamsParser
     autoload :PublicExceptions
     autoload :Reloader

data/lib/action_dispatch/http/cache.rb

@@ -17,9 +17,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          (if_none_match ? if_none_match.split(/\s*,\s*/) : []).collect do |etag|
-            etag.gsub(/^\"|\"$/, "")
-          end
+          if_none_match ? if_none_match.split(/\s*,\s*/) : []
         end
 
         def not_modified?(modified_at)
@@ -28,8 +26,8 @@ module ActionDispatch
 
         def etag_matches?(etag)
           if etag
-            etag = etag.gsub(/^\"|\"$/, "")
-            if_none_match_etags.include?(etag)
+            validators = if_none_match_etags
+            validators.include?(etag) || validators.include?('*')
           end
         end
 
@@ -80,27 +78,63 @@ module ActionDispatch
           set_header DATE, utc_time.httpdate
         end
 
-        # This method allows you to set the ETag for cached content, which
-        # will be returned to the end user.
+        # This method sets a weak ETag validator on the response so browsers
+        # and proxies may cache the response, keyed on the ETag. On subsequent
+        # requests, the If-None-Match header is set to the cached ETag. If it
+        # matches the current ETag, we can return a 304 Not Modified response
+        # with no body, letting the browser or proxy know that their cache is
+        # current. Big savings in request time and network bandwidth.
+        #
+        # Weak ETags are considered to be semantically equivalent but not
+        # byte-for-byte identical. This is perfect for browser caching of HTML
+        # pages where we don't care about exact equality, just what the user
+        # is viewing.
         #
-        # By default, Action Dispatch sets all ETags to be weak.
-        # This ensures that if the content changes only semantically,
-        # the whole page doesn't have to be regenerated from scratch
-        # by the web server. With strong ETags, pages are compared
-        # byte by byte, and are regenerated only if they are not exactly equal.
-        def etag=(etag)
-          key = ActiveSupport::Cache.expand_cache_key(etag)
-          super %(W/"#{Digest::MD5.hexdigest(key)}")
+        # Strong ETags are considered byte-for-byte identical. They allow a
+        # browser or proxy cache to support Range requests, useful for paging
+        # through a PDF file or scrubbing through a video. Some CDNs only
+        # support strong ETags and will ignore weak ETags entirely.
+        #
+        # Weak ETags are what we almost always need, so they're the default.
+        # Check out `#strong_etag=` to provide a strong ETag validator.
+        def etag=(weak_validators)
+          self.weak_etag = weak_validators
+        end
+
+        def weak_etag=(weak_validators)
+          set_header 'ETag', generate_weak_etag(weak_validators)
+        end
+
+        def strong_etag=(strong_validators)
+          set_header 'ETag', generate_strong_etag(strong_validators)
         end
 
         def etag?; etag; end
 
+        # True if an ETag is set and it's a weak validator (preceded with W/)
+        def weak_etag?
+          etag? && etag.starts_with?('W/"')
+        end
+
+        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        def strong_etag?
+          etag? && !weak_etag?
+        end
+
       private
 
         DATE          = 'Date'.freeze
         LAST_MODIFIED = "Last-Modified".freeze
         SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
 
+        def generate_weak_etag(validators)
+          "W/#{generate_strong_etag(validators)}"
+        end
+
+        def generate_strong_etag(validators)
+          %("#{Digest::MD5.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
+        end
+
         def cache_control_segments
           if cache_control = _cache_control
             cache_control.delete(' ').split(',')