actionpack 5.2.0 → 5.2.1.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7210d67baf838b6439c73d158313c6fc688fd653005214068ca3af0919ddd204
-  data.tar.gz: a4798ec67b96081357d6e4c8c41c014499939328d5844d600c56d6f5a1b8e091
+  metadata.gz: 64edb9594a9442de350c820f190ba694bad46fc2b326ddd91e30a48d09879a6d
+  data.tar.gz: dff86b8fc14dba0af55290f1af2c205d0491ce32ce8ab23c164ec99a34e4756f
 SHA512:
-  metadata.gz: 9f136ee0d9b4ab35c7e5475d3424a9417428e0920065ac4af34c7de15b85a74d9b0edc80e966ca485ad572c04c1540fea665b0bd61c2dc267ad682efc67ce630
-  data.tar.gz: 4cbe8646e8ecd95f1fcaa92badfe7f854593950501a4148236ff304fc62ee97317428733c16e7db38daaae2a1b2543f632e19d219543ad8cdbaa5f80cb019923
+  metadata.gz: 582f4a5f98828afc8026dd93d5a173a2afd22c65839dda2c16009fcf118a3a53f2c82f2cbd20360fc6ca31d3da77d6fe9915b29497084a78de7671d3b23d735a
+  data.tar.gz: 89d4b50b7c3f4dabbd5348bbd75687579838e182a5ecbf621a4d40d6605aa784f240f2a095931a77ef99be5c1a79bad315c3944ea0abf96804161a254ca25b8f

data/CHANGELOG.md

@@ -1,3 +1,58 @@
+## Rails 5.2.1.rc1 (July 30, 2018) ##
+
+*   Prevent `?null=` being passed on JSON encoded test requests.
+
+    `RequestEncoder#encode_params` won't attempt to parse params if
+    there are none.
+
+    So call like this will no longer append a `?null=` query param.
+
+        get foos_url, as: :json
+
+    *Alireza Bashiri*
+
+*   Ensure `ActionController::Parameters#transform_values` and
+    `ActionController::Parameters#transform_values!` converts hashes into
+    parameters.
+
+    *Kevin Sjöberg*
+
+*   Fix strong parameters `permit!` with nested arrays.
+
+    Given:
+    ```
+    params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
+    params.permit!
+    ```
+
+    `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
+
+    *Steve Hull*
+
+*   Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
+    `ActionController::TestCase` subclasses.
+
+    *Eugene Kenny*
+
+*   Output only one Content-Security-Policy nonce header value per request.
+
+    Fixes #32597.
+
+    *Andrey Novikov*, *Andrew White*
+
+*   Only disable GPUs for headless Chrome on Windows.
+
+    It is not necessary anymore for Linux and macOS machines.
+
+    https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
+
+    *Stefan Wrobel*
+
+*   Fix system tests transactions not closed between examples.
+
+    *Sergey Tarasov*
+
+
 ## Rails 5.2.0 (April 09, 2018) ##
 
 *   Check exclude before flagging cookies as secure.

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -418,7 +418,7 @@ module ActionController #:nodoc:
 
       NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc
         The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
-        means you have the 'no-referrer' Referrer-Policy header enabled, or that you the request came from a site that
+        means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
         refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
         best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
         If you cannot change the referrer policy, you can disable origin checking with the

data/lib/action_controller/metal/strong_parameters.rb

@@ -375,7 +375,7 @@ module ActionController
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def permit!
       each_pair do |key, value|
-        Array.wrap(value).each do |v|
+        Array.wrap(value).flatten.each do |v|
           v.permit! if v.respond_to? :permit!
         end
       end
@@ -561,12 +561,14 @@ module ActionController
     # Returns a parameter for the given +key+. If the +key+
     # can't be found, there are several options: With no other arguments,
     # it will raise an <tt>ActionController::ParameterMissing</tt> error;
-    # if more arguments are given, then that will be returned; if a block
+    # if a second argument is given, then that is returned (converted to an
+    # instance of ActionController::Parameters if possible); if a block
     # is given, then that will be run and its result returned.
     #
     #   params = ActionController::Parameters.new(person: { name: "Francesco" })
     #   params.fetch(:person)               # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #   params.fetch(:none)                 # => ActionController::ParameterMissing: param is missing or the value is empty: none
+    #   params.fetch(:none, {})             # => <ActionController::Parameters {} permitted: false>
     #   params.fetch(:none, "Francesco")    # => "Francesco"
     #   params.fetch(:none) { "Francesco" } # => "Francesco"
     def fetch(key, *args)
@@ -592,7 +594,8 @@ module ActionController
       #   params2 = ActionController::Parameters.new(foo: [10, 11, 12])
       #   params2.dig(:foo, 1) # => 11
       def dig(*keys)
-        convert_value_to_parameters(@parameters.dig(*keys))
+        convert_hashes_to_parameters(keys.first, @parameters[keys.first])
+        @parameters.dig(*keys)
       end
     end
 
@@ -639,20 +642,18 @@ module ActionController
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
     #   params.transform_values { |x| x * 2 }
     #   # => <ActionController::Parameters {"a"=>2, "b"=>4, "c"=>6} permitted: false>
-    def transform_values(&block)
-      if block
-        new_instance_with_inherited_permitted_status(
-          @parameters.transform_values(&block)
-        )
-      else
-        @parameters.transform_values
-      end
+    def transform_values
+      return to_enum(:transform_values) unless block_given?
+      new_instance_with_inherited_permitted_status(
+        @parameters.transform_values { |v| yield convert_value_to_parameters(v) }
+      )
     end
 
     # Performs values transformation and returns the altered
     # <tt>ActionController::Parameters</tt> instance.
-    def transform_values!(&block)
-      @parameters.transform_values!(&block)
+    def transform_values!
+      return to_enum(:transform_values!) unless block_given?
+      @parameters.transform_values! { |v| yield convert_value_to_parameters(v) }
       self
     end
 

data/lib/action_controller/test_case.rb

@@ -460,10 +460,6 @@ module ActionController
       def process(action, method: "GET", params: {}, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
 
-        if body
-          @request.set_header "RAW_POST_DATA", body
-        end
-
         http_method = method.to_s.upcase
 
         @html_document = nil
@@ -478,6 +474,10 @@ module ActionController
         @response.request = @request
         @controller.recycle!
 
+        if body
+          @request.set_header "RAW_POST_DATA", body
+        end
+
         @request.set_header "REQUEST_METHOD", http_method
 
         if as
@@ -604,6 +604,8 @@ module ActionController
           env.delete "action_dispatch.request.query_parameters"
           env.delete "action_dispatch.request.request_parameters"
           env["rack.input"] = StringIO.new
+          env.delete "CONTENT_LENGTH"
+          env.delete "RAW_POST_DATA"
           env
         end
 

data/lib/action_dispatch/http/content_security_policy.rb

@@ -21,13 +21,8 @@ module ActionDispatch #:nodoc:
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
-          if policy.directives["script-src"]
-            if nonce = request.content_security_policy_nonce
-              policy.directives["script-src"] << "'nonce-#{nonce}'"
-            end
-          end
-
-          headers[header_name(request)] = policy.build(request.controller_instance)
+          nonce = request.content_security_policy_nonce
+          headers[header_name(request)] = policy.build(request.controller_instance, nonce)
         end
 
         response
@@ -113,7 +108,9 @@ module ActionDispatch #:nodoc:
       blob:           "blob:",
       filesystem:     "filesystem:",
       report_sample:  "'report-sample'",
-      strict_dynamic: "'strict-dynamic'"
+      strict_dynamic: "'strict-dynamic'",
+      ws:             "ws:",
+      wss:            "wss:"
     }.freeze
 
     DIRECTIVES = {
@@ -134,7 +131,9 @@ module ActionDispatch #:nodoc:
       worker_src:      "worker-src"
     }.freeze
 
-    private_constant :MAPPINGS, :DIRECTIVES
+    NONCE_DIRECTIVES = %w[script-src].freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
 
     attr_reader :directives
 
@@ -203,8 +202,8 @@ module ActionDispatch #:nodoc:
       end
     end
 
-    def build(context = nil)
-      build_directives(context).compact.join("; ")
+    def build(context = nil, nonce = nil)
+      build_directives(context, nonce).compact.join("; ")
     end
 
     private
@@ -227,10 +226,14 @@ module ActionDispatch #:nodoc:
         end
       end
 
-      def build_directives(context)
+      def build_directives(context, nonce)
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
-            "#{directive} #{build_directive(sources, context).join(' ')}"
+            if nonce && nonce_directive?(directive)
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+            else
+              "#{directive} #{build_directive(sources, context).join(' ')}"
+            end
           elsif sources
             directive
           else
@@ -259,5 +262,9 @@ module ActionDispatch #:nodoc:
           raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"
         end
       end
+
+      def nonce_directive?(directive)
+        NONCE_DIRECTIVES.include?(directive)
+      end
   end
 end

data/lib/action_dispatch/journey/routes.rb

@@ -51,11 +51,12 @@ module ActionDispatch
       def ast
         @ast ||= begin
           asts = anchored_routes.map(&:ast)
-          Nodes::Or.new(asts) unless asts.empty?
+          Nodes::Or.new(asts)
         end
       end
 
       def simulator
+        return if ast.nil?
         @simulator ||= begin
           gtg = GTG::Builder.new(ast).transition_table
           GTG::Simulator.new(gtg)

data/lib/action_dispatch/middleware/flash.rb

@@ -73,7 +73,7 @@ module ActionDispatch
         end
       end
 
-      def reset_session # :nodoc
+      def reset_session # :nodoc:
         super
         self.flash = nil
       end

data/lib/action_dispatch/middleware/static.rb

@@ -16,7 +16,7 @@ module ActionDispatch
   # does not exist, a 404 "File not Found" response will be returned.
   class FileHandler
     def initialize(root, index: "index", headers: {})
-      @root          = root.chomp("/")
+      @root          = root.chomp("/").b
       @file_server   = ::Rack::File.new(@root, headers)
       @index         = index
     end
@@ -35,7 +35,7 @@ module ActionDispatch
       paths = [path, "#{path}#{ext}", "#{path}/#{@index}#{ext}"]
 
       if match = paths.detect { |p|
-        path = File.join(@root, p.dup.force_encoding(Encoding::UTF_8))
+        path = File.join(@root, p.b)
         begin
           File.file?(path) && File.readable?(path)
         rescue SystemCallError
@@ -43,7 +43,7 @@ module ActionDispatch
         end
 
       }
-        return ::Rack::Utils.escape_path(match)
+        return ::Rack::Utils.escape_path(match).b
       end
     end
 
@@ -90,8 +90,8 @@ module ActionDispatch
       def gzip_file_path(path)
         can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
         gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path)))
-          gzip_path
+        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path).b))
+          gzip_path.b
         else
           false
         end

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -10,7 +10,7 @@
 <div id="container">
   <h2>
     <%= h @exception.message %>
-    <% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+    <% if %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}.match?(@exception.message) %>
       <br />To resolve this issue run: bin/rails active_storage:install
     <% end %>
   </h2>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -4,7 +4,7 @@
 <% end %>
 
 <%= @exception.message %>
-<% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+<% if %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}.match?(@exception.message) %>
 To resolve this issue run: bin/rails active_storage:install
 <% end %>
 

data/lib/action_dispatch/routing/mapper.rb

@@ -664,6 +664,7 @@ module ActionDispatch
           def define_generate_prefix(app, name)
             _route = @set.named_routes.get name
             _routes = @set
+            _url_helpers = @set.url_helpers
 
             script_namer = ->(options) do
               prefix_options = options.slice(*_route.segment_keys)
@@ -675,7 +676,7 @@ module ActionDispatch
 
               # We must actually delete prefix segment keys to avoid passing them to next url_for.
               _route.segment_keys.each { |k| options.delete(k) }
-              _routes.url_helpers.send("#{name}_path", prefix_options)
+              _url_helpers.send("#{name}_path", prefix_options)
             end
 
             app.routes.define_mounted_helper(name, script_namer)

data/lib/action_dispatch/routing/url_for.rb

@@ -204,7 +204,7 @@ module ActionDispatch
       #   end
       #
       # This maintains the context of the original caller on
-      # whether to return a path or full url, e.g:
+      # whether to return a path or full URL, e.g:
       #
       #   threadable_path(threadable)  # => "/buckets/1"
       #   threadable_url(threadable)   # => "http://example.com/buckets/1"

data/lib/action_dispatch/system_test_case.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-gem "capybara", ">= 2.15", "< 4.0"
+gem "capybara", ">= 2.15"
 
 require "capybara/dsl"
 require "capybara/minitest"

data/lib/action_dispatch/system_testing/browser.rb

@@ -33,7 +33,7 @@ module ActionDispatch
         def headless_chrome_browser_options
           options = Selenium::WebDriver::Chrome::Options.new
           options.args << "--headless"
-          options.args << "--disable-gpu"
+          options.args << "--disable-gpu" if Gem.win_platform?
 
           options
         end

data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb

@@ -19,6 +19,7 @@ module ActionDispatch
         def after_teardown
           take_failed_screenshot
           Capybara.reset_sessions!
+        ensure
           super
         end
       end

data/lib/action_dispatch/testing/request_encoder.rb

@@ -34,7 +34,7 @@ module ActionDispatch
     end
 
     def encode_params(params)
-      @param_encoder.call(params)
+      @param_encoder.call(params) if params
     end
 
     def self.parser(content_type)

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 5
     MINOR = 2
-    TINY  = 0
-    PRE   = nil
+    TINY  = 1
+    PRE   = "rc1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.2.0
+  version: 5.2.1.rc1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-09 00:00:00.000000000 Z
+date: 2018-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0
+        version: 5.2.1.rc1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -293,8 +293,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.0/actionpack
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.0/actionpack/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.1.rc1/actionpack
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.1.rc1/actionpack/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -306,13 +306,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.3
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).