actionpack 5.1.7 → 5.2.0.beta1

data/lib/action_controller/metal/rendering.rb

@@ -1,4 +1,4 @@
-require "active_support/core_ext/string/filters"
+# frozen_string_literal: true
 
 module ActionController
   module Rendering
@@ -40,7 +40,7 @@ module ActionController
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
-        string = ""
+        string = "".dup
         result.each { |r| string << r }
         string
       else

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
@@ -20,7 +22,7 @@ module ActionController #:nodoc:
   # Since HTML and JavaScript requests are typically made from the browser, we
   # need to ensure to verify request authenticity for the web browser. We can
   # use session-oriented authentication for these types of requests, by using
-  # the `protect_from_forgery` method in our controllers.
+  # the <tt>protect_from_forgery</tt> method in our controllers.
   #
   # GET requests are not protected since they don't have side effects like writing
   # to the database and don't leak sensitive information. JavaScript requests are
@@ -85,6 +87,10 @@ module ActionController #:nodoc:
       config_accessor :per_form_csrf_tokens
       self.per_form_csrf_tokens = false
 
+      # Controls whether forgery protection is enabled by default.
+      config_accessor :default_protect_from_forgery
+      self.default_protect_from_forgery = false
+
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -128,6 +134,15 @@ module ActionController #:nodoc:
         append_after_action :verify_same_origin_request
       end
 
+      # Turn off request forgery protection. This is a wrapper for:
+      #
+      #   skip_before_action :verify_authenticity_token
+      #
+      # See +skip_before_action+ for allowed options.
+      def skip_forgery_protection(options = {})
+        skip_before_action :verify_authenticity_token, options
+      end
+
       private
 
         def protection_method_class(name)
@@ -201,7 +216,7 @@ module ActionController #:nodoc:
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
       # strategy instead. If you override, you'll disable same-origin
-      # `<script>` verification.
+      # <tt><script></tt> verification.
       #
       # Lean on the protect_from_forgery declaration to mark which actions are
       # due for same-origin request verification. If protect_from_forgery is
@@ -233,8 +248,9 @@ module ActionController #:nodoc:
         "If you know what you're doing, go ahead and disable forgery " \
         "protection on this action to permit cross-origin JavaScript embedding."
       private_constant :CROSS_ORIGIN_JAVASCRIPT_WARNING
+      # :startdoc:
 
-      # If `verify_authenticity_token` was run (indicating that we have
+      # If +verify_authenticity_token+ was run (indicating that we have
       # forgery protection enabled for this request) then also verify that
       # we aren't serving an unauthorized cross-origin response.
       def verify_same_origin_request # :doc:
@@ -251,7 +267,7 @@ module ActionController #:nodoc:
         @marked_for_same_origin_verification = request.get?
       end
 
-      # If the `verify_authenticity_token` before_action ran, verify that
+      # If the +verify_authenticity_token+ before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
       def marked_for_same_origin_verification? # :doc:
         @marked_for_same_origin_verification ||= false
@@ -353,7 +369,7 @@ module ActionController #:nodoc:
       end
 
       def compare_with_real_token(token, session) # :doc:
-        ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
       def valid_per_form_csrf_token?(token, session) # :doc:
@@ -364,7 +380,7 @@ module ActionController #:nodoc:
             request.request_method
           )
 
-          ActiveSupport::SecurityUtils.secure_compare(token, correct_token)
+          ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, correct_token)
         else
           false
         end

data/lib/action_controller/metal/rescue.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module ActionController #:nodoc:
-  # This module is responsible for providing `rescue_from` helpers
+  # This module is responsible for providing +rescue_from+ helpers
   # to controllers and configuring when detailed exceptions must be
   # shown.
   module Rescue
@@ -8,8 +10,8 @@ module ActionController #:nodoc:
 
     # Override this method if you want to customize when detailed
     # exceptions must be shown. This method is only called when
-    # consider_all_requests_local is false. By default, it returns
-    # false, but someone may set it to `request.local?` so local
+    # +consider_all_requests_local+ is +false+. By default, it returns
+    # +false+, but someone may set it to <tt>request.local?</tt> so local
     # requests in production still show the detailed exception pages.
     def show_detailed_exceptions?
       false

data/lib/action_controller/metal/streaming.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rack/chunked"
 
 module ActionController #:nodoc:

data/lib/action_controller/metal/strong_parameters.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/indifferent_access"
 require "active_support/core_ext/hash/transform_values"
 require "active_support/core_ext/array/wrap"
@@ -119,8 +121,7 @@ module ActionController
   #   params[:key]  # => "value"
   #   params["key"] # => "value"
   class Parameters
-    cattr_accessor :permit_all_parameters, instance_accessor: false
-    self.permit_all_parameters = false
+    cattr_accessor :permit_all_parameters, instance_accessor: false, default: false
 
     cattr_accessor :action_on_unpermitted_parameters, instance_accessor: false
 
@@ -185,6 +186,7 @@ module ActionController
     #
     # :call-seq:
     #   to_s()
+    #
     # Returns the content of the parameters as a string.
 
     ##
@@ -212,8 +214,7 @@ module ActionController
     # config. For instance:
     #
     #    config.always_permitted_parameters = %w( controller action format )
-    cattr_accessor :always_permitted_parameters
-    self.always_permitted_parameters = %w( controller action )
+    cattr_accessor :always_permitted_parameters, default: %w( controller action )
 
     # Returns a new instance of <tt>ActionController::Parameters</tt>.
     # Also, sets the +permitted+ attribute to the default value of
@@ -254,7 +255,7 @@ module ActionController
     #     oddity: "Heavy stone crab"
     #   })
     #   params.to_h
-    #   # => ActionController::UnfilteredParameters: unable to convert unfiltered parameters to hash
+    #   # => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
     #
     #   safe_params = params.permit(:name)
     #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
@@ -274,7 +275,7 @@ module ActionController
     #     oddity: "Heavy stone crab"
     #   })
     #   params.to_hash
-    #   # => ActionController::UnfilteredParameters: unable to convert unfiltered parameters to hash
+    #   # => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
     #
     #   safe_params = params.permit(:name)
     #   safe_params.to_hash # => {"name"=>"Senjougahara Hitagi"}
@@ -290,6 +291,10 @@ module ActionController
     #     nationality: "Danish"
     #   })
     #   params.to_query
+    #   # => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
+    #
+    #   safe_params = params.permit(:name, :nationality)
+    #   safe_params.to_query
     #   # => "name=David&nationality=Danish"
     #
     # An optional namespace can be passed to enclose key names:
@@ -298,7 +303,8 @@ module ActionController
     #     name: "David",
     #     nationality: "Danish"
     #   })
-    #   params.to_query("user")
+    #   safe_params = params.permit(:name, :nationality)
+    #   safe_params.to_query("user")
     #   # => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"
     #
     # The string pairs "key=value" that conform the query string
@@ -669,10 +675,10 @@ module ActionController
       self
     end
 
-    # Deletes and returns a key-value pair from +Parameters+ whose key is equal
-    # to key. If the key is not found, returns the default value. If the
-    # optional code block is given and the key is not found, pass in the key
-    # and return the result of block.
+    # Deletes a key-value pair from +Parameters+ and returns the value. If
+    # +key+ is not found, returns +nil+ (or, with optional code block, yields
+    # +key+ and returns the result). Cf. +#extract!+, which returns the
+    # corresponding +ActionController::Parameters+ object.
     def delete(key, &block)
       convert_value_to_parameters(@parameters.delete(key, &block))
     end
@@ -731,6 +737,7 @@ module ActionController
         other_hash.to_h.merge(@parameters)
       )
     end
+    alias_method :with_defaults, :reverse_merge
 
     # Returns current <tt>ActionController::Parameters</tt> instance with
     # current hash merged into +other_hash+.
@@ -738,6 +745,7 @@ module ActionController
       @parameters.merge!(other_hash.to_h) { |key, left, right| left }
       self
     end
+    alias_method :with_defaults!, :reverse_merge!
 
     # This is required by ActiveModel attribute assignment, so that user can
     # pass +Parameters+ to a mass assignment methods in a model. It should not

data/lib/action_controller/metal/testing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   module Testing
     extend ActiveSupport::Concern
@@ -10,11 +12,5 @@ module ActionController
         self.params = nil
       end
     end
-
-    module ClassMethods
-      def before_filters
-        _process_action_callbacks.find_all { |x| x.kind == :before }.map(&:name)
-      end
-    end
   end
 end

data/lib/action_controller/metal/url_for.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # Includes +url_for+ into the host class. The class has to provide a +RouteSet+ by implementing
   # the <tt>_routes</tt> method. Otherwise, an exception will be raised.

data/lib/action_controller/railtie.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rails"
 require "action_controller"
 require "action_dispatch/railtie"
@@ -23,10 +25,6 @@ module ActionController
       options = app.config.action_controller
 
       ActiveSupport.on_load(:action_controller, run_once: true) do
-        if options.delete(:raise_on_unfiltered_parameters)
-          ActiveSupport::Deprecation.warn("raise_on_unfiltered_parameters is deprecated and has no effect in Rails 5.1.")
-        end
-
         ActionController::Parameters.permit_all_parameters = options.delete(:permit_all_parameters) { false }
         if app.config.action_controller[:always_permitted_parameters]
           ActionController::Parameters.always_permitted_parameters =
@@ -73,5 +71,19 @@ module ActionController
         config.compile_methods! if config.respond_to?(:compile_methods!)
       end
     end
+
+    initializer "action_controller.request_forgery_protection" do |app|
+      ActiveSupport.on_load(:action_controller_base) do
+        if app.config.action_controller.default_protect_from_forgery
+          protect_from_forgery with: :exception
+        end
+      end
+    end
+
+    initializer "action_controller.eager_load_actions" do
+      ActiveSupport.on_load(:after_initialize) do
+        ActionController::Metal.descendants.each(&:action_methods) if config.eager_load
+      end
+    end
   end
 end

data/lib/action_controller/railties/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   module Railties
     module Helpers

data/lib/action_controller/renderer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/keys"
 
 module ActionController

data/lib/action_controller/template_assertions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   module TemplateAssertions
     def assert_template(options = {}, message = nil)

data/lib/action_controller/test_case.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 require "rack/session/abstract/id"
 require "active_support/core_ext/hash/conversions"
 require "active_support/core_ext/object/to_query"
 require "active_support/core_ext/module/anonymous"
+require "active_support/core_ext/module/redefine_method"
 require "active_support/core_ext/hash/keys"
 require "active_support/testing/constant_lookup"
 require "action_controller/template_assertions"
@@ -17,7 +20,7 @@ module ActionController
     # the database on the main thread, so they could open a txn, then the
     # controller thread will open a new connection and try to access data
     # that's only visible to the main thread's txn. This is the problem in #23483.
-    remove_method :new_controller_thread
+    silence_redefinition_of_method :new_controller_thread
     def new_controller_thread # :nodoc:
       yield
     end

data/lib/action_dispatch.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 #--
 # Copyright (c) 2004-2017 David Heinemeier Hansson
 #
@@ -40,6 +42,7 @@ module ActionDispatch
 
   eager_autoload do
     autoload_under "http" do
+      autoload :ContentSecurityPolicy
       autoload :Request
       autoload :Response
     end

data/lib/action_dispatch/http/cache.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Http
     module Cache
@@ -95,7 +97,7 @@ module ActionDispatch
         # support strong ETags and will ignore weak ETags entirely.
         #
         # Weak ETags are what we almost always need, so they're the default.
-        # Check out `#strong_etag=` to provide a strong ETag validator.
+        # Check out #strong_etag= to provide a strong ETag validator.
         def etag=(weak_validators)
           self.weak_etag = weak_validators
         end
@@ -164,19 +166,23 @@ module ActionDispatch
           @cache_control = cache_control_headers
         end
 
-        def handle_conditional_get!
-          if etag? || last_modified? || !@cache_control.empty?
-            set_conditional_cache_control!(@cache_control)
-          end
-        end
-
         DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
         NO_CACHE              = "no-cache".freeze
         PUBLIC                = "public".freeze
         PRIVATE               = "private".freeze
         MUST_REVALIDATE       = "must-revalidate".freeze
 
-        def set_conditional_cache_control!(cache_control)
+        def handle_conditional_get!
+          # Normally default cache control setting is handled by ETag
+          # middleware. But, if an etag is already set, the middleware
+          # defaults to `no-cache` unless a default `Cache-Control` value is
+          # previously set. So, set a default one here.
+          if (etag? || last_modified?) && !self._cache_control
+            self._cache_control = DEFAULT_CACHE_CONTROL
+          end
+        end
+
+        def merge_and_normalize_cache_control!(cache_control)
           control = {}
           cc_headers = cache_control_headers
           if extras = cc_headers.delete(:extras)
@@ -189,7 +195,7 @@ module ActionDispatch
           control.merge! cache_control
 
           if control.empty?
-            self._cache_control = DEFAULT_CACHE_CONTROL
+            # Let middleware handle default behavior
           elsif control[:no_cache]
             self._cache_control = NO_CACHE
             if control[:extras]

data/lib/action_dispatch/http/content_security_policy.rb

@@ -0,0 +1,233 @@
+# frozen_string_literal: true
+
+module ActionDispatch #:nodoc:
+  class ContentSecurityPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type".freeze
+      POLICY = "Content-Security-Policy".freeze
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new env
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.content_security_policy
+          headers[header_name(request)] = policy.build(request.controller_instance)
+        end
+
+        response
+      end
+
+      private
+
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            content_type =~ /html/
+          end
+        end
+
+        def header_name(request)
+          if request.content_security_policy_report_only
+            POLICY_REPORT_ONLY
+          else
+            POLICY
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.content_security_policy".freeze
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
+
+      def content_security_policy
+        get_header(POLICY)
+      end
+
+      def content_security_policy=(policy)
+        set_header(POLICY, policy)
+      end
+
+      def content_security_policy_report_only
+        get_header(POLICY_REPORT_ONLY)
+      end
+
+      def content_security_policy_report_only=(value)
+        set_header(POLICY_REPORT_ONLY, value)
+      end
+    end
+
+    MAPPINGS = {
+      self:           "'self'",
+      unsafe_eval:    "'unsafe-eval'",
+      unsafe_inline:  "'unsafe-inline'",
+      none:           "'none'",
+      http:           "http:",
+      https:          "https:",
+      data:           "data:",
+      mediastream:    "mediastream:",
+      blob:           "blob:",
+      filesystem:     "filesystem:",
+      report_sample:  "'report-sample'",
+      strict_dynamic: "'strict-dynamic'"
+    }.freeze
+
+    DIRECTIVES = {
+      base_uri:        "base-uri",
+      child_src:       "child-src",
+      connect_src:     "connect-src",
+      default_src:     "default-src",
+      font_src:        "font-src",
+      form_action:     "form-action",
+      frame_ancestors: "frame-ancestors",
+      frame_src:       "frame-src",
+      img_src:         "img-src",
+      manifest_src:    "manifest-src",
+      media_src:       "media-src",
+      object_src:      "object-src",
+      script_src:      "script-src",
+      style_src:       "style-src",
+      worker_src:      "worker-src"
+    }.freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = copy_directives(other.directives)
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def block_all_mixed_content(enabled = true)
+      if enabled
+        @directives["block-all-mixed-content"] = true
+      else
+        @directives.delete("block-all-mixed-content")
+      end
+    end
+
+    def plugin_types(*types)
+      if types.first
+        @directives["plugin-types"] = types
+      else
+        @directives.delete("plugin-types")
+      end
+    end
+
+    def report_uri(uri)
+      @directives["report-uri"] = [uri]
+    end
+
+    def require_sri_for(*types)
+      if types.first
+        @directives["require-sri-for"] = types
+      else
+        @directives.delete("require-sri-for")
+      end
+    end
+
+    def sandbox(*values)
+      if values.empty?
+        @directives["sandbox"] = true
+      elsif values.first
+        @directives["sandbox"] = values
+      else
+        @directives.delete("sandbox")
+      end
+    end
+
+    def upgrade_insecure_requests(enabled = true)
+      if enabled
+        @directives["upgrade-insecure-requests"] = true
+      else
+        @directives.delete("upgrade-insecure-requests")
+      end
+    end
+
+    def build(context = nil)
+      build_directives(context).compact.join("; ") + ";"
+    end
+
+    private
+      def copy_directives(directives)
+        directives.transform_values { |sources| sources.map(&:dup) }
+      end
+
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown content security policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            "#{directive} #{build_directive(sources, context).join(' ')}"
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
+          else
+            context.instance_exec(&source)
+          end
+        else
+          raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
+        end
+      end
+  end
+end