actionpack 6.0.2.1 → 6.0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb4d2886c2ddd45b39d89f4adb1d70764435a236d046d4db4d703ad93318e464
-  data.tar.gz: 776bd2d00abd923d4a80437fb99fd77741d90ca0269b16ca2e03b3de99e966aa
+  metadata.gz: 8b64b66c90800df2c6d807903bf40f902efb79bc47ca5b83dbd1b247e1bdffcf
+  data.tar.gz: 93e1f48c69ef9d057a40d0b838eea0535bf66d1b683ee5971f7c6c181467a98c
 SHA512:
-  metadata.gz: 9858771c2bcabdc985dcd72927c56ec47fc4e54d3c1a1e0e116111fcf70046f8add6a4cde9448611552fae7131b6e87e68eec389212ff989174ebd7e997bb675
-  data.tar.gz: 3761566fbc2835aa652aee777633857b29e3dfab4556c3fc0a1f16ffa53f28cb3f7166fb42f04917bdf3df79e75320e0eea865f12ad4762deb6c5e0d47a969c8
+  metadata.gz: 15c8497c65a02f8b1d25c441ba2df08f9a815b96d503ebdfb5bffd396094b6dd8383adafaf8c1c72dffd8c52d1544418b6051e12b22d41d335e222b1e45751cd
+  data.tar.gz: d7de3f0b1c8e0a1d8ca347786a348cbee449cad8583b2255aa33d79d65de8f182e9a105bc750ee8e498ffc2a8899770f5f9cab1cc2a40c7ceb939fcbdb327a73

data/CHANGELOG.md

@@ -1,3 +1,34 @@
+## Rails 6.0.3.2 (June 17, 2020) ##
+
+*   [CVE-2020-8185] Only allow ActionableErrors if show_detailed_exceptions is enabled
+
+## Rails 6.0.3.1 (May 18, 2020) ##
+
+*   [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
+
+*   [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash
+
+## Rails 6.0.3 (May 06, 2020) ##
+
+*   Include child session assertion count in ActionDispatch::IntegrationTest
+
+    `IntegrationTest#open_session` uses `dup` to create the new session, which
+    meant it had its own copy of `@assertions`. This prevented the assertions
+    from being correctly counted and reported.
+
+    Child sessions now have their `attr_accessor` overriden to delegate to the
+    root session.
+
+    Fixes #32142
+
+    *Sam Bostock*
+
+
+## Rails 6.0.2.2 (March 19, 2020) ##
+
+*   No changes.
+
+
 ## Rails 6.0.2.1 (December 18, 2019) ##
 
 *   Fix possible information leak / session hijacking vulnerability.

data/README.rdoc

@@ -55,4 +55,4 @@ Bug reports for the Ruby on Rails project can be filed here:
 
 Feature requests should be discussed on the rails-core mailing list here:
 
-* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core
+* https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/abstract_controller/base.rb

@@ -176,7 +176,6 @@ module AbstractController
     end
 
     private
-
       # Returns true if the name can be considered an action because
       # it has a method defined in the controller.
       #

data/lib/abstract_controller/caching.rb

@@ -15,7 +15,7 @@ module AbstractController
       end
 
       def cache_store=(store)
-        config.cache_store = ActiveSupport::Cache.lookup_store(store)
+        config.cache_store = ActiveSupport::Cache.lookup_store(*store)
       end
 
       private

data/lib/abstract_controller/collector.rb

@@ -22,7 +22,6 @@ module AbstractController
     end
 
   private
-
     def method_missing(symbol, &block)
       unless mime_constant = Mime[symbol]
         raise NoMethodError, "To respond to a custom format, register it as a MIME type first: " \

data/lib/abstract_controller/helpers.rb

@@ -61,11 +61,12 @@ module AbstractController
         meths.flatten!
         self._helper_methods += meths
 
-        meths.each do |meth|
+        meths.each do |method|
           _helpers.class_eval <<-ruby_eval, __FILE__, __LINE__ + 1
-            def #{meth}(*args, &blk)                               # def current_user(*args, &blk)
-              controller.send(%(#{meth}), *args, &blk)             #   controller.send(:current_user, *args, &blk)
-            end                                                    # end
+            def #{method}(*args, &blk)                     # def current_user(*args, &blk)
+              controller.send(%(#{method}), *args, &blk)   #   controller.send(:current_user, *args, &blk)
+            end                                            # end
+            ruby2_keywords(%(#{method})) if respond_to?(:ruby2_keywords, true)
           ruby_eval
         end
       end

data/lib/abstract_controller/translation.rb

@@ -10,8 +10,7 @@ module AbstractController
     # <tt>I18n.translate("people.index.foo")</tt>. This makes it less repetitive
     # to translate many keys within the same controller / action and gives you a
     # simple framework for scoping them consistently.
-    def translate(key, options = {})
-      options = options.dup
+    def translate(key, **options)
       if key.to_s.first == "."
         path = controller_path.tr("/", ".")
         defaults = [:"#{path}#{key}"]
@@ -19,13 +18,13 @@ module AbstractController
         options[:default] = defaults.flatten
         key = "#{path}.#{action_name}#{key}"
       end
-      I18n.translate(key, options)
+      I18n.translate(key, **options)
     end
     alias :t :translate
 
     # Delegates to <tt>I18n.localize</tt>. Also aliased as <tt>l</tt>.
-    def localize(*args)
-      I18n.localize(*args)
+    def localize(object, **options)
+      I18n.localize(object, **options)
     end
     alias :l :localize
   end

data/lib/action_controller/caching.rb

@@ -30,7 +30,6 @@ module ActionController
     end
 
     private
-
       def instrument_payload(key)
         {
           controller: controller_name,

data/lib/action_controller/metal.rb

@@ -35,7 +35,6 @@ module ActionController
     end
 
     private
-
       INCLUDE = ->(list, action) { list.include? action }
       EXCLUDE = ->(list, action) { !list.include? action }
       NULL    = ->(list, action) { true }
@@ -217,10 +216,13 @@ module ActionController
       super
     end
 
-    # Pushes the given Rack middleware and its arguments to the bottom of the
-    # middleware stack.
-    def self.use(*args, &block)
-      middleware_stack.use(*args, &block)
+    class << self
+      # Pushes the given Rack middleware and its arguments to the bottom of the
+      # middleware stack.
+      def use(*args, &block)
+        middleware_stack.use(*args, &block)
+      end
+      ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
     end
 
     # Alias for +middleware_stack+.

data/lib/action_controller/metal/content_security_policy.rb

@@ -36,7 +36,6 @@ module ActionController #:nodoc:
     end
 
     private
-
       def content_security_policy?
         request.content_security_policy
       end

data/lib/action_controller/metal/instrumentation.rb

@@ -69,7 +69,6 @@ module ActionController
     end
 
   private
-
     # A hook invoked every time a before callback is halted.
     def halted_callback_hook(filter)
       ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)

data/lib/action_controller/metal/live.rb

@@ -107,7 +107,6 @@ module ActionController
       end
 
       private
-
         def perform_write(json, options)
           current_options = @options.merge(options).stringify_keys
 
@@ -205,7 +204,6 @@ module ActionController
       end
 
       private
-
         def each_chunk(&block)
           loop do
             str = nil
@@ -220,7 +218,6 @@ module ActionController
 
     class Response < ActionDispatch::Response #:nodoc: all
       private
-
         def before_committed
           super
           jar = request.cookie_jar
@@ -286,7 +283,6 @@ module ActionController
     end
 
     private
-
       # Spawn a new thread to serve up the controller in. This is to get
       # around the fact that Rack isn't based around IOs and we need to use
       # a thread to stream data from the response bodies. Nobody should call

data/lib/action_controller/metal/params_wrapper.rb

@@ -246,7 +246,6 @@ module ActionController
     end
 
     private
-
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name

data/lib/action_controller/metal/rendering.rb

@@ -53,7 +53,6 @@ module ActionController
     end
 
     private
-
       def _process_variant(options)
         if defined?(request) && !request.nil? && request.variant.present?
           options[:variant] = request.variant

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -151,7 +151,6 @@ module ActionController #:nodoc:
       end
 
       private
-
         def protection_method_class(name)
           ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
         rescue NameError
@@ -175,7 +174,6 @@ module ActionController #:nodoc:
         end
 
         private
-
           class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
             def initialize(req)
               super(nil, req)
@@ -324,13 +322,10 @@ module ActionController #:nodoc:
           action_path = normalize_action_path(action)
           per_form_csrf_token(session, action_path, method)
         else
-          real_csrf_token(session)
+          global_csrf_token(session)
         end
 
-        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
-        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
-        masked_token = one_time_pad + encrypted_csrf_token
-        Base64.strict_encode64(masked_token)
+        mask_token(raw_token)
       end
 
       # Checks the client's masked token to see if it matches the
@@ -360,7 +355,8 @@ module ActionController #:nodoc:
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_real_token(csrf_token, session) ||
+          compare_with_global_token(csrf_token, session) ||
+            compare_with_real_token(csrf_token, session) ||
             valid_per_form_csrf_token?(csrf_token, session)
         else
           false # Token is malformed.
@@ -375,10 +371,21 @@ module ActionController #:nodoc:
         xor_byte_strings(one_time_pad, encrypted_csrf_token)
       end
 
+      def mask_token(raw_token) # :doc:
+        one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+        encrypted_csrf_token = xor_byte_strings(one_time_pad, raw_token)
+        masked_token = one_time_pad + encrypted_csrf_token
+        Base64.strict_encode64(masked_token)
+      end
+
       def compare_with_real_token(token, session) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
+      def compare_with_global_token(token, session) # :doc:
+        ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
+      end
+
       def valid_per_form_csrf_token?(token, session) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
@@ -399,10 +406,21 @@ module ActionController #:nodoc:
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
+        csrf_token_hmac(session, [action_path, method.downcase].join("#"))
+      end
+
+      GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
+      private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
+
+      def global_csrf_token(session) # :doc:
+        csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
+      end
+
+      def csrf_token_hmac(session, identifier) # :doc:
         OpenSSL::HMAC.digest(
           OpenSSL::Digest::SHA256.new,
           real_csrf_token(session),
-          [action_path, method.downcase].join("#")
+          identifier
         )
       end
 

data/lib/action_controller/metal/streaming.rb

@@ -196,7 +196,6 @@ module ActionController #:nodoc:
     extend ActiveSupport::Concern
 
     private
-
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)
         super

data/lib/action_controller/metal/strong_parameters.rb

@@ -344,6 +344,8 @@ module ActionController
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
+
+      self
     end
     alias_method :each, :each_pair
 
@@ -353,6 +355,8 @@ module ActionController
       @parameters.each_pair do |key, value|
         yield convert_hashes_to_parameters(key, value)
       end
+
+      self
     end
 
     # Attribute that keeps track of converted arrays, if any, to avoid double

data/lib/action_controller/test_case.rb

@@ -158,7 +158,6 @@ module ActionController
     end.new
 
     private
-
       def params_parsers
         super.merge @custom_param_parsers
       end
@@ -177,12 +176,12 @@ module ActionController
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::SessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
     def initialize(session = {})
       super(nil, nil)
-      @id = SecureRandom.hex(16)
+      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
       @data = stringify_keys(session)
       @loaded = true
     end
@@ -203,12 +202,16 @@ module ActionController
       clear
     end
 
+    def dig(*keys)
+      keys = keys.map.with_index { |key, i| i.zero? ? key.to_s : key }
+      @data.dig(*keys)
+    end
+
     def fetch(key, *args, &block)
       @data.fetch(key.to_s, *args, &block)
     end
 
     private
-
       def load!
         @id
       end
@@ -595,7 +598,6 @@ module ActionController
       end
 
       private
-
         def scrub_env!(env)
           env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
           env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }

data/lib/action_dispatch.rb

@@ -40,6 +40,9 @@ module ActionDispatch
   class IllegalStateError < StandardError
   end
 
+  class MissingController < NameError
+  end
+
   eager_autoload do
     autoload_under "http" do
       autoload :ContentSecurityPolicy

data/lib/action_dispatch/http/cache.rb

@@ -123,7 +123,6 @@ module ActionDispatch
         end
 
       private
-
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
         SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])

data/lib/action_dispatch/http/content_security_policy.rb

@@ -31,7 +31,6 @@ module ActionDispatch #:nodoc:
       end
 
       private
-
         def html_response?(headers)
           if content_type = headers[CONTENT_TYPE]
             content_type =~ /html/
@@ -101,7 +100,6 @@ module ActionDispatch #:nodoc:
       end
 
       private
-
         def generate_content_security_policy_nonce
           content_security_policy_nonce_generator.call(self)
         end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -56,7 +56,6 @@ module ActionDispatch
       end
 
     private
-
       def parameter_filter # :doc:
         parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
           return NULL_PARAM_FILTER

data/lib/action_dispatch/http/filter_redirect.rb

@@ -14,7 +14,6 @@ module ActionDispatch
       end
 
     private
-
       def location_filters
         if request
           request.get_header("action_dispatch.redirect_filter") || []

data/lib/action_dispatch/http/headers.rb

@@ -116,7 +116,6 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-
         # Converts an HTTP header name to an environment variable name if it is
         # not contained within the headers hash.
         def env_name(key)