actionpack 5.2.6 → 6.1.4.4

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/parameter_filter"
+require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
@@ -9,8 +9,8 @@ module ActionDispatch
     # sub-hashes of the params hash to filter. Filtering only certain sub-keys
     # from a hash is possible by using the dot notation: 'credit_card.number'.
     # If a block is given, each key and value of the params hash and all
-    # sub-hashes is passed to it, where the value or the key can be replaced using
-    # String#replace or similar method.
+    # sub-hashes are passed to it, where the value or the key can be replaced using
+    # String#replace or similar methods.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -23,13 +23,13 @@ module ActionDispatch
     #   change { file: { code: "xxxx"} }
     #
     #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k =~ /secret/i
+    #     v.reverse! if k.match?(/secret/i)
     #   end
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
 
       def initialize
         super
@@ -41,6 +41,8 @@ module ActionDispatch
       # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        @filtered_parameters = {}
       end
 
       # Returns a hash of request.env with all sensitive data replaced.
@@ -54,7 +56,6 @@ module ActionDispatch
       end
 
     private
-
       def parameter_filter # :doc:
         parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER
@@ -69,7 +70,7 @@ module ActionDispatch
       end
 
       def parameter_filter_for(filters) # :doc:
-        ParameterFilter.new(filters)
+        ActiveSupport::ParameterFilter.new(filters)
       end
 
       KV_RE   = "[^&;=]+"

data/lib/action_dispatch/http/filter_redirect.rb

@@ -3,7 +3,7 @@
 module ActionDispatch
   module Http
     module FilterRedirect
-      FILTERED = "[FILTERED]".freeze # :nodoc:
+      FILTERED = "[FILTERED]" # :nodoc:
 
       def filtered_location # :nodoc:
         if location_filter_match?
@@ -14,7 +14,6 @@ module ActionDispatch
       end
 
     private
-
       def location_filters
         if request
           request.get_header("action_dispatch.redirect_filter") || []
@@ -28,7 +27,7 @@ module ActionDispatch
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location =~ filter
+            location.match?(filter)
           end
         end
       end

data/lib/action_dispatch/http/headers.rb

@@ -116,14 +116,14 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-
         # Converts an HTTP header name to an environment variable name if it is
         # not contained within the headers hash.
         def env_name(key)
           key = key.to_s
-          if key =~ HTTP_HEADER
-            key = key.upcase.tr("-", "_")
-            key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+          if HTTP_HEADER.match?(key)
+            key = key.upcase
+            key.tr!("-", "_")
+            key.prepend("HTTP_") unless CGI_VARIABLES.include?(key)
           end
           key
         end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -7,6 +7,13 @@ module ActionDispatch
     module MimeNegotiation
       extend ActiveSupport::Concern
 
+      class InvalidType < ::Mime::Type::InvalidMimeType; end
+
+      RESCUABLE_MIME_FORMAT_ERRORS = [
+        ActionController::BadRequest,
+        ActionDispatch::Http::Parameters::ParseError,
+      ]
+
       included do
         mattr_accessor :ignore_accept_header, default: false
       end
@@ -20,6 +27,8 @@ module ActionDispatch
             nil
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -42,6 +51,8 @@ module ActionDispatch
             Mime::Type.parse(header)
           end
           set_header k, v
+        rescue ::Mime::Type::InvalidMimeType => e
+          raise InvalidType, e.message
         end
       end
 
@@ -57,13 +68,7 @@ module ActionDispatch
 
       def formats
         fetch_header("action_dispatch.request.formats") do |k|
-          params_readable = begin
-                              parameters[:format]
-                            rescue ActionController::BadRequest
-                              false
-                            end
-
-          v = if params_readable
+          v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
             accepts
@@ -90,10 +95,7 @@ module ActionDispatch
         if variant.all? { |v| v.is_a?(Symbol) }
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
-            "For security reasons, never directly set the variant to a user-provided value, " \
-            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
-            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
         end
       end
 
@@ -151,13 +153,24 @@ module ActionDispatch
         order.include?(Mime::ALL) ? format : nil
       end
 
-      private
+      def should_apply_vary_header?
+        !params_readable? && use_accept_header && valid_accept_header
+      end
 
+      private
+        # We use normal content negotiation unless you include */* in your list,
+        # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
+        def params_readable? # :doc:
+          parameters[:format]
+        rescue *RESCUABLE_MIME_FORMAT_ERRORS
+          false
+        end
+
         def valid_accept_header # :doc:
           (xhr? && (accept.present? || content_mime_type)) ||
-            (accept.present? && accept !~ BROWSER_LIKE_ACCEPTS)
+            (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
         def use_accept_header # :doc:

data/lib/action_dispatch/http/mime_type.rb

@@ -1,17 +1,17 @@
 # frozen_string_literal: true
 
-# -*- frozen-string-literal: true -*-
-
 require "singleton"
-require "active_support/core_ext/string/starts_ends_with"
+require "active_support/core_ext/symbol/starts_ends_with"
 
 module Mime
   class Mimes
+    attr_reader :symbols
+
     include Enumerable
 
     def initialize
       @mimes = []
-      @symbols = nil
+      @symbols = []
     end
 
     def each
@@ -20,15 +20,16 @@ module Mime
 
     def <<(type)
       @mimes << type
-      @symbols = nil
+      @symbols << type.to_sym
     end
 
     def delete_if
-      @mimes.delete_if { |x| yield x }.tap { @symbols = nil }
-    end
-
-    def symbols
-      @symbols ||= map(&:to_sym)
+      @mimes.delete_if do |x|
+        if yield x
+          @symbols.delete(x.to_sym)
+          true
+        end
+      end
     end
   end
 
@@ -74,7 +75,7 @@ module Mime
       def initialize(index, name, q = nil)
         @index = index
         @name = name
-        q ||= 0.0 if @name == "*/*".freeze # Default wildcard match to end of list.
+        q ||= 0.0 if @name == "*/*" # Default wildcard match to end of list.
         @q = ((q || 1.0).to_f * 100).to_i
       end
 
@@ -116,7 +117,7 @@ module Mime
             type = list[idx]
             break if type.q < app_xml.q
 
-            if type.name.ends_with? "+xml"
+            if type.name.end_with? "+xml"
               list[app_xml_idx], list[idx] = list[idx], app_xml
               app_xml_idx = idx
             end
@@ -172,6 +173,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
+          return [] unless accept_header
           parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
         else
           list, index = [], 0
@@ -203,7 +205,7 @@ module Mime
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
       # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
       def parse_data_with_trailing_star(type)
-        Mime::SET.select { |m| m =~ type }
+        Mime::SET.select { |m| m.match?(type) }
       end
 
       # This method is opposite of register method.
@@ -223,7 +225,18 @@ module Mime
 
     attr_reader :hash
 
+    MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
+    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
+
+    class InvalidMimeType < StandardError; end
+
     def initialize(string, symbol = nil, synonyms = [])
+      unless MIME_REGEXP.match?(string)
+        raise InvalidMimeType, "#{string.inspect} is not a valid MIME type"
+      end
       @symbol, @synonyms = symbol, synonyms
       @string = string
       @hash = [@string, @synonyms, @symbol].hash
@@ -273,25 +286,27 @@ module Mime
       @synonyms.any? { |synonym| synonym.to_s =~ regexp } || @string =~ regexp
     end
 
+    def match?(mime_type)
+      return false unless mime_type
+      regexp = Regexp.new(Regexp.quote(mime_type.to_s))
+      @synonyms.any? { |synonym| synonym.to_s.match?(regexp) } || @string.match?(regexp)
+    end
+
     def html?
-      symbol == :html || @string =~ /html/
+      (symbol == :html) || /html/.match?(@string)
     end
 
     def all?; false; end
 
-    # TODO Change this to private once we've dropped Ruby 2.2 support.
-    # Workaround for Ruby 2.2 "private attribute?" warning.
     protected
-
       attr_reader :string, :synonyms
 
     private
-
       def to_ary; end
       def to_a; end
 
       def method_missing(method, *args)
-        if method.to_s.ends_with? "?"
+        if method.end_with?("?")
           method[0..-2].downcase.to_sym == to_sym
         else
           super
@@ -299,7 +314,7 @@ module Mime
       end
 
       def respond_to_missing?(method, include_private = false)
-        (method.to_s.ends_with? "?") || super
+        method.end_with?("?") || super
       end
   end
 
@@ -307,7 +322,7 @@ module Mime
     include Singleton
 
     def initialize
-      super "*/*", :all
+      super "*/*", nil
     end
 
     def all?; true; end
@@ -315,7 +330,7 @@ module Mime
   end
 
   # ALL isn't a real MIME type, so we don't register it for lookup with the
-  # other concrete types. It's a wildcard match that we use for `respond_to`
+  # other concrete types. It's a wildcard match that we use for +respond_to+
   # negotiation internals.
   ALL = AllType.instance
 
@@ -326,15 +341,19 @@ module Mime
       true
     end
 
+    def to_s
+      ""
+    end
+
     def ref; end
 
     private
       def respond_to_missing?(method, _)
-        method.to_s.ends_with? "?"
+        method.end_with?("?")
       end
 
       def method_missing(method, *args)
-        false if method.to_s.ends_with? "?"
+        false if method.end_with?("?")
       end
   end
 end

data/lib/action_dispatch/http/parameters.rb

@@ -57,7 +57,6 @@ module ActionDispatch
                    query_parameters.dup
                  end
         params.merge!(path_parameters)
-        params = set_binary_encoding(params, params[:controller], params[:action])
         set_header("action_dispatch.request.parameters", params)
         params
       end
@@ -66,7 +65,7 @@ module ActionDispatch
       def path_parameters=(parameters) #:nodoc:
         delete_header("action_dispatch.request.parameters")
 
-        parameters = set_binary_encoding(parameters, parameters[:controller], parameters[:action])
+        parameters = Request::Utils.set_binary_encoding(self, parameters, parameters[:controller], parameters[:action])
         # If any of the path parameters has an invalid encoding then
         # raise since it's likely to trigger errors further on.
         Request::Utils.check_param_encoding(parameters)
@@ -85,24 +84,6 @@ module ActionDispatch
       end
 
       private
-
-        def set_binary_encoding(params, controller, action)
-          return params unless controller && controller.valid_encoding?
-
-          if binary_params_for?(controller, action)
-            ActionDispatch::Request::Utils.each_param_value(params) do |param|
-              param.force_encoding ::Encoding::ASCII_8BIT
-            end
-          end
-          params
-        end
-
-        def binary_params_for?(controller, action)
-          controller_class_for(controller).binary_params_for?(action)
-        rescue NameError
-          false
-        end
-
         def parse_formatted_parameters(parsers)
           return yield if content_length.zero? || content_mime_type.nil?
 
@@ -111,13 +92,23 @@ module ActionDispatch
           begin
             strategy.call(raw_post)
           rescue # JSON or Ruby code block errors.
-            my_logger = logger || ActiveSupport::Logger.new($stderr)
-            my_logger.debug "Error occurred while parsing request parameters.\nContents:\n\n#{raw_post}"
-
+            log_parse_error_once
             raise ParseError
           end
         end
 
+        def log_parse_error_once
+          @parse_error_logged ||= begin
+            parse_logger = logger || ActiveSupport::Logger.new($stderr)
+            parse_logger.debug <<~MSG.chomp
+              Error occurred while parsing request parameters.
+              Contents:
+
+              #{raw_post}
+            MSG
+          end
+        end
+
         def params_parsers
           ActionDispatch::Request.parameter_parsers
         end

data/lib/action_dispatch/http/permissions_policy.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/deep_dup"
+
+module ActionDispatch #:nodoc:
+  class PermissionsPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type"
+      # The Feature-Policy header has been renamed to Permissions-Policy.
+      # The Permissions-Policy requires a different implementation and isn't
+      # yet supported by all browsers. To avoid having to rename this
+      # middleware in the future we use the new name for the middleware but
+      # keep the old header name and implementation for now.
+      POLICY       = "Feature-Policy"
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.permissions_policy
+          headers[POLICY] = policy.build(request.controller_instance)
+        end
+
+        if policy_empty?(policy)
+          headers.delete(POLICY)
+        end
+
+        response
+      end
+
+      private
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            /html/.match?(content_type)
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY]
+        end
+
+        def policy_empty?(policy)
+          policy&.directives&.empty?
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.permissions_policy"
+
+      def permissions_policy
+        get_header(POLICY)
+      end
+
+      def permissions_policy=(policy)
+        set_header(POLICY, policy)
+      end
+    end
+
+    MAPPINGS = {
+      self: "'self'",
+      none: "'none'",
+    }.freeze
+
+    # List of available permissions can be found at
+    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    DIRECTIVES = {
+      accelerometer:        "accelerometer",
+      ambient_light_sensor: "ambient-light-sensor",
+      autoplay:             "autoplay",
+      camera:               "camera",
+      encrypted_media:      "encrypted-media",
+      fullscreen:           "fullscreen",
+      geolocation:          "geolocation",
+      gyroscope:            "gyroscope",
+      magnetometer:         "magnetometer",
+      microphone:           "microphone",
+      midi:                 "midi",
+      payment:              "payment",
+      picture_in_picture:   "picture-in-picture",
+      speaker:              "speaker",
+      usb:                  "usb",
+      vibrate:              "vibrate",
+      vr:                   "vr",
+    }.freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def build(context = nil)
+      build_directives(context).compact.join("; ")
+    end
+
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            "#{directive} #{build_directive(sources, context).join(' ')}"
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
+          else
+            context.instance_exec(&source)
+          end
+        else
+          raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
+        end
+      end
+  end
+end