actionpack 5.2.7.1 → 6.1.4.6

data/lib/action_controller/renderer.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/hash/keys"
-
 module ActionController
   # ActionController::Renderer allows you to render arbitrary templates
   # without requirement of being in controller actions.
@@ -67,10 +65,29 @@ module ActionController
     def initialize(controller, env, defaults)
       @controller = controller
       @defaults = defaults
-      @env = normalize_keys defaults.merge(env)
+      @env = normalize_keys defaults, env
     end
 
     # Render templates with any options from ActionController::Base#render_to_string.
+    #
+    # The primary options are:
+    # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt> for details.
+    # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
+    #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
+    # * <tt>:inline</tt> - Renders an ERB template string.
+    # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
+    # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
+    #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
+    # * <tt>:json</tt> - Renders the provided hash or object in JSON. You don't
+    #   need to call <tt>.to_json</tt> on the object you want to render.
+    # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
+    #
+    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
+    #
+    # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
+    # passing in the current view context.
+    #
+    # Otherwise, a partial is rendered using the second parameter as the locals hash.
     def render(*args)
       raise "missing controller" unless controller
 
@@ -82,11 +99,18 @@ module ActionController
       instance.set_response! controller.make_response!(request)
       instance.render_to_string(*args)
     end
+    alias_method :render_to_string, :render # :nodoc:
 
     private
-      def normalize_keys(env)
+      def normalize_keys(defaults, env)
         new_env = {}
         env.each_pair { |k, v| new_env[rack_key_for(k)] = rack_value_for(k, v) }
+
+        defaults.each_pair do |k, v|
+          key = rack_key_for(k)
+          new_env[key] = rack_value_for(k, v) unless new_env.key?(key)
+        end
+
         new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
         new_env
       end
@@ -99,19 +123,19 @@ module ActionController
         input:       "rack.input"
       }
 
-      IDENTITY = ->(_) { _ }
-
-      RACK_VALUE_TRANSLATION = {
-        https: ->(v) { v ? "on" : "off" },
-        method: ->(v) { v.upcase },
-      }
-
       def rack_key_for(key)
-        RACK_KEY_TRANSLATION.fetch(key, key.to_s)
+        RACK_KEY_TRANSLATION[key] || key.to_s
       end
 
       def rack_value_for(key, value)
-        RACK_VALUE_TRANSLATION.fetch(key, IDENTITY).call value
+        case key
+        when :https
+          value ? "on" : "off"
+        when :method
+          -value.upcase
+        else
+          value
+        end
       end
   end
 end

data/lib/action_controller/template_assertions.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module ActionController
-  module TemplateAssertions
+  module TemplateAssertions # :nodoc:
     def assert_template(options = {}, message = nil)
       raise NoMethodError,
         "assert_template has been extracted to a gem. To continue using it,

data/lib/action_controller/test_case.rb

@@ -24,9 +24,12 @@ module ActionController
     def new_controller_thread # :nodoc:
       yield
     end
+
+    # Avoid a deadlock from the queue filling up
+    Buffer.queue_size = nil
   end
 
-  # ActionController::TestCase will be deprecated and moved to a gem in Rails 5.1.
+  # ActionController::TestCase will be deprecated and moved to a gem in the future.
   # Please use ActionDispatch::IntegrationTest going forward.
   class TestRequest < ActionDispatch::TestRequest #:nodoc:
     DEFAULT_ENV = ActionDispatch::TestRequest::DEFAULT_ENV.dup
@@ -84,7 +87,7 @@ module ActionController
             value = value.to_param
           end
 
-          path_parameters[key] = value
+          path_parameters[key.to_sym] = value
         end
       end
 
@@ -158,7 +161,6 @@ module ActionController
     end.new
 
     private
-
       def params_parsers
         super.merge @custom_param_parsers
       end
@@ -203,12 +205,16 @@ module ActionController
       clear
     end
 
+    def dig(*keys)
+      keys = keys.map.with_index { |key, i| i.zero? ? key.to_s : key }
+      @data.dig(*keys)
+    end
+
     def fetch(key, *args, &block)
       @data.fetch(key.to_s, *args, &block)
     end
 
     private
-
       def load!
         @id
       end
@@ -276,9 +282,6 @@ module ActionController
   #      after calling +post+. If the various assert methods are not sufficient, then you
   #      may use this object to inspect the HTTP response in detail.
   #
-  # (Earlier versions of \Rails required each functional test to subclass
-  # Test::Unit::TestCase and define @controller, @request, @response in +setup+.)
-  #
   # == Controller is automatically inferred
   #
   # ActionController::TestCase will automatically infer the controller under test
@@ -460,7 +463,7 @@ module ActionController
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
 
-        action = action.to_s.dup
+        action = +action.to_s
         http_method = method.to_s.upcase
 
         @html_document = nil
@@ -492,57 +495,8 @@ module ActionController
           parameters[:format] = format
         end
 
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
-        generated_path = generated_path(generated_extras)
-        query_string_keys = query_parameter_names(generated_extras)
-
-        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
-
-        @request.session.update(session) if session
-        @request.flash.update(flash || {})
-
-        if xhr
-          @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
-          @request.fetch_header("HTTP_ACCEPT") do |k|
-            @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
-          end
-        end
-
-        @request.fetch_header("SCRIPT_NAME") do |k|
-          @request.set_header k, @controller.config.relative_url_root
-        end
-
-        begin
-          @controller.recycle!
-          @controller.dispatch(action, @request, @response)
-        ensure
-          @request = @controller.request
-          @response = @controller.response
-
-          if @request.have_cookie_jar?
-            unless @request.cookie_jar.committed?
-              @request.cookie_jar.write(@response)
-              cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
-            end
-          end
-          @response.prepare!
-
-          if flash_value = @request.flash.to_session_value
-            @request.session["flash"] = flash_value
-          else
-            @request.session.delete("flash")
-          end
-
-          if xhr
-            @request.delete_header "HTTP_X_REQUESTED_WITH"
-            @request.delete_header "HTTP_ACCEPT"
-          end
-          @request.query_string = ""
-
-          @response.sent!
-        end
-
-        @response
+        setup_request(controller_class_name, action, parameters, session, flash, xhr)
+        process_controller_response(action, cookies, xhr)
       end
 
       def controller_class_name
@@ -598,12 +552,66 @@ module ActionController
       end
 
       private
+        def setup_request(controller_class_name, action, parameters, session, flash, xhr)
+          generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
+          generated_path = generated_path(generated_extras)
+          query_string_keys = query_parameter_names(generated_extras)
+
+          @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
+
+          @request.session.update(session) if session
+          @request.flash.update(flash || {})
+
+          if xhr
+            @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
+            @request.fetch_header("HTTP_ACCEPT") do |k|
+              @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
+            end
+          end
+
+          @request.fetch_header("SCRIPT_NAME") do |k|
+            @request.set_header k, @controller.config.relative_url_root
+          end
+        end
+
+        def process_controller_response(action, cookies, xhr)
+          begin
+            @controller.recycle!
+            @controller.dispatch(action, @request, @response)
+          ensure
+            @request = @controller.request
+            @response = @controller.response
+
+            if @request.have_cookie_jar?
+              unless @request.cookie_jar.committed?
+                @request.cookie_jar.write(@response)
+                cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
+              end
+            end
+            @response.prepare!
+
+            if flash_value = @request.flash.to_session_value
+              @request.session["flash"] = flash_value
+            else
+              @request.session.delete("flash")
+            end
+
+            if xhr
+              @request.delete_header "HTTP_X_REQUESTED_WITH"
+              @request.delete_header "HTTP_ACCEPT"
+            end
+            @request.query_string = ""
+
+            @response.sent!
+          end
+
+          @response
+        end
 
         def scrub_env!(env)
-          env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
-          env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
-          env.delete "action_dispatch.request.query_parameters"
-          env.delete "action_dispatch.request.request_parameters"
+          env.delete_if do |k, _|
+            k.start_with?("rack.request", "action_dispatch.request", "action_dispatch.rescue")
+          end
           env["rack.input"] = StringIO.new
           env.delete "CONTENT_LENGTH"
           env.delete "RAW_POST_DATA"

data/lib/action_controller.rb

@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
-require "active_support/rails"
 require "abstract_controller"
 require "action_dispatch"
-require "action_controller/metal/live"
 require "action_controller/metal/strong_parameters"
 
 module ActionController
@@ -12,7 +10,6 @@ module ActionController
   autoload :API
   autoload :Base
   autoload :Metal
-  autoload :Middleware
   autoload :Renderer
   autoload :FormBuilder
 
@@ -21,20 +18,26 @@ module ActionController
   end
 
   autoload_under "metal" do
+    eager_autoload do
+      autoload :Live
+    end
+
     autoload :ConditionalGet
     autoload :ContentSecurityPolicy
     autoload :Cookies
     autoload :DataStreaming
+    autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
+    autoload :PermissionsPolicy
     autoload :Flash
-    autoload :ForceSSL
     autoload :Head
     autoload :Helpers
     autoload :HttpAuthentication
     autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
+    autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
     autoload :Redirecting

data/lib/action_dispatch/http/cache.rb

@@ -4,8 +4,8 @@ module ActionDispatch
   module Http
     module Cache
       module Request
-        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE".freeze
-        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH".freeze
+        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
+        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
 
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
@@ -114,7 +114,7 @@ module ActionDispatch
 
         # True if an ETag is set and it's a weak validator (preceded with W/)
         def weak_etag?
-          etag? && etag.starts_with?('W/"')
+          etag? && etag.start_with?('W/"')
         end
 
         # True if an ETag is set and it isn't a weak validator (not preceded with W/)
@@ -123,10 +123,9 @@ module ActionDispatch
         end
 
       private
-
-        DATE          = "Date".freeze
-        LAST_MODIFIED = "Last-Modified".freeze
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+        DATE          = "Date"
+        LAST_MODIFIED = "Last-Modified"
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -151,8 +150,8 @@ module ActionDispatch
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive
-              key = directive.tr("-", "_")
-              cache_control[key.to_sym] = argument || true
+              directive.tr!("-", "_")
+              cache_control[directive.to_sym] = argument || true
             else
               cache_control[:extras] ||= []
               cache_control[:extras] << segment
@@ -166,11 +165,12 @@ module ActionDispatch
           @cache_control = cache_control_headers
         end
 
-        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
-        NO_CACHE              = "no-cache".freeze
-        PUBLIC                = "public".freeze
-        PRIVATE               = "private".freeze
-        MUST_REVALIDATE       = "must-revalidate".freeze
+        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+        NO_STORE              = "no-store"
+        NO_CACHE              = "no-cache"
+        PUBLIC                = "public"
+        PRIVATE               = "private"
+        MUST_REVALIDATE       = "must-revalidate"
 
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag
@@ -183,38 +183,42 @@ module ActionDispatch
         end
 
         def merge_and_normalize_cache_control!(cache_control)
-          control = {}
-          cc_headers = cache_control_headers
-          if extras = cc_headers.delete(:extras)
+          control = cache_control_headers
+
+          return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
+
+          if extras = control.delete(:extras)
             cache_control[:extras] ||= []
             cache_control[:extras] += extras
             cache_control[:extras].uniq!
           end
 
-          control.merge! cc_headers
           control.merge! cache_control
 
-          if control.empty?
-            # Let middleware handle default behavior
+          options = []
+
+          if control[:no_store]
+            options << PRIVATE if control[:private]
+            options << NO_STORE
           elsif control[:no_cache]
-            options = []
             options << PUBLIC if control[:public]
             options << NO_CACHE
             options.concat(control[:extras]) if control[:extras]
-
-            self._cache_control = options.join(", ")
           else
-            extras  = control[:extras]
+            extras = control[:extras]
             max_age = control[:max_age]
+            stale_while_revalidate = control[:stale_while_revalidate]
+            stale_if_error = control[:stale_if_error]
 
-            options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
+            options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
+            options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
-
-            self._cache_control = options.join(", ")
           end
+
+          self._cache_control = options.join(", ")
         end
       end
     end

data/lib/action_dispatch/http/content_disposition.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    class ContentDisposition # :nodoc:
+      def self.format(disposition:, filename:)
+        new(disposition: disposition, filename: filename).to_s
+      end
+
+      attr_reader :disposition, :filename
+
+      def initialize(disposition:, filename:)
+        @disposition = disposition
+        @filename = filename
+      end
+
+      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!\#$+.^_`|~-]/
+
+      def ascii_filename
+        'filename="' + percent_escape(I18n.transliterate(filename), TRADITIONAL_ESCAPED_CHAR) + '"'
+      end
+
+      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!\#$&+.^_`|~-]/
+
+      def utf8_filename
+        "filename*=UTF-8''" + percent_escape(filename, RFC_5987_ESCAPED_CHAR)
+      end
+
+      def to_s
+        if filename
+          "#{disposition}; #{ascii_filename}; #{utf8_filename}"
+        else
+          "#{disposition}"
+        end
+      end
+
+      private
+        def percent_escape(string, pattern)
+          string.gsub(pattern) do |char|
+            char.bytes.map { |byte| "%%%02X" % byte }.join
+          end
+        end
+    end
+  end
+end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -5,9 +5,9 @@ require "active_support/core_ext/object/deep_dup"
 module ActionDispatch #:nodoc:
   class ContentSecurityPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type".freeze
-      POLICY = "Content-Security-Policy".freeze
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+      CONTENT_TYPE = "Content-Type"
+      POLICY = "Content-Security-Policy"
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
 
       def initialize(app)
         @app = app
@@ -17,18 +17,26 @@ module ActionDispatch #:nodoc:
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
+        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
+          nonce_directives = request.content_security_policy_nonce_directives
           context = request.controller_instance || request
-          headers[header_name(request)] = policy.build(context, nonce)
+          headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
         end
 
         response
       end
 
       private
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            /html/.match?(content_type)
+          end
+        end
+
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY
@@ -43,10 +51,11 @@ module ActionDispatch #:nodoc:
     end
 
     module Request
-      POLICY = "action_dispatch.content_security_policy".freeze
-      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
-      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator".freeze
-      NONCE = "action_dispatch.content_security_policy_nonce".freeze
+      POLICY = "action_dispatch.content_security_policy"
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only"
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator"
+      NONCE = "action_dispatch.content_security_policy_nonce"
+      NONCE_DIRECTIVES = "action_dispatch.content_security_policy_nonce_directives"
 
       def content_security_policy
         get_header(POLICY)
@@ -72,6 +81,14 @@ module ActionDispatch #:nodoc:
         set_header(NONCE_GENERATOR, generator)
       end
 
+      def content_security_policy_nonce_directives
+        get_header(NONCE_DIRECTIVES)
+      end
+
+      def content_security_policy_nonce_directives=(generator)
+        set_header(NONCE_DIRECTIVES, generator)
+      end
+
       def content_security_policy_nonce
         if content_security_policy_nonce_generator
           if nonce = get_header(NONCE)
@@ -83,7 +100,6 @@ module ActionDispatch #:nodoc:
       end
 
       private
-
         def generate_content_security_policy_nonce
           content_security_policy_nonce_generator.call(self)
         end
@@ -119,14 +135,19 @@ module ActionDispatch #:nodoc:
       manifest_src:    "manifest-src",
       media_src:       "media-src",
       object_src:      "object-src",
+      prefetch_src:    "prefetch-src",
       script_src:      "script-src",
+      script_src_attr: "script-src-attr",
+      script_src_elem: "script-src-elem",
       style_src:       "style-src",
+      style_src_attr:  "style-src-attr",
+      style_src_elem:  "style-src-elem",
       worker_src:      "worker-src"
     }.freeze
 
-    NONCE_DIRECTIVES = %w[script-src].freeze
+    DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
-    private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
+    private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
 
     attr_reader :directives
 
@@ -195,8 +216,9 @@ module ActionDispatch #:nodoc:
       end
     end
 
-    def build(context = nil, nonce = nil)
-      build_directives(context, nonce).compact.join("; ")
+    def build(context = nil, nonce = nil, nonce_directives = nil)
+      nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
+      build_directives(context, nonce, nonce_directives).compact.join("; ")
     end
 
     private
@@ -219,10 +241,10 @@ module ActionDispatch #:nodoc:
         end
       end
 
-      def build_directives(context, nonce)
+      def build_directives(context, nonce, nonce_directives)
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
-            if nonce && nonce_directive?(directive)
+            if nonce && nonce_directive?(directive, nonce_directives)
               "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
             else
               "#{directive} #{build_directive(sources, context).join(' ')}"
@@ -257,8 +279,8 @@ module ActionDispatch #:nodoc:
         end
       end
 
-      def nonce_directive?(directive)
-        NONCE_DIRECTIVES.include?(directive)
+      def nonce_directive?(directive, nonce_directives)
+        nonce_directives.include?(directive)
       end
   end
 end