actionpack 5.1.7 → 5.2.4.3

data/lib/action_controller/log_subscriber.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
@@ -24,7 +26,7 @@ module ActionController
           exception_class_name = payload[:exception].first
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message = "Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms".dup
         message << " (#{additions.join(" | ".freeze)})" unless additions.empty?
         message << "\n\n" if defined?(Rails.env) && Rails.env.development?
 
@@ -60,9 +62,9 @@ module ActionController
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{method}(event)
           return unless logger.info? && ActionController::Base.enable_fragment_cache_logging
-          key_or_path = event.payload[:key] || event.payload[:path]
+          key         = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
           human_name  = #{method.to_s.humanize.inspect}
-          info("\#{human_name} \#{key_or_path} (\#{event.duration.round(1)}ms)")
+          info("\#{human_name} \#{key} (\#{event.duration.round(1)}ms)")
         end
       METHOD
     end

data/lib/action_controller/metal.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/array/extract_options"
 require "action_dispatch/middleware/stack"
 require "action_dispatch/http/request"
@@ -24,10 +26,10 @@ module ActionController
       end
     end
 
-    def build(action, app = Proc.new)
+    def build(action, app = nil, &block)
       action = action.to_s
 
-      middlewares.reverse.inject(app) do |a, middleware|
+      middlewares.reverse.inject(app || block) do |a, middleware|
         middleware.valid?(action) ? middleware.build(a) : a
       end
     end
@@ -208,8 +210,7 @@ module ActionController
       @_request.reset_session
     end
 
-    class_attribute :middleware_stack
-    self.middleware_stack = ActionController::MiddlewareStack.new
+    class_attribute :middleware_stack, default: ActionController::MiddlewareStack.new
 
     def self.inherited(base) # :nodoc:
       base.middleware_stack = middleware_stack.dup
@@ -229,18 +230,16 @@ module ActionController
 
     # Returns a Rack endpoint for the given action name.
     def self.action(name)
+      app = lambda { |env|
+        req = ActionDispatch::Request.new(env)
+        res = make_response! req
+        new.dispatch(name, req, res)
+      }
+
       if middleware_stack.any?
-        middleware_stack.build(name) do |env|
-          req = ActionDispatch::Request.new(env)
-          res = make_response! req
-          new.dispatch(name, req, res)
-        end
+        middleware_stack.build(name, app)
       else
-        lambda { |env|
-          req = ActionDispatch::Request.new(env)
-          res = make_response! req
-          new.dispatch(name, req, res)
-        }
+        app
       end
     end
 

data/lib/action_controller/metal/basic_implicit_render.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   module BasicImplicitRender # :nodoc:
     def send_action(method, *args)

data/lib/action_controller/metal/conditional_get.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/keys"
 
 module ActionController
@@ -7,8 +9,7 @@ module ActionController
     include Head
 
     included do
-      class_attribute :etaggers
-      self.etaggers = []
+      class_attribute :etaggers, default: []
     end
 
     module ClassMethods
@@ -227,7 +228,7 @@ module ActionController
     #   expires_in 3.hours, public: true, must_revalidate: true
     #
     # This method will overwrite an existing Cache-Control header.
-    # See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
+    # See https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
     #
     # The method will also ensure an HTTP Date header for client compatibility.
     def expires_in(seconds, options = {})

data/lib/action_controller/metal/content_security_policy.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module ActionController #:nodoc:
+  module ContentSecurityPolicy
+    # TODO: Documentation
+    extend ActiveSupport::Concern
+
+    include AbstractController::Helpers
+    include AbstractController::Callbacks
+
+    included do
+      helper_method :content_security_policy?
+      helper_method :content_security_policy_nonce
+    end
+
+    module ClassMethods
+      def content_security_policy(enabled = true, **options, &block)
+        before_action(options) do
+          if block_given?
+            policy = current_content_security_policy
+            yield policy
+            request.content_security_policy = policy
+          end
+
+          unless enabled
+            request.content_security_policy = nil
+          end
+        end
+      end
+
+      def content_security_policy_report_only(report_only = true, **options)
+        before_action(options) do
+          request.content_security_policy_report_only = report_only
+        end
+      end
+    end
+
+    private
+
+      def content_security_policy?
+        request.content_security_policy
+      end
+
+      def content_security_policy_nonce
+        request.content_security_policy_nonce
+      end
+
+      def current_content_security_policy
+        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+      end
+  end
+end

data/lib/action_controller/metal/cookies.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController #:nodoc:
   module Cookies
     extend ActiveSupport::Concern

data/lib/action_controller/metal/data_streaming.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_controller/metal/exceptions"
 
 module ActionController #:nodoc:
@@ -54,14 +56,14 @@ module ActionController #:nodoc:
       #
       # Read about the other Content-* HTTP headers if you'd like to
       # provide the user with more information (such as Content-Description) in
-      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11.
       #
       # Also be aware that the document may be cached by proxies and browsers.
       # The Pragma and Cache-Control headers declare how the file may be cached
       # by intermediaries. They default to require clients to validate with
       # the server before releasing cached responses. See
-      # http://www.mnot.net/cache_docs/ for an overview of web caching and
-      # http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
+      # https://www.mnot.net/cache_docs/ for an overview of web caching and
+      # https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9
       # for the Cache-Control header spec.
       def send_file(path, options = {}) #:doc:
         raise MissingFile, "Cannot read file #{path}" unless File.file?(path) && File.readable?(path)
@@ -111,10 +113,10 @@ module ActionController #:nodoc:
       def send_file_headers!(options)
         type_provided = options.has_key?(:type)
 
-        self.content_type = DEFAULT_SEND_FILE_TYPE
+        content_type = options.fetch(:type, DEFAULT_SEND_FILE_TYPE)
+        self.content_type = content_type
         response.sending_file = true
 
-        content_type = options.fetch(:type, DEFAULT_SEND_FILE_TYPE)
         raise ArgumentError, ":type option required" if content_type.nil?
 
         if content_type.is_a?(Symbol)

data/lib/action_controller/metal/etag_with_flash.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # When you're using the flash, it's generally used as a conditional on the view.
   # This means the content of the view depends on the flash. Which in turn means

data/lib/action_controller/metal/etag_with_template_digest.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # When our views change, they should bubble up into HTTP cache freshness
   # and bust browser caches. So the template digest for the current action
@@ -22,8 +24,7 @@ module ActionController
     include ActionController::ConditionalGet
 
     included do
-      class_attribute :etag_with_template_digest
-      self.etag_with_template_digest = true
+      class_attribute :etag_with_template_digest, default: true
 
       ActiveSupport.on_load :action_view, yield: true do
         etag do |options|

data/lib/action_controller/metal/exceptions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   class ActionControllerError < StandardError #:nodoc:
   end
@@ -32,9 +34,6 @@ module ActionController
   class NotImplemented < MethodNotAllowed #:nodoc:
   end
 
-  class UnknownController < ActionControllerError #:nodoc:
-  end
-
   class MissingFile < ActionControllerError #:nodoc:
   end
 

data/lib/action_controller/metal/flash.rb

@@ -1,10 +1,11 @@
+# frozen_string_literal: true
+
 module ActionController #:nodoc:
   module Flash
     extend ActiveSupport::Concern
 
     included do
-      class_attribute :_flash_types, instance_accessor: false
-      self._flash_types = []
+      class_attribute :_flash_types, instance_accessor: false, default: []
 
       delegate :flash, to: :request
       add_flash_types(:alert, :notice)

data/lib/action_controller/metal/force_ssl.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/except"
 require "active_support/core_ext/hash/slice"
 
@@ -37,7 +39,7 @@ module ActionController
       #     end
       #
       # ==== URL Options
-      # You can pass any of the following options to affect the redirect url
+      # You can pass any of the following options to affect the redirect URL
       # * <tt>host</tt>       - Redirect to a different host name
       # * <tt>subdomain</tt>  - Redirect to a different subdomain
       # * <tt>domain</tt>     - Redirect to a different domain
@@ -71,7 +73,7 @@ module ActionController
     # Redirect the existing request to use the HTTPS protocol.
     #
     # ==== Parameters
-    # * <tt>host_or_options</tt> - Either a host name or any of the url and
+    # * <tt>host_or_options</tt> - Either a host name or any of the URL and
     #   redirect options available to the <tt>force_ssl</tt> method.
     def force_ssl_redirect(host_or_options = nil)
       unless request.ssl?

data/lib/action_controller/metal/head.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   module Head
     # Returns a response that has no content (merely headers). The options

data/lib/action_controller/metal/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
   # numbers and model objects, to name a few. These helpers are available to all templates
@@ -53,9 +55,8 @@ module ActionController
     include AbstractController::Helpers
 
     included do
-      class_attribute :helpers_path, :include_all_helpers
-      self.helpers_path ||= []
-      self.include_all_helpers = true
+      class_attribute :helpers_path, default: []
+      class_attribute :include_all_helpers, default: true
     end
 
     module ClassMethods

data/lib/action_controller/metal/http_authentication.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "base64"
 require "active_support/security_utils"
 
@@ -70,10 +72,10 @@ module ActionController
             before_action(options.except(:name, :password, :realm)) do
               authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
                 # This comparison uses & so that it doesn't short circuit and
-                # uses `variable_size_secure_compare` so that length information
+                # uses `secure_compare` so that length information
                 # isn't leaked.
-                ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
+                ActiveSupport::SecurityUtils.secure_compare(name, options[:name]) &
+                  ActiveSupport::SecurityUtils.secure_compare(password, options[:password])
               end
             end
           end
@@ -246,7 +248,7 @@ module ActionController
       def decode_credentials(header)
         ActiveSupport::HashWithIndifferentAccess[header.to_s.gsub(/^Digest\s+/, "").split(",").map do |pair|
           key, value = pair.split("=", 2)
-          [key.strip, value.to_s.gsub(/^"|"$/, "").delete('\'')]
+          [key.strip, value.to_s.gsub(/^"|"$/, "").delete("'")]
         end]
       end
 
@@ -348,10 +350,7 @@ module ActionController
     #         authenticate_or_request_with_http_token do |token, options|
     #           # Compare the tokens in a time-constant manner, to mitigate
     #           # timing attacks.
-    #           ActiveSupport::SecurityUtils.secure_compare(
-    #             ::Digest::SHA256.hexdigest(token),
-    #             ::Digest::SHA256.hexdigest(TOKEN)
-    #           )
+    #           ActiveSupport::SecurityUtils.secure_compare(token, TOKEN)
     #         end
     #       end
     #   end
@@ -475,7 +474,7 @@ module ActionController
 
       # This removes the <tt>"</tt> characters wrapping the value.
       def rewrite_param_values(array_params)
-        array_params.each { |param| (param[1] || "").gsub! %r/^"|"$/, "" }
+        array_params.each { |param| (param[1] || "".dup).gsub! %r/^"|"$/, "" }
       end
 
       # This method takes an authorization body and splits up the key-value

data/lib/action_controller/metal/implicit_render.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # Handles implicit rendering for a controller action that does not
   # explicitly respond with +render+, +respond_to+, +redirect+, or +head+.

data/lib/action_controller/metal/instrumentation.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "benchmark"
 require "abstract_controller/logger"
 
@@ -81,16 +83,13 @@ module ActionController
     #   def cleanup_view_runtime
     #     super - time_taken_in_something_expensive
     #   end
-    #
-    # :api: plugin
-    def cleanup_view_runtime
+    def cleanup_view_runtime # :doc:
       yield
     end
 
     # Every time after an action is processed, this method is invoked
     # with the payload, so you can add more information.
-    # :api: plugin
-    def append_info_to_payload(payload)
+    def append_info_to_payload(payload) # :doc:
       payload[:view_runtime] = view_runtime
     end
 
@@ -98,7 +97,6 @@ module ActionController
       # A hook which allows other frameworks to log what happened during
       # controller process action. This method should return an array
       # with the messages to be added.
-      # :api: plugin
       def log_process_action(payload) #:nodoc:
         messages, view_runtime = [], payload[:view_runtime]
         messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime

data/lib/action_controller/metal/live.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/http/response"
 require "delegate"
 require "active_support/json"
@@ -295,7 +297,7 @@ module ActionController
       return unless logger
 
       logger.fatal do
-        message = "\n#{exception.class} (#{exception.message}):\n"
+        message = "\n#{exception.class} (#{exception.message}):\n".dup
         message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
         message << "  " << exception.backtrace.join("\n  ")
         "#{message}\n\n"

data/lib/action_controller/metal/mime_responds.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "abstract_controller/collector"
 
 module ActionController #:nodoc:
@@ -182,7 +184,7 @@ module ActionController #:nodoc:
     #   request.variant = [:tablet, :phone]
     #
     # This will work similarly to formats and MIME types negotiation. If there
-    # is no +:tablet+ variant declared, +:phone+ variant will be picked:
+    # is no +:tablet+ variant declared, the +:phone+ variant will be used:
     #
     #   respond_to do |format|
     #     format.html.none

data/lib/action_controller/metal/parameter_encoding.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionController
   # Specify binary encoding for parameters for a given action.
   module ParameterEncoding

data/lib/action_controller/metal/params_wrapper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/slice"
 require "active_support/core_ext/hash/except"
 require "active_support/core_ext/module/anonymous"
@@ -91,7 +93,7 @@ module ActionController
       end
 
       def model
-        super || synchronize { super || self.model = _default_wrap_model }
+        super || self.model = _default_wrap_model
       end
 
       def include
@@ -110,6 +112,14 @@ module ActionController
               else
                 self.include = m.attribute_names
               end
+
+              if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
+                self.include += m.nested_attributes_options.keys.map do |key|
+                  key.to_s.dup.concat("_attributes")
+                end
+              end
+
+              self.include
             end
           end
         end
@@ -159,8 +169,7 @@ module ActionController
     end
 
     included do
-      class_attribute :_wrapper_options
-      self._wrapper_options = Options.from_hash(format: [])
+      class_attribute :_wrapper_options, default: Options.from_hash(format: [])
     end
 
     module ClassMethods
@@ -233,12 +242,7 @@ module ActionController
     # by the metal call stack.
     def process_action(*args)
       if _wrapper_enabled?
-        if request.parameters[_wrapper_key].present?
-          wrapped_hash = _extract_parameters(request.parameters)
-        else
-          wrapped_hash = _wrap_parameters request.request_parameters
-        end
-
+        wrapped_hash = _wrap_parameters request.request_parameters
         wrapped_keys = request.request_parameters.keys
         wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
 
@@ -283,7 +287,7 @@ module ActionController
         return false unless request.has_content_type?
 
         ref = request.content_mime_type.ref
-        _wrapper_formats.include?(ref) && _wrapper_key && !request.request_parameters.key?(_wrapper_key)
+        _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
       end
   end
 end