actionpack 6.0.3.6 → 6.1.0.rc1

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -6,21 +6,21 @@ require "rack/utils"
 module ActionDispatch
   class ExceptionWrapper
     cattr_accessor :rescue_responses, default: Hash.new(:internal_server_error).merge!(
-      "ActionController::RoutingError"               => :not_found,
-      "AbstractController::ActionNotFound"           => :not_found,
-      "ActionController::MethodNotAllowed"           => :method_not_allowed,
-      "ActionController::UnknownHttpMethod"          => :method_not_allowed,
-      "ActionController::NotImplemented"             => :not_implemented,
-      "ActionController::UnknownFormat"              => :not_acceptable,
-      "Mime::Type::InvalidMimeType"                  => :not_acceptable,
-      "ActionController::MissingExactTemplate"       => :not_acceptable,
-      "ActionController::InvalidAuthenticityToken"   => :unprocessable_entity,
-      "ActionController::InvalidCrossOriginRequest"  => :unprocessable_entity,
-      "ActionDispatch::Http::Parameters::ParseError" => :bad_request,
-      "ActionController::BadRequest"                 => :bad_request,
-      "ActionController::ParameterMissing"           => :bad_request,
-      "Rack::QueryParser::ParameterTypeError"        => :bad_request,
-      "Rack::QueryParser::InvalidParameterError"     => :bad_request
+      "ActionController::RoutingError"                     => :not_found,
+      "AbstractController::ActionNotFound"                 => :not_found,
+      "ActionController::MethodNotAllowed"                 => :method_not_allowed,
+      "ActionController::UnknownHttpMethod"                => :method_not_allowed,
+      "ActionController::NotImplemented"                   => :not_implemented,
+      "ActionController::UnknownFormat"                    => :not_acceptable,
+      "ActionDispatch::Http::MimeNegotiation::InvalidType" => :not_acceptable,
+      "ActionController::MissingExactTemplate"             => :not_acceptable,
+      "ActionController::InvalidAuthenticityToken"         => :unprocessable_entity,
+      "ActionController::InvalidCrossOriginRequest"        => :unprocessable_entity,
+      "ActionDispatch::Http::Parameters::ParseError"       => :bad_request,
+      "ActionController::BadRequest"                       => :bad_request,
+      "ActionController::ParameterMissing"                 => :bad_request,
+      "Rack::QueryParser::ParameterTypeError"              => :bad_request,
+      "Rack::QueryParser::InvalidParameterError"           => :bad_request
     )
 
     cattr_accessor :rescue_templates, default: Hash.new("diagnostics").merge!(
@@ -36,18 +36,24 @@ module ActionDispatch
       "ActionView::Template::Error"
     ]
 
+    cattr_accessor :silent_exceptions, default: [
+      "ActionController::RoutingError",
+      "ActionDispatch::Http::MimeNegotiation::InvalidType"
+    ]
+
     attr_reader :backtrace_cleaner, :exception, :wrapped_causes, :line_number, :file
 
     def initialize(backtrace_cleaner, exception)
       @backtrace_cleaner = backtrace_cleaner
       @exception = exception
+      @exception_class_name = @exception.class.name
       @wrapped_causes = wrapped_causes_for(exception, backtrace_cleaner)
 
       expand_backtrace if exception.is_a?(SyntaxError) || exception.cause.is_a?(SyntaxError)
     end
 
     def unwrapped_exception
-      if wrapper_exceptions.include?(exception.class.to_s)
+      if wrapper_exceptions.include?(@exception_class_name)
         exception.cause
       else
         exception
@@ -55,13 +61,19 @@ module ActionDispatch
     end
 
     def rescue_template
-      @@rescue_templates[@exception.class.name]
+      @@rescue_templates[@exception_class_name]
     end
 
     def status_code
       self.class.status_code_for_exception(unwrapped_exception.class.name)
     end
 
+    def exception_trace
+      trace = application_trace
+      trace = framework_trace if trace.empty? && !silent_exceptions.include?(@exception_class_name)
+      trace
+    end
+
     def application_trace
       clean_backtrace(:silent)
     end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -4,7 +4,12 @@ require "action_dispatch/http/request"
 
 module ActionDispatch
   # This middleware guards from DNS rebinding attacks by explicitly permitting
-  # the hosts a request can be sent to.
+  # the hosts a request can be sent to, and is passed the options set in
+  # +config.host_authorization+.
+  #
+  # Requests can opt-out of Host Authorization with +exclude+:
+  #
+  #    config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a
@@ -66,9 +71,20 @@ module ActionDispatch
       }, [body]]
     end
 
-    def initialize(app, hosts, response_app = nil)
+    def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
       @app = app
       @permissions = Permissions.new(hosts)
+      @exclude = exclude
+
+      unless deprecated_response_app.nil?
+        ActiveSupport::Deprecation.warn(<<-MSG.squish)
+          `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 6.2.
+          Use the Host Authorization `response_app` setting instead.
+        MSG
+
+        response_app ||= deprecated_response_app
+      end
+
       @response_app = response_app || DEFAULT_RESPONSE_APP
     end
 
@@ -77,7 +93,7 @@ module ActionDispatch
 
       request = Request.new(env)
 
-      if authorized?(request)
+      if authorized?(request) || excluded?(request)
         mark_as_authorized(request)
         @app.call(env)
       else
@@ -87,20 +103,15 @@ module ActionDispatch
 
     private
       def authorized?(request)
-        valid_host = /
-          \A
-          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
-          (:\d+)?
-          \z
-        /x
-
-        origin_host = valid_host.match(
-          request.get_header("HTTP_HOST").to_s.downcase)
-        forwarded_host = valid_host.match(
-          request.x_forwarded_host.to_s.split(/,\s?/).last)
-
-        origin_host && @permissions.allows?(origin_host[:host]) && (
-          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
+        origin_host = request.get_header("HTTP_HOST").to_s.sub(/:\d+\z/, "")
+        forwarded_host = request.x_forwarded_host.to_s.split(/,\s?/).last.to_s.sub(/:\d+\z/, "")
+
+        @permissions.allows?(origin_host) &&
+          (forwarded_host.blank? || @permissions.allows?(forwarded_host))
+      end
+
+      def excluded?(request)
+        @exclude && @exclude.call(request)
       end
 
       def mark_as_authorized(request)

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -23,7 +23,7 @@ module ActionDispatch
       status       = request.path_info[1..-1].to_i
       begin
         content_type = request.formats.first
-      rescue Mime::Type::InvalidMimeType
+      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
         content_type = Mime[:text]
       end
       body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -33,7 +33,7 @@ module ActionDispatch
     # not be the ultimate client IP in production, and so are discarded. See
     # https://en.wikipedia.org/wiki/Private_network for details.
     TRUSTED_PROXIES = [
-      "127.0.0.1",      # localhost IPv4
+      "127.0.0.0/8",    # localhost IPv4 range, per RFC-3330
       "::1",            # localhost IPv6
       "fc00::/7",       # private IPv6 range fc00::/7
       "10.0.0.0/8",     # private IPv4 range 10.x.x.x
@@ -143,10 +143,11 @@ module ActionDispatch
         #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
         #   - Client-Ip is propagated from the outermost proxy, or is blank
         #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips, remote_addr].flatten.compact
+        ips = [forwarded_ips, client_ips].flatten.compact
 
-        # If every single IP option is in the trusted list, just return REMOTE_ADDR
-        filter_proxies(ips).first || remote_addr
+        # If every single IP option is in the trusted list, return the IP
+        # that's furthest away
+        filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr
       end
 
       # Memoizes the value returned by #calculate_ip and returns it for

data/lib/action_dispatch/middleware/request_id.rb

@@ -15,16 +15,15 @@ module ActionDispatch
   # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
   # from multiple pieces of the stack.
   class RequestId
-    X_REQUEST_ID = "X-Request-Id" #:nodoc:
-
-    def initialize(app)
+    def initialize(app, header:)
       @app = app
+      @header = header
     end
 
     def call(env)
       req = ActionDispatch::Request.new env
-      req.request_id = make_request_id(req.x_request_id)
-      @app.call(env).tap { |_status, headers, _body| headers[X_REQUEST_ID] = req.request_id }
+      req.request_id = make_request_id(req.headers[@header])
+      @app.call(env).tap { |_status, headers, _body| headers[@header] = req.request_id }
     end
 
     private

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -82,7 +82,7 @@ module ActionDispatch
       include SessionObject
 
       private
-        def set_cookie(request, session_id, cookie)
+        def set_cookie(request, response, cookie)
           request.cookie_jar[key] = cookie
         end
     end
@@ -97,7 +97,7 @@ module ActionDispatch
       end
 
       private
-        def set_cookie(request, session_id, cookie)
+        def set_cookie(request, response, cookie)
           request.cookie_jar[key] = cookie
         end
     end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -10,8 +10,8 @@ module ActionDispatch
     # dramatically faster than the alternatives.
     #
     # Sessions typically contain at most a user_id and flash message; both fit
-    # within the 4K cookie size limit. A CookieOverflow exception is raised if
-    # you attempt to store more than 4K of data.
+    # within the 4096 bytes cookie size limit. A CookieOverflow exception is raised if
+    # you attempt to store more than 4096 bytes of data.
     #
     # The cookie jar used for storage is automatically configured to be the
     # best possible option given your application's configuration.

data/lib/action_dispatch/middleware/ssl.rb

@@ -13,7 +13,7 @@ module ActionDispatch
   #
   #    Requests can opt-out of redirection with +exclude+:
   #
-  #      config.ssl_options = { redirect: { exclude: -> request { request.path =~ /healthcheck/ } } }
+  #      config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
   #
   #    Cookies will not be flagged as secure for excluded requests.
   #
@@ -29,7 +29,7 @@ module ActionDispatch
   #
   #    * +expires+: How long, in seconds, these settings will stick. The minimum
   #      required to qualify for browser preload lists is 1 year. Defaults to
-  #      1 year (recommended).
+  #      2 years (recommended).
   #
   #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
   #      to all subdomains. This protects your cookies from interception by a
@@ -49,14 +49,14 @@ module ActionDispatch
   class SSL
     # :stopdoc:
 
-    # Default to 1 year, the minimum for browser preload lists.
-    HSTS_EXPIRES_IN = 31536000
+    # Default to 2 years as recommended on hstspreload.org.
+    HSTS_EXPIRES_IN = 63072000
 
     def self.default_hsts_options
       { expires: HSTS_EXPIRES_IN, subdomains: true, preload: false }
     end
 
-    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true)
+    def initialize(app, redirect: {}, hsts: {}, secure_cookies: true, ssl_default_redirect_status: nil)
       @app = app
 
       @redirect = redirect
@@ -65,6 +65,7 @@ module ActionDispatch
       @secure_cookies = secure_cookies
 
       @hsts_header = build_hsts_header(normalize_hsts_options(hsts))
+      @ssl_default_redirect_status = ssl_default_redirect_status
     end
 
     def call(env)
@@ -126,12 +127,14 @@ module ActionDispatch
         [ @redirect.fetch(:status, redirection_status(request)),
           { "Content-Type" => "text/html",
             "Location" => https_location_for(request) },
-          @redirect.fetch(:body, []) ]
+          (@redirect[:body] || []) ]
       end
 
       def redirection_status(request)
         if request.get? || request.head?
           301 # Issue a permanent redirect via a GET request.
+        elsif @ssl_default_redirect_status
+          @ssl_default_redirect_status
         else
           307 # Issue a fresh request redirect to preserve the HTTP method.
         end

data/lib/action_dispatch/middleware/stack.rb

@@ -122,6 +122,24 @@ module ActionDispatch
       middlewares.delete_if { |m| m.klass == target }
     end
 
+    def move(target, source)
+      source_index = assert_index(source, :before)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :before)
+      middlewares.insert(target_index, source_middleware)
+    end
+
+    alias_method :move_before, :move
+
+    def move_after(target, source)
+      source_index = assert_index(source, :after)
+      source_middleware = middlewares.delete_at(source_index)
+
+      target_index = assert_index(target, :after)
+      middlewares.insert(target_index + 1, source_middleware)
+    end
+
     def use(klass, *args, &block)
       middlewares.push(build_middleware(klass, args, block))
     end

data/lib/action_dispatch/middleware/static.rb

@@ -4,126 +4,187 @@ require "rack/utils"
 require "active_support/core_ext/uri"
 
 module ActionDispatch
-  # This middleware returns a file's contents from disk in the body response.
-  # When initialized, it can accept optional HTTP headers, which will be set
-  # when a response containing a file's contents is delivered.
+  # This middleware serves static files from disk, if available.
+  # If no file is found, it hands off to the main app.
   #
-  # This middleware will render the file specified in <tt>env["PATH_INFO"]</tt>
-  # where the base path is in the +root+ directory. For example, if the +root+
-  # is set to +public/+, then a request with <tt>env["PATH_INFO"]</tt> of
-  # +assets/application.js+ will return a response with the contents of a file
-  # located at +public/assets/application.js+ if the file exists. If the file
-  # does not exist, a 404 "File not Found" response will be returned.
-  class FileHandler
-    def initialize(root, index: "index", headers: {})
-      @root          = root.chomp("/").b
-      @file_server   = ::Rack::File.new(@root, headers)
-      @index         = index
+  # In Rails apps, this middleware is configured to serve assets from
+  # the +public/+ directory.
+  #
+  # Only GET and HEAD requests are served. POST and other HTTP methods
+  # are handed off to the main app.
+  #
+  # Only files in the root directory are served; path traversal is denied.
+  class Static
+    def initialize(app, path, index: "index", headers: {})
+      @app = app
+      @file_handler = FileHandler.new(path, index: index, headers: headers)
     end
 
-    # Takes a path to a file. If the file is found, has valid encoding, and has
-    # correct read permissions, the return value is a URI-escaped string
-    # representing the filename. Otherwise, false is returned.
-    #
-    # Used by the +Static+ class to check the existence of a valid file
-    # in the server's +public/+ directory (see Static#call).
-    def match?(path)
-      path = ::Rack::Utils.unescape_path path
-      return false unless ::Rack::Utils.valid_path? path
-      path = ::Rack::Utils.clean_path_info path
-
-      paths = [path, "#{path}#{ext}", "#{path}/#{@index}#{ext}"]
-
-      if match = paths.detect { |p|
-        path = File.join(@root, p.b)
-        begin
-          File.file?(path) && File.readable?(path)
-        rescue SystemCallError
-          false
-        end
-      }
-        ::Rack::Utils.escape_path(match).b
-      end
+    def call(env)
+      @file_handler.attempt(env) || @app.call(env)
+    end
+  end
+
+  # This endpoint serves static files from disk using Rack::File.
+  #
+  # URL paths are matched with static files according to expected
+  # conventions: +path+, +path+.html, +path+/index.html.
+  #
+  # Precompressed versions of these files are checked first. Brotli (.br)
+  # and gzip (.gz) files are supported. If +path+.br exists, this
+  # endpoint returns that file with a +Content-Encoding: br+ header.
+  #
+  # If no matching file is found, this endpoint responds 404 Not Found.
+  #
+  # Pass the +root+ directory to search for matching files, an optional
+  # +index: "index"+ to change the default +path+/index.html, and optional
+  # additional response headers.
+  class FileHandler
+    # Accept-Encoding value -> file extension
+    PRECOMPRESSED = {
+      "br" => ".br",
+      "gzip" => ".gz",
+      "identity" => nil
+    }
+
+    def initialize(root, index: "index", headers: {}, precompressed: %i[ br gzip ], compressible_content_types: /\A(?:text\/|application\/javascript)/)
+      @root = root.chomp("/").b
+      @index = index
+
+      @precompressed = Array(precompressed).map(&:to_s) | %w[ identity ]
+      @compressible_content_types = compressible_content_types
+
+      @file_server = ::Rack::File.new(@root, headers)
     end
 
     def call(env)
-      serve(Rack::Request.new(env))
+      attempt(env) || @file_server.call(env)
     end
 
-    def serve(request)
-      path      = request.path_info
-      gzip_path = gzip_file_path(path)
+    def attempt(env)
+      request = Rack::Request.new env
 
-      if gzip_path && gzip_encoding_accepted?(request)
-        request.path_info           = gzip_path
-        status, headers, body       = @file_server.call(request.env)
-        if status == 304
-          return [status, headers, body]
+      if request.get? || request.head?
+        if found = find_file(request.path_info, accept_encoding: request.accept_encoding)
+          serve request, *found
         end
-        headers["Content-Encoding"] = "gzip"
-        headers["Content-Type"]     = content_type(path)
-      else
-        status, headers, body = @file_server.call(request.env)
       end
-
-      headers["Vary"] = "Accept-Encoding" if gzip_path
-
-      [status, headers, body]
-    ensure
-      request.path_info = path
     end
 
     private
-      def ext
-        ::ActionController::Base.default_static_extension
+      def serve(request, filepath, content_headers)
+        original, request.path_info =
+          request.path_info, ::Rack::Utils.escape_path(filepath).b
+
+        @file_server.call(request.env).tap do |status, headers, body|
+          # Omit Content-Encoding/Type/etc headers for 304 Not Modified
+          if status != 304
+            headers.update(content_headers)
+          end
+        end
+      ensure
+        request.path_info = original
       end
 
-      def content_type(path)
-        ::Rack::Mime.mime_type(::File.extname(path), "text/plain")
+      # Match a URI path to a static file to be served.
+      #
+      # Used by the +Static+ class to negotiate a servable file in the
+      # +public/+ directory (see Static#call).
+      #
+      # Checks for +path+, +path+.html, and +path+/index.html files,
+      # in that order, including .br and .gzip compressed extensions.
+      #
+      # If a matching file is found, the path and necessary response headers
+      # (Content-Type, Content-Encoding) are returned.
+      def find_file(path_info, accept_encoding:)
+        each_candidate_filepath(path_info) do |filepath, content_type|
+          if response = try_files(filepath, content_type, accept_encoding: accept_encoding)
+            return response
+          end
+        end
       end
 
-      def gzip_encoding_accepted?(request)
-        request.accept_encoding.any? { |enc, quality| enc =~ /\bgzip\b/i }
+      def try_files(filepath, content_type, accept_encoding:)
+        headers = { "Content-Type" => content_type }
+
+        if compressible? content_type
+          try_precompressed_files filepath, headers, accept_encoding: accept_encoding
+        elsif file_readable? filepath
+          [ filepath, headers ]
+        end
       end
 
-      def gzip_file_path(path)
-        can_gzip_mime = content_type(path) =~ /\A(?:text\/|application\/javascript)/
-        gzip_path     = "#{path}.gz"
-        if can_gzip_mime && File.exist?(File.join(@root, ::Rack::Utils.unescape_path(gzip_path)))
-          gzip_path
-        else
-          false
+      def try_precompressed_files(filepath, headers, accept_encoding:)
+        each_precompressed_filepath(filepath) do |content_encoding, precompressed_filepath|
+          if file_readable? precompressed_filepath
+            # Identity encoding is default, so we skip Accept-Encoding
+            # negotiation and needn't set Content-Encoding.
+            #
+            # Vary header is expected when we've found other available
+            # encodings that Accept-Encoding ruled out.
+            if content_encoding == "identity"
+              return precompressed_filepath, headers
+            else
+              headers["Vary"] = "Accept-Encoding"
+
+              if accept_encoding.any? { |enc, _| /\b#{content_encoding}\b/i.match?(enc) }
+                headers["Content-Encoding"] = content_encoding
+                return precompressed_filepath, headers
+              end
+            end
+          end
         end
       end
-  end
 
-  # This middleware will attempt to return the contents of a file's body from
-  # disk in the response. If a file is not found on disk, the request will be
-  # delegated to the application stack. This middleware is commonly initialized
-  # to serve assets from a server's +public/+ directory.
-  #
-  # This middleware verifies the path to ensure that only files
-  # living in the root directory can be rendered. A request cannot
-  # produce a directory traversal using this middleware. Only 'GET' and 'HEAD'
-  # requests will result in a file being returned.
-  class Static
-    def initialize(app, path, index: "index", headers: {})
-      @app = app
-      @file_handler = FileHandler.new(path, index: index, headers: headers)
-    end
+      def file_readable?(path)
+        file_stat = File.stat(File.join(@root, path.b))
+      rescue SystemCallError
+        false
+      else
+        file_stat.file? && file_stat.readable?
+      end
 
-    def call(env)
-      req = Rack::Request.new env
+      def compressible?(content_type)
+        @compressible_content_types.match?(content_type)
+      end
 
-      if req.get? || req.head?
-        path = req.path_info.chomp("/")
-        if match = @file_handler.match?(path)
-          req.path_info = match
-          return @file_handler.serve(req)
+      def each_precompressed_filepath(filepath)
+        @precompressed.each do |content_encoding|
+          precompressed_ext = PRECOMPRESSED.fetch(content_encoding)
+          yield content_encoding, "#{filepath}#{precompressed_ext}"
         end
+
+        nil
       end
 
-      @app.call(req.env)
-    end
+      def each_candidate_filepath(path_info)
+        return unless path = clean_path(path_info)
+
+        ext = ::File.extname(path)
+        content_type = ::Rack::Mime.mime_type(ext, nil)
+        yield path, content_type || "text/plain"
+
+        # Tack on .html and /index.html only for paths that don't have
+        # an explicit, resolvable file extension. No need to check
+        # for foo.js.html and foo.js/index.html.
+        unless content_type
+          default_ext = ::ActionController::Base.default_static_extension
+          if ext != default_ext
+            default_content_type = ::Rack::Mime.mime_type(default_ext, "text/plain")
+
+            yield "#{path}#{default_ext}", default_content_type
+            yield "#{path}/#{@index}#{default_ext}", default_content_type
+          end
+        end
+
+        nil
+      end
+
+      def clean_path(path_info)
+        path = ::Rack::Utils.unescape_path path_info.chomp("/")
+        if ::Rack::Utils.valid_path? path
+          ::Rack::Utils.clean_path_info path
+        end
+      end
   end
 end