actionpack 6.0.0.beta1 → 6.0.1.rc1

data/lib/action_dispatch/journey/routes.rb

@@ -56,7 +56,6 @@ module ActionDispatch
       end
 
       def simulator
-        return if ast.nil?
         @simulator ||= begin
           gtg = GTG::Builder.new(ast).transition_table
           GTG::Simulator.new(gtg)

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "erb"
+require "action_dispatch/http/request"
+require "active_support/actionable_error"
+
+module ActionDispatch
+  class ActionableExceptions # :nodoc:
+    cattr_accessor :endpoint, default: "/rails/actions"
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      request = ActionDispatch::Request.new(env)
+      return @app.call(env) unless actionable_request?(request)
+
+      ActiveSupport::ActionableError.dispatch(request.params[:error].to_s.safe_constantize, request.params[:action])
+
+      redirect_to request.params[:location]
+    end
+
+    private
+      def actionable_request?(request)
+        request.show_exceptions? && request.post? && request.path == endpoint
+      end
+
+      def redirect_to(location)
+        body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+
+        [302, {
+          "Content-Type" => "text/html; charset=#{Response.default_charset}",
+          "Content-Length" => body.bytesize.to_s,
+          "Location" => location,
+        }, [body]]
+      end
+  end
+end

data/lib/action_dispatch/middleware/cookies.rb

@@ -338,7 +338,7 @@ module ActionDispatch
 
       def update_cookies_from_jar
         request_jar = @request.cookie_jar.instance_variable_get(:@cookies)
-        set_cookies = request_jar.reject { |k, _| @delete_cookies.key?(k) }
+        set_cookies = request_jar.reject { |k, _| @delete_cookies.key?(k) || @set_cookies.key?(k) }
 
         @cookies.update set_cookies if set_cookies
       end
@@ -488,13 +488,8 @@ module ActionDispatch
         end
 
         def cookie_metadata(name, options)
-          if request.use_cookies_with_metadata
-            metadata = expiry_options(options)
-            metadata[:purpose] = "cookie.#{name}"
-
-            metadata
-          else
-            {}
+          expiry_options(options).tap do |metadata|
+            metadata[:purpose] = "cookie.#{name}" if request.use_cookies_with_metadata
           end
         end
 
@@ -539,9 +534,13 @@ module ActionDispatch
           if value
             case
             when needs_migration?(value)
-              self[name] = Marshal.load(value)
+              Marshal.load(value).tap do |v|
+                self[name] = { value: v }
+              end
             when rotate
-              self[name] = serializer.load(value)
+              serializer.load(value).tap do |v|
+                self[name] = { value: v }
+              end
             else
               serializer.load(value)
             end

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -4,6 +4,8 @@ require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 require "action_dispatch/routing/inspector"
 
+require "active_support/actionable_error"
+
 require "action_view"
 require "action_view/base"
 
@@ -60,7 +62,11 @@ module ActionDispatch
         log_error(request, wrapper)
 
         if request.get_header("action_dispatch.show_detailed_exceptions")
-          content_type = request.formats.first
+          begin
+            content_type = request.formats.first
+          rescue Mime::Type::InvalidMimeType
+            render_for_api_request(Mime[:text], wrapper)
+          end
 
           if api_request?(content_type)
             render_for_api_request(content_type, wrapper)
@@ -142,7 +148,7 @@ module ActionDispatch
           message = []
           message << "  "
           message << "#{exception.class} (#{exception.message}):"
-          message.concat(exception.annoted_source_code) if exception.respond_to?(:annoted_source_code)
+          message.concat(exception.annotated_source_code) if exception.respond_to?(:annotated_source_code)
           message << "  "
           message.concat(trace)
 

data/lib/action_dispatch/middleware/debug_view.rb

@@ -10,7 +10,13 @@ module ActionDispatch
     RESCUES_TEMPLATE_PATH = File.expand_path("templates", __dir__)
 
     def initialize(assigns)
-      super([RESCUES_TEMPLATE_PATH], assigns)
+      paths = [RESCUES_TEMPLATE_PATH]
+      lookup_context = ActionView::LookupContext.new(paths)
+      super(lookup_context, assigns)
+    end
+
+    def compiled_method_container
+      self.class
     end
 
     def debug_params(params)
@@ -46,5 +52,17 @@ module ActionDispatch
         super
       end
     end
+
+    def protect_against_forgery?
+      false
+    end
+
+    def params_valid?
+      begin
+        @request.parameters
+      rescue ActionController::BadRequest
+        false
+      end
+    end
   end
 end

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -12,6 +12,7 @@ module ActionDispatch
       "ActionController::UnknownHttpMethod"          => :method_not_allowed,
       "ActionController::NotImplemented"             => :not_implemented,
       "ActionController::UnknownFormat"              => :not_acceptable,
+      "Mime::Type::InvalidMimeType"                  => :not_acceptable,
       "ActionController::MissingExactTemplate"       => :not_acceptable,
       "ActionController::InvalidAuthenticityToken"   => :unprocessable_entity,
       "ActionController::InvalidCrossOriginRequest"  => :unprocessable_entity,
@@ -31,22 +32,34 @@ module ActionDispatch
       "ActionController::MissingExactTemplate" => "missing_exact_template",
     )
 
+    cattr_accessor :wrapper_exceptions, default: [
+      "ActionView::Template::Error"
+    ]
+
     attr_reader :backtrace_cleaner, :exception, :wrapped_causes, :line_number, :file
 
     def initialize(backtrace_cleaner, exception)
       @backtrace_cleaner = backtrace_cleaner
-      @exception = original_exception(exception)
+      @exception = exception
       @wrapped_causes = wrapped_causes_for(exception, backtrace_cleaner)
 
       expand_backtrace if exception.is_a?(SyntaxError) || exception.cause.is_a?(SyntaxError)
     end
 
+    def unwrapped_exception
+      if wrapper_exceptions.include?(exception.class.to_s)
+        exception.cause
+      else
+        exception
+      end
+    end
+
     def rescue_template
       @@rescue_templates[@exception.class.name]
     end
 
     def status_code
-      self.class.status_code_for_exception(@exception.class.name)
+      self.class.status_code_for_exception(unwrapped_exception.class.name)
     end
 
     def application_trace
@@ -122,14 +135,6 @@ module ActionDispatch
         Array(@exception.backtrace)
       end
 
-      def original_exception(exception)
-        if @@rescue_responses.has_key?(exception.cause.class.name)
-          exception.cause
-        else
-          exception
-        end
-      end
-
       def causes_for(exception)
         return enum_for(__method__, exception) unless block_given?
 

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -3,8 +3,8 @@
 require "action_dispatch/http/request"
 
 module ActionDispatch
-  # This middleware guards from DNS rebinding attacks by white-listing the
-  # hosts a request can be sent to.
+  # This middleware guards from DNS rebinding attacks by explicitly permitting
+  # the hosts a request can be sent to.
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -21,8 +21,12 @@ module ActionDispatch
     def call(env)
       request      = ActionDispatch::Request.new(env)
       status       = request.path_info[1..-1].to_i
-      content_type = request.formats.first
-      body         = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
+      begin
+        content_type = request.formats.first
+      rescue Mime::Type::InvalidMimeType
+        content_type = Mime[:text]
+      end
+      body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
 
       render(status, content_type, body)
     end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -8,13 +8,13 @@ module ActionDispatch
   # contain the address, and then picking the last-set address that is not
   # on the list of trusted IPs. This follows the precedent set by e.g.
   # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
+  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
   # by @gingerlime. A more detailed explanation of the algorithm is given
   # at GetIp#calculate_ip.
   #
   # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
   # requires. Some Rack servers simply drop preceding headers, and only report
-  # the value that was {given in the last header}[http://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
+  # the value that was {given in the last header}[https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
   # If you are behind multiple proxy servers (like NGINX to HAProxy to Unicorn)
   # then you should test your Rack server to make sure your data is good.
   #
@@ -102,7 +102,7 @@ module ActionDispatch
       # proxies, that header may contain a list of IPs. Other proxy services
       # set the Client-Ip header instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,
       # it could also have been set by the client maliciously.
       #

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -24,9 +24,10 @@ module ActionDispatch
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # By default, your secret key base is derived from your application name in
-    # the test and development environments. In all other environments, it is stored
-    # encrypted in the <tt>config/credentials.yml.enc</tt> file.
+    # In the development and test environments your application's secret key base is
+    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
+    # In all other environments, it is stored encrypted in the
+    # <tt>config/credentials.yml.enc</tt> file.
     #
     # If your application was not updated to Rails 5.2 defaults, the secret_key_base
     # will be found in the old <tt>config/secrets.yml</tt> file.

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -45,7 +45,7 @@ module ActionDispatch
         backtrace_cleaner = request.get_header "action_dispatch.backtrace_cleaner"
         wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
         status  = wrapper.status_code
-        request.set_header "action_dispatch.exception", wrapper.exception
+        request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.path_info = "/#{status}"
         response = @exceptions_app.call(request.env)

data/lib/action_dispatch/middleware/stack.rb

@@ -36,6 +36,31 @@ module ActionDispatch
       def build(app)
         klass.new(app, *args, &block)
       end
+
+      def build_instrumented(app)
+        InstrumentationProxy.new(build(app), inspect)
+      end
+    end
+
+    # This class is used to instrument the execution of a single middleware.
+    # It proxies the `call` method transparently and instruments the method
+    # call.
+    class InstrumentationProxy
+      EVENT_NAME = "process_middleware.action_dispatch"
+
+      def initialize(middleware, class_name)
+        @middleware = middleware
+
+        @payload = {
+          middleware: class_name,
+        }
+      end
+
+      def call(env)
+        ActiveSupport::Notifications.instrument(EVENT_NAME, @payload) do
+          @middleware.call(env)
+        end
+      end
     end
 
     include Enumerable
@@ -97,8 +122,15 @@ module ActionDispatch
       middlewares.push(build_middleware(klass, args, block))
     end
 
-    def build(app = Proc.new)
-      middlewares.freeze.reverse.inject(app) { |a, e| e.build(a) }
+    def build(app = nil, &block)
+      instrumenting = ActiveSupport::Notifications.notifier.listening?(InstrumentationProxy::EVENT_NAME)
+      middlewares.freeze.reverse.inject(app || block) do |a, e|
+        if instrumenting
+          e.build_instrumented(a)
+        else
+          e.build(a)
+        end
+      end
     end
 
     private

data/lib/action_dispatch/middleware/templates/rescues/_actions.html.erb

@@ -0,0 +1,13 @@
+<% actions = ActiveSupport::ActionableError.actions(exception) %>
+
+<% if actions.any? %>
+  <div class="actions">
+    <% actions.each do |action, _| %>
+      <%= button_to action, ActionDispatch::ActionableExceptions.endpoint, params: {
+        error: exception.class.name,
+        action: action,
+        location: request.path
+      } %>
+    <% end %>
+  </div>
+<% end %>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.html.erb

@@ -6,7 +6,9 @@
 <% end %>
 
 <h2 style="margin-top: 30px">Request</h2>
-<p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
+<% if params_valid? %>
+  <p><b>Parameters</b>:</p> <pre><%= debug_params(@request.filtered_parameters) %></pre>
+<% end %>
 
 <div class="details">
   <div class="summary"><a href="#" onclick="return toggleSessionDump()">Toggle session dump</a></div>

data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb

@@ -1,5 +1,5 @@
 <%
-  clean_params = @request.filtered_parameters.clone
+  clean_params = params_valid? ? @request.filtered_parameters.clone : {}
   clean_params.delete("action")
   clean_params.delete("controller")
 

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -2,6 +2,6 @@
   <h1>Blocked host: <%= @host %></h1>
 </header>
 <div id="container">
-  <h2>To allow requests to <%= @host %>, add the following configuration:</h2>
-  <pre>Rails.application.config.hosts &lt;&lt; "<%= @host %>"</pre>
+  <h2>To allow requests to <%= @host %>, add the following to your environment configuration:</h2>
+  <pre>config.hosts &lt;&lt; "<%= @host %>"</pre>
 </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.text.erb

@@ -1,5 +1,5 @@
 Blocked host: <%= @host %>
 
-To allow requests to <%= @host %>, add the following configuration:
+To allow requests to <%= @host %>, add the following to your environment configuration:
 
-  Rails.application.config.hosts << "<%= @host %>"
+  config.hosts << "<%= @host %>"

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -1,14 +1,18 @@
 <header>
   <h1>
     <%= @exception.class.to_s %>
-    <% if @request.parameters['controller'] %>
+    <% if params_valid? && @request.parameters['controller'] %>
       in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
     <% end %>
   </h1>
 </header>
 
 <div id="container">
-  <h2><%= h @exception.message %></h2>
+  <h2>
+    <%= h @exception.message %>
+
+    <%= render "rescues/actions", exception: @exception, request: @request %>
+  </h2>
 
   <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx, error_index: 0 %>
   <%= render "rescues/trace", traces: @traces, trace_to_show: @trace_to_show, error_index: 0 %>

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb

@@ -1,5 +1,5 @@
 <%= @exception.class.to_s %><%
-  if @request.parameters['controller']
+  if params_valid? && @request.parameters['controller']
 %> in <%= @request.parameters['controller'].camelize %>Controller<% if @request.parameters['action'] %>#<%= @request.parameters['action'] %><% end %>
 <% end %>
 

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -10,9 +10,12 @@
 <div id="container">
   <h2>
     <%= h @exception.message %>
-    <% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+    <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
       <br />To resolve this issue run: rails active_storage:install
     <% end %>
+    <% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
+      <br />To resolve this issue run: rails action_mailbox:install
+    <% end %>
   </h2>
 
   <%= render "rescues/source", source_extracts: @source_extracts, show_source_idx: @show_source_idx %>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -4,8 +4,10 @@
 <% end %>
 
 <%= @exception.message %>
-<% if @exception.message.match? %r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}} %>
+<% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
 To resolve this issue run: rails active_storage:install
+<% if defined?(ActionMailbox) && @exception.message.match?(%r{#{ActionMailbox::InboundEmail.table_name}}) %>
+To resolve this issue run: rails action_mailbox:install
 <% end %>
 
 <%= render template: "rescues/_source" %>