actionpack 5.2.8.1 → 6.0.6

data/lib/action_controller/metal/helpers.rb

@@ -34,7 +34,7 @@ module ActionController
   #     end
   #   end
   #
-  # Then, in any view rendered by <tt>EventController</tt>, the <tt>format_time</tt> method can be called:
+  # Then, in any view rendered by <tt>EventsController</tt>, the <tt>format_time</tt> method can be called:
   #
   #   <% @events.each do |event| -%>
   #     <p>
@@ -75,7 +75,7 @@ module ActionController
       # Provides a proxy to access helper methods from outside the view.
       def helpers
         @helper_proxy ||= begin
-          proxy = ActionView::Base.new
+          proxy = ActionView::Base.empty
           proxy.config = config.inheritable_copy
           proxy.extend(_helpers)
         end
@@ -100,8 +100,7 @@ module ActionController
       #   # => ["application", "chart", "rubygems"]
       def all_helpers_from_path(path)
         helpers = Array(path).flat_map do |_path|
-          extract = /^#{Regexp.quote(_path.to_s)}\/?(.*)_helper.rb$/
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file.sub(extract, '\1'.freeze) }
+          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file[_path.to_s.size + 1..-"_helper.rb".size - 1] }
           names.sort!
         end
         helpers.uniq!

data/lib/action_controller/metal/http_authentication.rb

@@ -56,8 +56,9 @@ module ActionController
     # In your integration tests, you can do something like this:
     #
     #   def test_access_granted_from_xml
-    #     @request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
-    #     get "/notes/1.xml"
+    #     authorization = ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
+    #
+    #     get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
     #
     #     assert_equal 200, status
     #   end
@@ -68,21 +69,20 @@ module ActionController
         extend ActiveSupport::Concern
 
         module ClassMethods
-          def http_basic_authenticate_with(options = {})
-            before_action(options.except(:name, :password, :realm)) do
-              authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
-                # This comparison uses & so that it doesn't short circuit and
-                # uses `secure_compare` so that length information
-                # isn't leaked.
-                ActiveSupport::SecurityUtils.secure_compare(name, options[:name]) &
-                  ActiveSupport::SecurityUtils.secure_compare(password, options[:password])
-              end
-            end
+          def http_basic_authenticate_with(name:, password:, realm: nil, **options)
+            before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
+          end
+        end
+
+        def http_basic_authenticate_or_request_with(name:, password:, realm: nil, message: nil)
+          authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
+            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
+              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
           end
         end
 
-        def authenticate_or_request_with_http_basic(realm = "Application", message = nil, &login_procedure)
-          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm, message)
+        def authenticate_or_request_with_http_basic(realm = nil, message = nil, &login_procedure)
+          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm || "Application", message)
         end
 
         def authenticate_with_http_basic(&login_procedure)
@@ -126,7 +126,7 @@ module ActionController
 
       def authentication_request(controller, realm, message)
         message ||= "HTTP Basic: Access denied.\n"
-        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"'.freeze, "".freeze)}")
+        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.tr('"', "")}")
         controller.status = 401
         controller.response_body = message
       end
@@ -389,10 +389,9 @@ module ActionController
     # In your integration tests, you can do something like this:
     #
     #   def test_access_granted_from_xml
-    #     get(
-    #       "/notes/1.xml", nil,
-    #       'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
-    #     )
+    #     authorization = ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
+    #
+    #     get "/notes/1.xml", headers: { 'HTTP_AUTHORIZATION' => authorization }
     #
     #     assert_equal 200, status
     #   end
@@ -474,7 +473,7 @@ module ActionController
 
       # This removes the <tt>"</tt> characters wrapping the value.
       def rewrite_param_values(array_params)
-        array_params.each { |param| (param[1] || "".dup).gsub! %r/^"|"$/, "" }
+        array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
       # This method takes an authorization body and splits up the key-value
@@ -511,7 +510,7 @@ module ActionController
       # Returns nothing.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
-        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"'.freeze, "".freeze)}")
+        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"', "")}")
         controller.__send__ :render, plain: message, status: :unauthorized
       end
     end

data/lib/action_controller/metal/implicit_render.rb

@@ -30,9 +30,9 @@ module ActionController
     # :stopdoc:
     include BasicImplicitRender
 
-    def default_render(*args)
+    def default_render
       if template_exists?(action_name.to_s, _prefixes, variants: request.variant)
-        render(*args)
+        render
       elsif any_templates?(action_name.to_s, _prefixes)
         message = "#{self.class.name}\##{action_name} is missing a template " \
           "for this request format and variant.\n" \
@@ -41,18 +41,8 @@ module ActionController
 
         raise ActionController::UnknownFormat, message
       elsif interactive_browser_request?
-        message = "#{self.class.name}\##{action_name} is missing a template " \
-          "for this request format and variant.\n\n" \
-          "request.formats: #{request.formats.map(&:to_s).inspect}\n" \
-          "request.variant: #{request.variant.inspect}\n\n" \
-          "NOTE! For XHR/Ajax or API requests, this action would normally " \
-          "respond with 204 No Content: an empty white screen. Since you're " \
-          "loading it in a web browser, we assume that you expected to " \
-          "actually render a template, not nothing, so we're showing an " \
-          "error to be extra-clear. If you expect 204 No Content, carry on. " \
-          "That's what you'll get from an XHR or API request. Give it a shot."
-
-        raise ActionController::UnknownFormat, message
+        message = "#{self.class.name}\##{action_name} is missing a template for request formats: #{request.formats.map(&:to_s).join(',')}"
+        raise ActionController::MissingExactTemplate, message
       else
         logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
         super

data/lib/action_controller/metal/instrumentation.rb

@@ -30,13 +30,11 @@ module ActionController
       ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
 
       ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        begin
-          result = super
+        super.tap do
           payload[:status] = response.status
-          result
-        ensure
-          append_info_to_payload(payload)
         end
+      ensure
+        append_info_to_payload(payload)
       end
     end
 
@@ -71,7 +69,6 @@ module ActionController
     end
 
   private
-
     # A hook invoked every time a before callback is halted.
     def halted_callback_hook(filter)
       ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)

data/lib/action_controller/metal/live.rb

@@ -86,7 +86,7 @@ module ActionController
     # Note: SSEs are not currently supported by IE. However, they are supported
     # by Chrome, Firefox, Opera, and Safari.
     class SSE
-      WHITELISTED_OPTIONS = %w( retry event id )
+      PERMITTED_OPTIONS = %w( retry event id )
 
       def initialize(stream, options = {})
         @stream = stream
@@ -107,17 +107,16 @@ module ActionController
       end
 
       private
-
         def perform_write(json, options)
           current_options = @options.merge(options).stringify_keys
 
-          WHITELISTED_OPTIONS.each do |option_name|
+          PERMITTED_OPTIONS.each do |option_name|
             if (option_value = current_options[option_name])
               @stream.write "#{option_name}: #{option_value}\n"
             end
           end
 
-          message = json.gsub("\n".freeze, "\ndata: ".freeze)
+          message = json.gsub("\n", "\ndata: ")
           @stream.write "data: #{message}\n\n"
         end
     end
@@ -146,7 +145,7 @@ module ActionController
 
       def write(string)
         unless @response.committed?
-          @response.set_header "Cache-Control", "no-cache"
+          @response.headers["Cache-Control"] ||= "no-cache"
           @response.delete_header "Content-Length"
         end
 
@@ -205,7 +204,6 @@ module ActionController
       end
 
       private
-
         def each_chunk(&block)
           loop do
             str = nil
@@ -220,7 +218,6 @@ module ActionController
 
     class Response < ActionDispatch::Response #:nodoc: all
       private
-
         def before_committed
           super
           jar = request.cookie_jar
@@ -280,33 +277,34 @@ module ActionController
       raise error if error
     end
 
-    # Spawn a new thread to serve up the controller in. This is to get
-    # around the fact that Rack isn't based around IOs and we need to use
-    # a thread to stream data from the response bodies. Nobody should call
-    # this method except in Rails internals. Seriously!
-    def new_controller_thread # :nodoc:
-      Thread.new {
-        t2 = Thread.current
-        t2.abort_on_exception = true
-        yield
-      }
-    end
-
-    def log_error(exception)
-      logger = ActionController::Base.logger
-      return unless logger
-
-      logger.fatal do
-        message = "\n#{exception.class} (#{exception.message}):\n".dup
-        message << exception.annoted_source_code.to_s if exception.respond_to?(:annoted_source_code)
-        message << "  " << exception.backtrace.join("\n  ")
-        "#{message}\n\n"
-      end
-    end
-
     def response_body=(body)
       super
       response.close if response
     end
+
+    private
+      # Spawn a new thread to serve up the controller in. This is to get
+      # around the fact that Rack isn't based around IOs and we need to use
+      # a thread to stream data from the response bodies. Nobody should call
+      # this method except in Rails internals. Seriously!
+      def new_controller_thread # :nodoc:
+        Thread.new {
+          t2 = Thread.current
+          t2.abort_on_exception = true
+          yield
+        }
+      end
+
+      def log_error(exception)
+        logger = ActionController::Base.logger
+        return unless logger
+
+        logger.fatal do
+          message = +"\n#{exception.class} (#{exception.message}):\n"
+          message << exception.annotated_source_code.to_s if exception.respond_to?(:annotated_source_code)
+          message << "  " << exception.backtrace.join("\n  ")
+          "#{message}\n\n"
+        end
+      end
   end
 end

data/lib/action_controller/metal/mime_responds.rb

@@ -11,7 +11,7 @@ module ActionController #:nodoc:
     #     @people = Person.all
     #   end
     #
-    # That action implicitly responds to all formats, but formats can also be whitelisted:
+    # That action implicitly responds to all formats, but formats can also be explicitly enumerated:
     #
     #   def index
     #     @people = Person.all
@@ -105,7 +105,7 @@ module ActionController #:nodoc:
     #
     #   Mime::Type.register "image/jpg", :jpg
     #
-    # Respond to also allows you to specify a common block for different formats by using +any+:
+    # +respond_to+ also allows you to specify a common block for different formats by using +any+:
     #
     #   def index
     #     @people = Person.all
@@ -124,6 +124,14 @@ module ActionController #:nodoc:
     #
     #   render json: @people
     #
+    # +any+ can also be used with no arguments, in which case it will be used for any format requested by
+    # the user:
+    #
+    #   respond_to do |format|
+    #     format.html
+    #     format.any { redirect_to support_path }
+    #   end
+    #
     # Formats can have different variants.
     #
     # The request variant is a specialization of the request format, like <tt>:tablet</tt>,
@@ -197,6 +205,9 @@ module ActionController #:nodoc:
       yield collector if block_given?
 
       if format = collector.negotiate_format(request)
+        if media_type && media_type != format
+          raise ActionController::RespondToMismatchError
+        end
         _process_format(format)
         _set_rendered_content_type format
         response = collector.response

data/lib/action_controller/metal/params_wrapper.rb

@@ -115,7 +115,7 @@ module ActionController
 
               if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
                 self.include += m.nested_attributes_options.keys.map do |key|
-                  key.to_s.dup.concat("_attributes")
+                  (+key.to_s).concat("_attributes")
                 end
               end
 
@@ -241,23 +241,11 @@ module ActionController
     # Performs parameters wrapping upon the request. Called automatically
     # by the metal call stack.
     def process_action(*args)
-      if _wrapper_enabled?
-        wrapped_hash = _wrap_parameters request.request_parameters
-        wrapped_keys = request.request_parameters.keys
-        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
-
-        # This will make the wrapped hash accessible from controller and view.
-        request.parameters.merge! wrapped_hash
-        request.request_parameters.merge! wrapped_hash
-
-        # This will display the wrapped hash in the log file.
-        request.filtered_parameters.merge! wrapped_filtered_hash
-      end
+      _perform_parameter_wrapping if _wrapper_enabled?
       super
     end
 
     private
-
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name
@@ -287,7 +275,23 @@ module ActionController
         return false unless request.has_content_type?
 
         ref = request.content_mime_type.ref
+
         _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
+      end
+
+      def _perform_parameter_wrapping
+        wrapped_hash = _wrap_parameters request.request_parameters
+        wrapped_keys = request.request_parameters.keys
+        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
+
+        # This will make the wrapped hash accessible from controller and view.
+        request.parameters.merge! wrapped_hash
+        request.request_parameters.merge! wrapped_hash
+
+        # This will display the wrapped hash in the log file.
+        request.filtered_parameters.merge! wrapped_filtered_hash
       end
   end
 end

data/lib/action_controller/metal/redirecting.rb

@@ -55,11 +55,11 @@ module ActionController
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
     #   redirect_to post_url(@post) and return
-    def redirect_to(options = {}, response_status = {})
+    def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
-      self.status        = _extract_redirect_to_status(options, response_status)
+      self.status        = _extract_redirect_to_status(options, response_options)
       self.location      = _compute_redirect_to_location(request, options)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
@@ -114,11 +114,11 @@ module ActionController
     public :_compute_redirect_to_location
 
     private
-      def _extract_redirect_to_status(options, response_status)
+      def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
-        elsif response_status.key?(:status)
-          Rack::Utils.status_code(response_status[:status])
+        elsif response_options.key?(:status)
+          Rack::Utils.status_code(response_options[:status])
         else
           302
         end

data/lib/action_controller/metal/renderers.rb

@@ -157,24 +157,24 @@ module ActionController
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        if content_type.nil? || content_type == Mime[:json]
+        if media_type.nil? || media_type == Mime[:json]
           self.content_type = Mime[:js]
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type ||= Mime[:json]
+        self.content_type = Mime[:json] if media_type.nil?
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type ||= Mime[:js]
+      self.content_type = Mime[:js] if media_type.nil?
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type ||= Mime[:xml]
+      self.content_type = Mime[:xml] if media_type.nil?
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
   end

data/lib/action_controller/metal/rendering.rb

@@ -40,7 +40,7 @@ module ActionController
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
-        string = "".dup
+        string = +""
         result.each { |r| string << r }
         string
       else
@@ -53,7 +53,6 @@ module ActionController
     end
 
     private
-
       def _process_variant(options)
         if defined?(request) && !request.nil? && request.variant.present?
           options[:variant] = request.variant
@@ -73,7 +72,7 @@ module ActionController
       end
 
       def _set_rendered_content_type(format)
-        if format && !response.content_type
+        if format && !response.media_type
           self.content_type = format.to_s
         end
       end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -3,7 +3,6 @@
 require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
-require "active_support/core_ext/string/strip"
 
 module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
@@ -18,7 +17,7 @@ module ActionController #:nodoc:
   # access. When a request reaches your application, \Rails verifies the received
   # token with the token in the session. All requests are checked except GET requests
   # as these should be idempotent. Keep in mind that all session-oriented requests
-  # should be CSRF protected, including JavaScript and HTML requests.
+  # are CSRF protected by default, including JavaScript and HTML requests.
   #
   # Since HTML and JavaScript requests are typically made from the browser, we
   # need to ensure to verify request authenticity for the web browser. We can
@@ -31,31 +30,30 @@ module ActionController #:nodoc:
   # URL on your site. When your JavaScript response loads on their site, it executes.
   # With carefully crafted JavaScript on their end, sensitive data in your JavaScript
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
-  # Ajax) requests are allowed to make GET requests for JavaScript responses.
+  # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # It's important to remember that XML or JSON requests are also affected and if
-  # you're building an API you should change forgery protection method in
-  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
+  # Subclasses of <tt>ActionController::Base</tt> are protected by default with the
+  # <tt>:exception</tt> strategy, which raises an
+  # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
+  #
+  # APIs may want to disable this behavior since they are typically designed to be
+  # state-less: that is, the request API client handles the session instead of Rails.
+  # One way to achieve this is to use the <tt>:null_session</tt> strategy instead,
+  # which allows unverified requests to be handled, but with an empty session:
   #
   #   class ApplicationController < ActionController::Base
-  #     protect_from_forgery unless: -> { request.format.json? }
+  #     protect_from_forgery with: :null_session
   #   end
   #
-  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
-  # By default <tt>protect_from_forgery</tt> protects your session with
-  # <tt>:null_session</tt> method, which provides an empty session
-  # during request.
-  #
-  # We may want to disable CSRF protection for APIs since they are typically
-  # designed to be state-less. That is, the request API client will handle
-  # the session for you instead of Rails.
+  # Note that API only applications don't include this module or a session middleware
+  # by default, and so don't require CSRF protection to be configured.
   #
   # The token parameter is named <tt>authenticity_token</tt> by default. The name and
   # value of this token must be added to every layout that renders forms by including
   # <tt>csrf_meta_tags</tt> in the HTML +head+.
   #
   # Learn more about CSRF attacks and securing your application in the
-  # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
+  # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
     extend ActiveSupport::Concern
 
@@ -149,7 +147,6 @@ module ActionController #:nodoc:
       end
 
       private
-
         def protection_method_class(name)
           ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
         rescue NameError
@@ -173,7 +170,6 @@ module ActionController #:nodoc:
         end
 
         private
-
           class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
             def initialize(req)
               super(nil, req)
@@ -280,7 +276,7 @@ module ActionController #:nodoc:
 
       # Check for cross-origin JavaScript responses.
       def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\Atext/javascript) && !request.xhr?
+        %r(\A(?:text|application)/javascript).match?(media_type) && !request.xhr?
       end
 
       AUTHENTICITY_TOKEN_LENGTH = 32
@@ -425,9 +421,14 @@ module ActionController #:nodoc:
       end
 
       def xor_byte_strings(s1, s2) # :doc:
-        s2_bytes = s2.bytes
-        s1.each_byte.with_index { |c1, i| s2_bytes[i] ^= c1 }
-        s2_bytes.pack("C*")
+        s2 = s2.dup
+        size = s1.bytesize
+        i = 0
+        while i < size
+          s2.setbyte(i, s1.getbyte(i) ^ s2.getbyte(i))
+          i += 1
+        end
+        s2
       end
 
       # The form's authenticity parameter. Override to provide your own.
@@ -440,11 +441,11 @@ module ActionController #:nodoc:
         allow_forgery_protection
       end
 
-      NULL_ORIGIN_MESSAGE = <<-MSG.strip_heredoc
+      NULL_ORIGIN_MESSAGE = <<~MSG
         The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
         means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
         refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
-        best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
+        best solution is to change your referrer policy to something less strict like same-origin or strict-origin.
         If you cannot change the referrer policy, you can disable origin checking with the
         Rails.application.config.action_controller.forgery_protection_origin_check setting.
       MSG
@@ -474,30 +475,6 @@ module ActionController #:nodoc:
         end
       end
 
-      if RUBY_VERSION.start_with?("2.2")
-        # Backported https://github.com/ruby/ruby/commit/6b6680945ed3274cddbc34fdfd410d74081a3e94
-        using Module.new {
-          refine Base64.singleton_class do
-            def urlsafe_encode64(bin, padding: true)
-              str = strict_encode64(bin).tr("+/", "-_")
-              str = str.delete("=") unless padding
-              str
-            end
-
-            def urlsafe_decode64(str)
-              # NOTE: RFC 4648 does say nothing about unpadded input, but says that
-              # "the excess pad characters MAY also be ignored", so it is inferred that
-              # unpadded input is also acceptable.
-              str = str.tr("-_", "+/")
-              if !str.end_with?("=") && str.length % 4 != 0
-                str = str.ljust((str.length + 3) & ~3, "=")
-              end
-              strict_decode64(str)
-            end
-          end
-        }
-      end
-
       def encode_csrf_token(csrf_token) # :nodoc:
         if urlsafe_csrf_tokens
           Base64.urlsafe_encode64(csrf_token, padding: false)

data/lib/action_controller/metal/streaming.rb

@@ -196,7 +196,6 @@ module ActionController #:nodoc:
     extend ActiveSupport::Concern
 
     private
-
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)
         super