actionpack 5.2.4.rc1 → 6.0.0.rc2

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -21,8 +21,12 @@ module ActionDispatch
     def call(env)
       request      = ActionDispatch::Request.new(env)
       status       = request.path_info[1..-1].to_i
-      content_type = request.formats.first
-      body         = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
+      begin
+        content_type = request.formats.first
+      rescue Mime::Type::InvalidMimeType
+        content_type = Mime[:text]
+      end
+      body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
 
       render(status, content_type, body)
     end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -162,14 +162,12 @@ module ActionDispatch
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
         ips.select do |ip|
-          begin
-            # Only return IPs that are valid according to the IPAddr#new method.
-            range = IPAddr.new(ip).to_range
-            # We want to make sure nobody is sneaking a netmask in.
-            range.begin == range.end
-          rescue ArgumentError
-            nil
-          end
+          # Only return IPs that are valid according to the IPAddr#new method.
+          range = IPAddr.new(ip).to_range
+          # We want to make sure nobody is sneaking a netmask in.
+          range.begin == range.end
+        rescue ArgumentError
+          nil
         end
       end
 

data/lib/action_dispatch/middleware/request_id.rb

@@ -15,7 +15,7 @@ module ActionDispatch
   # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
   # from multiple pieces of the stack.
   class RequestId
-    X_REQUEST_ID = "X-Request-Id".freeze #:nodoc:
+    X_REQUEST_ID = "X-Request-Id" #:nodoc:
 
     def initialize(app)
       @app = app
@@ -30,7 +30,7 @@ module ActionDispatch
     private
       def make_request_id(request_id)
         if request_id.presence
-          request_id.gsub(/[^\w\-@]/, "".freeze).first(255)
+          request_id.gsub(/[^\w\-@]/, "").first(255)
         else
           internal_request_id
         end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -16,16 +16,11 @@ module ActionDispatch
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.
     #
-    # If you only have secret_token set, your cookies will be signed, but
-    # not encrypted. This means a user cannot alter their +user_id+ without
-    # knowing your app's secret key, but can easily read their +user_id+. This
-    # was the default for Rails 3 apps.
-    #
     # Your cookies will be encrypted using your apps secret_key_base. This
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
-    # Configure your session store in <tt>config/initializers/session_store.rb</tt>:
+    # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -45,7 +45,7 @@ module ActionDispatch
         backtrace_cleaner = request.get_header "action_dispatch.backtrace_cleaner"
         wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
         status  = wrapper.status_code
-        request.set_header "action_dispatch.exception", wrapper.exception
+        request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.path_info = "/#{status}"
         response = @exceptions_app.call(request.env)

data/lib/action_dispatch/middleware/ssl.rb

@@ -83,7 +83,7 @@ module ActionDispatch
 
     private
       def set_hsts_header!(headers)
-        headers["Strict-Transport-Security".freeze] ||= @hsts_header
+        headers["Strict-Transport-Security"] ||= @hsts_header
       end
 
       def normalize_hsts_options(options)
@@ -102,23 +102,23 @@ module ActionDispatch
 
       # https://tools.ietf.org/html/rfc6797#section-6.1
       def build_hsts_header(hsts)
-        value = "max-age=#{hsts[:expires].to_i}".dup
+        value = +"max-age=#{hsts[:expires].to_i}"
         value << "; includeSubDomains" if hsts[:subdomains]
         value << "; preload" if hsts[:preload]
         value
       end
 
       def flag_cookies_as_secure!(headers)
-        if cookies = headers["Set-Cookie".freeze]
-          cookies = cookies.split("\n".freeze)
+        if cookies = headers["Set-Cookie"]
+          cookies = cookies.split("\n")
 
-          headers["Set-Cookie".freeze] = cookies.map { |cookie|
-            if cookie !~ /;\s*secure\s*(;|$)/i
+          headers["Set-Cookie"] = cookies.map { |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
-          }.join("\n".freeze)
+          }.join("\n")
         end
       end
 
@@ -141,7 +141,7 @@ module ActionDispatch
         host = @redirect[:host] || request.host
         port = @redirect[:port] || request.port
 
-        location = "https://#{host}".dup
+        location = +"https://#{host}"
         location << ":#{port}" if port != 80 && port != 443
         location << request.fullpath
         location

data/lib/action_dispatch/middleware/stack.rb

@@ -36,6 +36,31 @@ module ActionDispatch
       def build(app)
         klass.new(app, *args, &block)
       end
+
+      def build_instrumented(app)
+        InstrumentationProxy.new(build(app), inspect)
+      end
+    end
+
+    # This class is used to instrument the execution of a single middleware.
+    # It proxies the `call` method transparently and instruments the method
+    # call.
+    class InstrumentationProxy
+      EVENT_NAME = "process_middleware.action_dispatch"
+
+      def initialize(middleware, class_name)
+        @middleware = middleware
+
+        @payload = {
+          middleware: class_name,
+        }
+      end
+
+      def call(env)
+        ActiveSupport::Notifications.instrument(EVENT_NAME, @payload) do
+          @middleware.call(env)
+        end
+      end
     end
 
     include Enumerable
@@ -98,7 +123,14 @@ module ActionDispatch
     end
 
     def build(app = nil, &block)
-      middlewares.freeze.reverse.inject(app || block) { |a, e| e.build(a) }
+      instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
+      middlewares.freeze.reverse.inject(app || block) do |a, e|
+        if instrumenting
+          e.build_instrumented(a)
+        else
+          e.build(a)
+        end
+      end
     end
 
     private

data/lib/action_dispatch/middleware/static.rb

@@ -41,7 +41,6 @@ module ActionDispatch
         rescue SystemCallError
           false
         end
-
       }
         return ::Rack::Utils.escape_path(match).b
       end
@@ -69,7 +68,7 @@ module ActionDispatch
 
       headers["Vary"] = "Accept-Encoding" if gzip_path
 
-      return [status, headers, body]
+      [status, headers, body]
     ensure
       request.path_info = path
     end
@@ -80,7 +79,7 @@ module ActionDispatch
       end
 
       def content_type(path)
-        ::Rack::Mime.mime_type(::File.extname(path), "text/plain".freeze)
+        ::Rack::Mime.mime_type(::File.extname(path), "text/plain")
       end
 
       def gzip_encoding_accepted?(request)
@@ -90,8 +89,8 @@ module ActionDispatch
       def gzip_file_path(path)
         can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
         gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path).b))
-          gzip_path.b
+        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path)))
+          gzip_path
         else
           false
         end
@@ -117,7 +116,7 @@ module ActionDispatch
       req = Rack::Request.new env
 
       if req.get? || req.head?
-        path = req.path_info.chomp("/".freeze)
+        path = req.path_info.chomp("/")
         if match = @file_handler.match?(path)
           req.path_info = match
           return @file_handler.serve(req)

data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb

@@ -0,0 +1,13 @@
+<% actions = ActiveSupport::ActionableError.actions(exception) %>
+
+<% if actions.any? %>
+  <div class="actions">
+    <% actions.each do |action, _| %>
+      <%= button_to action, ActionDispatch::ActionableExceptions.endpoint, params: {
+        error: exception.class.name,
+        action: action,
+        location: request.path
+      } %>
+    <% end %>
+  </div>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -6,7 +6,9 @@
 <% end %>
 
 <h2 style="margin-top: 30px">Request</h2>
-<p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
+<% if params_valid? %>
+  <p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
+<% end %>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb

@@ -1,5 +1,5 @@
 <%
-  clean_params = @request.filtered_parameters.clone
+  clean_params = params_valid? ? @request.filtered_parameters.clone : {}
   clean_params.delete("action")
   clean_params.delete("controller")
 

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -1,6 +1,8 @@
-<% @source_extracts.each_with_index do |source_extract, index| %>
+<% error_index = local_assigns[:error_index] || 0 %>
+
+<% source_extracts.each_with_index do |source_extract, index| %>
   <% if source_extract[:code] %>
-    <div class="source <%="hidden" if @show_source_idx != index%>" id="frame-source-<%=index%>">
+    <div class="source <%= "hidden" if show_source_idx != index %>" id="frame-source-<%= error_index %>-<%= index %>">
       <div class="info">
         Extracted source (around line <strong>#<%= source_extract[:line_number] %></strong>):
       </div>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -1,52 +1,62 @@
-<% names = @traces.keys %>
+<% names = traces.keys %>
+<% error_index = local_assigns[:error_index] || 0 %>
 
 <p><code>Rails.root: <%= defined?(Rails) && Rails.respond_to?(:root) ? Rails.root : "unset" %></code></p>
 
-<div id="traces">
+<div id="traces-<%= error_index %>">
   <% names.each do |name| %>
     <%
-      show = "show('#{name.gsub(/\s/, '-')}');"
-      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}');"}
+      show = "show('#{name.gsub(/\s/, '-')}-#{error_index}');"
+      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}-#{error_index}');"}
     %>
     <a href="#" onclick="<%= hide.join %><%= show %>; return false;"><%= name %></a> <%= '|' unless names.last == name %>
   <% end %>
 
-  <% @traces.each do |name, trace| %>
-    <div id="<%= name.gsub(/\s/, '-') %>" style="display: <%= (name == @trace_to_show) ? 'block' : 'none' %>;">
-      <pre><code><% trace.each do |frame| %><a class="trace-frames" data-frame-id="<%= frame[:id] %>" href="#"><%= frame[:trace] %></a><br><% end %></code></pre>
+  <% traces.each do |name, trace| %>
+    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
+      <code style="font-size: 11px;">
+        <% trace.each do |frame| %>
+          <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
+            <%= frame[:trace] %>
+          </a>
+          <br>
+        <% end %>
+      </code>
     </div>
   <% end %>
 
   <script type="text/javascript">
-    var traceFrames = document.getElementsByClassName('trace-frames');
-    var selectedFrame, currentSource = document.getElementById('frame-source-0');
-
-    // Add click listeners for all stack frames
-    for (var i = 0; i < traceFrames.length; i++) {
-      traceFrames[i].addEventListener('click', function(e) {
-        e.preventDefault();
-        var target = e.target;
-        var frame_id = target.dataset.frameId;
-
-        if (selectedFrame) {
-          selectedFrame.className = selectedFrame.className.replace("selected", "");
-        }
-
-        target.className += " selected";
-        selectedFrame = target;
-
-        // Change the extracted source code
-        changeSourceExtract(frame_id);
-      });
-
-      function changeSourceExtract(frame_id) {
-        var el = document.getElementById('frame-source-' + frame_id);
-        if (currentSource && el) {
-          currentSource.className += " hidden";
-          el.className = el.className.replace(" hidden", "");
-          currentSource = el;
+    (function() {
+      var traceFrames = document.getElementsByClassName('trace-frames-<%= error_index %>');
+      var selectedFrame, currentSource = document.getElementById('frame-source-<%= error_index %>-0');
+
+      // Add click listeners for all stack frames
+      for (var i = 0; i < traceFrames.length; i++) {
+        traceFrames[i].addEventListener('click', function(e) {
+          e.preventDefault();
+          var target = e.target;
+          var frame_id = target.dataset.frameId;
+
+          if (selectedFrame) {
+            selectedFrame.className = selectedFrame.className.replace("selected", "");
+          }
+
+          target.className += " selected";
+          selectedFrame = target;
+
+          // Change the extracted source code
+          changeSourceExtract(frame_id);
+        });
+
+        function changeSourceExtract(frame_id) {
+          var el = document.getElementById('frame-source-<%= error_index %>-' + frame_id);
+          if (currentSource && el) {
+            currentSource.className += " hidden";
+            el.className = el.className.replace(" hidden", "");
+            currentSource = el;
+          }
         }
       }
-    }
+    })();
   </script>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -0,0 +1,7 @@
+<header>
+  <h1>Blocked host: <%= @host %></h1>
+</header>
+<div id="container">
+  <h2>To allow requests to <%= @host %>, add the following to your environment configuration:</h2>
+  <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -0,0 +1,5 @@
+Blocked host: <%= @host %>
+
+To allow requests to <%= @host %>, add the following to your environment configuration:
+
+  config.hosts << "<%= @host %>"

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -1,16 +1,38 @@
 <header>
   <h1>
     <%= @exception.class.to_s %>
-    <% if @request.parameters['controller'] %>
+    <% if params_valid? && @request.parameters['controller'] %>
       in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
     <% end %>
   </h1>
 </header>
 
 <div id="container">
-  <h2><%= h @exception.message %></h2>
+  <h2>
+    <%= h @exception.message %>
+
+    <%= render "rescues/actions", exception: @exception, request: @request %>
+  </h2>
+
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx, error_index: 0 %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show, error_index: 0 %>
+
+  <% if @exception.cause %>
+    <h2>Exception Causes</h2>
+  <% end %>
+
+  <% @exception_wrapper.wrapped_causes.each.with_index(1) do |wrapper, index| %>
+    <div class="details">
+      <a class="summary" href="#" style="color: #F0F0F0; text-decoration: none; background: #C52F24; border-bottom: none;" onclick="return toggle(<%= wrapper.exception.object_id %>)">
+        <%= wrapper.exception.class.name %>: <%= h wrapper.exception.message %>
+      </a>
+    </div>
+
+    <div id="<%= wrapper.exception.object_id %>" style="display: none;">
+      <%= render "rescues/source", source_extracts: wrapper.source_extracts, show_source_idx: wrapper.source_to_show_id, error_index: index %>
+      <%= render "rescues/trace", traces: wrapper.traces, trace_to_show: wrapper.trace_to_show, error_index: index %>
+    </div>
+  <% end %>
 
-  <%= render template: "rescues/_source" %>
-  <%= render template: "rescues/_trace" %>
   <%= render template: "rescues/_request_and_response" %>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb

@@ -1,5 +1,5 @@
 <%= @exception.class.to_s %><%
-  if @request.parameters['controller']
+  if params_valid? && @request.parameters['controller']
 %> in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
 <% end %>
 

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -10,12 +10,15 @@
 <div id="container">
   <h2>
     <%= h @exception.message %>
-    <% if %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}.match?(@exception.message) %>
-      <br />To resolve this issue run: bin/rails active_storage:install
+    <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
+      <br />To resolve this issue run: rails active_storage:install
+    <% end %>
+    <% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
+      <br />To resolve this issue run: rails action_mailbox:install
     <% end %>
   </h2>
 
-  <%= render template: "rescues/_source" %>
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
 </div>