actionpack 5.0.0.beta3 → 5.0.0.beta4

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,9 +4,11 @@ module ActionDispatch
   module Http
     # Allows you to specify sensitive parameters which will be replaced from
     # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. If a block is given, each key and
-    # value of the params hash and all sub-hashes is passed to it, the value
-    # or key can be replaced using String#replace or similar method.
+    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
+    # from a hash is possible by using the dot notation: 'credit_card.number'.
+    # If a block is given, each key and value of the params hash and all
+    # sub-hashes is passed to it, the value or key can be replaced using
+    # String#replace or similar method.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -14,6 +16,10 @@ module ActionDispatch
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
+    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
+    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+    #   change { file: { code: "xxxx"} }
+    #
     #   env["action_dispatch.parameter_filter"] = -> (k, v) do
     #     v.reverse! if k =~ /secret/i
     #   end

data/lib/action_dispatch/http/headers.rb

@@ -5,7 +5,7 @@ module ActionDispatch
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
     #   headers = ActionDispatch::Http::Headers.new(env)
     #   headers["Content-Type"] # => "text/plain"
-    #   headers["User-Agent"] # => "curl/7/43/0"
+    #   headers["User-Agent"] # => "curl/7.43.0"
     #
     # Also note that when headers are mapped to CGI-like variables by the Rack
     # server, both dashes and underscores are converted to underscores. This
@@ -115,7 +115,7 @@ module ActionDispatch
 
       private
 
-      # Converts a HTTP header name to an environment variable name if it is
+      # Converts an HTTP header name to an environment variable name if it is
       # not contained within the headers hash.
       def env_name(key)
         key = key.to_s

data/lib/action_dispatch/http/mime_types.rb

@@ -21,7 +21,7 @@ Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
 Mime::Type.register "application/xml", :xml, %w( text/xml application/x-xml )
 Mime::Type.register "application/rss+xml", :rss
 Mime::Type.register "application/atom+xml", :atom
-Mime::Type.register "application/x-yaml", :yaml, %w( text/yaml )
+Mime::Type.register "application/x-yaml", :yaml, %w( text/yaml ), %w(yml yaml)
 
 Mime::Type.register "multipart/form-data", :multipart_form
 Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form

data/lib/action_dispatch/http/request.rb

@@ -337,7 +337,6 @@ module ActionDispatch
       else
         self.session = {}
       end
-      self.flash = nil
     end
 
     def session=(session) #:nodoc:

data/lib/action_dispatch/journey/formatter.rb

@@ -32,8 +32,13 @@ module ActionDispatch
 
           defaults       = route.defaults
           required_parts = route.required_parts
-          parameterized_parts.keep_if do |key, value|
-            (defaults[key].nil? && value.present?) || value.to_s != defaults[key].to_s || required_parts.include?(key)
+
+          route.parts.reverse_each do |key|
+            break if defaults[key].nil? && parameterized_parts[key].present?
+            break if parameterized_parts[key].to_s != defaults[key].to_s
+            break if required_parts.include?(key)
+
+            parameterized_parts.delete(key)
           end
 
           return [route.format(parameterized_parts), params]

data/lib/action_dispatch/journey/route.rb

@@ -82,7 +82,7 @@ module ActionDispatch
       end
 
       def requirements # :nodoc:
-        # needed for rails `rake routes`
+        # needed for rails `rails routes`
         @defaults.merge(path.requirements).delete_if { |_,v|
           /.+?/ == v
         }

data/lib/action_dispatch/middleware/callbacks.rb

@@ -7,7 +7,16 @@ module ActionDispatch
     define_callbacks :call
 
     class << self
-      delegate :to_prepare, :to_cleanup, :to => "ActionDispatch::Reloader"
+      def to_prepare(*args, &block)
+        ActiveSupport::Reloader.to_prepare(*args, &block)
+      end
+
+      def to_cleanup(*args, &block)
+        ActiveSupport::Reloader.to_complete(*args, &block)
+      end
+
+      deprecate to_prepare: 'use ActiveSupport::Reloader.to_prepare instead',
+        to_cleanup: 'use ActiveSupport::Reloader.to_complete instead'
 
       def before(*args, &block)
         set_callback(:call, :before, *args, &block)

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -1,4 +1,3 @@
-require 'action_controller/metal/exceptions'
 require 'active_support/core_ext/module/attribute_accessors'
 require 'rack/utils'
 

data/lib/action_dispatch/middleware/executor.rb

@@ -0,0 +1,19 @@
+require 'rack/body_proxy'
+
+module ActionDispatch
+  class Executor
+    def initialize(app, executor)
+      @app, @executor = app, executor
+    end
+
+    def call(env)
+      state = @executor.run!
+      begin
+        response = @app.call(env)
+        returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
+      ensure
+        state.complete! unless returned
+      end
+    end
+  end
+end

data/lib/action_dispatch/middleware/flash.rb

@@ -70,6 +70,11 @@ module ActionDispatch
           session.delete('flash')
         end
       end
+
+      def reset_session # :nodoc
+        super
+        self.flash = nil
+      end
     end
 
     class FlashNow #:nodoc:

data/lib/action_dispatch/middleware/params_parser.rb

@@ -37,6 +37,7 @@ module ActionDispatch
     # The +parsers+ argument can take Hash of parsers where key is identifying
     # content mime type, and value is a lambda that is going to process data.
     def self.new(app, parsers = {})
+      ActiveSupport::Deprecation.warn('ActionDispatch::ParamsParser is deprecated and will be removed in Rails 5.1. Configure the parameter parsing in ActionDispatch::Request.parameter_parsers.')
       parsers = parsers.transform_keys { |key| key.respond_to?(:symbol) ? key.symbol : key }
       ActionDispatch::Request.parameter_parsers = ActionDispatch::Request::DEFAULT_PARSERS.merge(parsers)
       app

data/lib/action_dispatch/middleware/reloader.rb

@@ -23,74 +23,32 @@ module ActionDispatch
   # middleware stack, but are executed only when <tt>ActionDispatch::Reloader.prepare!</tt>
   # or <tt>ActionDispatch::Reloader.cleanup!</tt> are called manually.
   #
-  class Reloader
-    include ActiveSupport::Callbacks
-    include ActiveSupport::Deprecation::Reporting
-
-    define_callbacks :prepare
-    define_callbacks :cleanup
-
-    # Add a prepare callback. Prepare callbacks are run before each request, prior
-    # to ActionDispatch::Callback's before callbacks.
+  class Reloader < Executor
     def self.to_prepare(*args, &block)
-      unless block_given?
-        warn "to_prepare without a block is deprecated. Please use a block"
-      end
-      set_callback(:prepare, *args, &block)
+      ActiveSupport::Reloader.to_prepare(*args, &block)
     end
 
-    # Add a cleanup callback. Cleanup callbacks are run after each request is
-    # complete (after #close is called on the response body).
     def self.to_cleanup(*args, &block)
-      unless block_given?
-        warn "to_cleanup without a block is deprecated. Please use a block"
-      end
-      set_callback(:cleanup, *args, &block)
+      ActiveSupport::Reloader.to_complete(*args, &block)
     end
 
-    # Execute all prepare callbacks.
     def self.prepare!
-      new(nil).prepare!
+      default_reloader.prepare!
     end
 
-    # Execute all cleanup callbacks.
     def self.cleanup!
-      new(nil).cleanup!
-    end
-
-    def initialize(app, condition=nil)
-      @app = app
-      @condition = condition || lambda { true }
-      @validated = true
+      default_reloader.reload!
     end
 
-    def call(env)
-      @validated = @condition.call
-      prepare!
-
-      response = @app.call(env)
-      response[2] = ::Rack::BodyProxy.new(response[2]) { cleanup! }
+    class << self
+      attr_accessor :default_reloader # :nodoc:
 
-      response
-    rescue Exception
-      cleanup!
-      raise
+      deprecate to_prepare: 'use ActiveSupport::Reloader.to_prepare instead',
+        to_cleanup: 'use ActiveSupport::Reloader.to_complete instead',
+        prepare!: 'use Rails.application.reloader.prepare! instead',
+        cleanup!: 'use Rails.application.reloader.reload! instead of cleanup + prepare'
     end
 
-    def prepare! #:nodoc:
-      run_callbacks :prepare if validated?
-    end
-
-    def cleanup! #:nodoc:
-      run_callbacks :cleanup if validated?
-    ensure
-      @validated = true
-    end
-
-    private
-
-    def validated? #:nodoc:
-      @validated
-    end
+    self.default_reloader = ActiveSupport::Reloader
   end
 end

data/lib/action_dispatch/middleware/ssl.rb

@@ -23,7 +23,7 @@ module ActionDispatch
   #     preload lists is `18.weeks`.
   #   * `subdomains`: Set to `true` to tell the browser to apply these settings
   #     to all subdomains. This protects your cookies from interception by a
-  #     vulnerable site on a subdomain. Defaults to `false`.
+  #     vulnerable site on a subdomain. Defaults to `true`.
   #   * `preload`: Advertise that this site may be included in browsers'
   #     preloaded HSTS lists. HSTS protects your site on every visit *except the
   #     first visit* since it hasn't seen your HSTS header yet. To close this
@@ -34,6 +34,10 @@ module ActionDispatch
   # original HSTS directive until it expires. Instead, use the header to tell browsers to
   # expire HSTS immediately. Setting `hsts: false` is a shortcut for
   # `hsts: { expires: 0 }`.
+  #
+  # Requests can opt-out of redirection with `exclude`:
+  #
+  #    config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
   class SSL
     # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
     # and greater than the 18-week requirement for browser preload lists.
@@ -49,14 +53,26 @@ module ActionDispatch
       if options[:host] || options[:port]
         ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
           The `:host` and `:port` options are moving within `:redirect`:
-          `config.ssl_options = { redirect: { host: …, port: … }}`.
+          `config.ssl_options = { redirect: { host: …, port: … } }`.
         end_warning
         @redirect = options.slice(:host, :port)
       else
         @redirect = redirect
       end
 
+      @exclude = @redirect && @redirect[:exclude] || proc { !@redirect }
       @secure_cookies = secure_cookies
+
+      if hsts != true && hsts != false && hsts[:subdomains].nil?
+        hsts[:subdomains] = false
+
+        ActiveSupport::Deprecation.warn <<-end_warning.strip_heredoc
+          In Rails 5.1, The `:subdomains` option of HSTS config will be treated as true if
+          unspecified. Set `config.ssl_options = { hsts: { subdomains: false } }` to opt out
+          of this behavior.
+        end_warning
+      end
+
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
     end
 
@@ -69,7 +85,7 @@ module ActionDispatch
           flag_cookies_as_secure! headers if @secure_cookies
         end
       else
-        return redirect_to_https request if @redirect
+        return redirect_to_https request unless @exclude.call(request)
         @app.call(env)
       end
     end

data/lib/action_dispatch/railtie.rb

@@ -39,6 +39,8 @@ module ActionDispatch
       config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?
       ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie
 
+      ActionDispatch::Reloader.default_reloader = app.reloader
+
       ActionDispatch.test_app = app
     end
   end

data/lib/action_dispatch/request/session.rb

@@ -9,7 +9,7 @@ module ActionDispatch
 
       # Singleton object used to determine if an optional param wasn't specified
       Unspecified = Object.new
-
+      
       # Creates a session hash, merging the properties of the previous session if any
       def self.create(store, req, default_options)
         session_was = find req
@@ -61,7 +61,7 @@ module ActionDispatch
       def initialize(by, req)
         @by       = by
         @req      = req
-        @delegate = {}.with_indifferent_access
+        @delegate = {}
         @loaded   = false
         @exists   = nil # we haven't checked yet
       end
@@ -88,13 +88,13 @@ module ActionDispatch
       # nil if the given key is not found in the session.
       def [](key)
         load_for_read!
-        @delegate[key]
+        @delegate[key.to_s]
       end
 
       # Returns true if the session has the given key or false.
       def has_key?(key)
         load_for_read!
-        @delegate.key?(key)
+        @delegate.key?(key.to_s)
       end
       alias :key? :has_key?
       alias :include? :has_key?
@@ -112,7 +112,7 @@ module ActionDispatch
       # Writes given value to given key of the session.
       def []=(key, value)
         load_for_write!
-        @delegate[key] = value
+        @delegate[key.to_s] = value
       end
 
       # Clears the session.
@@ -139,13 +139,13 @@ module ActionDispatch
       #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
       def update(hash)
         load_for_write!
-        @delegate.update hash
+        @delegate.update stringify_keys(hash)
       end
 
       # Deletes given key from the session.
       def delete(key)
         load_for_write!
-        @delegate.delete key
+        @delegate.delete key.to_s
       end
 
       # Returns value of the given key from the session, or raises +KeyError+
@@ -165,9 +165,9 @@ module ActionDispatch
       def fetch(key, default=Unspecified, &block)
         load_for_read!
         if default == Unspecified
-          @delegate.fetch(key, &block)
+          @delegate.fetch(key.to_s, &block)
         else
-          @delegate.fetch(key, default, &block)
+          @delegate.fetch(key.to_s, default, &block)
         end
       end
 
@@ -211,9 +211,15 @@ module ActionDispatch
       def load!
         id, session = @by.load_session @req
         options[:id] = id
-        @delegate.replace(session)
+        @delegate.replace(stringify_keys(session))
         @loaded = true
       end
+
+      def stringify_keys(other)
+        other.each_with_object({}) { |(key, value), hash|
+          hash[key.to_s] = value
+        }
+      end
     end
   end
 end

data/lib/action_dispatch/routing.rb

@@ -73,14 +73,14 @@ module ActionDispatch
   #   get 'post/:id' => 'posts#show'
   #   post 'post/:id' => 'posts#create_comment'
   #
+  # Now, if you POST to <tt>/posts/:id</tt>, it will route to the <tt>create_comment</tt> action. A GET on the same
+  # URL will route to the <tt>show</tt> action.
+  #
   # If your route needs to respond to more than one HTTP method (or all methods) then using the
   # <tt>:via</tt> option on <tt>match</tt> is preferable.
   #
   #   match 'post/:id' => 'posts#show', via: [:get, :post]
   #
-  # Now, if you POST to <tt>/posts/:id</tt>, it will route to the <tt>create_comment</tt> action. A GET on the same
-  # URL will route to the <tt>show</tt> action.
-  #
   # == Named routes
   #
   # Routes can be named by passing an <tt>:as</tt> option,
@@ -252,5 +252,14 @@ module ActionDispatch
 
     SEPARATORS = %w( / . ? ) #:nodoc:
     HTTP_METHODS = [:get, :head, :post, :patch, :put, :delete, :options] #:nodoc:
+
+    #:stopdoc:
+    INSECURE_URL_PARAMETERS_MESSAGE = <<-MSG.squish
+      Attempting to generate a URL from non-sanitized request parameters!
+
+      An attacker can inject malicious data into the generated URL, such as
+      changing the host. Whitelist and sanitize passed parameters to be secure.
+    MSG
+    #:startdoc:
   end
 end

data/lib/action_dispatch/routing/inspector.rb

@@ -33,11 +33,11 @@ module ActionDispatch
       end
 
       def controller
-        requirements[:controller] || ':controller'
+        parts.include?(:controller) ? ':controller' : requirements[:controller]
       end
 
       def action
-        requirements[:action] || ':action'
+        parts.include?(:action) ? ':action' : requirements[:action]
       end
 
       def internal?
@@ -51,7 +51,7 @@ module ActionDispatch
 
     ##
     # This class is just used for displaying route information when someone
-    # executes `rake routes` or looks at the RoutingError page.
+    # executes `rails routes` or looks at the RoutingError page.
     # People should not use this class.
     class RoutesInspector # :nodoc:
       def initialize(routes)