actionpack 5.2.8.1 → 6.0.0.beta1

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -162,14 +162,12 @@ module ActionDispatch
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
         ips.select do |ip|
-          begin
-            # Only return IPs that are valid according to the IPAddr#new method.
-            range = IPAddr.new(ip).to_range
-            # We want to make sure nobody is sneaking a netmask in.
-            range.begin == range.end
-          rescue ArgumentError
-            nil
-          end
+          # Only return IPs that are valid according to the IPAddr#new method.
+          range = IPAddr.new(ip).to_range
+          # We want to make sure nobody is sneaking a netmask in.
+          range.begin == range.end
+        rescue ArgumentError
+          nil
         end
       end
 

data/lib/action_dispatch/middleware/request_id.rb

@@ -15,7 +15,7 @@ module ActionDispatch
   # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
   # from multiple pieces of the stack.
   class RequestId
-    X_REQUEST_ID = "X-Request-Id".freeze #:nodoc:
+    X_REQUEST_ID = "X-Request-Id" #:nodoc:
 
     def initialize(app)
       @app = app
@@ -30,7 +30,7 @@ module ActionDispatch
     private
       def make_request_id(request_id)
         if request_id.presence
-          request_id.gsub(/[^\w\-@]/, "".freeze).first(255)
+          request_id.gsub(/[^\w\-@]/, "").first(255)
         else
           internal_request_id
         end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -83,21 +83,7 @@ module ActionDispatch
       include SessionObject
 
       private
-        def set_cookie(request, session_id, cookie)
-          request.cookie_jar[key] = cookie
-        end
-    end
-
-    class AbstractSecureStore < Rack::Session::Abstract::PersistedSecure
-      include Compatibility
-      include StaleSessionCheck
-      include SessionObject
-
-      def generate_sid
-        Rack::Session::SessionId.new(super)
-      end
 
-      private
         def set_cookie(request, session_id, cookie)
           request.cookie_jar[key] = cookie
         end

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -12,7 +12,7 @@ module ActionDispatch
     # * <tt>cache</tt>         - The cache to use. If it is not specified, <tt>Rails.cache</tt> will be used.
     # * <tt>expire_after</tt>  - The length of time a session will be stored before automatically expiring.
     #   By default, the <tt>:expires_in</tt> option of the cache is used.
-    class CacheStore < AbstractSecureStore
+    class CacheStore < AbstractStore
       def initialize(app, options = {})
         @cache = options[:cache] || Rails.cache
         options[:expire_after] ||= @cache.options[:expires_in]
@@ -21,7 +21,7 @@ module ActionDispatch
 
       # Get a session from the cache.
       def find_session(env, sid)
-        unless sid && (session = get_session_with_fallback(sid))
+        unless sid && (session = @cache.read(cache_key(sid)))
           sid, session = generate_sid, {}
         end
         [sid, session]
@@ -29,7 +29,7 @@ module ActionDispatch
 
       # Set a session in the cache.
       def write_session(env, sid, session, options)
-        key = cache_key(sid.private_id)
+        key = cache_key(sid)
         if session
           @cache.write(key, session, expires_in: options[:expire_after])
         else
@@ -40,19 +40,14 @@ module ActionDispatch
 
       # Remove a session from the cache.
       def delete_session(env, sid, options)
-        @cache.delete(cache_key(sid.private_id))
-        @cache.delete(cache_key(sid.public_id))
+        @cache.delete(cache_key(sid))
         generate_sid
       end
 
       private
         # Turn the session id into a cache key.
-        def cache_key(id)
-          "_session_id:#{id}"
-        end
-
-        def get_session_with_fallback(sid)
-          @cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
+        def cache_key(sid)
+          "_session_id:#{sid}"
         end
     end
   end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -16,23 +16,17 @@ module ActionDispatch
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.
     #
-    # If you only have secret_token set, your cookies will be signed, but
-    # not encrypted. This means a user cannot alter their +user_id+ without
-    # knowing your app's secret key, but can easily read their +user_id+. This
-    # was the default for Rails 3 apps.
-    #
     # Your cookies will be encrypted using your apps secret_key_base. This
     # goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
-    # Configure your session store in <tt>config/initializers/session_store.rb</tt>:
+    # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # In the development and test environments your application's secret key base is
-    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
-    # In all other environments, it is stored encrypted in the
-    # <tt>config/credentials.yml.enc</tt> file.
+    # By default, your secret key base is derived from your application name in
+    # the test and development environments. In all other environments, it is stored
+    # encrypted in the <tt>config/credentials.yml.enc</tt> file.
     #
     # If your application was not updated to Rails 5.2 defaults, the secret_key_base
     # will be found in the old <tt>config/secrets.yml</tt> file.
@@ -51,16 +45,7 @@ module ActionDispatch
     # would set the session cookie to expire automatically 14 days after creation.
     # Other useful options include <tt>:key</tt>, <tt>:secure</tt> and
     # <tt>:httponly</tt>.
-    class CookieStore < AbstractSecureStore
-      class SessionId < DelegateClass(Rack::Session::SessionId)
-        attr_reader :cookie_value
-
-        def initialize(session_id, cookie_value = {})
-          super(session_id)
-          @cookie_value = cookie_value
-        end
-      end
-
+    class CookieStore < AbstractStore
       def initialize(app, options = {})
         super(app, options.merge!(cookie_only: true))
       end
@@ -68,7 +53,7 @@ module ActionDispatch
       def delete_session(req, session_id, options)
         new_sid = generate_sid unless options[:drop]
         # Reset hash and Assign the new session id
-        req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid.public_id } : {})
+        req.set_header("action_dispatch.request.unsigned_session_cookie", new_sid ? { "session_id" => new_sid } : {})
         new_sid
       end
 
@@ -76,7 +61,7 @@ module ActionDispatch
         stale_session_check! do
           data = unpacked_cookie_data(req)
           data = persistent_session_id!(data)
-          [Rack::Session::SessionId.new(data["session_id"]), data]
+          [data["session_id"], data]
         end
       end
 
@@ -84,8 +69,7 @@ module ActionDispatch
 
         def extract_session_id(req)
           stale_session_check! do
-            sid = unpacked_cookie_data(req)["session_id"]
-            sid && Rack::Session::SessionId.new(sid)
+            unpacked_cookie_data(req)["session_id"]
           end
         end
 
@@ -103,13 +87,13 @@ module ActionDispatch
 
         def persistent_session_id!(data, sid = nil)
           data ||= {}
-          data["session_id"] ||= sid || generate_sid.public_id
+          data["session_id"] ||= sid || generate_sid
           data
         end
 
         def write_session(req, sid, session_data, options)
-          session_data["session_id"] = sid.public_id
-          SessionId.new(sid, session_data)
+          session_data["session_id"] = sid
+          session_data
         end
 
         def set_cookie(request, session_id, cookie)

data/lib/action_dispatch/middleware/ssl.rb

@@ -83,7 +83,7 @@ module ActionDispatch
 
     private
       def set_hsts_header!(headers)
-        headers["Strict-Transport-Security".freeze] ||= @hsts_header
+        headers["Strict-Transport-Security"] ||= @hsts_header
       end
 
       def normalize_hsts_options(options)
@@ -102,23 +102,23 @@ module ActionDispatch
 
       # https://tools.ietf.org/html/rfc6797#section-6.1
       def build_hsts_header(hsts)
-        value = "max-age=#{hsts[:expires].to_i}".dup
+        value = +"max-age=#{hsts[:expires].to_i}"
         value << "; includeSubDomains" if hsts[:subdomains]
         value << "; preload" if hsts[:preload]
         value
       end
 
       def flag_cookies_as_secure!(headers)
-        if cookies = headers["Set-Cookie".freeze]
-          cookies = cookies.split("\n".freeze)
+        if cookies = headers["Set-Cookie"]
+          cookies = cookies.split("\n")
 
-          headers["Set-Cookie".freeze] = cookies.map { |cookie|
-            if cookie !~ /;\s*secure\s*(;|$)/i
+          headers["Set-Cookie"] = cookies.map { |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
-          }.join("\n".freeze)
+          }.join("\n")
         end
       end
 
@@ -141,7 +141,7 @@ module ActionDispatch
         host = @redirect[:host] || request.host
         port = @redirect[:port] || request.port
 
-        location = "https://#{host}".dup
+        location = +"https://#{host}"
         location << ":#{port}" if port != 80 && port != 443
         location << request.fullpath
         location

data/lib/action_dispatch/middleware/stack.rb

@@ -97,8 +97,8 @@ module ActionDispatch
       middlewares.push(build_middleware(klass, args, block))
     end
 
-    def build(app = nil, &block)
-      middlewares.freeze.reverse.inject(app || block) { |a, e| e.build(a) }
+    def build(app = Proc.new)
+      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
     end
 
     private

data/lib/action_dispatch/middleware/static.rb

@@ -41,7 +41,6 @@ module ActionDispatch
         rescue SystemCallError
           false
         end
-
       }
         return ::Rack::Utils.escape_path(match).b
       end
@@ -69,7 +68,7 @@ module ActionDispatch
 
       headers["Vary"] = "Accept-Encoding" if gzip_path
 
-      return [status, headers, body]
+      [status, headers, body]
     ensure
       request.path_info = path
     end
@@ -80,7 +79,7 @@ module ActionDispatch
       end
 
       def content_type(path)
-        ::Rack::Mime.mime_type(::File.extname(path), "text/plain".freeze)
+        ::Rack::Mime.mime_type(::File.extname(path), "text/plain")
       end
 
       def gzip_encoding_accepted?(request)
@@ -90,8 +89,8 @@ module ActionDispatch
       def gzip_file_path(path)
         can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
         gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path).b))
-          gzip_path.b
+        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path)))
+          gzip_path
         else
           false
         end
@@ -117,7 +116,7 @@ module ActionDispatch
       req = Rack::Request.new env
 
       if req.get? || req.head?
-        path = req.path_info.chomp("/".freeze)
+        path = req.path_info.chomp("/")
         if match = @file_handler.match?(path)
           req.path_info = match
           return @file_handler.serve(req)

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -1,6 +1,8 @@
-<% @source_extracts.each_with_index do |source_extract, index| %>
+<% error_index = local_assigns[:error_index] || 0 %>
+
+<% source_extracts.each_with_index do |source_extract, index| %>
   <% if source_extract[:code] %>
-    <div class="source <%="hidden" if @show_source_idx != index%>" id="frame-source-<%=index%>">
+    <div class="source <%= "hidden" if show_source_idx != index %>" id="frame-source-<%= error_index %>-<%= index %>">
       <div class="info">
         Extracted source (around line <strong>#<%= source_extract[:line_number] %></strong>):
       </div>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -1,52 +1,62 @@
-<% names = @traces.keys %>
+<% names = traces.keys %>
+<% error_index = local_assigns[:error_index] || 0 %>
 
 <p><code>Rails.root: <%= defined?(Rails) && Rails.respond_to?(:root) ? Rails.root : "unset" %></code></p>
 
-<div id="traces">
+<div id="traces-<%= error_index %>">
   <% names.each do |name| %>
     <%
-      show = "show('#{name.gsub(/\s/, '-')}');"
-      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}');"}
+      show = "show('#{name.gsub(/\s/, '-')}-#{error_index}');"
+      hide = (names - [name]).collect {|hide_name| "hide('#{hide_name.gsub(/\s/, '-')}-#{error_index}');"}
     %>
     <a href="#" onclick="<%= hide.join %><%= show %>; return false;"><%= name %></a> <%= '|' unless names.last == name %>
   <% end %>
 
-  <% @traces.each do |name, trace| %>
-    <div id="<%= name.gsub(/\s/, '-') %>" style="display: <%= (name == @trace_to_show) ? 'block' : 'none' %>;">
-      <pre><code><% trace.each do |frame| %><a class="trace-frames" data-frame-id="<%= frame[:id] %>" href="#"><%= frame[:trace] %></a><br><% end %></code></pre>
+  <% traces.each do |name, trace| %>
+    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
+      <code style="font-size: 11px;">
+        <% trace.each do |frame| %>
+          <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
+            <%= frame[:trace] %>
+          </a>
+          <br>
+        <% end %>
+      </code>
     </div>
   <% end %>
 
   <script type="text/javascript">
-    var traceFrames = document.getElementsByClassName('trace-frames');
-    var selectedFrame, currentSource = document.getElementById('frame-source-0');
-
-    // Add click listeners for all stack frames
-    for (var i = 0; i < traceFrames.length; i++) {
-      traceFrames[i].addEventListener('click', function(e) {
-        e.preventDefault();
-        var target = e.target;
-        var frame_id = target.dataset.frameId;
-
-        if (selectedFrame) {
-          selectedFrame.className = selectedFrame.className.replace("selected", "");
-        }
-
-        target.className += " selected";
-        selectedFrame = target;
-
-        // Change the extracted source code
-        changeSourceExtract(frame_id);
-      });
-
-      function changeSourceExtract(frame_id) {
-        var el = document.getElementById('frame-source-' + frame_id);
-        if (currentSource && el) {
-          currentSource.className += " hidden";
-          el.className = el.className.replace(" hidden", "");
-          currentSource = el;
+    (function() {
+      var traceFrames = document.getElementsByClassName('trace-frames-<%= error_index %>');
+      var selectedFrame, currentSource = document.getElementById('frame-source-<%= error_index %>-0');
+
+      // Add click listeners for all stack frames
+      for (var i = 0; i < traceFrames.length; i++) {
+        traceFrames[i].addEventListener('click', function(e) {
+          e.preventDefault();
+          var target = e.target;
+          var frame_id = target.dataset.frameId;
+
+          if (selectedFrame) {
+            selectedFrame.className = selectedFrame.className.replace("selected", "");
+          }
+
+          target.className += " selected";
+          selectedFrame = target;
+
+          // Change the extracted source code
+          changeSourceExtract(frame_id);
+        });
+
+        function changeSourceExtract(frame_id) {
+          var el = document.getElementById('frame-source-<%= error_index %>-' + frame_id);
+          if (currentSource && el) {
+            currentSource.className += " hidden";
+            el.className = el.className.replace(" hidden", "");
+            currentSource = el;
+          }
         }
       }
-    }
+    })();
   </script>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -0,0 +1,7 @@
+<header>
+  <h1>Blocked host: <%= @host %></h1>
+</header>
+<div id="container">
+  <h2>To allow requests to <%= @host %>, add the following configuration:</h2>
+  <pre>Rails.application.config.hosts &lt;&lt; "<%= @host %>"</pre>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -0,0 +1,5 @@
+Blocked host: <%= @host %>
+
+To allow requests to <%= @host %>, add the following configuration:
+
+  Rails.application.config.hosts << "<%= @host %>"

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -10,7 +10,25 @@
 <div id="container">
   <h2><%= h @exception.message %></h2>
 
-  <%= render template: "rescues/_source" %>
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx, error_index: 0 %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show, error_index: 0 %>
+
+  <% if @exception.cause %>
+    <h2>Exception Causes</h2>
+  <% end %>
+
+  <% @exception_wrapper.wrapped_causes.each.with_index(1) do |wrapper, index| %>
+    <div class="details">
+      <a class="summary" href="#" style="color: #F0F0F0; text-decoration: none; background: #C52F24; border-bottom: none;" onclick="return toggle(<%= wrapper.exception.object_id %>)">
+        <%= wrapper.exception.class.name %>: <%= h wrapper.exception.message %>
+      </a>
+    </div>
+
+    <div id="<%= wrapper.exception.object_id %>" style="display: none;">
+      <%= render "rescues/source", source_extracts: wrapper.source_extracts, show_source_idx: wrapper.source_to_show_id, error_index: index %>
+      <%= render "rescues/trace", traces: wrapper.traces, trace_to_show: wrapper.trace_to_show, error_index: index %>
+    </div>
+  <% end %>
+
   <%= render template: "rescues/_request_and_response" %>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -10,12 +10,12 @@
 <div id="container">
   <h2>
     <%= h @exception.message %>
-    <% if %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}.match?(@exception.message) %>
-      <br />To resolve this issue run: bin/rails active_storage:install
+    <% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+      <br />To resolve this issue run: rails active_storage:install
     <% end %>
   </h2>
 
-  <%= render template: "rescues/_source" %>
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -4,8 +4,8 @@
 <% end %>
 
 <%= @exception.message %>
-<% if %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}.match?(@exception.message) %>
-To resolve this issue run: bin/rails active_storage:install
+<% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+To resolve this issue run: rails active_storage:install
 <% end %>
 
 <%= render template: "rescues/_source" %>

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb

@@ -0,0 +1,19 @@
+<header>
+  <h1>No template for interactive request</h1>
+</header>
+
+<div id="container">
+  <h2><%= h @exception.message %></h2>
+
+  <p class="summary">
+    <strong>NOTE!</strong><br>
+    Unless told otherwise, Rails expects an action to render a template with the same name,<br>
+    contained in a folder named after its controller.
+
+    If this controller is an API responding with 204 (No Content), <br>
+    which does not require a template,
+    then this error will occur when trying to access it via browser,<br>
+    since we expect an HTML template
+    to be rendered for such requests. If that's the case, carry on.
+  </p>
+</div>

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.text.erb

@@ -0,0 +1,3 @@
+Missing exact template
+
+<%= @exception.message %>

data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb

@@ -5,7 +5,7 @@
 <div id="container">
   <h2><%= h @exception.message %></h2>
 
-  <%= render template: "rescues/_source" %>
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb

@@ -14,7 +14,7 @@
     </p>
   <% end %>
 
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
 
   <% if @routes_inspector %>
     <h2>

data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb

@@ -11,10 +11,10 @@
   </p>
   <pre><code><%= h @exception.message %></code></pre>
 
-  <%= render template: "rescues/_source" %>
+  <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>
 
   <p><%= @exception.sub_template_message %></p>
 
-  <%= render template: "rescues/_trace" %>
+  <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show %>
   <%= render template: "rescues/_request_and_response" %>
 </div>

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -197,4 +197,7 @@
 
   setupMatchPaths();
   setupRouteToggleHelperLinks();
+
+  // Focus the search input after page has loaded
+  document.getElementById('search').focus();
 </script>

data/lib/action_dispatch/railtie.rb

@@ -21,6 +21,7 @@ module ActionDispatch
     config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"
     config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie"
     config.action_dispatch.use_authenticated_cookie_encryption = false
+    config.action_dispatch.use_cookies_with_metadata = false
     config.action_dispatch.perform_deep_munge = true
 
     config.action_dispatch.default_headers = {

data/lib/action_dispatch/request/session.rb

@@ -90,13 +90,15 @@ module ActionDispatch
       # +nil+ if the given key is not found in the session.
       def [](key)
         load_for_read!
-        key = key.to_s
+        @delegate[key.to_s]
+      end
 
-        if key == "session_id"
-          id && id.public_id
-        else
-          @delegate[key]
-        end
+      # Returns the nested value specified by the sequence of keys, returning
+      # +nil+ if any intermediate step is +nil+.
+      def dig(*keys)
+        load_for_read!
+        keys = keys.map.with_index { |key, i| i.zero? ? key.to_s : key }
+        @delegate.dig(*keys)
       end
 
       # Returns true if the session has the given key or false.