actionpack 5.2.8.1 → 6.0.0.beta1

data/lib/action_controller/metal/live.rb

@@ -86,7 +86,7 @@ module ActionController
     # Note: SSEs are not currently supported by IE. However, they are supported
     # by Chrome, Firefox, Opera, and Safari.
     class SSE
-      WHITELISTED_OPTIONS = %w( retry event id )
+      PERMITTED_OPTIONS = %w( retry event id )
 
       def initialize(stream, options = {})
         @stream = stream
@@ -111,13 +111,13 @@ module ActionController
         def perform_write(json, options)
           current_options = @options.merge(options).stringify_keys
 
-          WHITELISTED_OPTIONS.each do |option_name|
+          PERMITTED_OPTIONS.each do |option_name|
             if (option_value = current_options[option_name])
               @stream.write "#{option_name}: #{option_value}\n"
             end
           end
 
-          message = json.gsub("\n".freeze, "\ndata: ".freeze)
+          message = json.gsub("\n", "\ndata: ")
           @stream.write "data: #{message}\n\n"
         end
     end
@@ -280,33 +280,35 @@ module ActionController
       raise error if error
     end
 
-    # Spawn a new thread to serve up the controller in. This is to get
-    # around the fact that Rack isn't based around IOs and we need to use
-    # a thread to stream data from the response bodies. Nobody should call
-    # this method except in Rails internals. Seriously!
-    def new_controller_thread # :nodoc:
-      Thread.new {
-        t2 = Thread.current
-        t2.abort_on_exception = true
-        yield
-      }
+    def response_body=(body)
+      super
+      response.close if response
     end
 
-    def log_error(exception)
-      logger = ActionController::Base.logger
-      return unless logger
+    private
 
-      logger.fatal do
-        message = "\n#{exception.class} (#{exception.message}):\n".dup
-        message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
-        message << "  " << exception.backtrace.join("\n  ")
-        "#{message}\n\n"
+      # Spawn a new thread to serve up the controller in. This is to get
+      # around the fact that Rack isn't based around IOs and we need to use
+      # a thread to stream data from the response bodies. Nobody should call
+      # this method except in Rails internals. Seriously!
+      def new_controller_thread # :nodoc:
+        Thread.new {
+          t2 = Thread.current
+          t2.abort_on_exception = true
+          yield
+        }
       end
-    end
 
-    def response_body=(body)
-      super
-      response.close if response
-    end
+      def log_error(exception)
+        logger = ActionController::Base.logger
+        return unless logger
+
+        logger.fatal do
+          message = +"\n#{exception.class} (#{exception.message}):\n"
+          message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
+          message << "  " << exception.backtrace.join("\n  ")
+          "#{message}\n\n"
+        end
+      end
   end
 end

data/lib/action_controller/metal/mime_responds.rb

@@ -11,7 +11,7 @@ module ActionController #:nodoc:
     #     @people = Person.all
     #   end
     #
-    # That action implicitly responds to all formats, but formats can also be whitelisted:
+    # That action implicitly responds to all formats, but formats can also be explicitly enumerated:
     #
     #   def index
     #     @people = Person.all
@@ -105,7 +105,7 @@ module ActionController #:nodoc:
     #
     #   Mime::Type.register "image/jpg", :jpg
     #
-    # Respond to also allows you to specify a common block for different formats by using +any+:
+    # +respond_to+ also allows you to specify a common block for different formats by using +any+:
     #
     #   def index
     #     @people = Person.all
@@ -124,6 +124,14 @@ module ActionController #:nodoc:
     #
     #   render json: @people
     #
+    # +any+ can also be used with no arguments, in which case it will be used for any format requested by
+    # the user:
+    #
+    #   respond_to do |format|
+    #     format.html
+    #     format.any { redirect_to support_path }
+    #   end
+    #
     # Formats can have different variants.
     #
     # The request variant is a specialization of the request format, like <tt>:tablet</tt>,
@@ -197,6 +205,9 @@ module ActionController #:nodoc:
       yield collector if block_given?
 
       if format = collector.negotiate_format(request)
+        if content_type && content_type != format
+          raise ActionController::RespondToMismatchError
+        end
         _process_format(format)
         _set_rendered_content_type format
         response = collector.response

data/lib/action_controller/metal/params_wrapper.rb

@@ -93,7 +93,7 @@ module ActionController
       end
 
       def model
-        super || self.model = _default_wrap_model
+        super || synchronize { super || self.model = _default_wrap_model }
       end
 
       def include
@@ -115,7 +115,7 @@ module ActionController
 
               if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
                 self.include += m.nested_attributes_options.keys.map do |key|
-                  key.to_s.dup.concat("_attributes")
+                  key.to_s.concat("_attributes")
                 end
               end
 
@@ -241,18 +241,7 @@ module ActionController
     # Performs parameters wrapping upon the request. Called automatically
     # by the metal call stack.
     def process_action(*args)
-      if _wrapper_enabled?
-        wrapped_hash = _wrap_parameters request.request_parameters
-        wrapped_keys = request.request_parameters.keys
-        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
-
-        # This will make the wrapped hash accessible from controller and view.
-        request.parameters.merge! wrapped_hash
-        request.request_parameters.merge! wrapped_hash
-
-        # This will display the wrapped hash in the log file.
-        request.filtered_parameters.merge! wrapped_filtered_hash
-      end
+      _perform_parameter_wrapping if _wrapper_enabled?
       super
     end
 
@@ -289,5 +278,20 @@ module ActionController
         ref = request.content_mime_type.ref
         _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
       end
+
+      def _perform_parameter_wrapping
+        wrapped_hash = _wrap_parameters request.request_parameters
+        wrapped_keys = request.request_parameters.keys
+        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
+
+        # This will make the wrapped hash accessible from controller and view.
+        request.parameters.merge! wrapped_hash
+        request.request_parameters.merge! wrapped_hash
+
+        # This will display the wrapped hash in the log file.
+        request.filtered_parameters.merge! wrapped_filtered_hash
+      rescue ActionDispatch::Http::Parameters::ParseError
+        # swallow parse error exception
+      end
   end
 end

data/lib/action_controller/metal/redirecting.rb

@@ -55,12 +55,12 @@ module ActionController
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
     #   redirect_to post_url(@post) and return
-    def redirect_to(options = {}, response_status = {})
+    def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
-      self.status        = _extract_redirect_to_status(options, response_status)
-      self.location      = _compute_redirect_to_location(request, options)
+      self.status        = _extract_redirect_to_status(options, response_options)
+      self.location      = _compute_safe_redirect_to_location(request, options, response_options)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -88,9 +88,13 @@ module ActionController
     # All other options that can be passed to <tt>redirect_to</tt> are accepted as
     # options and the behavior is identical.
     def redirect_back(fallback_location:, allow_other_host: true, **args)
-      referer = request.headers["Referer"]
-      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
-      redirect_to redirect_to_referer ? referer : fallback_location, **args
+      referer = request.headers.fetch("Referer", fallback_location)
+      response_options = {
+        fallback_location: fallback_location,
+        allow_other_host: allow_other_host,
+        **args,
+      }
+      redirect_to referer, response_options
     end
 
     def _compute_redirect_to_location(request, options) #:nodoc:
@@ -114,18 +118,35 @@ module ActionController
     public :_compute_redirect_to_location
 
     private
-      def _extract_redirect_to_status(options, response_status)
+      def _compute_safe_redirect_to_location(request, options, response_options)
+        location = _compute_redirect_to_location(request, options)
+        location_options = options.is_a?(Hash) ? options : {}
+        if response_options[:allow_other_host] || _url_host_allowed?(location, location_options)
+          location
+        else
+          fallback_location = response_options.fetch(:fallback_location) do
+            raise ArgumentError, <<~MSG.squish
+              Unsafe redirect #{location.inspect},
+              use :fallback_location to specify a fallback
+              or :allow_other_host to redirect anyway.
+            MSG
+          end
+          _compute_redirect_to_location(request, fallback_location)
+        end
+      end
+
+      def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
-        elsif response_status.key?(:status)
-          Rack::Utils.status_code(response_status[:status])
+        elsif response_options.key?(:status)
+          Rack::Utils.status_code(response_options[:status])
         else
           302
         end
       end
 
-      def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+      def _url_host_allowed?(url, options = {})
+        URI(url.to_s).host.in?([request.host, options[:host]])
       rescue ArgumentError, URI::Error
         false
       end

data/lib/action_controller/metal/rendering.rb

@@ -40,7 +40,7 @@ module ActionController
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
-        string = "".dup
+        string = +""
         result.each { |r| string << r }
         string
       else

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -3,7 +3,6 @@
 require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
-require "active_support/core_ext/string/strip"
 
 module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
@@ -18,7 +17,7 @@ module ActionController #:nodoc:
   # access. When a request reaches your application, \Rails verifies the received
   # token with the token in the session. All requests are checked except GET requests
   # as these should be idempotent. Keep in mind that all session-oriented requests
-  # should be CSRF protected, including JavaScript and HTML requests.
+  # are CSRF protected by default, including JavaScript and HTML requests.
   #
   # Since HTML and JavaScript requests are typically made from the browser, we
   # need to ensure to verify request authenticity for the web browser. We can
@@ -31,16 +30,23 @@ module ActionController #:nodoc:
   # URL on your site. When your JavaScript response loads on their site, it executes.
   # With carefully crafted JavaScript on their end, sensitive data in your JavaScript
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
-  # Ajax) requests are allowed to make GET requests for JavaScript responses.
+  # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # It's important to remember that XML or JSON requests are also affected and if
-  # you're building an API you should change forgery protection method in
+  # It's important to remember that XML or JSON requests are also checked by default. If
+  # you're building an API or an SPA you could change forgery protection method in
   # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
   #
   #   class ApplicationController < ActionController::Base
   #     protect_from_forgery unless: -> { request.format.json? }
   #   end
   #
+  # It is generally safe to exclude XHR requests from CSRF protection
+  # (like the code snippet above does), because XHR requests can only be made from
+  # the same origin. Note however that any cross-origin third party domain
+  # allowed via {CORS}[https://en.wikipedia.org/wiki/Cross-origin_resource_sharing]
+  # will also be able to create XHR requests. Be sure to check your
+  # CORS configuration before disabling forgery protection for XHR.
+  #
   # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
   # By default <tt>protect_from_forgery</tt> protects your session with
   # <tt>:null_session</tt> method, which provides an empty session
@@ -55,7 +61,7 @@ module ActionController #:nodoc:
   # <tt>csrf_meta_tags</tt> in the HTML +head+.
   #
   # Learn more about CSRF attacks and securing your application in the
-  # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
+  # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
     extend ActiveSupport::Concern
 
@@ -92,10 +98,6 @@ module ActionController #:nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
-      # Controls whether URL-safe CSRF tokens are generated.
-      config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = false
-
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
@@ -280,7 +282,7 @@ module ActionController #:nodoc:
 
       # Check for cross-origin JavaScript responses.
       def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\Atext/javascript) && !request.xhr?
+        content_type =~ %r(\A(?:text|application)/javascript) && !request.xhr?
       end
 
       AUTHENTICITY_TOKEN_LENGTH = 32
@@ -322,10 +324,13 @@ module ActionController #:nodoc:
           action_path = normalize_action_path(action)
           per_form_csrf_token(session, action_path, method)
         else
-          global_csrf_token(session)
+          real_csrf_token(session)
         end
 
-        mask_token(raw_token)
+        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
+        masked_token = one_time_pad + encrypted_csrf_token
+        Base64.strict_encode64(masked_token)
       end
 
       # Checks the client's masked token to see if it matches the
@@ -337,7 +342,7 @@ module ActionController #:nodoc:
         end
 
         begin
-          masked_token = decode_csrf_token(encoded_masked_token)
+          masked_token = Base64.strict_decode64(encoded_masked_token)
         rescue ArgumentError # encoded_masked_token is invalid Base64
           return false
         end
@@ -355,8 +360,7 @@ module ActionController #:nodoc:
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_global_token(csrf_token, session) ||
-            compare_with_real_token(csrf_token, session) ||
+          compare_with_real_token(csrf_token, session) ||
             valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed.
@@ -371,21 +375,10 @@ module ActionController #:nodoc:
         xor_byte_strings(one_time_pad, encrypted_csrf_token)
       end
 
-      def mask_token(raw_token) # :doc:
-        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
-        masked_token = one_time_pad + encrypted_csrf_token
-        encode_csrf_token(masked_token)
-      end
-
       def compare_with_real_token(token, session) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
-      def compare_with_global_token(token, session) # :doc:
-        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
-      end
-
       def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
@@ -401,33 +394,27 @@ module ActionController #:nodoc:
       end
 
       def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= generate_csrf_token
-        decode_csrf_token(session[:_csrf_token])
+        session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+        Base64.strict_decode64(session[:_csrf_token])
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
-        csrf_token_hmac(session, [action_path, method.downcase].join("#"))
-      end
-
-      GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
-      private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
-
-      def global_csrf_token(session) # :doc:
-        csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
-      end
-
-      def csrf_token_hmac(session, identifier) # :doc:
         OpenSSL::HMAC.digest(
           OpenSSL::Digest::SHA256.new,
           real_csrf_token(session),
-          identifier
+          [action_path, method.downcase].join("#")
         )
       end
 
       def xor_byte_strings(s1, s2) # :doc:
-        s2_bytes = s2.bytes
-        s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
-        s2_bytes.pack("C*")
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
 
       # The form's authenticity parameter. Override to provide your own.
@@ -440,7 +427,7 @@ module ActionController #:nodoc:
         allow_forgery_protection
       end
 
-      NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc
+      NULL_ORIGIN_MESSAGE = <<~MSG
         The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
         means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
         refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
@@ -465,57 +452,5 @@ module ActionController #:nodoc:
         uri = URI.parse(action_path)
         uri.path.chomp("/")
       end
-
-      def generate_csrf_token # :nodoc:
-        if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
-        else
-          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        end
-      end
-
-      if RUBY_VERSION.start_with?("2.2")
-        # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
-        using Module.new {
-          refine Base64.singleton_class do
-            def urlsafe_encode64(bin, padding: true)
-              str = strict_encode64(bin).tr("+/", "-_")
-              str = str.delete("=") unless padding
-              str
-            end
-
-            def urlsafe_decode64(str)
-              # NOTE: RFC 4648 does say nothing about unpadded input, but says that
-              # "the excess pad characters MAY also be ignored", so it is inferred that
-              # unpadded input is also acceptable.
-              str = str.tr("-_", "+/")
-              if !str.end_with?("=") && str.length % 4 != 0
-                str = str.ljust((str.length + 3) & ~3, "=")
-              end
-              strict_decode64(str)
-            end
-          end
-        }
-      end
-
-      def encode_csrf_token(csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_encode64(csrf_token, padding: false)
-        else
-          Base64.strict_encode64(csrf_token)
-        end
-      end
-
-      def decode_csrf_token(encoded_csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_decode64(encoded_csrf_token)
-        else
-          begin
-            Base64.strict_decode64(encoded_csrf_token)
-          rescue ArgumentError
-            Base64.urlsafe_decode64(encoded_csrf_token)
-          end
-        end
-      end
   end
 end