actionpack 6.0.0.beta1 → 6.0.1.rc1

data/lib/action_controller/metal/renderers.rb

@@ -157,24 +157,24 @@ module ActionController
       json = json.to_json(options) unless json.kind_of?(String)
 
       if options[:callback].present?
-        if content_type.nil? || content_type == Mime[:json]
+        if media_type.nil? || media_type == Mime[:json]
           self.content_type = Mime[:js]
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type ||= Mime[:json]
+        self.content_type = Mime[:json] if media_type.nil?
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type ||= Mime[:js]
+      self.content_type = Mime[:js] if media_type.nil?
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type ||= Mime[:xml]
+      self.content_type = Mime[:xml] if media_type.nil?
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
   end

data/lib/action_controller/metal/rendering.rb

@@ -73,7 +73,7 @@ module ActionController
       end
 
       def _set_rendered_content_type(format)
-        if format && !response.content_type
+        if format && !response.media_type
           self.content_type = format.to_s
         end
       end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -282,7 +282,7 @@ module ActionController #:nodoc:
 
       # Check for cross-origin JavaScript responses.
       def non_xhr_javascript_response? # :doc:
-        content_type =~ %r(\A(?:text|application)/javascript) && !request.xhr?
+        %r(\A(?:text|application)/javascript).match?(media_type) && !request.xhr?
       end
 
       AUTHENTICITY_TOKEN_LENGTH = 32
@@ -431,7 +431,7 @@ module ActionController #:nodoc:
         The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually
         means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that
         refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the
-        best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin.
+        best solution is to change your referrer policy to something less strict like same-origin or strict-origin.
         If you cannot change the referrer policy, you can disable origin checking with the
         Rails.application.config.action_controller.forgery_protection_origin_check setting.
       MSG

data/lib/action_controller/metal/strong_parameters.rb

@@ -4,7 +4,6 @@ require "active_support/core_ext/hash/indifferent_access"
 require "active_support/core_ext/array/wrap"
 require "active_support/core_ext/string/filters"
 require "active_support/core_ext/object/to_query"
-require "active_support/rescuable"
 require "action_dispatch/http/upload"
 require "rack/test"
 require "stringio"
@@ -674,18 +673,16 @@ module ActionController
     # Returns a new <tt>ActionController::Parameters</tt> instance with the
     # results of running +block+ once for every key. The values are unchanged.
     def transform_keys(&block)
-      if block
-        new_instance_with_inherited_permitted_status(
-          @parameters.transform_keys(&block)
-        )
-      else
-        @parameters.transform_keys
-      end
+      return to_enum(:transform_keys) unless block_given?
+      new_instance_with_inherited_permitted_status(
+        @parameters.transform_keys(&block)
+      )
     end
 
     # Performs keys transformation and returns the altered
     # <tt>ActionController::Parameters</tt> instance.
     def transform_keys!(&block)
+      return to_enum(:transform_keys!) unless block_given?
       @parameters.transform_keys!(&block)
       self
     end
@@ -795,7 +792,7 @@ module ActionController
         @permitted  = coder.map["ivars"][:@permitted]
       when "!ruby/object:ActionController::Parameters"
         # YAML's Object format. Only needed because of the format
-        # backwardscompability above, otherwise equivalent to YAML's initialization.
+        # backwards compatibility above, otherwise equivalent to YAML's initialization.
         @parameters, @permitted = coder.map["parameters"], coder.map["permitted"]
       end
     end
@@ -1092,9 +1089,6 @@ module ActionController
   # See ActionController::Parameters.require and ActionController::Parameters.permit
   # for more information.
   module StrongParameters
-    extend ActiveSupport::Concern
-    include ActiveSupport::Rescuable
-
     # Returns a new ActionController::Parameters object that
     # has been instantiated with the <tt>request.parameters</tt>.
     def params

data/lib/action_controller/renderer.rb

@@ -74,7 +74,7 @@ module ActionController
     # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt> for details.
     # * <tt>:file</tt> - Renders an explicit template file. Add <tt>:locals</tt> to pass in, if so desired.
     #   It shouldn’t be used directly with unsanitized user input due to lack of validation.
-    # * <tt>:inline</tt> - Renders a ERB template string.
+    # * <tt>:inline</tt> - Renders an ERB template string.
     # * <tt>:plain</tt> - Renders provided text and sets the content type as <tt>text/plain</tt>.
     # * <tt>:html</tt> - Renders the provided HTML safe string, otherwise
     #   performs HTML escape on the string first. Sets the content type as <tt>text/html</tt>.
@@ -116,7 +116,7 @@ module ActionController
 
       RACK_VALUE_TRANSLATION = {
         https: ->(v) { v ? "on" : "off" },
-        method: ->(v) { v.upcase },
+        method: ->(v) { -v.upcase },
       }
 
       def rack_key_for(key)

data/lib/action_controller/template_assertions.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module ActionController
-  module TemplateAssertions
+  module TemplateAssertions # :nodoc:
     def assert_template(options = {}, message = nil)
       raise NoMethodError,
         "assert_template has been extracted to a gem. To continue using it,

data/lib/action_controller/test_case.rb

@@ -457,6 +457,7 @@ module ActionController
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
 
+        action = +action.to_s
         http_method = method.to_s.upcase
 
         @html_document = nil
@@ -488,11 +489,11 @@ module ActionController
           parameters[:format] = format
         end
 
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action.to_s))
+        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
         generated_path = generated_path(generated_extras)
         query_string_keys = query_parameter_names(generated_extras)
 
-        @request.assign_parameters(@routes, controller_class_name, action.to_s, parameters, generated_path, query_string_keys)
+        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
 
         @request.session.update(session) if session
         @request.flash.update(flash || {})

data/lib/action_dispatch.rb

@@ -53,6 +53,7 @@ module ActionDispatch
     autoload :RequestId
     autoload :Callbacks
     autoload :Cookies
+    autoload :ActionableExceptions
     autoload :DebugExceptions
     autoload :DebugLocks
     autoload :DebugView
@@ -79,7 +80,6 @@ module ActionDispatch
     autoload :MimeNegotiation
     autoload :Parameters
     autoload :ParameterFilter
-    autoload :Upload
     autoload :UploadedFile, "action_dispatch/http/upload"
     autoload :URL
   end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -22,8 +22,9 @@ module ActionDispatch #:nodoc:
 
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
+          nonce_directives = request.content_security_policy_nonce_directives
           context = request.controller_instance || request
-          headers[header_name(request)] = policy.build(context, nonce)
+          headers[header_name(request)] = policy.build(context, nonce, nonce_directives)
         end
 
         response
@@ -55,6 +56,7 @@ module ActionDispatch #:nodoc:
       POLICY_REPORT_ONLY = "action_dispatch.content_security_policy_report_only"
       NONCE_GENERATOR = "action_dispatch.content_security_policy_nonce_generator"
       NONCE = "action_dispatch.content_security_policy_nonce"
+      NONCE_DIRECTIVES = "action_dispatch.content_security_policy_nonce_directives"
 
       def content_security_policy
         get_header(POLICY)
@@ -80,6 +82,14 @@ module ActionDispatch #:nodoc:
         set_header(NONCE_GENERATOR, generator)
       end
 
+      def content_security_policy_nonce_directives
+        get_header(NONCE_DIRECTIVES)
+      end
+
+      def content_security_policy_nonce_directives=(generator)
+        set_header(NONCE_DIRECTIVES, generator)
+      end
+
       def content_security_policy_nonce
         if content_security_policy_nonce_generator
           if nonce = get_header(NONCE)
@@ -133,9 +143,9 @@ module ActionDispatch #:nodoc:
       worker_src:      "worker-src"
     }.freeze
 
-    NONCE_DIRECTIVES = %w[script-src style-src].freeze
+    DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
-    private_constant :MAPPINGS, :DIRECTIVES, :NONCE_DIRECTIVES
+    private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
 
     attr_reader :directives
 
@@ -204,8 +214,9 @@ module ActionDispatch #:nodoc:
       end
     end
 
-    def build(context = nil, nonce = nil)
-      build_directives(context, nonce).compact.join("; ")
+    def build(context = nil, nonce = nil, nonce_directives = nil)
+      nonce_directives = DEFAULT_NONCE_DIRECTIVES if nonce_directives.nil?
+      build_directives(context, nonce, nonce_directives).compact.join("; ")
     end
 
     private
@@ -228,10 +239,10 @@ module ActionDispatch #:nodoc:
         end
       end
 
-      def build_directives(context, nonce)
+      def build_directives(context, nonce, nonce_directives)
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
-            if nonce && nonce_directive?(directive)
+            if nonce && nonce_directive?(directive, nonce_directives)
               "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
             else
               "#{directive} #{build_directive(sources, context).join(' ')}"
@@ -266,8 +277,8 @@ module ActionDispatch #:nodoc:
         end
       end
 
-      def nonce_directive?(directive)
-        NONCE_DIRECTIVES.include?(directive)
+      def nonce_directive?(directive, nonce_directives)
+        nonce_directives.include?(directive)
       end
   end
 end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -79,6 +79,11 @@ module ActionDispatch
           else
             [Mime[:html]]
           end
+
+          v = v.select do |format|
+            format.symbol || format.ref == "*/*"
+          end
+
           set_header k, v
         end
       end

data/lib/action_dispatch/http/mime_type.rb

@@ -170,6 +170,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
+          return [] unless accept_header
           parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
         else
           list, index = [], 0
@@ -221,7 +222,18 @@ module Mime
 
     attr_reader :hash
 
+    MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
+    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
+    MIME_PARAMETER = "\s*\;\s+#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAMETER}\s*)*)\z/
+
+    class InvalidMimeType < StandardError; end
+
     def initialize(string, symbol = nil, synonyms = [])
+      unless MIME_REGEXP.match?(string)
+        raise InvalidMimeType, "#{string.inspect} is not a valid MIME type"
+      end
       @symbol, @synonyms = symbol, synonyms
       @string = string
       @hash = [@string, @synonyms, @symbol].hash
@@ -303,7 +315,7 @@ module Mime
     include Singleton
 
     def initialize
-      super "*/*", :all
+      super "*/*", nil
     end
 
     def all?; true; end

data/lib/action_dispatch/http/response.rb

@@ -85,6 +85,7 @@ module ActionDispatch # :nodoc:
 
     cattr_accessor :default_charset, default: "utf-8"
     cattr_accessor :default_headers
+    cattr_accessor :return_only_media_type_on_content_type, default: false
 
     include Rack::Response::Helpers
     # Aliasing these off because AD::Http::Cache::Response defines them.
@@ -242,8 +243,22 @@ module ActionDispatch # :nodoc:
     end
 
     # Content type of response.
-    # It returns just MIME type and does NOT contain charset part.
     def content_type
+      if self.class.return_only_media_type_on_content_type
+        ActiveSupport::Deprecation.warn(
+          "Rails 6.1 will return Content-Type header without modification." \
+          " If you want just the MIME type, please use `#media_type` instead."
+        )
+
+        content_type = super
+        content_type ? content_type.split(/;\s*charset=/)[0].presence : content_type
+      else
+        super.presence
+      end
+    end
+
+    # Media type of response.
+    def media_type
       parsed_content_type_header.mime_type
     end
 
@@ -404,15 +419,18 @@ module ActionDispatch # :nodoc:
     end
 
   private
-
     ContentTypeHeader = Struct.new :mime_type, :charset
     NullContentTypeHeader = ContentTypeHeader.new nil, nil
 
+    CONTENT_TYPE_PARSER = /
+      \A
+      (?<mime_type>[^;\s]+\s*(?:;\s*(?:(?!charset)[^;\s])+)*)?
+      (?:;\s*charset=(?<quote>"?)(?<charset>[^;\s]+)\k<quote>)?
+    /x # :nodoc:
+
     def parse_content_type(content_type)
-      if content_type
-        type, charset = content_type.split(/;\s*charset=/)
-        type = nil if type && type.empty?
-        ContentTypeHeader.new(type, charset)
+      if content_type && match = CONTENT_TYPE_PARSER.match(content_type)
+        ContentTypeHeader.new(match[:mime_type], match[:charset])
       else
         NullContentTypeHeader
       end
@@ -459,7 +477,7 @@ module ActionDispatch # :nodoc:
     end
 
     def assign_default_content_type_and_charset!
-      return if content_type
+      return if media_type
 
       ct = parsed_content_type_header
       set_content_type(ct.mime_type || Mime[:html].to_s,
@@ -517,4 +535,6 @@ module ActionDispatch # :nodoc:
       end
     end
   end
+
+  ActiveSupport.run_load_hooks(:action_dispatch_response, Response)
 end

data/lib/action_dispatch/http/upload.rb

@@ -20,7 +20,6 @@ module ActionDispatch
       # A +Tempfile+ object with the actual uploaded file. Note that some of
       # its interface is available directly.
       attr_accessor :tempfile
-      alias :to_io :tempfile
 
       # A string with the headers of the multipart request.
       attr_accessor :headers
@@ -84,6 +83,10 @@ module ActionDispatch
       def eof?
         @tempfile.eof?
       end
+
+      def to_io
+        @tempfile.to_io
+      end
     end
   end
 end

data/lib/action_dispatch/journey/formatter.rb

@@ -67,7 +67,7 @@ module ActionDispatch
           parameterized_parts = recall.merge(options)
 
           keys_to_keep = route.parts.reverse_each.drop_while { |part|
-            !options.key?(part) || (options[part] || recall[part]).nil?
+            !(options.key?(part) || route.scope_options.key?(part)) || (options[part] || recall[part]).nil?
           } | route.required_parts
 
           parameterized_parts.delete_if do |bad_key, _|

data/lib/action_dispatch/journey/path/pattern.rb

@@ -119,7 +119,8 @@ module ActionDispatch
 
         class UnanchoredRegexp < AnchoredRegexp # :nodoc:
           def accept(node)
-            %r{\A#{visit node}}
+            path = visit node
+            path == "/" ? %r{\A/} : %r{\A#{path}(?:\b|\Z|/)}
           end
         end
 
@@ -136,6 +137,10 @@ module ActionDispatch
             Array.new(length - 1) { |i| self[i + 1] }
           end
 
+          def named_captures
+            @names.zip(captures).to_h
+          end
+
           def [](x)
             idx = @offsets[x - 1] + x
             @match[idx]

data/lib/action_dispatch/journey/route.rb

@@ -4,9 +4,9 @@ module ActionDispatch
   # :stopdoc:
   module Journey
     class Route
-      attr_reader :app, :path, :defaults, :name, :precedence
+      attr_reader :app, :path, :defaults, :name, :precedence, :constraints,
+                  :internal, :scope_options
 
-      attr_reader :constraints, :internal
       alias :conditions :constraints
 
       module VerbMatchers
@@ -51,13 +51,13 @@ module ActionDispatch
 
       def self.build(name, app, path, constraints, required_defaults, defaults)
         request_method_match = verb_matcher(constraints.delete(:request_method))
-        new name, app, path, constraints, required_defaults, defaults, request_method_match, 0
+        new name, app, path, constraints, required_defaults, defaults, request_method_match, 0, {}
       end
 
       ##
       # +path+ is a path constraint.
       # +constraints+ is a hash of constraints to be applied to this route.
-      def initialize(name, app, path, constraints, required_defaults, defaults, request_method_match, precedence, internal = false)
+      def initialize(name, app, path, constraints, required_defaults, defaults, request_method_match, precedence, scope_options, internal = false)
         @name        = name
         @app         = app
         @path        = path
@@ -72,6 +72,7 @@ module ActionDispatch
         @decorated_ast     = nil
         @precedence        = precedence
         @path_formatter    = @path.build_formatter
+        @scope_options     = scope_options
         @internal          = internal
       end