actionpack 5.2.0.rc1 → 5.2.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 252948a97023ff044a61ba6b4eace0810b36e6ed5b01687cdc402af4125c79b6
-  data.tar.gz: 16b93ec8e09990a9db1d0073c2836a0766fe7457b7c3d8671988421860bc6704
+  metadata.gz: be25f732c4dc857ef43fc18191e3e301a79e8d2ba7180d41835e9f4e45039c33
+  data.tar.gz: 729cf837049928a5242dffe6b5813f15d1d815f45adea221a5f9085db1a43dc4
 SHA512:
-  metadata.gz: a148db40d3edfe126926e6866ce0167083f2adbaafb5d1144e32784cb51c80f344a5e28b957577cd0b51653505c6318620107047d02e77c5758f2869932a30b9
-  data.tar.gz: 1e26f9ccc1bc7e7e2f1cff24486c1f1a2c84971004023758a50cd3907ad1ab44ebf244ec48d4af9886b7f885c7792715736c601affed74d68a29c680463914b7
+  metadata.gz: 61fc74b5642072debdd41474e99abd83dc29380f46042596f77b469d8757368e20cb228e37ce898a683be9a79193b355c15dc36536f7ca51712b48b91d0e9390
+  data.tar.gz: 8e91bd18e519108f6de49f20147600128020b51da0b341c22bdbaecd0fc8a244263fe89ae0f77a33e7a23584f97c44480b4267f228a0c2c031eb5e1c134a7b30

data/CHANGELOG.md

@@ -1,3 +1,67 @@
+## Rails 5.2.0.rc2 (March 20, 2018) ##
+
+*   Check exclude before flagging cookies as secure.
+
+    *Catherine Khuu*
+
+*   Always yield a CSP policy instance from `content_security_policy`
+
+    This allows a controller action to enable the policy individually
+    for a controller and/or specific actions.
+
+    *Andrew White*
+
+*   Add the ability to disable the global CSP in a controller, e.g:
+
+        class LegacyPagesController < ApplicationController
+          content_security_policy false, only: :index
+        end
+
+    *Andrew White*
+
+*   Add alias method `to_hash` to `to_h` for `cookies`.
+    Add alias method `to_h` to `to_hash` for `session`.
+
+    *Igor Kasyanchuk*
+
+*   Update the default HSTS max-age value to 31536000 seconds (1 year)
+    to meet the minimum max-age requirement for https://hstspreload.org/.
+
+    *Grant Bourque*
+
+*   Add support for automatic nonce generation for Rails UJS.
+
+    Because the UJS library creates a script tag to process responses it
+    normally requires the script-src attribute of the content security
+    policy to include 'unsafe-inline'.
+
+    To work around this we generate a per-request nonce value that is
+    embedded in a meta tag in a similar fashion to how CSRF protection
+    embeds its token in a meta tag. The UJS library can then read the
+    nonce value and set it on the dynamically generated script tag to
+    enable it to execute without needing 'unsafe-inline' enabled.
+
+    Nonce generation isn't 100% safe - if your script tag is including
+    user generated content in someway then it may be possible to exploit
+    an XSS vulnerability which can take advantage of the nonce. It is
+    however an improvement on a blanket permission for inline scripts.
+
+    It is also possible to use the nonce within your own script tags by
+    using `nonce: true` to set the nonce value on the tag, e.g
+
+        <%= javascript_tag nonce: true do %>
+          alert('Hello, World!');
+        <% end %>
+
+    Fixes #31689.
+
+    *Andrew White*
+
+*   Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
+
+    *Dominic Cleal*
+
+
 ## Rails 5.2.0.rc1 (January 30, 2018) ##
 
 *   Add `Referrer-Policy` header to default headers set.
@@ -34,7 +98,7 @@
 
     *Guillermo Iguaran*
 
-*   Fix optimized url helpers when using relative url root
+*   Fix optimized url helpers when using relative url root.
 
     Fixes #31220.
 
@@ -48,7 +112,7 @@
 
 ## Rails 5.2.0.beta1 (November 27, 2017) ##
 
-*   Add DSL for configuring Content-Security-Policy header
+*   Add DSL for configuring Content-Security-Policy header.
 
     The DSL allows you to configure a global Content-Security-Policy
     header and then override within a controller. For more information
@@ -100,7 +164,7 @@
 
         # controller override
         class PostsController < ApplicationController
-          self.content_security_policy_report_only = true
+          content_security_policy_report_only only: :index
         end
 
     Note that this feature does not validate the header for performance
@@ -108,7 +172,7 @@
 
     *Andrew White*
 
-*   Make `assert_recognizes` to traverse mounted engines
+*   Make `assert_recognizes` to traverse mounted engines.
 
     *Yuichiro Kaneko*
 

data/README.rdoc

@@ -32,7 +32,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionpack
+* https://github.com/rails/rails/tree/5-2-stable/actionpack
 
 
 == License

data/lib/action_controller/metal/content_security_policy.rb

@@ -5,14 +5,26 @@ module ActionController #:nodoc:
     # TODO: Documentation
     extend ActiveSupport::Concern
 
+    include AbstractController::Helpers
+    include AbstractController::Callbacks
+
+    included do
+      helper_method :content_security_policy?
+      helper_method :content_security_policy_nonce
+    end
+
     module ClassMethods
-      def content_security_policy(**options, &block)
+      def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
-            policy = request.content_security_policy.clone
+            policy = current_content_security_policy
             yield policy
             request.content_security_policy = policy
           end
+
+          unless enabled
+            request.content_security_policy = nil
+          end
         end
       end
 
@@ -22,5 +34,19 @@ module ActionController #:nodoc:
         end
       end
     end
+
+    private
+
+      def content_security_policy?
+        request.content_security_policy
+      end
+
+      def content_security_policy_nonce
+        request.content_security_policy_nonce
+      end
+
+      def current_content_security_policy
+        request.content_security_policy.try(:clone) || ActionDispatch::ContentSecurityPolicy.new
+      end
   end
 end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -21,6 +21,12 @@ module ActionDispatch #:nodoc:
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
+          if policy.directives["script-src"]
+            if nonce = request.content_security_policy_nonce
+              policy.directives["script-src"] << "'nonce-#{nonce}'"
+            end
+          end
+
           headers[header_name(request)] = policy.build(request.controller_instance)
         end
 
@@ -51,6 +57,8 @@ module ActionDispatch #:nodoc:
     module Request
       POLICY = "action_dispatch.content_security_policy".freeze
       POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator".freeze
+      NONCE = "action_dispatch.content_security_policy_nonce".freeze
 
       def content_security_policy
         get_header(POLICY)
@@ -67,6 +75,30 @@ module ActionDispatch #:nodoc:
       def content_security_policy_report_only=(value)
         set_header(POLICY_REPORT_ONLY, value)
       end
+
+      def content_security_policy_nonce_generator
+        get_header(NONCE_GENERATOR)
+      end
+
+      def content_security_policy_nonce_generator=(generator)
+        set_header(NONCE_GENERATOR, generator)
+      end
+
+      def content_security_policy_nonce
+        if content_security_policy_nonce_generator
+          if nonce = get_header(NONCE)
+            nonce
+          else
+            set_header(NONCE, generate_content_security_policy_nonce)
+          end
+        end
+      end
+
+      private
+
+        def generate_content_security_policy_nonce
+          content_security_policy_nonce_generator.call(self)
+        end
     end
 
     MAPPINGS = {
@@ -172,7 +204,7 @@ module ActionDispatch #:nodoc:
     end
 
     def build(context = nil)
-      build_directives(context).compact.join("; ") + ";"
+      build_directives(context).compact.join("; ")
     end
 
     private

data/lib/action_dispatch/middleware/cookies.rb

@@ -338,6 +338,9 @@ module ActionDispatch
       end
       alias :has_key? :key?
 
+      # Returns the cookies as Hash.
+      alias :to_hash :to_h
+
       def update(other_hash)
         @cookies.update other_hash.stringify_keys
         self
@@ -487,10 +490,14 @@ module ActionDispatch
 
       private
         def expiry_options(options)
-          if options[:expires].respond_to?(:from_now)
-            { expires_in: options[:expires] }
+          if request.use_authenticated_cookie_encryption
+            if options[:expires].respond_to?(:from_now)
+              { expires_in: options[:expires] }
+            else
+              { expires_at: options[:expires] }
+            end
           else
-            { expires_at: options[:expires] }
+            {}
           end
         end
 

data/lib/action_dispatch/middleware/ssl.rb

@@ -15,6 +15,8 @@ module ActionDispatch
   #
   #      config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
   #
+  #    Cookies will not be flagged as secure for excluded requests.
+  #
   # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
   #    must not be sent along with +http://+ requests. Enabled by default. Set
   #    +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
@@ -26,8 +28,8 @@ module ActionDispatch
   #    Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS:
   #
   #    * +expires+: How long, in seconds, these settings will stick. The minimum
-  #      required to qualify for browser preload lists is 18 weeks. Defaults to
-  #      180 days (recommended).
+  #      required to qualify for browser preload lists is 1 year. Defaults to
+  #      1 year (recommended).
   #
   #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
   #      to all subdomains. This protects your cookies from interception by a
@@ -47,9 +49,8 @@ module ActionDispatch
   class SSL
     # :stopdoc:
 
-    # Default to 180 days, the low end for https://www.ssllabs.com/ssltest/
-    # and greater than the 18-week requirement for browser preload lists.
-    HSTS_EXPIRES_IN = 15552000
+    # Default to 1 year, the minimum for browser preload lists.
+    HSTS_EXPIRES_IN = 31536000
 
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
@@ -72,7 +73,7 @@ module ActionDispatch
       if request.ssl?
         @app.call(env).tap do |status, headers, body|
           set_hsts_header! headers
-          flag_cookies_as_secure! headers if @secure_cookies
+          flag_cookies_as_secure! headers if @secure_cookies && !@exclude.call(request)
         end
       else
         return redirect_to_https request unless @exclude.call(request)

data/lib/action_dispatch/request/session.rb

@@ -130,6 +130,7 @@ module ActionDispatch
         load_for_read!
         @delegate.dup.delete_if { |_, v| v.nil? }
       end
+      alias :to_h :to_hash
 
       # Updates the session with given Hash.
       #

data/lib/action_dispatch/routing/route_set.rb

@@ -855,7 +855,7 @@ module ActionDispatch
         recognize_path_with_request(req, path, extras)
       end
 
-      def recognize_path_with_request(req, path, extras)
+      def recognize_path_with_request(req, path, extras, raise_on_missing: true)
         @router.recognize(req) do |route, params|
           params.merge!(extras)
           params.each do |key, value|
@@ -875,12 +875,14 @@ module ActionDispatch
 
             return req.path_parameters
           elsif app.matches?(req) && app.engine?
-            path_parameters = app.rack_app.routes.recognize_path_with_request(req, path, extras)
-            return path_parameters
+            path_parameters = app.rack_app.routes.recognize_path_with_request(req, path, extras, raise_on_missing: false)
+            return path_parameters if path_parameters
           end
         end
 
-        raise ActionController::RoutingError, "No route matches #{path.inspect}"
+        if raise_on_missing
+          raise ActionController::RoutingError, "No route matches #{path.inspect}"
+        end
       end
     end
     # :startdoc:

data/lib/action_dispatch/routing/url_for.rb

@@ -191,7 +191,25 @@ module ActionDispatch
         end
       end
 
-      def route_for(name, *args) # :nodoc:
+      # Allows calling direct or regular named route.
+      #
+      #   resources :buckets
+      #
+      #   direct :recordable do |recording|
+      #     route_for(:bucket, recording.bucket)
+      #   end
+      #
+      #   direct :threadable do |threadable|
+      #     route_for(:recordable, threadable.parent)
+      #   end
+      #
+      # This maintains the context of the original caller on
+      # whether to return a path or full url, e.g:
+      #
+      #   threadable_path(threadable)  # => "/buckets/1"
+      #   threadable_url(threadable)   # => "http://example.com/buckets/1"
+      #
+      def route_for(name, *args)
         public_send(:"#{name}_url", *args)
       end
 

data/lib/action_dispatch/system_test_case.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-gem "capybara", "~> 2.15"
+gem "capybara", ">= 2.15", "< 4.0"
 
 require "capybara/dsl"
 require "capybara/minitest"

data/lib/action_pack/gem_version.rb

@@ -10,7 +10,7 @@ module ActionPack
     MAJOR = 5
     MINOR = 2
     TINY  = 0
-    PRE   = "rc1"
+    PRE   = "rc2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.2.0.rc1
+  version: 5.2.0.rc2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-01-30 00:00:00.000000000 Z
+date: 2018-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -293,8 +293,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.0.rc1/actionpack
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.0.rc1/actionpack/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.0.rc2/actionpack
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.0.rc2/actionpack/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -312,7 +312,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).