actionpack 5.2.4.4 → 6.1.1

Files changed (155)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +264 -322
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +4 -3
  5. data/lib/abstract_controller.rb +1 -0
  6. data/lib/abstract_controller/base.rb +38 -4
  7. data/lib/abstract_controller/caching.rb +1 -1
  8. data/lib/abstract_controller/caching/fragments.rb +6 -22
  9. data/lib/abstract_controller/callbacks.rb +14 -2
  10. data/lib/abstract_controller/collector.rb +1 -2
  11. data/lib/abstract_controller/helpers.rb +106 -90
  12. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  13. data/lib/abstract_controller/rendering.rb +9 -9
  14. data/lib/abstract_controller/translation.rb +11 -5
  15. data/lib/action_controller.rb +7 -4
  16. data/lib/action_controller/api.rb +4 -3
  17. data/lib/action_controller/base.rb +6 -9
  18. data/lib/action_controller/caching.rb +1 -3
  19. data/lib/action_controller/log_subscriber.rb +10 -7
  20. data/lib/action_controller/metal.rb +10 -8
  21. data/lib/action_controller/metal/basic_implicit_render.rb +1 -1
  22. data/lib/action_controller/metal/conditional_get.rb +19 -5
  23. data/lib/action_controller/metal/content_security_policy.rb +1 -2
  24. data/lib/action_controller/metal/cookies.rb +3 -1
  25. data/lib/action_controller/metal/data_streaming.rb +6 -7
  26. data/lib/action_controller/metal/default_headers.rb +17 -0
  27. data/lib/action_controller/metal/etag_with_template_digest.rb +3 -5
  28. data/lib/action_controller/metal/exceptions.rb +56 -2
  29. data/lib/action_controller/metal/flash.rb +5 -5
  30. data/lib/action_controller/metal/head.rb +7 -4
  31. data/lib/action_controller/metal/helpers.rb +14 -5
  32. data/lib/action_controller/metal/http_authentication.rb +24 -23
  33. data/lib/action_controller/metal/implicit_render.rb +5 -15
  34. data/lib/action_controller/metal/instrumentation.rb +13 -14
  35. data/lib/action_controller/metal/live.rb +30 -32
  36. data/lib/action_controller/metal/logging.rb +20 -0
  37. data/lib/action_controller/metal/mime_responds.rb +19 -4
  38. data/lib/action_controller/metal/parameter_encoding.rb +35 -4
  39. data/lib/action_controller/metal/params_wrapper.rb +31 -22
  40. data/lib/action_controller/metal/permissions_policy.rb +46 -0
  41. data/lib/action_controller/metal/redirecting.rb +6 -6
  42. data/lib/action_controller/metal/renderers.rb +4 -4
  43. data/lib/action_controller/metal/rendering.rb +8 -3
  44. data/lib/action_controller/metal/request_forgery_protection.rb +62 -34
  45. data/lib/action_controller/metal/rescue.rb +1 -1
  46. data/lib/action_controller/metal/streaming.rb +0 -1
  47. data/lib/action_controller/metal/strong_parameters.rb +167 -58
  48. data/lib/action_controller/metal/url_for.rb +1 -1
  49. data/lib/action_controller/railties/helpers.rb +1 -1
  50. data/lib/action_controller/renderer.rb +37 -13
  51. data/lib/action_controller/template_assertions.rb +1 -1
  52. data/lib/action_controller/test_case.rb +70 -65
  53. data/lib/action_dispatch.rb +9 -3
  54. data/lib/action_dispatch/http/cache.rb +26 -21
  55. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  56. data/lib/action_dispatch/http/content_security_policy.rb +33 -19
  57. data/lib/action_dispatch/http/filter_parameters.rb +9 -8
  58. data/lib/action_dispatch/http/filter_redirect.rb +2 -3
  59. data/lib/action_dispatch/http/headers.rb +4 -4
  60. data/lib/action_dispatch/http/mime_negotiation.rb +26 -13
  61. data/lib/action_dispatch/http/mime_type.rb +42 -23
  62. data/lib/action_dispatch/http/parameters.rb +14 -23
  63. data/lib/action_dispatch/http/permissions_policy.rb +173 -0
  64. data/lib/action_dispatch/http/request.rb +45 -22
  65. data/lib/action_dispatch/http/response.rb +45 -25
  66. data/lib/action_dispatch/http/upload.rb +9 -1
  67. data/lib/action_dispatch/http/url.rb +82 -82
  68. data/lib/action_dispatch/journey.rb +0 -2
  69. data/lib/action_dispatch/journey/formatter.rb +54 -30
  70. data/lib/action_dispatch/journey/gtg/builder.rb +22 -37
  71. data/lib/action_dispatch/journey/gtg/simulator.rb +8 -7
  72. data/lib/action_dispatch/journey/gtg/transition_table.rb +6 -5
  73. data/lib/action_dispatch/journey/nfa/dot.rb +0 -11
  74. data/lib/action_dispatch/journey/nodes/node.rb +13 -11
  75. data/lib/action_dispatch/journey/parser.rb +13 -13
  76. data/lib/action_dispatch/journey/parser.y +1 -1
  77. data/lib/action_dispatch/journey/path/pattern.rb +19 -21
  78. data/lib/action_dispatch/journey/route.rb +10 -20
  79. data/lib/action_dispatch/journey/router.rb +26 -34
  80. data/lib/action_dispatch/journey/router/utils.rb +14 -12
  81. data/lib/action_dispatch/journey/routes.rb +0 -2
  82. data/lib/action_dispatch/journey/scanner.rb +10 -4
  83. data/lib/action_dispatch/journey/visitors.rb +1 -4
  84. data/lib/action_dispatch/middleware/actionable_exceptions.rb +46 -0
  85. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  86. data/lib/action_dispatch/middleware/cookies.rb +128 -109
  87. data/lib/action_dispatch/middleware/debug_exceptions.rb +43 -66
  88. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  89. data/lib/action_dispatch/middleware/debug_view.rb +66 -0
  90. data/lib/action_dispatch/middleware/exception_wrapper.rb +75 -30
  91. data/lib/action_dispatch/middleware/flash.rb +1 -1
  92. data/lib/action_dispatch/middleware/host_authorization.rb +121 -0
  93. data/lib/action_dispatch/middleware/public_exceptions.rb +6 -3
  94. data/lib/action_dispatch/middleware/remote_ip.rb +14 -16
  95. data/lib/action_dispatch/middleware/request_id.rb +5 -6
  96. data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -3
  97. data/lib/action_dispatch/middleware/session/cookie_store.rb +3 -9
  98. data/lib/action_dispatch/middleware/show_exceptions.rb +3 -2
  99. data/lib/action_dispatch/middleware/ssl.rb +20 -15
  100. data/lib/action_dispatch/middleware/stack.rb +56 -2
  101. data/lib/action_dispatch/middleware/static.rb +153 -93
  102. data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb +13 -0
  103. data/lib/action_dispatch/middleware/templates/rescues/_actions.text.erb +0 -0
  104. data/lib/action_dispatch/middleware/templates/rescues/_message_and_suggestions.html.erb +22 -0
  105. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb +3 -1
  106. data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +1 -1
  107. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  108. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  109. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  110. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  111. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +23 -4
  112. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +1 -1
  113. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +6 -3
  114. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +3 -1
  115. data/lib/action_dispatch/middleware/templates/rescues/layout.erb +104 -8
  116. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  117. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  118. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  119. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  120. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  121. data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb +1 -1
  122. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +24 -1
  123. data/lib/action_dispatch/railtie.rb +8 -2
  124. data/lib/action_dispatch/request/session.rb +10 -9
  125. data/lib/action_dispatch/request/utils.rb +26 -2
  126. data/lib/action_dispatch/routing.rb +21 -20
  127. data/lib/action_dispatch/routing/inspector.rb +100 -52
  128. data/lib/action_dispatch/routing/mapper.rb +155 -103
  129. data/lib/action_dispatch/routing/polymorphic_routes.rb +13 -15
  130. data/lib/action_dispatch/routing/redirection.rb +3 -3
  131. data/lib/action_dispatch/routing/route_set.rb +71 -69
  132. data/lib/action_dispatch/routing/url_for.rb +2 -2
  133. data/lib/action_dispatch/system_test_case.rb +54 -11
  134. data/lib/action_dispatch/system_testing/browser.rb +53 -16
  135. data/lib/action_dispatch/system_testing/driver.rb +11 -3
  136. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +49 -7
  137. data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +8 -10
  138. data/lib/action_dispatch/testing/assertion_response.rb +0 -1
  139. data/lib/action_dispatch/testing/assertions.rb +1 -1
  140. data/lib/action_dispatch/testing/assertions/response.rb +4 -7
  141. data/lib/action_dispatch/testing/assertions/routing.rb +20 -8
  142. data/lib/action_dispatch/testing/integration.rb +61 -28
  143. data/lib/action_dispatch/testing/request_encoder.rb +2 -2
  144. data/lib/action_dispatch/testing/test_process.rb +29 -4
  145. data/lib/action_dispatch/testing/test_request.rb +3 -3
  146. data/lib/action_dispatch/testing/test_response.rb +4 -32
  147. data/lib/action_pack.rb +1 -1
  148. data/lib/action_pack/gem_version.rb +4 -4
  149. metadata +38 -26
  150. data/lib/action_controller/metal/force_ssl.rb +0 -99
  151. data/lib/action_dispatch/http/parameter_filter.rb +0 -86
  152. data/lib/action_dispatch/journey/nfa/builder.rb +0 -78
  153. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -49
  154. data/lib/action_dispatch/journey/nfa/transition_table.rb +0 -120
  155. data/lib/action_dispatch/system_testing/test_helpers/undef_methods.rb +0 -26
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: '0581fd2c86192b6ffd29f90a71d0da4aaf9d3040398cb841440102bec565ebf7'
4
- data.tar.gz: d5957327e6b31e0bb9c0427382ead54bb8a6e8939400a5c3e81c7b2de32cad58
3
+ metadata.gz: 3813bd7e46eeb386962cafd48601aace5759055c9311cc47e79706458e4d8723
4
+ data.tar.gz: 9b1c73e829be328eff697fb0472c2917516a7956db547e6f364c1fa194a49cd1
5
5
  SHA512:
6
- metadata.gz: 910806a975bc0a799af4b6cd093a8f1da502d58aaf0903f4ce031b20da8cd16cb803b14ae575ab14cbd65b55a393cc8c0420861cf36547a9d59acde1f03857df
7
- data.tar.gz: 7a373c8ddedb72c5a7933c85f809b850396c8daba7bdaa34c4447f3d2a8868dc8f508da1899e6b97d7625c5f1723e38b122e09672f95f43ba7db4caa832ddcc3
6
+ metadata.gz: 271e0b7f7ce9cb659ffe7684f03677ea6699f065e1b2c1e8ce20cf992f3525c6ea2947702308b764fd21407498ac0e916dbd3390934615bf0c5d73450a938927
7
+ data.tar.gz: 9344404abd36b7fcc6bdf73a5186bc6bfc6665565b0fce4bf143aea6d149b61eefed5ec56787bebcbf0a9307bf464bbe4d822f726965f834fc3afaa13dde786d
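Review bot: both digest sets change here, as expected for a rebuilt gem, but nothing in this hunk lets a reviewer tie the new `metadata.gz` and `data.tar.gz` SHA256/SHA512 values to an authentic release; compare them against the checksums published for the actionpack 6.1.1 gem before treating the rest of this diff as the real upgrade.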
data/CHANGELOG.md CHANGED
@@ -1,484 +1,426 @@
1
- ## Rails 5.2.4.4 (September 09, 2020) ##
1
+ ## Rails 6.1.1 (January 07, 2021) ##
2
2
 
3
- * No changes.
3
+ * Fix nil translation key lookup in controllers/
4
4
 
5
+ *Jan Klimo*
5
6
 
6
- ## Rails 5.2.4.3 (May 18, 2020) ##
7
+ * Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.
7
8
 
8
- * [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
9
+ *Alex Robbin*
9
10
 
10
- * [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
11
+ * Change the request method to a `GET` when passing failed requests down to `config.exceptions_app`.
11
12
 
13
+ *Alex Robbin*
12
14
 
13
- ## Rails 5.2.4.1 (December 18, 2019) ##
14
15
 
15
- * Fix possible information leak / session hijacking vulnerability.
16
-
17
- The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
18
- gem dalli to be updated as well.
19
-
20
- CVE-2019-16782.
21
-
22
-
23
- ## Rails 5.2.4 (November 27, 2019) ##
24
-
25
- * No changes.
26
-
27
-
28
- ## Rails 5.2.3 (March 27, 2019) ##
29
-
30
- * Allow using `public` and `no-cache` together in the the Cache Control header.
31
-
32
- Before this change, even if `public` was specified in the Cache Control header,
33
- it was excluded when `no-cache` was included. This change preserves the
34
- `public` value as is.
35
-
36
- Fixes #34780.
37
-
38
- *Yuji Yaginuma*
39
-
40
- * Allow `nil` params for `ActionController::TestCase`.
41
-
42
- *Ryo Nakamura*
16
+ ## Rails 6.1.0 (December 09, 2020) ##
43
17
 
18
+ * Support for the HTTP header `Feature-Policy` has been revised to reflect
19
+ its [rename](https://github.com/w3c/webappsec-permissions-policy/pull/379) to [`Permissions-Policy`](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field).
44
20
 
45
- ## Rails 5.2.2.1 (March 11, 2019) ##
46
-
47
- * No changes.
48
-
49
-
50
- ## Rails 5.2.2 (December 04, 2018) ##
21
+ ```ruby
22
+ Rails.application.config.permissions_policy do |p|
23
+ p.camera :none
24
+ p.gyroscope :none
25
+ p.microphone :none
26
+ p.usb :none
27
+ p.fullscreen :self
28
+ p.payment :self, "https://secure-example.com"
29
+ end
30
+ ```
51
31
 
52
- * Reset Capybara sessions if failed system test screenshot raising an exception.
32
+ *Julien Grillot*
53
33
 
54
- Reset Capybara sessions if `take_failed_screenshot` raise exception
55
- in system test `after_teardown`.
34
+ * Allow `ActionDispatch::HostAuthorization` to exclude specific requests.
56
35
 
57
- *Maxim Perepelitsa*
36
+ Host Authorization checks can be skipped for specific requests. This allows for health check requests to be permitted for requests with missing or non-matching host headers.
58
37
 
59
- * Use request object for context if there's no controller
38
+ *Chris Bisnett*
60
39
 
61
- There is no controller instance when using a redirect route or a
62
- mounted rack application so pass the request object as the context
63
- when resolving dynamic CSP sources in this scenario.
40
+ * Add `config.action_dispatch.request_id_header` to allow changing the name of
41
+ the unique X-Request-Id header
64
42
 
65
- Fixes #34200.
43
+ *Arlston Fernandes*
66
44
 
67
- *Andrew White*
45
+ * Deprecate `config.action_dispatch.return_only_media_type_on_content_type`.
68
46
 
69
- * Apply mapping to symbols returned from dynamic CSP sources
47
+ *Rafael Mendonça França*
70
48
 
71
- Previously if a dynamic source returned a symbol such as :self it
72
- would be converted to a string implicity, e.g:
49
+ * Change `ActionDispatch::Response#content_type` to return the full Content-Type header.
73
50
 
74
- policy.default_src -> { :self }
51
+ *Rafael Mendonça França*
75
52
 
76
- would generate the header:
53
+ * Remove deprecated `ActionDispatch::Http::ParameterFilter`.
77
54
 
78
- Content-Security-Policy: default-src self
55
+ *Rafael Mendonça França*
79
56
 
80
- and now it generates:
57
+ * Added support for exclusive no-store Cache-Control header.
81
58
 
82
- Content-Security-Policy: default-src 'self'
59
+ If `no-store` is set on Cache-Control header it is exclusive (all other cache directives are dropped).
83
60
 
84
- *Andrew White*
61
+ *Chris Kruger*
85
62
 
86
- * Fix `rails routes -c` for controller name consists of multiple word.
63
+ * Catch invalid UTF-8 parameters for POST requests and respond with BadRequest.
87
64
 
88
- *Yoshiyuki Kinjo*
65
+ Additionally, perform `#set_binary_encoding` in `ActionDispatch::Http::Request#GET` and
66
+ `ActionDispatch::Http::Request#POST` prior to validating encoding.
89
67
 
90
- * Call the `#redirect_to` block in controller context.
68
+ *Adrianna Chang*
91
69
 
92
- *Steven Peckins*
70
+ * Allow `assert_recognizes` routing assertions to work on mounted root routes.
93
71
 
72
+ *Gannon McGibbon*
94
73
 
95
- ## Rails 5.2.1.1 (November 27, 2018) ##
74
+ * Change default redirection status code for non-GET/HEAD requests to 308 Permanent Redirect for `ActionDispatch::SSL`.
96
75
 
97
- * No changes.
76
+ *Alan Tan*, *Oz Ben-David*
98
77
 
78
+ * Fix `follow_redirect!` to follow redirection with same HTTP verb when following
79
+ a 308 redirection.
99
80
 
100
- ## Rails 5.2.1 (August 07, 2018) ##
81
+ *Alan Tan*
101
82
 
102
- * Prevent `?null=` being passed on JSON encoded test requests.
83
+ * When multiple domains are specified for a cookie, a domain will now be
84
+ chosen only if it is equal to or is a superdomain of the request host.
103
85
 
104
- `RequestEncoder#encode_params` won't attempt to parse params if
105
- there are none.
86
+ *Jonathan Hefner*
106
87
 
107
- So call like this will no longer append a `?null=` query param.
88
+ * `ActionDispatch::Static` handles precompiled Brotli (.br) files.
108
89
 
109
- get foos_url, as: :json
90
+ Adds to existing support for precompiled gzip (.gz) files.
91
+ Brotli files are preferred due to much better compression.
110
92
 
111
- *Alireza Bashiri*
93
+ When the browser requests /some.js with `Accept-Encoding: br`,
94
+ we check for public/some.js.br and serve that file, if present, with
95
+ `Content-Encoding: br` and `Vary: Accept-Encoding` headers.
112
96
 
113
- * Ensure `ActionController::Parameters#transform_values` and
114
- `ActionController::Parameters#transform_values!` converts hashes into
115
- parameters.
97
+ *Ryan Edward Hall*, *Jeremy Daer*
116
98
 
117
- *Kevin Sjöberg*
99
+ * Add raise_on_missing_translations support for controllers.
118
100
 
119
- * Fix strong parameters `permit!` with nested arrays.
101
+ This configuration determines whether an error should be raised for missing translations.
102
+ It can be enabled through `config.i18n.raise_on_missing_translations`. Note that described
103
+ configuration also affects raising error for missing translations in views.
120
104
 
121
- Given:
122
- ```
123
- params = ActionController::Parameters.new(nested_arrays: [[{ x: 2, y: 3 }, { x: 21, y: 42 }]])
124
- params.permit!
125
- ```
105
+ *fatkodima*
126
106
 
127
- `params[:nested_arrays][0][0].permitted?` will now return `true` instead of `false`.
128
-
129
- *Steve Hull*
130
-
131
- * Reset `RAW_POST_DATA` and `CONTENT_LENGTH` request environment between test requests in
132
- `ActionController::TestCase` subclasses.
107
+ * Added `compact` and `compact!` to `ActionController::Parameters`.
133
108
 
134
109
  *Eugene Kenny*
135
110
 
136
- * Output only one Content-Security-Policy nonce header value per request.
137
-
138
- Fixes #32597.
139
-
140
- *Andrey Novikov*, *Andrew White*
141
-
142
- * Only disable GPUs for headless Chrome on Windows.
143
-
144
- It is not necessary anymore for Linux and macOS machines.
145
-
146
- https://bugs.chromium.org/p/chromium/issues/detail?id=737678#c1
147
-
148
- *Stefan Wrobel*
111
+ * Calling `each_pair` or `each_value` on an `ActionController::Parameters`
112
+ without passing a block now returns an enumerator.
149
113
 
150
- * Fix system tests transactions not closed between examples.
114
+ *Eugene Kenny*
151
115
 
152
- *Sergey Tarasov*
116
+ * `fixture_file_upload` now uses path relative to `file_fixture_path`
153
117
 
118
+ Previously the path had to be relative to `fixture_path`.
119
+ You can change your existing code as follow:
154
120
 
155
- ## Rails 5.2.0 (April 09, 2018) ##
121
+ ```ruby
122
+ # Before
123
+ fixture_file_upload('files/dog.png')
156
124
 
157
- * Check exclude before flagging cookies as secure.
125
+ # After
126
+ fixture_file_upload('dog.png')
127
+ ```
158
128
 
159
- *Catherine Khuu*
129
+ *Edouard Chin*
160
130
 
161
- * Always yield a CSP policy instance from `content_security_policy`
131
+ * Remove deprecated `force_ssl` at the controller level.
162
132
 
163
- This allows a controller action to enable the policy individually
164
- for a controller and/or specific actions.
133
+ *Rafael Mendonça França*
165
134
 
166
- *Andrew White*
135
+ * The +helper+ class method for controllers loads helper modules specified as
136
+ strings/symbols with `String#constantize` instead of `require_dependency`.
167
137
 
168
- * Add the ability to disable the global CSP in a controller, e.g:
138
+ Remember that support for strings/symbols is only a convenient API. You can
139
+ always pass a module object:
169
140
 
170
- class LegacyPagesController < ApplicationController
171
- content_security_policy false, only: :index
172
- end
141
+ ```ruby
142
+ helper UtilsHelper
143
+ ```
173
144
 
174
- *Andrew White*
145
+ which is recommended because it is simple and direct. When a string/symbol
146
+ is received, `helper` just manipulates and inflects the argument to obtain
147
+ that same module object.
175
148
 
176
- * Add alias method `to_hash` to `to_h` for `cookies`.
177
- Add alias method `to_h` to `to_hash` for `session`.
149
+ *Xavier Noria*, *Jean Boussier*
178
150
 
179
- *Igor Kasyanchuk*
151
+ * Correctly identify the entire localhost IPv4 range as trusted proxy.
180
152
 
181
- * Update the default HSTS max-age value to 31536000 seconds (1 year)
182
- to meet the minimum max-age requirement for https://hstspreload.org/.
153
+ *Nick Soracco*
183
154
 
184
- *Grant Bourque*
155
+ * `url_for` will now use "https://" as the default protocol when
156
+ `Rails.application.config.force_ssl` is set to true.
185
157
 
186
- * Add support for automatic nonce generation for Rails UJS.
158
+ *Jonathan Hefner*
187
159
 
188
- Because the UJS library creates a script tag to process responses it
189
- normally requires the script-src attribute of the content security
190
- policy to include 'unsafe-inline'.
160
+ * Accept and default to base64_urlsafe CSRF tokens.
191
161
 
192
- To work around this we generate a per-request nonce value that is
193
- embedded in a meta tag in a similar fashion to how CSRF protection
194
- embeds its token in a meta tag. The UJS library can then read the
195
- nonce value and set it on the dynamically generated script tag to
196
- enable it to execute without needing 'unsafe-inline' enabled.
162
+ Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
163
+ them difficult to deal with. For example, the common practice of sending
164
+ the CSRF token to a browser in a client-readable cookie does not work properly
165
+ out of the box: the value has to be url-encoded and decoded to survive transport.
197
166
 
198
- Nonce generation isn't 100% safe - if your script tag is including
199
- user generated content in someway then it may be possible to exploit
200
- an XSS vulnerability which can take advantage of the nonce. It is
201
- however an improvement on a blanket permission for inline scripts.
167
+ Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
168
+ to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
169
+ for backwards compatibility.
202
170
 
203
- It is also possible to use the nonce within your own script tags by
204
- using `nonce: true` to set the nonce value on the tag, e.g
171
+ *Scott Blum*
205
172
 
206
- <%= javascript_tag nonce: true do %>
207
- alert('Hello, World!');
208
- <% end %>
173
+ * Support rolling deploys for cookie serialization/encryption changes.
209
174
 
210
- Fixes #31689.
175
+ In a distributed configuration like rolling update, users may observe
176
+ both old and new instances during deployment. Users may be served by a
177
+ new instance and then by an old instance.
211
178
 
212
- *Andrew White*
179
+ That means when the server changes `cookies_serializer` from `:marshal`
180
+ to `:hybrid` or the server changes `use_authenticated_cookie_encryption`
181
+ from `false` to `true`, users may lose their sessions if they access the
182
+ server during deployment.
213
183
 
214
- * Matches behavior of `Hash#each` in `ActionController::Parameters#each`.
184
+ We added fallbacks to downgrade the cookie format when necessary during
185
+ deployment, ensuring compatibility on both old and new instances.
215
186
 
216
- Rails 5.0 introduced a bug when looping through controller params using `each`. Only the keys of params hash were passed to the block, e.g.
187
+ *Masaki Hara*
217
188
 
218
- # Parameters: {"param"=>"1", "param_two"=>"2"}
219
- def index
220
- params.each do |name|
221
- puts name
222
- end
223
- end
189
+ * `ActionDispatch::Request.remote_ip` has ip address even when all sites are trusted.
224
190
 
225
- # Prints
226
- # param
227
- # param_two
191
+ Before, if all `X-Forwarded-For` sites were trusted, the `remote_ip` would default to `127.0.0.1`.
192
+ Now, the furthest proxy site is used. e.g.: It now gives an ip address when using curl from the load balancer.
228
193
 
229
- In Rails 5.2 the bug has been fixed and name will be an array (which was the behavior for all versions prior to 5.0), instead of a string.
194
+ *Keenan Brock*
230
195
 
231
- To fix the code above simply change as per example below:
196
+ * Fix possible information leak / session hijacking vulnerability.
232
197
 
233
- # Parameters: {"param"=>"1", "param_two"=>"2"}
234
- def index
235
- params.each do |name, value|
236
- puts name
237
- end
238
- end
198
+ The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the
199
+ gem dalli to be updated as well.
239
200
 
240
- # Prints
241
- # param
242
- # param_two
201
+ CVE-2019-16782.
243
202
 
244
- *Dominic Cleal*
203
+ * Include child session assertion count in ActionDispatch::IntegrationTest.
245
204
 
246
- * Add `Referrer-Policy` header to default headers set.
205
+ `IntegrationTest#open_session` uses `dup` to create the new session, which
206
+ meant it had its own copy of `@assertions`. This prevented the assertions
207
+ from being correctly counted and reported.
247
208
 
248
- *Guillermo Iguaran*
209
+ Child sessions now have their `attr_accessor` overridden to delegate to the
210
+ root session.
249
211
 
250
- * Changed the system tests to set Puma as default server only when the
251
- user haven't specified manually another server.
212
+ Fixes #32142.
252
213
 
253
- *Guillermo Iguaran*
214
+ *Sam Bostock*
254
215
 
255
- * Add secure `X-Download-Options` and `X-Permitted-Cross-Domain-Policies` to
256
- default headers set.
216
+ * Add SameSite protection to every written cookie.
257
217
 
258
- *Guillermo Iguaran*
218
+ Enabling `SameSite` cookie protection is an addition to CSRF protection,
219
+ where cookies won't be sent by browsers in cross-site POST requests when set to `:lax`.
259
220
 
260
- * Add headless firefox support to System Tests.
221
+ `:strict` disables cookies being sent in cross-site GET or POST requests.
261
222
 
262
- *bogdanvlviv*
223
+ Passing `:none` disables this protection and is the same as previous versions albeit a `; SameSite=None` is appended to the cookie.
263
224
 
264
- * Changed the default system test screenshot output from `inline` to `simple`.
225
+ See upgrade instructions in config/initializers/new_framework_defaults_6_1.rb.
265
226
 
266
- `inline` works well for iTerm2 but not everyone uses iTerm2. Some terminals like
267
- Terminal.app ignore the `inline` and output the path to the file since it can't
268
- render the image. Other terminals, like those on Ubuntu, cannot handle the image
269
- inline, but also don't handle it gracefully and instead of outputting the file
270
- path, it dumps binary into the terminal.
227
+ More info [here](https://tools.ietf.org/html/draft-west-first-party-cookies-07)
271
228
 
272
- Commit 9d6e28 fixes this by changing the default for screenshot to be `simple`.
229
+ _NB: Technically already possible as Rack supports SameSite protection, this is to ensure it's applied to all cookies_
273
230
 
274
- *Eileen M. Uchitelle*
231
+ *Cédric Fabianski*
275
232
 
276
- * Register most popular audio/video/font mime types supported by modern browsers.
233
+ * Bring back the feature that allows loading external route files from the router.
277
234
 
278
- *Guillermo Iguaran*
235
+ This feature existed back in 2012 but got reverted with the incentive that
236
+ https://github.com/rails/routing_concerns was a better approach. Turned out
237
+ that this wasn't fully the case and loading external route files from the router
238
+ can be helpful for applications with a really large set of routes.
239
+ Without this feature, application needs to implement routes reloading
240
+ themselves and it's not straightforward.
279
241
 
280
- * Fix optimized url helpers when using relative url root.
242
+ ```ruby
243
+ # config/routes.rb
281
244
 
282
- Fixes #31220.
245
+ Rails.application.routes.draw do
246
+ draw(:admin)
247
+ end
283
248
 
284
- *Andrew White*
249
+ # config/routes/admin.rb
285
250
 
286
- * Add DSL for configuring Content-Security-Policy header.
251
+ get :foo, to: 'foo#bar'
252
+ ```
287
253
 
288
- The DSL allows you to configure a global Content-Security-Policy
289
- header and then override within a controller. For more information
290
- about the Content-Security-Policy header see MDN:
254
+ *Yehuda Katz*, *Edouard Chin*
291
255
 
292
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
256
+ * Fix system test driver option initialization for non-headless browsers.
293
257
 
294
- Example global policy:
258
+ *glaszig*
295
259
 
296
- # config/initializers/content_security_policy.rb
297
- Rails.application.config.content_security_policy do |p|
298
- p.default_src :self, :https
299
- p.font_src :self, :https, :data
300
- p.img_src :self, :https, :data
301
- p.object_src :none
302
- p.script_src :self, :https
303
- p.style_src :self, :https, :unsafe_inline
304
- end
260
+ * `redirect_to.action_controller` notifications now include the `ActionDispatch::Request` in
261
+ their payloads as `:request`.
305
262
 
306
- Example controller overrides:
263
+ *Austin Story*
307
264
 
308
- # Override policy inline
309
- class PostsController < ApplicationController
310
- content_security_policy do |p|
311
- p.upgrade_insecure_requests true
312
- end
313
- end
265
+ * `respond_to#any` no longer returns a response's Content-Type based on the
266
+ request format but based on the block given.
314
267
 
315
- # Using literal values
316
- class PostsController < ApplicationController
317
- content_security_policy do |p|
318
- p.base_uri "https://www.example.com"
319
- end
320
- end
268
+ Example:
321
269
 
322
- # Using mixed static and dynamic values
323
- class PostsController < ApplicationController
324
- content_security_policy do |p|
325
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
326
- end
270
+ ```ruby
271
+ def my_action
272
+ respond_to do |format|
273
+ format.any { render(json: { foo: 'bar' }) }
327
274
  end
275
+ end
328
276
 
329
- Allows you to also only report content violations for migrating
330
- legacy content using the `content_security_policy_report_only`
331
- configuration attribute, e.g;
332
-
333
- # config/initializers/content_security_policy.rb
334
- Rails.application.config.content_security_policy_report_only = true
335
-
336
- # controller override
337
- class PostsController < ApplicationController
338
- content_security_policy_report_only only: :index
339
- end
340
-
341
- Note that this feature does not validate the header for performance
342
- reasons since the header is calculated at runtime.
343
-
344
- *Andrew White*
345
-
346
- * Make `assert_recognizes` to traverse mounted engines.
347
-
348
- *Yuichiro Kaneko*
349
-
350
- * Remove deprecated `ActionController::ParamsParser::ParseError`.
277
+ get('my_action.csv')
278
+ ```
351
279
 
352
- *Rafael Mendonça França*
280
+ The previous behaviour was to respond with a `text/csv` Content-Type which
281
+ is inaccurate since a JSON response is being rendered.
353
282
 
354
- * Add `:allow_other_host` option to `redirect_back` method.
283
+ Now it correctly returns a `application/json` Content-Type.
355
284
 
356
- When `allow_other_host` is set to `false`, the `redirect_back` will not allow redirecting from a
357
- different host. `allow_other_host` is `true` by default.
285
+ *Edouard Chin*
358
286
 
359
- *Tim Masliuchenko*
287
+ * Replaces (back)slashes in failure screenshot image paths with dashes.
360
288
 
361
- * Add headless chrome support to System Tests.
289
+ If a failed test case contained a slash or a backslash, a screenshot would be created in a
290
+ nested directory, causing issues with `tmp:clear`.
362
291
 
363
- *Yuji Yaginuma*
292
+ *Damir Zekic*
364
293
 
365
- * Add ability to enable Early Hints for HTTP/2
294
+ * Add `params.member?` to mimic Hash behavior.
366
295
 
367
- If supported by the server, and enabled in Puma this allows H2 Early Hints to be used.
296
+ *Younes Serraj*
368
297
 
369
- The `javascript_include_tag` and the `stylesheet_link_tag` automatically add Early Hints if requested.
298
+ * `process_action.action_controller` notifications now include the following in their payloads:
370
299
 
371
- *Eileen M. Uchitelle*, *Aaron Patterson*
300
+ * `:request` - the `ActionDispatch::Request`
301
+ * `:response` - the `ActionDispatch::Response`
372
302
 
373
- * Simplify cookies middleware with key rotation support
303
+ *George Claghorn*
374
304
 
375
- Use the `rotate` method for both `MessageEncryptor` and
376
- `MessageVerifier` to add key rotation support for encrypted and
377
- signed cookies. This also helps simplify support for legacy cookie
378
- security.
305
+ * Updated `ActionDispatch::Request.remote_ip` setter to clear set the instance
306
+ `remote_ip` to `nil` before setting the header that the value is derived
307
+ from.
379
308
 
380
- *Michael J Coyne*
309
+ Fixes #37383.
381
310
 
382
- * Use Capybara registered `:puma` server config.
311
+ *Norm Provost*
383
312
 
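Review bot: the wording "to clear set the instance `remote_ip` to `nil` before setting the header that the value is derived from" in the `ActionDispatch::Request.remote_ip` entry is garbled and does not say which header is meant; suggest "to reset the memoized `remote_ip` to `nil` before setting the header it is derived from", and name the header, since a reader of this entry cannot otherwise tell whether the fix for #37383 concerns the raw `REMOTE_ADDR` value or the value the middleware computes from trusted proxies.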
384
- The Capybara registered `:puma` server ensures the puma server is run in process so
385
- connection sharing and open request detection work correctly by default.
313
+ * `ActionController::Base.log_at` allows setting a different log level per request.
386
314
 
387
- *Thomas Walpole*
388
-
389
- * Cookies `:expires` option supports `ActiveSupport::Duration` object.
315
+ ```ruby
316
+ # Use the debug level if a particular cookie is set.
317
+ class ApplicationController < ActionController::Base
318
+ log_at :debug, if: -> { cookies[:debug] }
319
+ end
320
+ ```
390
321
 
391
- cookies[:user_name] = { value: "assain", expires: 1.hour }
392
- cookies[:key] = { value: "a yummy cookie", expires: 6.months }
322
+ *George Claghorn*
393
323
 
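Review bot: the `log_at` example `log_at :debug, if: -> { cookies[:debug] }` conditions verbose logging on a plain, unsigned cookie that any client can set, so copied as written it lets an anonymous request turn on debug logging for itself; the entry should flag that the condition is caller-controlled and that a real deployment would gate it on something the client cannot forge (a signed cookie, an authenticated admin, or an allow-listed client IP), since debug-level request logs commonly carry parameters and headers the app otherwise keeps out of its logs.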
394
- Pull Request: #30121
324
+ * Allow system test screen shots to be taken more than once in
325
+ a test by prefixing the file name with an incrementing counter.
395
326
 
396
- *Assain Jaleel*
327
+ Add an environment variable `RAILS_SYSTEM_TESTING_SCREENSHOT_HTML` to
328
+ enable saving of HTML during a screenshot in addition to the image.
329
+ This uses the same image name, with the extension replaced with `.html`
397
330
 
398
- * Enforce signed/encrypted cookie expiry server side.
331
+ *Tom Fakes*
399
332
 
400
- Rails can thwart attacks by malicious clients that don't honor a cookie's expiry.
333
+ * Add `Vary: Accept` header when using `Accept` header for response.
401
334
 
402
- It does so by stashing the expiry within the written cookie and relying on the
403
- signing/encrypting to vouch that it hasn't been tampered with. Then on a
404
- server-side read, the expiry is verified and any expired cookie is discarded.
335
+ For some requests like `/users/1`, Rails uses requests' `Accept`
336
+ header to determine what to return. And if we don't add `Vary`
337
+ in the response header, browsers might accidentally cache different
338
+ types of content, which would cause issues: e.g. javascript got displayed
339
+ instead of html content. This PR fixes these issues by adding `Vary: Accept`
340
+ in these types of requests. For more detailed problem description, please read:
405
341
 
406
- Pull Request: #30121
342
+ https://github.com/rails/rails/pull/36213
407
343
 
408
- *Assain Jaleel*
344
+ Fixes #25842.
409
345
 
410
- * Make `take_failed_screenshot` work within engine.
346
+ *Stan Lo*
411
347
 
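Review bot: the `Vary: Accept` entry describes the symptom ("javascript got displayed instead of html content") but not the mechanism, which is what makes this matter behind a shared cache: a cache keyed on the URL alone stores whichever representation was negotiated first and replays it to later clients whose `Accept` differs, so the fix is relevant to CDN and reverse-proxy caches as much as to browsers. Suggest stating that, and stating that the header is added only on responses whose format was chosen from the request's `Accept` header (as the line "when using `Accept` header for response" implies) so apps that already emit `Vary` themselves know to check for duplicate values.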
412
- Fixes #30405.
348
+ * Fix IntegrationTest `follow_redirect!` to follow redirection using the same HTTP verb when following
349
+ a 307 redirection.
413
350
 
414
- *Yuji Yaginuma*
351
+ *Edouard Chin*
415
352
 
416
- * Deprecate `ActionDispatch::TestResponse` response aliases.
353
+ * System tests require Capybara 3.26 or newer.
417
354
 
418
- `#success?`, `#missing?` & `#error?` are not supported by the actual
419
- `ActionDispatch::Response` object and can produce false-positives. Instead,
420
- use the response helpers provided by `Rack::Response`.
355
+ *George Claghorn*
421
356
 
422
- *Trevor Wistaff*
357
+ * Reduced log noise handling ActionController::RoutingErrors.
423
358
 
424
- * Protect from forgery by default
359
+ *Alberto Fernández-Capel*
425
360
 
426
- Rather than protecting from forgery in the generated `ApplicationController`,
427
- add it to `ActionController::Base` depending on
428
- `config.action_controller.default_protect_from_forgery`. This configuration
429
- defaults to false to support older versions which have removed it from their
430
- `ApplicationController`, but is set to true for Rails 5.2.
361
+ * Add DSL for configuring HTTP Feature Policy.
431
362
 
432
- *Lisa Ugray*
363
+ This new DSL provides a way to configure an HTTP Feature Policy at a
364
+ global or per-controller level. Full details of HTTP Feature Policy
365
+ specification and guidelines can be found at MDN:
433
366
 
434
- * Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
367
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
435
368
 
436
- *Kir Shatrov*
369
+ Example global policy:
437
370
 
438
- * `driven_by` now registers poltergeist and capybara-webkit.
371
+ ```ruby
372
+ Rails.application.config.feature_policy do |f|
373
+ f.camera :none
374
+ f.gyroscope :none
375
+ f.microphone :none
376
+ f.usb :none
377
+ f.fullscreen :self
378
+ f.payment :self, "https://secure.example.com"
379
+ end
380
+ ```
439
381
 
440
- If poltergeist or capybara-webkit are set as drivers is set for System Tests,
441
- `driven_by` will register the driver and set additional options passed via
442
- the `:options` parameter.
382
+ Example controller level policy:
443
383
 
444
- Refer to the respective driver's documentation to see what options can be passed.
384
+ ```ruby
385
+ class PagesController < ApplicationController
386
+ feature_policy do |p|
387
+ p.geolocation "https://example.com"
388
+ end
389
+ end
390
+ ```
445
391
 
446
- *Mario Chavez*
392
+ *Jacob Bednarz*
447
393
 
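Review bot: the Feature Policy entry never names the response header the DSL emits, and `Feature-Policy` has since been superseded by `Permissions-Policy` in browsers (the linked MDN page now documents it as deprecated); the entry should state which header name is written so readers can judge whether current browsers will enforce the policy shown in `f.camera :none` and `p.geolocation "https://example.com"`, and so the later rename can be found from the changelog.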
448
- * AEAD encrypted cookies and sessions with GCM.
394
+ * Add the ability to set the CSP nonce only to the specified directives.
449
395
 
450
- Encrypted cookies now use AES-GCM which couples authentication and
451
- encryption in one faster step and produces shorter ciphertexts. Cookies
452
- encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
453
- this new mode is enabled via the
454
- `action_dispatch.use_authenticated_cookie_encryption` configuration value.
396
+ Fixes #35137.
455
397
 
456
- *Michael J Coyne*
398
+ *Yuji Yaginuma*
457
399
 
458
- * Change the cache key format for fragments to make it easier to debug key churn. The new format is:
400
+ * Keep part when scope option has value.
459
401
 
460
- views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
461
- ^template path ^template tree digest ^class ^id
402
+ When a route was defined within an optional scope, if that route didn't
403
+ take parameters the scope was lost when using path helpers. This commit
404
+ ensures scope is kept both when the route takes parameters or when it
405
+ doesn't.
462
406
 
463
- *DHH*
407
+ Fixes #33219.
464
408
 
465
- * Add support for recyclable cache keys with fragment caching. This uses the new versioned entries in the
466
- `ActiveSupport::Cache` stores and relies on the fact that Active Record has split `#cache_key` and `#cache_version`
467
- to support it.
409
+ *Alberto Almagro*
468
410
 
469
- *DHH*
411
+ * Added `deep_transform_keys` and `deep_transform_keys!` methods to ActionController::Parameters.
470
412
 
471
- * Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
413
+ *Gustavo Gutierrez*
472
414
 
473
- `ActionController::Base` and `ActionController::API` have differing implementations. This means that
474
- the one umbrella hook `action_controller` is not able to address certain situations where a method
475
- may not exist in a certain implementation.
415
+ * Calling `ActionController::Parameters#transform_keys`/`!` without a block now returns
416
+ an enumerator for the parameters instead of the underlying hash.
476
417
 
477
- This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
418
+ *Eugene Kenny*
478
419
 
479
- Fixes #27013.
420
+ * Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical).
421
+ It should only block invalid key's values instead.
480
422
 
481
- *Julian Nadeau*
423
+ *Stan Lo*
482
424
 
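Review bot: the strong parameters entry "Fix strong parameters blocks all attributes even when only some keys are invalid (non-numerical). It should only block invalid key's values instead." is a behaviour change that makes filtering less strict, not just a bug fix, and should say so: before, a hash with mixed numeric and non-numeric keys was dropped entirely; after, the numeric keys' values pass through `permit` and only the non-numeric keys are dropped. Suggest naming the call this affects (permitting a hash of numeric keys, as for nested attributes) and showing a before/after, and fixing the grammar to "Fix strong parameters blocking all attributes when only some keys are invalid (non-numeric); only the invalid keys' values are now blocked."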
483
425
 
484
- Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionpack/CHANGELOG.md) for previous changes.
426
+ Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionpack/CHANGELOG.md) for previous changes.