actionpack 5.2.8.1 → 6.0.0.beta1

data/lib/action_controller/metal/strong_parameters.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/hash/indifferent_access"
-require "active_support/core_ext/hash/transform_values"
 require "active_support/core_ext/array/wrap"
 require "active_support/core_ext/string/filters"
 require "active_support/core_ext/object/to_query"
@@ -59,7 +58,7 @@ module ActionController
 
   # == Action Controller \Parameters
   #
-  # Allows you to choose which attributes should be whitelisted for mass updating
+  # Allows you to choose which attributes should be permitted for mass updating
   # and thus prevent accidentally exposing that which shouldn't be exposed.
   # Provides two methods for this purpose: #require and #permit. The former is
   # used to mark parameters as required. The latter is used to set the parameter
@@ -133,6 +132,15 @@ module ActionController
     #
     # Returns a hash that can be used as the JSON representation for the parameters.
 
+    ##
+    # :method: each_key
+    #
+    # :call-seq:
+    #   each_key()
+    #
+    # Calls block once for each key in the parameters, passing the key.
+    # If no block is given, an enumerator is returned instead.
+
     ##
     # :method: empty?
     #
@@ -205,7 +213,7 @@ module ActionController
     #
     # Returns a new array of the values of the parameters.
     delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?,
-      :as_json, :to_s, to: :@parameters
+      :as_json, :to_s, :each_key, to: :@parameters
 
     # By default, never raise an UnpermittedParameters exception if these
     # params are present. The default includes both 'controller' and 'action'
@@ -337,11 +345,17 @@ module ActionController
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
-
-      self
     end
     alias_method :each, :each_pair
 
+    # Convert all hashes in values into parameters, then yield each value in
+    # the same way as <tt>Hash#each_value</tt>.
+    def each_value(&block)
+      @parameters.each_pair do |key, value|
+        yield convert_hashes_to_parameters(key, value)
+      end
+    end
+
     # Attribute that keeps track of converted arrays, if any, to avoid double
     # looping in the common use case permit + mass-assignment. Defined in a
     # method to instantiate it only if needed.
@@ -508,7 +522,7 @@ module ActionController
     #
     # Note that if you use +permit+ in a key that points to a hash,
     # it won't allow all the hash. You also need to specify which
-    # attributes inside the hash should be whitelisted.
+    # attributes inside the hash should be permitted.
     #
     #   params = ActionController::Parameters.new({
     #     person: {
@@ -585,20 +599,18 @@ module ActionController
       )
     end
 
-    if Hash.method_defined?(:dig)
-      # Extracts the nested parameter from the given +keys+ by calling +dig+
-      # at each step. Returns +nil+ if any intermediate step is +nil+.
-      #
-      #   params = ActionController::Parameters.new(foo: { bar: { baz: 1 } })
-      #   params.dig(:foo, :bar, :baz) # => 1
-      #   params.dig(:foo, :zot, :xyz) # => nil
-      #
-      #   params2 = ActionController::Parameters.new(foo: [10, 11, 12])
-      #   params2.dig(:foo, 1) # => 11
-      def dig(*keys)
-        convert_hashes_to_parameters(keys.first, @parameters[keys.first])
-        @parameters.dig(*keys)
-      end
+    # Extracts the nested parameter from the given +keys+ by calling +dig+
+    # at each step. Returns +nil+ if any intermediate step is +nil+.
+    #
+    #   params = ActionController::Parameters.new(foo: { bar: { baz: 1 } })
+    #   params.dig(:foo, :bar, :baz) # => 1
+    #   params.dig(:foo, :zot, :xyz) # => nil
+    #
+    #   params2 = ActionController::Parameters.new(foo: [10, 11, 12])
+    #   params2.dig(:foo, 1) # => 11
+    def dig(*keys)
+      convert_hashes_to_parameters(keys.first, @parameters[keys.first])
+      @parameters.dig(*keys)
     end
 
     # Returns a new <tt>ActionController::Parameters</tt> instance that
@@ -798,9 +810,7 @@ module ActionController
     protected
       attr_reader :parameters
 
-      def permitted=(new_permitted)
-        @permitted = new_permitted
-      end
+      attr_writer :permitted
 
       def fields_for_style?
         @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && (v.is_a?(Hash) || v.is_a?(Parameters)) }
@@ -911,15 +921,28 @@ module ActionController
         PERMITTED_SCALAR_TYPES.any? { |type| value.is_a?(type) }
       end
 
-      def permitted_scalar_filter(params, key)
-        if has_key?(key) && permitted_scalar?(self[key])
-          params[key] = self[key]
+      # Adds existing keys to the params if their values are scalar.
+      #
+      # For example:
+      #
+      #   puts self.keys #=> ["zipcode(90210i)"]
+      #   params = {}
+      #
+      #   permitted_scalar_filter(params, "zipcode")
+      #
+      #   puts params.keys # => ["zipcode"]
+      def permitted_scalar_filter(params, permitted_key)
+        permitted_key = permitted_key.to_s
+
+        if has_key?(permitted_key) && permitted_scalar?(self[permitted_key])
+          params[permitted_key] = self[permitted_key]
         end
 
-        keys.grep(/\A#{Regexp.escape(key)}\(\d+[if]?\)\z/) do |k|
-          if permitted_scalar?(self[k])
-            params[k] = self[k]
-          end
+        each_key do |key|
+          next unless key =~ /\(\d+[if]?\)\z/
+          next unless $~.pre_match == permitted_key
+
+          params[key] = self[key] if permitted_scalar?(self[key])
         end
       end
 
@@ -1004,8 +1027,8 @@ module ActionController
   #
   # It provides an interface for protecting attributes from end-user
   # assignment. This makes Action Controller parameters forbidden
-  # to be used in Active Model mass assignment until they have been
-  # whitelisted.
+  # to be used in Active Model mass assignment until they have been explicitly
+  # enumerated.
   #
   # In addition, parameters can be marked as required and flow through a
   # predefined raise/rescue flow to end up as a <tt>400 Bad Request</tt> with no
@@ -1041,7 +1064,7 @@ module ActionController
   #   end
   #
   # In order to use <tt>accepts_nested_attributes_for</tt> with Strong \Parameters, you
-  # will need to specify which nested attributes should be whitelisted. You might want
+  # will need to specify which nested attributes should be permitted. You might want
   # to allow +:id+ and +:_destroy+, see ActiveRecord::NestedAttributes for more information.
   #
   #   class Person
@@ -1059,7 +1082,7 @@ module ActionController
   #     private
   #
   #       def person_params
-  #         # It's mandatory to specify the nested attributes that should be whitelisted.
+  #         # It's mandatory to specify the nested attributes that should be permitted.
   #         # If you use `permit` with just the key that points to the nested attributes hash,
   #         # it will return an empty hash.
   #         params.require(:person).permit(:name, :age, pets_attributes: [ :id, :name, :category ])

data/lib/action_controller/metal/url_for.rb

@@ -44,7 +44,7 @@ module ActionController
           options[:original_script_name] = original_script_name
         else
           if same_origin
-            options[:script_name] = request.script_name.empty? ? "".freeze : request.script_name.dup
+            options[:script_name] = request.script_name.empty? ? "" : request.script_name.dup
           else
             options[:script_name] = script_name
           end

data/lib/action_controller/metal.rb

@@ -26,10 +26,10 @@ module ActionController
       end
     end
 
-    def build(action, app = nil, &block)
+    def build(action, app = Proc.new)
       action = action.to_s
 
-      middlewares.reverse.inject(app || block) do |a, middleware|
+      middlewares.reverse.inject(app) do |a, middleware|
         middleware.valid?(action) ? middleware.build(a) : a
       end
     end

data/lib/action_controller/railties/helpers.rb

@@ -7,7 +7,7 @@ module ActionController
         super
         return unless klass.respond_to?(:helpers_path=)
 
-        if namespace = klass.parents.detect { |m| m.respond_to?(:railtie_helpers_paths) }
+        if namespace = klass.module_parents.detect { |m| m.respond_to?(:railtie_helpers_paths) }
           paths = namespace.railtie_helpers_paths
         else
           paths = ActionController::Helpers.helpers_path

data/lib/action_controller/renderer.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/hash/keys"
-
 module ActionController
   # ActionController::Renderer allows you to render arbitrary templates
   # without requirement of being in controller actions.
@@ -71,6 +69,21 @@ module ActionController
     end
 
     # Render templates with any options from ActionController::Base#render_to_string.
+    #
+    # The primary options are:
+    # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt> for details.
+    # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
+    #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
+    # * <tt>:inline</tt> - Renders a ERB template string.
+    # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
+    # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
+    #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
+    # * <tt>:json</tt> - Renders the provided hash or object in JSON. You don't
+    #   need to call <tt>.to_json</tt> on the object you want to render.
+    # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
+    #
+    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, the default is
+    # to render a partial and use the second parameter as the locals hash.
     def render(*args)
       raise "missing controller" unless controller
 

data/lib/action_controller/test_case.rb

@@ -26,7 +26,7 @@ module ActionController
     end
   end
 
-  # ActionController::TestCase will be deprecated and moved to a gem in Rails 5.1.
+  # ActionController::TestCase will be deprecated and moved to a gem in the future.
   # Please use ActionDispatch::IntegrationTest going forward.
   class TestRequest < ActionDispatch::TestRequest #:nodoc:
     DEFAULT_ENV = ActionDispatch::TestRequest::DEFAULT_ENV.dup
@@ -177,12 +177,12 @@ module ActionController
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
     def initialize(session = {})
       super(nil, nil)
-      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
+      @id = SecureRandom.hex(16)
       @data = stringify_keys(session)
       @loaded = true
     end
@@ -276,9 +276,6 @@ module ActionController
   #      after calling +post+. If the various assert methods are not sufficient, then you
   #      may use this object to inspect the HTTP response in detail.
   #
-  # (Earlier versions of \Rails required each functional test to subclass
-  # Test::Unit::TestCase and define @controller, @request, @response in +setup+.)
-  #
   # == Controller is automatically inferred
   #
   # ActionController::TestCase will automatically infer the controller under test
@@ -460,7 +457,6 @@ module ActionController
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
 
-        action = action.to_s.dup
         http_method = method.to_s.upcase
 
         @html_document = nil
@@ -492,11 +488,11 @@ module ActionController
           parameters[:format] = format
         end
 
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
+        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action.to_s))
         generated_path = generated_path(generated_extras)
         query_string_keys = query_parameter_names(generated_extras)
 
-        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
+        @request.assign_parameters(@routes, controller_class_name, action.to_s, parameters, generated_path, query_string_keys)
 
         @request.session.update(session) if session
         @request.flash.update(flash || {})

data/lib/action_controller.rb

@@ -25,6 +25,7 @@ module ActionController
     autoload :ContentSecurityPolicy
     autoload :Cookies
     autoload :DataStreaming
+    autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
     autoload :Flash

data/lib/action_dispatch/http/cache.rb

@@ -4,8 +4,8 @@ module ActionDispatch
   module Http
     module Cache
       module Request
-        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE".freeze
-        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH".freeze
+        HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
+        HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
 
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
@@ -124,8 +124,8 @@ module ActionDispatch
 
       private
 
-        DATE          = "Date".freeze
-        LAST_MODIFIED = "Last-Modified".freeze
+        DATE          = "Date"
+        LAST_MODIFIED = "Last-Modified"
         SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
 
         def generate_weak_etag(validators)
@@ -166,11 +166,11 @@ module ActionDispatch
           @cache_control = cache_control_headers
         end
 
-        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate".freeze
-        NO_CACHE              = "no-cache".freeze
-        PUBLIC                = "public".freeze
-        PRIVATE               = "private".freeze
-        MUST_REVALIDATE       = "must-revalidate".freeze
+        DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+        NO_CACHE              = "no-cache"
+        PUBLIC                = "public"
+        PRIVATE               = "private"
+        MUST_REVALIDATE       = "must-revalidate"
 
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag
@@ -204,13 +204,17 @@ module ActionDispatch
 
             self._cache_control = options.join(", ")
           else
-            extras  = control[:extras]
+            extras = control[:extras]
             max_age = control[:max_age]
+            stale_while_revalidate = control[:stale_while_revalidate]
+            stale_if_error = control[:stale_if_error]
 
             options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
+            options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
+            options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
 
             self._cache_control = options.join(", ")

data/lib/action_dispatch/http/content_disposition.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Http
+    class ContentDisposition # :nodoc:
+      def self.format(disposition:, filename:)
+        new(disposition: disposition, filename: filename).to_s
+      end
+
+      attr_reader :disposition, :filename
+
+      def initialize(disposition:, filename:)
+        @disposition = disposition
+        @filename = filename
+      end
+
+      TRADITIONAL_ESCAPED_CHAR = /[^ A-Za-z0-9!#$+.^_`|~-]/
+
+      def ascii_filename
+        'filename="' + percent_escape(I18n.transliterate(filename), TRADITIONAL_ESCAPED_CHAR) + '"'
+      end
+
+      RFC_5987_ESCAPED_CHAR = /[^A-Za-z0-9!#$&+.^_`|~-]/
+
+      def utf8_filename
+        "filename*=UTF-8''" + percent_escape(filename, RFC_5987_ESCAPED_CHAR)
+      end
+
+      def to_s
+        if filename
+          "#{disposition}; #{ascii_filename}; #{utf8_filename}"
+        else
+          "#{disposition}"
+        end
+      end
+
+      private
+        def percent_escape(string, pattern)
+          string.gsub(pattern) do |char|
+            char.bytes.map { |byte| "%%%02X" % byte }.join
+          end
+        end
+    end
+  end
+end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -5,9 +5,9 @@ require "active_support/core_ext/object/deep_dup"
 module ActionDispatch #:nodoc:
   class ContentSecurityPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type".freeze
-      POLICY = "Content-Security-Policy".freeze
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only".freeze
+      CONTENT_TYPE = "Content-Type"
+      POLICY = "Content-Security-Policy"
+      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
 
       def initialize(app)
         @app = app
@@ -17,6 +17,7 @@ module ActionDispatch #:nodoc:
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
+        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
@@ -29,6 +30,13 @@ module ActionDispatch #:nodoc:
       end
 
       private
+
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            content_type =~ /html/
+          end
+        end
+
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY
@@ -43,10 +51,10 @@ module ActionDispatch #:nodoc:
     end
 
     module Request
-      POLICY = "action_dispatch.content_security_policy".freeze
-      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only".freeze
-      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator".freeze
-      NONCE = "action_dispatch.content_security_policy_nonce".freeze
+      POLICY = "action_dispatch.content_security_policy"
+      POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only"
+      NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator"
+      NONCE = "action_dispatch.content_security_policy_nonce"
 
       def content_security_policy
         get_header(POLICY)
@@ -119,12 +127,13 @@ module ActionDispatch #:nodoc:
       manifest_src:    "manifest-src",
       media_src:       "media-src",
       object_src:      "object-src",
+      prefetch_src:    "prefetch-src",
       script_src:      "script-src",
       style_src:       "style-src",
       worker_src:      "worker-src"
     }.freeze
 
-    NONCE_DIRECTIVES = %w[script-src].freeze
+    NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
     private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
 

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/parameter_filter"
+require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
@@ -9,8 +9,8 @@ module ActionDispatch
     # sub-hashes of the params hash to filter. Filtering only certain sub-keys
     # from a hash is possible by using the dot notation: 'credit_card.number'.
     # If a block is given, each key and value of the params hash and all
-    # sub-hashes is passed to it, where the value or the key can be replaced using
-    # String#replace or similar method.
+    # sub-hashes are passed to it, where the value or the key can be replaced using
+    # String#replace or similar methods.
     #
     #   env["action_dispatch.parameter_filter"] = [:password]
     #   => replaces the value to all keys matching /password/i with "[FILTERED]"
@@ -28,8 +28,8 @@ module ActionDispatch
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ParameterFilter.new ENV_MATCH # :nodoc:
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
 
       def initialize
         super
@@ -41,6 +41,8 @@ module ActionDispatch
       # Returns a hash of parameters with all sensitive data replaced.
       def filtered_parameters
         @filtered_parameters ||= parameter_filter.filter(parameters)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        @filtered_parameters = {}
       end
 
       # Returns a hash of request.env with all sensitive data replaced.
@@ -69,7 +71,7 @@ module ActionDispatch
       end
 
       def parameter_filter_for(filters) # :doc:
-        ParameterFilter.new(filters)
+        ActiveSupport::ParameterFilter.new(filters)
       end
 
       KV_RE   = "[^&;=]+"

data/lib/action_dispatch/http/filter_redirect.rb

@@ -3,7 +3,7 @@
 module ActionDispatch
   module Http
     module FilterRedirect
-      FILTERED = "[FILTERED]".freeze # :nodoc:
+      FILTERED = "[FILTERED]" # :nodoc:
 
       def filtered_location # :nodoc:
         if location_filter_match?

data/lib/action_dispatch/http/headers.rb

@@ -121,7 +121,7 @@ module ActionDispatch
         # not contained within the headers hash.
         def env_name(key)
           key = key.to_s
-          if key =~ HTTP_HEADER
+          if HTTP_HEADER.match?(key)
             key = key.upcase.tr("-", "_")
             key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
           end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -7,6 +7,11 @@ module ActionDispatch
     module MimeNegotiation
       extend ActiveSupport::Concern
 
+      RESCUABLE_MIME_FORMAT_ERRORS = [
+        ActionController::BadRequest,
+        ActionDispatch::Http::Parameters::ParseError,
+      ]
+
       included do
         mattr_accessor :ignore_accept_header, default: false
       end
@@ -59,7 +64,7 @@ module ActionDispatch
         fetch_header("action_dispatch.request.formats") do |k|
           params_readable = begin
                               parameters[:format]
-                            rescue ActionController::BadRequest
+                            rescue *RESCUABLE_MIME_FORMAT_ERRORS
                               false
                             end
 
@@ -74,11 +79,6 @@ module ActionDispatch
           else
             [Mime[:html]]
           end
-
-          v = v.select do |format|
-            format.symbol || format.ref == "*/*"
-          end
-
           set_header k, v
         end
       end
@@ -90,10 +90,7 @@ module ActionDispatch
         if variant.all? { |v| v.is_a?(Symbol) }
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
-          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols. " \
-            "For security reasons, never directly set the variant to a user-provided value, " \
-            "like params[:variant].to_sym. Check user-provided value against a whitelist first, " \
-            "then set the variant: request.variant = :tablet if params[:variant] == 'tablet'"
+          raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."
         end
       end
 

data/lib/action_dispatch/http/mime_type.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# -*- frozen-string-literal: true -*-
-
 require "singleton"
 require "active_support/core_ext/string/starts_ends_with"
 
@@ -74,7 +72,7 @@ module Mime
       def initialize(index, name, q = nil)
         @index = index
         @name = name
-        q ||= 0.0 if @name == "*/*".freeze # Default wildcard match to end of list.
+        q ||= 0.0 if @name == "*/*" # Default wildcard match to end of list.
         @q = ((q || 1.0).to_f * 100).to_i
       end
 
@@ -279,8 +277,6 @@ module Mime
 
     def all?; false; end
 
-    # TODO Change this to private once we've dropped Ruby 2.2 support.
-    # Workaround for Ruby 2.2 "private attribute?" warning.
     protected
 
       attr_reader :string, :synonyms