actionpack 5.2.7.1 → 6.0.0.beta1

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of actionpack might be problematic. Click here for more details.

Files changed (108) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +109 -472
  3. data/MIT-LICENSE +1 -1
  4. data/README.rdoc +1 -1
  5. data/lib/abstract_controller/base.rb +4 -2
  6. data/lib/abstract_controller/caching/fragments.rb +6 -21
  7. data/lib/abstract_controller/callbacks.rb +12 -0
  8. data/lib/abstract_controller/collector.rb +1 -1
  9. data/lib/abstract_controller/helpers.rb +2 -2
  10. data/lib/abstract_controller/railties/routes_helpers.rb +1 -1
  11. data/lib/action_controller/api.rb +2 -1
  12. data/lib/action_controller/base.rb +2 -7
  13. data/lib/action_controller/caching.rb +1 -1
  14. data/lib/action_controller/log_subscriber.rb +8 -5
  15. data/lib/action_controller/metal/conditional_get.rb +9 -3
  16. data/lib/action_controller/metal/data_streaming.rb +5 -6
  17. data/lib/action_controller/metal/default_headers.rb +17 -0
  18. data/lib/action_controller/metal/exceptions.rb +22 -1
  19. data/lib/action_controller/metal/flash.rb +5 -5
  20. data/lib/action_controller/metal/force_ssl.rb +17 -57
  21. data/lib/action_controller/metal/head.rb +1 -1
  22. data/lib/action_controller/metal/helpers.rb +1 -2
  23. data/lib/action_controller/metal/http_authentication.rb +21 -22
  24. data/lib/action_controller/metal/implicit_render.rb +2 -12
  25. data/lib/action_controller/metal/instrumentation.rb +3 -5
  26. data/lib/action_controller/metal/live.rb +28 -26
  27. data/lib/action_controller/metal/mime_responds.rb +13 -2
  28. data/lib/action_controller/metal/params_wrapper.rb +18 -14
  29. data/lib/action_controller/metal/redirecting.rb +32 -11
  30. data/lib/action_controller/metal/rendering.rb +1 -1
  31. data/lib/action_controller/metal/request_forgery_protection.rb +32 -97
  32. data/lib/action_controller/metal/strong_parameters.rb +57 -34
  33. data/lib/action_controller/metal/url_for.rb +1 -1
  34. data/lib/action_controller/metal.rb +2 -2
  35. data/lib/action_controller/railties/helpers.rb +1 -1
  36. data/lib/action_controller/renderer.rb +15 -2
  37. data/lib/action_controller/test_case.rb +5 -9
  38. data/lib/action_controller.rb +1 -0
  39. data/lib/action_dispatch/http/cache.rb +14 -10
  40. data/lib/action_dispatch/http/content_disposition.rb +45 -0
  41. data/lib/action_dispatch/http/content_security_policy.rb +17 -8
  42. data/lib/action_dispatch/http/filter_parameters.rb +8 -6
  43. data/lib/action_dispatch/http/filter_redirect.rb +1 -1
  44. data/lib/action_dispatch/http/headers.rb +1 -1
  45. data/lib/action_dispatch/http/mime_negotiation.rb +7 -10
  46. data/lib/action_dispatch/http/mime_type.rb +1 -5
  47. data/lib/action_dispatch/http/parameter_filter.rb +5 -79
  48. data/lib/action_dispatch/http/parameters.rb +13 -3
  49. data/lib/action_dispatch/http/request.rb +10 -13
  50. data/lib/action_dispatch/http/response.rb +14 -14
  51. data/lib/action_dispatch/http/upload.rb +5 -0
  52. data/lib/action_dispatch/http/url.rb +81 -81
  53. data/lib/action_dispatch/journey/formatter.rb +1 -1
  54. data/lib/action_dispatch/journey/nfa/simulator.rb +0 -2
  55. data/lib/action_dispatch/journey/nodes/node.rb +9 -8
  56. data/lib/action_dispatch/journey/path/pattern.rb +3 -4
  57. data/lib/action_dispatch/journey/router/utils.rb +10 -10
  58. data/lib/action_dispatch/journey/router.rb +0 -3
  59. data/lib/action_dispatch/journey/scanner.rb +11 -4
  60. data/lib/action_dispatch/journey/visitors.rb +1 -1
  61. data/lib/action_dispatch/middleware/callbacks.rb +2 -4
  62. data/lib/action_dispatch/middleware/cookies.rb +49 -70
  63. data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -58
  64. data/lib/action_dispatch/middleware/debug_locks.rb +5 -5
  65. data/lib/action_dispatch/middleware/debug_view.rb +50 -0
  66. data/lib/action_dispatch/middleware/exception_wrapper.rb +36 -7
  67. data/lib/action_dispatch/middleware/executor.rb +1 -1
  68. data/lib/action_dispatch/middleware/flash.rb +1 -1
  69. data/lib/action_dispatch/middleware/host_authorization.rb +103 -0
  70. data/lib/action_dispatch/middleware/remote_ip.rb +6 -8
  71. data/lib/action_dispatch/middleware/request_id.rb +2 -2
  72. data/lib/action_dispatch/middleware/session/abstract_store.rb +0 -14
  73. data/lib/action_dispatch/middleware/session/cache_store.rb +6 -11
  74. data/lib/action_dispatch/middleware/session/cookie_store.rb +11 -27
  75. data/lib/action_dispatch/middleware/ssl.rb +8 -8
  76. data/lib/action_dispatch/middleware/stack.rb +2 -2
  77. data/lib/action_dispatch/middleware/static.rb +5 -6
  78. data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +4 -2
  79. data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +45 -35
  80. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb +7 -0
  81. data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb +5 -0
  82. data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb +20 -2
  83. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb +4 -4
  84. data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb +2 -2
  85. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +19 -0
  86. data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb +3 -0
  87. data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +2 -2
  88. data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb +1 -1
  89. data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +2 -2
  90. data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +3 -0
  91. data/lib/action_dispatch/railtie.rb +1 -0
  92. data/lib/action_dispatch/request/session.rb +8 -6
  93. data/lib/action_dispatch/routing/inspector.rb +99 -50
  94. data/lib/action_dispatch/routing/mapper.rb +36 -29
  95. data/lib/action_dispatch/routing/polymorphic_routes.rb +7 -12
  96. data/lib/action_dispatch/routing/route_set.rb +11 -12
  97. data/lib/action_dispatch/routing/url_for.rb +1 -0
  98. data/lib/action_dispatch/routing.rb +3 -2
  99. data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +3 -3
  100. data/lib/action_dispatch/testing/assertions/response.rb +2 -3
  101. data/lib/action_dispatch/testing/assertions/routing.rb +7 -2
  102. data/lib/action_dispatch/testing/integration.rb +11 -5
  103. data/lib/action_dispatch/testing/test_process.rb +2 -2
  104. data/lib/action_dispatch/testing/test_response.rb +4 -32
  105. data/lib/action_dispatch.rb +7 -6
  106. data/lib/action_pack/gem_version.rb +4 -4
  107. data/lib/action_pack.rb +1 -1
  108. metadata +25 -23
@@ -86,7 +86,7 @@ module ActionController
86
86
  # Note: SSEs are not currently supported by IE. However, they are supported
87
87
  # by Chrome, Firefox, Opera, and Safari.
88
88
  class SSE
89
- WHITELISTED_OPTIONS = %w( retry event id )
89
+ PERMITTED_OPTIONS = %w( retry event id )
90
90
 
91
91
  def initialize(stream, options = {})
92
92
  @stream = stream
@@ -111,13 +111,13 @@ module ActionController
111
111
  def perform_write(json, options)
112
112
  current_options = @options.merge(options).stringify_keys
113
113
 
114
- WHITELISTED_OPTIONS.each do |option_name|
114
+ PERMITTED_OPTIONS.each do |option_name|
115
115
  if (option_value = current_options[option_name])
116
116
  @stream.write "#{option_name}: #{option_value}\n"
117
117
  end
118
118
  end
119
119
 
120
- message = json.gsub("\n".freeze, "\ndata: ".freeze)
120
+ message = json.gsub("\n", "\ndata: ")
121
121
  @stream.write "data: #{message}\n\n"
122
122
  end
123
123
  end
@@ -280,33 +280,35 @@ module ActionController
280
280
  raise error if error
281
281
  end
282
282
 
283
- # Spawn a new thread to serve up the controller in. This is to get
284
- # around the fact that Rack isn't based around IOs and we need to use
285
- # a thread to stream data from the response bodies. Nobody should call
286
- # this method except in Rails internals. Seriously!
287
- def new_controller_thread # :nodoc:
288
- Thread.new {
289
- t2 = Thread.current
290
- t2.abort_on_exception = true
291
- yield
292
- }
283
+ def response_body=(body)
284
+ super
285
+ response.close if response
293
286
  end
294
287
 
295
- def log_error(exception)
296
- logger = ActionController::Base.logger
297
- return unless logger
288
+ private
298
289
 
299
- logger.fatal do
300
- message = "\n#{exception.class} (#{exception.message}):\n".dup
301
- message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
302
- message << " " << exception.backtrace.join("\n ")
303
- "#{message}\n\n"
290
+ # Spawn a new thread to serve up the controller in. This is to get
291
+ # around the fact that Rack isn't based around IOs and we need to use
292
+ # a thread to stream data from the response bodies. Nobody should call
293
+ # this method except in Rails internals. Seriously!
294
+ def new_controller_thread # :nodoc:
295
+ Thread.new {
296
+ t2 = Thread.current
297
+ t2.abort_on_exception = true
298
+ yield
299
+ }
304
300
  end
305
- end
306
301
 
307
- def response_body=(body)
308
- super
309
- response.close if response
310
- end
302
+ def log_error(exception)
303
+ logger = ActionController::Base.logger
304
+ return unless logger
305
+
306
+ logger.fatal do
307
+ message = +"\n#{exception.class} (#{exception.message}):\n"
308
+ message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
309
+ message << " " << exception.backtrace.join("\n ")
310
+ "#{message}\n\n"
311
+ end
312
+ end
311
313
  end
312
314
  end
@@ -11,7 +11,7 @@ module ActionController #:nodoc:
11
11
  # @people = Person.all
12
12
  # end
13
13
  #
14
- # That action implicitly responds to all formats, but formats can also be whitelisted:
14
+ # That action implicitly responds to all formats, but formats can also be explicitly enumerated:
15
15
  #
16
16
  # def index
17
17
  # @people = Person.all
@@ -105,7 +105,7 @@ module ActionController #:nodoc:
105
105
  #
106
106
  # Mime::Type.register "image/jpg", :jpg
107
107
  #
108
- # Respond to also allows you to specify a common block for different formats by using +any+:
108
+ # +respond_to+ also allows you to specify a common block for different formats by using +any+:
109
109
  #
110
110
  # def index
111
111
  # @people = Person.all
@@ -124,6 +124,14 @@ module ActionController #:nodoc:
124
124
  #
125
125
  # render json: @people
126
126
  #
127
+ # +any+ can also be used with no arguments, in which case it will be used for any format requested by
128
+ # the user:
129
+ #
130
+ # respond_to do |format|
131
+ # format.html
132
+ # format.any { redirect_to support_path }
133
+ # end
134
+ #
127
135
  # Formats can have different variants.
128
136
  #
129
137
  # The request variant is a specialization of the request format, like <tt>:tablet</tt>,
@@ -197,6 +205,9 @@ module ActionController #:nodoc:
197
205
  yield collector if block_given?
198
206
 
199
207
  if format = collector.negotiate_format(request)
208
+ if content_type && content_type != format
209
+ raise ActionController::RespondToMismatchError
210
+ end
200
211
  _process_format(format)
201
212
  _set_rendered_content_type format
202
213
  response = collector.response
@@ -93,7 +93,7 @@ module ActionController
93
93
  end
94
94
 
95
95
  def model
96
- super || self.model = _default_wrap_model
96
+ super || synchronize { super || self.model = _default_wrap_model }
97
97
  end
98
98
 
99
99
  def include
@@ -115,7 +115,7 @@ module ActionController
115
115
 
116
116
  if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
117
117
  self.include += m.nested_attributes_options.keys.map do |key|
118
- key.to_s.dup.concat("_attributes")
118
+ key.to_s.concat("_attributes")
119
119
  end
120
120
  end
121
121
 
@@ -241,18 +241,7 @@ module ActionController
241
241
  # Performs parameters wrapping upon the request. Called automatically
242
242
  # by the metal call stack.
243
243
  def process_action(*args)
244
- if _wrapper_enabled?
245
- wrapped_hash = _wrap_parameters request.request_parameters
246
- wrapped_keys = request.request_parameters.keys
247
- wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
248
-
249
- # This will make the wrapped hash accessible from controller and view.
250
- request.parameters.merge! wrapped_hash
251
- request.request_parameters.merge! wrapped_hash
252
-
253
- # This will display the wrapped hash in the log file.
254
- request.filtered_parameters.merge! wrapped_filtered_hash
255
- end
244
+ _perform_parameter_wrapping if _wrapper_enabled?
256
245
  super
257
246
  end
258
247
 
@@ -289,5 +278,20 @@ module ActionController
289
278
  ref = request.content_mime_type.ref
290
279
  _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
291
280
  end
281
+
282
+ def _perform_parameter_wrapping
283
+ wrapped_hash = _wrap_parameters request.request_parameters
284
+ wrapped_keys = request.request_parameters.keys
285
+ wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
286
+
287
+ # This will make the wrapped hash accessible from controller and view.
288
+ request.parameters.merge! wrapped_hash
289
+ request.request_parameters.merge! wrapped_hash
290
+
291
+ # This will display the wrapped hash in the log file.
292
+ request.filtered_parameters.merge! wrapped_filtered_hash
293
+ rescue ActionDispatch::Http::Parameters::ParseError
294
+ # swallow parse error exception
295
+ end
292
296
  end
293
297
  end
@@ -55,12 +55,12 @@ module ActionController
55
55
  # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
56
56
  # To terminate the execution of the function immediately after the +redirect_to+, use return.
57
57
  # redirect_to post_url(@post) and return
58
- def redirect_to(options = {}, response_status = {})
58
+ def redirect_to(options = {}, response_options = {})
59
59
  raise ActionControllerError.new("Cannot redirect to nil!") unless options
60
60
  raise AbstractController::DoubleRenderError if response_body
61
61
 
62
- self.status = _extract_redirect_to_status(options, response_status)
63
- self.location = _compute_redirect_to_location(request, options)
62
+ self.status = _extract_redirect_to_status(options, response_options)
63
+ self.location = _compute_safe_redirect_to_location(request, options, response_options)
64
64
  self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
65
65
  end
66
66
 
@@ -88,9 +88,13 @@ module ActionController
88
88
  # All other options that can be passed to <tt>redirect_to</tt> are accepted as
89
89
  # options and the behavior is identical.
90
90
  def redirect_back(fallback_location:, allow_other_host: true, **args)
91
- referer = request.headers["Referer"]
92
- redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
93
- redirect_to redirect_to_referer ? referer : fallback_location, **args
91
+ referer = request.headers.fetch("Referer", fallback_location)
92
+ response_options = {
93
+ fallback_location: fallback_location,
94
+ allow_other_host: allow_other_host,
95
+ **args,
96
+ }
97
+ redirect_to referer, response_options
94
98
  end
95
99
 
96
100
  def _compute_redirect_to_location(request, options) #:nodoc:
@@ -114,18 +118,35 @@ module ActionController
114
118
  public :_compute_redirect_to_location
115
119
 
116
120
  private
117
- def _extract_redirect_to_status(options, response_status)
121
+ def _compute_safe_redirect_to_location(request, options, response_options)
122
+ location = _compute_redirect_to_location(request, options)
123
+ location_options = options.is_a?(Hash) ? options : {}
124
+ if response_options[:allow_other_host] || _url_host_allowed?(location, location_options)
125
+ location
126
+ else
127
+ fallback_location = response_options.fetch(:fallback_location) do
128
+ raise ArgumentError, <<~MSG.squish
129
+ Unsafe redirect #{location.inspect},
130
+ use :fallback_location to specify a fallback
131
+ or :allow_other_host to redirect anyway.
132
+ MSG
133
+ end
134
+ _compute_redirect_to_location(request, fallback_location)
135
+ end
136
+ end
137
+
138
+ def _extract_redirect_to_status(options, response_options)
118
139
  if options.is_a?(Hash) && options.key?(:status)
119
140
  Rack::Utils.status_code(options.delete(:status))
120
- elsif response_status.key?(:status)
121
- Rack::Utils.status_code(response_status[:status])
141
+ elsif response_options.key?(:status)
142
+ Rack::Utils.status_code(response_options[:status])
122
143
  else
123
144
  302
124
145
  end
125
146
  end
126
147
 
127
- def _url_host_allowed?(url)
128
- URI(url.to_s).host == request.host
148
+ def _url_host_allowed?(url, options = {})
149
+ URI(url.to_s).host.in?([request.host, options[:host]])
129
150
  rescue ArgumentError, URI::Error
130
151
  false
131
152
  end
@@ -40,7 +40,7 @@ module ActionController
40
40
  def render_to_string(*)
41
41
  result = super
42
42
  if result.respond_to?(:each)
43
- string = "".dup
43
+ string = +""
44
44
  result.each { |r| string << r }
45
45
  string
46
46
  else
@@ -3,7 +3,6 @@
3
3
  require "rack/session/abstract/id"
4
4
  require "action_controller/metal/exceptions"
5
5
  require "active_support/security_utils"
6
- require "active_support/core_ext/string/strip"
7
6
 
8
7
  module ActionController #:nodoc:
9
8
  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
@@ -18,7 +17,7 @@ module ActionController #:nodoc:
18
17
  # access. When a request reaches your application, \Rails verifies the received
19
18
  # token with the token in the session. All requests are checked except GET requests
20
19
  # as these should be idempotent. Keep in mind that all session-oriented requests
21
- # should be CSRF protected, including JavaScript and HTML requests.
20
+ # are CSRF protected by default, including JavaScript and HTML requests.
22
21
  #
23
22
  # Since HTML and JavaScript requests are typically made from the browser, we
24
23
  # need to ensure to verify request authenticity for the web browser. We can
@@ -31,16 +30,23 @@ module ActionController #:nodoc:
31
30
  # URL on your site. When your JavaScript response loads on their site, it executes.
32
31
  # With carefully crafted JavaScript on their end, sensitive data in your JavaScript
33
32
  # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
34
- # Ajax) requests are allowed to make GET requests for JavaScript responses.
33
+ # Ajax) requests are allowed to make requests for JavaScript responses.
35
34
  #
36
- # It's important to remember that XML or JSON requests are also affected and if
37
- # you're building an API you should change forgery protection method in
35
+ # It's important to remember that XML or JSON requests are also checked by default. If
36
+ # you're building an API or an SPA you could change forgery protection method in
38
37
  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
39
38
  #
40
39
  # class ApplicationController < ActionController::Base
41
40
  # protect_from_forgery unless: -> { request.format.json? }
42
41
  # end
43
42
  #
43
+ # It is generally safe to exclude XHR requests from CSRF protection
44
+ # (like the code snippet above does), because XHR requests can only be made from
45
+ # the same origin. Note however that any cross-origin third party domain
46
+ # allowed via {CORS}[https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]
47
+ # will also be able to create XHR requests. Be sure to check your
48
+ # CORS configuration before disabling forgery protection for XHR.
49
+ #
44
50
  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
45
51
  # By default <tt>protect_from_forgery</tt> protects your session with
46
52
  # <tt>:null_session</tt> method, which provides an empty session
@@ -55,7 +61,7 @@ module ActionController #:nodoc:
55
61
  # <tt>csrf_meta_tags</tt> in the HTML +head+.
56
62
  #
57
63
  # Learn more about CSRF attacks and securing your application in the
58
- # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
64
+ # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
59
65
  module RequestForgeryProtection
60
66
  extend ActiveSupport::Concern
61
67
 
@@ -92,10 +98,6 @@ module ActionController #:nodoc:
92
98
  config_accessor :default_protect_from_forgery
93
99
  self.default_protect_from_forgery = false
94
100
 
95
- # Controls whether URL-safe CSRF tokens are generated.
96
- config_accessor :urlsafe_csrf_tokens, instance_writer: false
97
- self.urlsafe_csrf_tokens = false
98
-
99
101
  helper_method :form_authenticity_token
100
102
  helper_method :protect_against_forgery?
101
103
  end
@@ -280,7 +282,7 @@ module ActionController #:nodoc:
280
282
 
281
283
  # Check for cross-origin JavaScript responses.
282
284
  def non_xhr_javascript_response? # :doc:
283
- content_type =~ %r(\Atext/javascript) && !request.xhr?
285
+ content_type =~ %r(\A(?:text|application)/javascript) && !request.xhr?
284
286
  end
285
287
 
286
288
  AUTHENTICITY_TOKEN_LENGTH = 32
@@ -322,10 +324,13 @@ module ActionController #:nodoc:
322
324
  action_path = normalize_action_path(action)
323
325
  per_form_csrf_token(session, action_path, method)
324
326
  else
325
- global_csrf_token(session)
327
+ real_csrf_token(session)
326
328
  end
327
329
 
328
- mask_token(raw_token)
330
+ one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
331
+ encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
332
+ masked_token = one_time_pad + encrypted_csrf_token
333
+ Base64.strict_encode64(masked_token)
329
334
  end
330
335
 
331
336
  # Checks the client's masked token to see if it matches the
@@ -337,7 +342,7 @@ module ActionController #:nodoc:
337
342
  end
338
343
 
339
344
  begin
340
- masked_token = decode_csrf_token(encoded_masked_token)
345
+ masked_token = Base64.strict_decode64(encoded_masked_token)
341
346
  rescue ArgumentError # encoded_masked_token is invalid Base64
342
347
  return false
343
348
  end
@@ -355,8 +360,7 @@ module ActionController #:nodoc:
355
360
  elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
356
361
  csrf_token = unmask_token(masked_token)
357
362
 
358
- compare_with_global_token(csrf_token, session) ||
359
- compare_with_real_token(csrf_token, session) ||
363
+ compare_with_real_token(csrf_token, session) ||
360
364
  valid_per_form_csrf_token?(csrf_token, session)
361
365
  else
362
366
  false # Token is malformed.
@@ -371,21 +375,10 @@ module ActionController #:nodoc:
371
375
  xor_byte_strings(one_time_pad, encrypted_csrf_token)
372
376
  end
373
377
 
374
- def mask_token(raw_token) # :doc:
375
- one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
376
- encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
377
- masked_token = one_time_pad + encrypted_csrf_token
378
- encode_csrf_token(masked_token)
379
- end
380
-
381
378
  def compare_with_real_token(token, session) # :doc:
382
379
  ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
383
380
  end
384
381
 
385
- def compare_with_global_token(token, session) # :doc:
386
- ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
387
- end
388
-
389
382
  def valid_per_form_csrf_token?(token, session) # :doc:
390
383
  if per_form_csrf_tokens
391
384
  correct_token = per_form_csrf_token(
@@ -401,33 +394,27 @@ module ActionController #:nodoc:
401
394
  end
402
395
 
403
396
  def real_csrf_token(session) # :doc:
404
- session[:_csrf_token] ||= generate_csrf_token
405
- decode_csrf_token(session[:_csrf_token])
397
+ session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
398
+ Base64.strict_decode64(session[:_csrf_token])
406
399
  end
407
400
 
408
401
  def per_form_csrf_token(session, action_path, method) # :doc:
409
- csrf_token_hmac(session, [action_path, method.downcase].join("#"))
410
- end
411
-
412
- GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
413
- private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
414
-
415
- def global_csrf_token(session) # :doc:
416
- csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
417
- end
418
-
419
- def csrf_token_hmac(session, identifier) # :doc:
420
402
  OpenSSL::HMAC.digest(
421
403
  OpenSSL::Digest::SHA256.new,
422
404
  real_csrf_token(session),
423
- identifier
405
+ [action_path, method.downcase].join("#")
424
406
  )
425
407
  end
426
408
 
427
409
  def xor_byte_strings(s1, s2) # :doc:
428
- s2_bytes = s2.bytes
429
- s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
430
- s2_bytes.pack("C*")
410
+ s2 = s2.dup
411
+ size = s1.bytesize
412
+ i = 0
413
+ while i < size
414
+ s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
415
+ i += 1
416
+ end
417
+ s2
431
418
  end
432
419
 
433
420
  # The form's authenticity parameter. Override to provide your own.
@@ -440,7 +427,7 @@ module ActionController #:nodoc:
440
427
  allow_forgery_protection
441
428
  end
442
429
 
443
- NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc
430
+ NULL_ORIGIN_MESSAGE = <<~MSG
444
431
  The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
445
432
  means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
446
433
  refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
@@ -465,57 +452,5 @@ module ActionController #:nodoc:
465
452
  uri = URI.parse(action_path)
466
453
  uri.path.chomp("/")
467
454
  end
468
-
469
- def generate_csrf_token # :nodoc:
470
- if urlsafe_csrf_tokens
471
- SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
472
- else
473
- SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
474
- end
475
- end
476
-
477
- if RUBY_VERSION.start_with?("2.2")
478
- # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
479
- using Module.new {
480
- refine Base64.singleton_class do
481
- def urlsafe_encode64(bin, padding: true)
482
- str = strict_encode64(bin).tr("+/", "-_")
483
- str = str.delete("=") unless padding
484
- str
485
- end
486
-
487
- def urlsafe_decode64(str)
488
- # NOTE: RFC 4648 does say nothing about unpadded input, but says that
489
- # "the excess pad characters MAY also be ignored", so it is inferred that
490
- # unpadded input is also acceptable.
491
- str = str.tr("-_", "+/")
492
- if !str.end_with?("=") && str.length % 4 != 0
493
- str = str.ljust((str.length + 3) & ~3, "=")
494
- end
495
- strict_decode64(str)
496
- end
497
- end
498
- }
499
- end
500
-
501
- def encode_csrf_token(csrf_token) # :nodoc:
502
- if urlsafe_csrf_tokens
503
- Base64.urlsafe_encode64(csrf_token, padding: false)
504
- else
505
- Base64.strict_encode64(csrf_token)
506
- end
507
- end
508
-
509
- def decode_csrf_token(encoded_csrf_token) # :nodoc:
510
- if urlsafe_csrf_tokens
511
- Base64.urlsafe_decode64(encoded_csrf_token)
512
- else
513
- begin
514
- Base64.strict_decode64(encoded_csrf_token)
515
- rescue ArgumentError
516
- Base64.urlsafe_decode64(encoded_csrf_token)
517
- end
518
- end
519
- end
520
455
  end
521
456
  end