actionpack 6.0.5.1 → 6.1.0

data/lib/action_dispatch/http/permissions_policy.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/deep_dup"
+
+module ActionDispatch #:nodoc:
+  class PermissionsPolicy
+    class Middleware
+      CONTENT_TYPE = "Content-Type"
+      # The Feature-Policy header has been renamed to Permissions-Policy.
+      # The Permissions-Policy requires a different implementation and isn't
+      # yet supported by all browsers. To avoid having to rename this
+      # middleware in the future we use the new name for the middleware but
+      # keep the old header name and implementation for now.
+      POLICY       = "Feature-Policy"
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+        _, headers, _ = response = @app.call(env)
+
+        return response unless html_response?(headers)
+        return response if policy_present?(headers)
+
+        if policy = request.permissions_policy
+          headers[POLICY] = policy.build(request.controller_instance)
+        end
+
+        if policy_empty?(policy)
+          headers.delete(POLICY)
+        end
+
+        response
+      end
+
+      private
+        def html_response?(headers)
+          if content_type = headers[CONTENT_TYPE]
+            /html/.match?(content_type)
+          end
+        end
+
+        def policy_present?(headers)
+          headers[POLICY]
+        end
+
+        def policy_empty?(policy)
+          policy&.directives&.empty?
+        end
+    end
+
+    module Request
+      POLICY = "action_dispatch.permissions_policy"
+
+      def permissions_policy
+        get_header(POLICY)
+      end
+
+      def permissions_policy=(policy)
+        set_header(POLICY, policy)
+      end
+    end
+
+    MAPPINGS = {
+      self: "'self'",
+      none: "'none'",
+    }.freeze
+
+    # List of available permissions can be found at
+    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    DIRECTIVES = {
+      accelerometer:        "accelerometer",
+      ambient_light_sensor: "ambient-light-sensor",
+      autoplay:             "autoplay",
+      camera:               "camera",
+      encrypted_media:      "encrypted-media",
+      fullscreen:           "fullscreen",
+      geolocation:          "geolocation",
+      gyroscope:            "gyroscope",
+      magnetometer:         "magnetometer",
+      microphone:           "microphone",
+      midi:                 "midi",
+      payment:              "payment",
+      picture_in_picture:   "picture-in-picture",
+      speaker:              "speaker",
+      usb:                  "usb",
+      vibrate:              "vibrate",
+      vr:                   "vr",
+    }.freeze
+
+    private_constant :MAPPINGS, :DIRECTIVES
+
+    attr_reader :directives
+
+    def initialize
+      @directives = {}
+      yield self if block_given?
+    end
+
+    def initialize_copy(other)
+      @directives = other.directives.deep_dup
+    end
+
+    DIRECTIVES.each do |name, directive|
+      define_method(name) do |*sources|
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
+    def build(context = nil)
+      build_directives(context).compact.join("; ")
+    end
+
+    private
+      def apply_mappings(sources)
+        sources.map do |source|
+          case source
+          when Symbol
+            apply_mapping(source)
+          when String, Proc
+            source
+          else
+            raise ArgumentError, "Invalid HTTP permissions policy source: #{source.inspect}"
+          end
+        end
+      end
+
+      def apply_mapping(source)
+        MAPPINGS.fetch(source) do
+          raise ArgumentError, "Unknown HTTP permissions policy source mapping: #{source.inspect}"
+        end
+      end
+
+      def build_directives(context)
+        @directives.map do |directive, sources|
+          if sources.is_a?(Array)
+            "#{directive} #{build_directive(sources, context).join(' ')}"
+          elsif sources
+            directive
+          else
+            nil
+          end
+        end
+      end
+
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
+      end
+
+      def resolve_source(source, context)
+        case source
+        when String
+          source
+        when Symbol
+          source.to_s
+        when Proc
+          if context.nil?
+            raise RuntimeError, "Missing context for the dynamic permissions policy source: #{source.inspect}"
+          else
+            context.instance_exec(&source)
+          end
+        else
+          raise RuntimeError, "Unexpected permissions policy source: #{source.inspect}"
+        end
+      end
+  end
+end

data/lib/action_dispatch/http/request.rb

@@ -23,6 +23,7 @@ module ActionDispatch
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
     include ActionDispatch::ContentSecurityPolicy::Request
+    include ActionDispatch::PermissionsPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"
@@ -44,11 +45,14 @@ module ActionDispatch
         SERVER_ADDR
         ].freeze
 
+    # TODO: Remove SERVER_ADDR when we remove support to Rack 2.1.
+    # See https://github.com/rack/rack/commit/c173b188d81ee437b588c1e046a1c9f031dea550
     ENV_METHODS.each do |env|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
-        def #{env.sub(/^HTTP_/n, '').downcase}  # def accept_charset
-          get_header "#{env}".freeze            #   get_header "HTTP_ACCEPT_CHARSET".freeze
-        end                                     # end
+        # frozen_string_literal: true
+        def #{env.delete_prefix("HTTP_").downcase}  # def accept_charset
+          get_header "#{env}"                       #   get_header "HTTP_ACCEPT_CHARSET"
+        end                                         # end
       METHOD
     end
 
@@ -72,7 +76,7 @@ module ActionDispatch
     PASS_NOT_FOUND = Class.new { # :nodoc:
       def self.action(_); self; end
       def self.call(_); [404, { "X-Cascade" => "pass" }, []]; end
-      def self.binary_params_for?(action); false; end
+      def self.action_encoding_template(action); false; end
     }
 
     def controller_class
@@ -84,7 +88,7 @@ module ActionDispatch
     def controller_class_for(name)
       if name
         controller_param = name.underscore
-        const_name = "#{controller_param.camelize}Controller"
+        const_name = controller_param.camelize << "Controller"
         begin
           ActiveSupport::Dependencies.constantize(const_name)
         rescue NameError => error
@@ -274,7 +278,7 @@ module ActionDispatch
     # (case-insensitive), which may need to be manually added depending on the
     # choice of JavaScript libraries and frameworks.
     def xml_http_request?
-      get_header("HTTP_X_REQUESTED_WITH") =~ /XMLHttpRequest/i
+      /XMLHttpRequest/i.match?(get_header("HTTP_X_REQUESTED_WITH"))
     end
     alias :xhr? :xml_http_request?
 
@@ -290,6 +294,7 @@ module ActionDispatch
     end
 
     def remote_ip=(remote_ip)
+      @remote_ip = nil
       set_header "action_dispatch.remote_ip", remote_ip
     end
 
@@ -331,7 +336,7 @@ module ActionDispatch
     # variable is already set, wrap it in a StringIO.
     def body
       if raw_post = get_header("RAW_POST_DATA")
-        raw_post = raw_post.dup.force_encoding(Encoding::BINARY)
+        raw_post = (+raw_post).force_encoding(Encoding::BINARY)
         StringIO.new(raw_post)
       else
         body_stream
@@ -376,6 +381,9 @@ module ActionDispatch
     def GET
       fetch_header("action_dispatch.request.query_parameters") do |k|
         rack_query_params = super || {}
+        controller = path_parameters[:controller]
+        action = path_parameters[:action]
+        rack_query_params = Request::Utils.set_binary_encoding(self, rack_query_params, controller, action)
         # Check for non UTF-8 parameter values, which would cause errors later
         Request::Utils.check_param_encoding(rack_query_params)
         set_header k, Request::Utils.normalize_encode_params(rack_query_params)
@@ -391,6 +399,8 @@ module ActionDispatch
         pr = parse_formatted_parameters(params_parsers) do |params|
           super || {}
         end
+        pr = Request::Utils.set_binary_encoding(self, pr, path_parameters[:controller], path_parameters[:action])
+        Request::Utils.check_param_encoding(pr)
         self.request_parameters = Request::Utils.normalize_encode_params(pr)
       end
     rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
@@ -409,7 +419,7 @@ module ActionDispatch
 
     # True if the request came from localhost, 127.0.0.1, or ::1.
     def local?
-      LOCALHOST =~ remote_addr && LOCALHOST =~ remote_ip
+      LOCALHOST.match?(remote_addr) && LOCALHOST.match?(remote_ip)
     end
 
     def request_parameters=(params)
@@ -428,6 +438,10 @@ module ActionDispatch
       super || scheme == "wss"
     end
 
+    def inspect # :nodoc:
+      "#<#{self.class.name} #{method} #{original_url.dump} for #{remote_ip}>"
+    end
+
     private
       def check_method(name)
         HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS[0...-1].join(', ')}, and #{HTTP_METHODS[-1]}")
@@ -435,3 +449,5 @@ module ActionDispatch
       end
   end
 end
+
+ActiveSupport.run_load_hooks :action_dispatch_request, ActionDispatch::Request

data/lib/action_dispatch/http/response.rb

@@ -81,11 +81,22 @@ module ActionDispatch # :nodoc:
     CONTENT_TYPE = "Content-Type"
     SET_COOKIE   = "Set-Cookie"
     LOCATION     = "Location"
-    NO_CONTENT_CODES = [100, 101, 102, 204, 205, 304]
+    NO_CONTENT_CODES = [100, 101, 102, 103, 204, 205, 304]
 
     cattr_accessor :default_charset, default: "utf-8"
     cattr_accessor :default_headers
-    cattr_accessor :return_only_media_type_on_content_type, default: false
+
+    def self.return_only_media_type_on_content_type=(*)
+      ActiveSupport::Deprecation.warn(
+        ".return_only_media_type_on_content_type= is dreprecated with no replacement and will be removed in 6.2."
+      )
+    end
+
+    def self.return_only_media_type_on_content_type
+      ActiveSupport::Deprecation.warn(
+        ".return_only_media_type_on_content_type is dreprecated with no replacement and will be removed in 6.2."
+      )
+    end
 
     include Rack::Response::Helpers
     # Aliasing these off because AD::Http::Cache::Response defines them.
@@ -243,17 +254,7 @@ module ActionDispatch # :nodoc:
 
     # Content type of response.
     def content_type
-      if self.class.return_only_media_type_on_content_type
-        ActiveSupport::Deprecation.warn(
-          "Rails 6.1 will return Content-Type header without modification." \
-          " If you want just the MIME type, please use `#media_type` instead."
-        )
-
-        content_type = super
-        content_type ? content_type.split(/;\s*charset=/)[0].presence : content_type
-      else
-        super.presence
-      end
+      super.presence
     end
 
     # Media type of response.
@@ -442,8 +443,8 @@ module ActionDispatch # :nodoc:
     end
 
     def set_content_type(content_type, charset)
-      type = (content_type || "").dup
-      type << "; charset=#{charset.to_s.downcase}" if charset
+      type = content_type || ""
+      type = "#{type}; charset=#{charset.to_s.downcase}" if charset
       set_header CONTENT_TYPE, type
     end
 
@@ -503,7 +504,7 @@ module ActionDispatch # :nodoc:
       end
 
       def respond_to?(method, include_private = false)
-        if method.to_s == "to_path"
+        if method.to_sym == :to_path
           @response.stream.respond_to?(method)
         else
           super

data/lib/action_dispatch/http/url.rb

@@ -9,6 +9,7 @@ module ActionDispatch
       HOST_REGEXP     = /(^[^:]+:\/\/)?(\[[^\]]+\]|[^:]+)(?::(\d+$))?/
       PROTOCOL_REGEXP = /^([^:]+)(:)?(\/\/)?$/
 
+      mattr_accessor :secure_protocol, default: false
       mattr_accessor :tld_length, default: 1
 
       class << self
@@ -133,13 +134,13 @@ module ActionDispatch
           end
 
           def named_host?(host)
-            IP_HOST_REGEXP !~ host
+            !IP_HOST_REGEXP.match?(host)
           end
 
           def normalize_protocol(protocol)
             case protocol
             when nil
-              "http://"
+              secure_protocol ? "https://" : "http://"
             when false, "//"
               "//"
             when PROTOCOL_REGEXP

data/lib/action_dispatch/journey/formatter.rb

@@ -15,12 +15,53 @@ module ActionDispatch
         @cache  = nil
       end
 
-      def generate(name, options, path_parameters, parameterize = nil)
+      class RouteWithParams
+        attr_reader :params
+
+        def initialize(route, parameterized_parts, params)
+          @route = route
+          @parameterized_parts = parameterized_parts
+          @params = params
+        end
+
+        def path(_)
+          @route.format(@parameterized_parts)
+        end
+      end
+
+      class MissingRoute
+        attr_reader :routes, :name, :constraints, :missing_keys, :unmatched_keys
+
+        def initialize(constraints, missing_keys, unmatched_keys, routes, name)
+          @constraints = constraints
+          @missing_keys = missing_keys
+          @unmatched_keys = unmatched_keys
+          @routes = routes
+          @name = name
+        end
+
+        def path(method_name)
+          raise ActionController::UrlGenerationError.new(message, routes, name, method_name)
+        end
+
+        def params
+          path("unknown")
+        end
+
+        def message
+          message = +"No route matches #{Hash[constraints.sort_by { |k, v| k.to_s }].inspect}"
+          message << ", missing required keys: #{missing_keys.sort.inspect}" if missing_keys && !missing_keys.empty?
+          message << ", possible unmatched constraints: #{unmatched_keys.sort.inspect}" if unmatched_keys && !unmatched_keys.empty?
+          message
+        end
+      end
+
+      def generate(name, options, path_parameters)
         constraints = path_parameters.merge(options)
         missing_keys = nil
 
         match_route(name, constraints) do |route|
-          parameterized_parts = extract_parameterized_parts(route, options, path_parameters, parameterize)
+          parameterized_parts = extract_parameterized_parts(route, options, path_parameters)
 
           # Skip this route unless a name has been provided or it is a
           # standard Rails route since we can't determine whether an options
@@ -44,17 +85,13 @@ module ActionDispatch
             parameterized_parts.delete(key)
           end
 
-          return [route.format(parameterized_parts), params]
+          return RouteWithParams.new(route, parameterized_parts, params)
         end
 
         unmatched_keys = (missing_keys || []) & constraints.keys
         missing_keys = (missing_keys || []) - unmatched_keys
 
-        message = +"No route matches #{Hash[constraints.sort_by { |k, v| k.to_s }].inspect}"
-        message << ", missing required keys: #{missing_keys.sort.inspect}" if missing_keys && !missing_keys.empty?
-        message << ", possible unmatched constraints: #{unmatched_keys.sort.inspect}" if unmatched_keys && !unmatched_keys.empty?
-
-        raise ActionController::UrlGenerationError, message
+        MissingRoute.new(constraints, missing_keys, unmatched_keys, routes, name)
       end
 
       def clear
@@ -62,7 +99,7 @@ module ActionDispatch
       end
 
       private
-        def extract_parameterized_parts(route, options, recall, parameterize = nil)
+        def extract_parameterized_parts(route, options, recall)
           parameterized_parts = recall.merge(options)
 
           keys_to_keep = route.parts.reverse_each.drop_while { |part|
@@ -73,9 +110,11 @@ module ActionDispatch
             !keys_to_keep.include?(bad_key)
           end
 
-          if parameterize
-            parameterized_parts.each do |k, v|
-              parameterized_parts[k] = parameterize.call(k, v)
+          parameterized_parts.each do |k, v|
+            if k == :controller
+              parameterized_parts[k] = v
+            else
+              parameterized_parts[k] = v.to_param
             end
           end
 
@@ -125,19 +164,10 @@ module ActionDispatch
           routes
         end
 
-        module RegexCaseComparator
-          DEFAULT_INPUT = /[-_.a-zA-Z0-9]+\/[-_.a-zA-Z0-9]+/
-          DEFAULT_REGEX = /\A#{DEFAULT_INPUT}\Z/
-
-          def self.===(regex)
-            DEFAULT_INPUT == regex
-          end
-        end
-
         # Returns an array populated with missing keys if any are present.
         def missing_keys(route, parts)
           missing_keys = nil
-          tests = route.path.requirements
+          tests = route.path.requirements_for_missing_keys_check
           route.required_parts.each { |key|
             case tests[key]
             when nil
@@ -145,13 +175,8 @@ module ActionDispatch
                 missing_keys ||= []
                 missing_keys << key
               end
-            when RegexCaseComparator
-              unless RegexCaseComparator::DEFAULT_REGEX === parts[key]
-                missing_keys ||= []
-                missing_keys << key
-              end
             else
-              unless /\A#{tests[key]}\Z/ === parts[key]
+              unless tests[key].match?(parts[key])
                 missing_keys ||= []
                 missing_keys << key
               end

data/lib/action_dispatch/journey/gtg/builder.rb

@@ -13,45 +13,44 @@ module ActionDispatch
         def initialize(root)
           @root      = root
           @ast       = Nodes::Cat.new root, DUMMY
-          @followpos = nil
+          @followpos = build_followpos
         end
 
         def transition_table
           dtrans   = TransitionTable.new
-          marked   = {}
-          state_id = Hash.new { |h, k| h[k] = h.length }
+          marked   = {}.compare_by_identity
+          state_id = Hash.new { |h, k| h[k] = h.length }.compare_by_identity
+          dstates  = [firstpos(root)]
 
-          start   = firstpos(root)
-          dstates = [start]
           until dstates.empty?
             s = dstates.shift
             next if marked[s]
             marked[s] = true # mark s
 
             s.group_by { |state| symbol(state) }.each do |sym, ps|
-              u = ps.flat_map { |l| followpos(l) }
+              u = ps.flat_map { |l| @followpos[l] }
               next if u.empty?
 
-              if u.uniq == [DUMMY]
-                from = state_id[s]
-                to   = state_id[Object.new]
-                dtrans[from, to] = sym
+              from = state_id[s]
 
+              if u.all? { |pos| pos == DUMMY }
+                to = state_id[Object.new]
+                dtrans[from, to] = sym
                 dtrans.add_accepting(to)
+
                 ps.each { |state| dtrans.add_memo(to, state.memo) }
               else
-                dtrans[state_id[s], state_id[u]] = sym
+                to = state_id[u]
+                dtrans[from, to] = sym
 
                 if u.include?(DUMMY)
-                  to = state_id[u]
-
-                  accepting = ps.find_all { |l| followpos(l).include?(DUMMY) }
-
-                  accepting.each { |accepting_state|
-                    dtrans.add_memo(to, accepting_state.memo)
-                  }
+                  ps.each do |state|
+                    if @followpos[state].include?(DUMMY)
+                      dtrans.add_memo(to, state.memo)
+                    end
+                  end
 
-                  dtrans.add_accepting(state_id[u])
+                  dtrans.add_accepting(to)
                 end
               end
 
@@ -92,7 +91,7 @@ module ActionDispatch
               firstpos(node.left)
             end
           when Nodes::Or
-            node.children.flat_map { |c| firstpos(c) }.uniq
+            node.children.flat_map { |c| firstpos(c) }.tap(&:uniq!)
           when Nodes::Unary
             firstpos(node.left)
           when Nodes::Terminal
@@ -107,7 +106,7 @@ module ActionDispatch
           when Nodes::Star
             firstpos(node.left)
           when Nodes::Or
-            node.children.flat_map { |c| lastpos(c) }.uniq
+            node.children.flat_map { |c| lastpos(c) }.tap(&:uniq!)
           when Nodes::Cat
             if nullable?(node.right)
               lastpos(node.left) | lastpos(node.right)
@@ -123,17 +122,9 @@ module ActionDispatch
           end
         end
 
-        def followpos(node)
-          followpos_table[node]
-        end
-
         private
-          def followpos_table
-            @followpos ||= build_followpos
-          end
-
           def build_followpos
-            table = Hash.new { |h, k| h[k] = [] }
+            table = Hash.new { |h, k| h[k] = [] }.compare_by_identity
             @ast.each do |n|
               case n
               when Nodes::Cat
@@ -150,12 +141,7 @@ module ActionDispatch
           end
 
           def symbol(edge)
-            case edge
-            when Journey::Nodes::Symbol
-              edge.regexp
-            else
-              edge.left
-            end
+            edge.symbol? ? edge.regexp : edge.left
           end
       end
     end

data/lib/action_dispatch/journey/gtg/simulator.rb

@@ -14,6 +14,8 @@ module ActionDispatch
       end
 
       class Simulator # :nodoc:
+        INITIAL_STATE = [0].freeze
+
         attr_reader :tt
 
         def initialize(transition_table)
@@ -22,18 +24,17 @@ module ActionDispatch
 
         def memos(string)
           input = StringScanner.new(string)
-          state = [0]
+          state = INITIAL_STATE
+
           while sym = input.scan(%r([/.?]|[^/.?]+))
             state = tt.move(state, sym)
           end
 
-          acceptance_states = state.find_all { |s|
-            tt.accepting? s
-          }
-
-          return yield if acceptance_states.empty?
+          acceptance_states = state.each_with_object([]) do |s, memos|
+            memos.concat(tt.memo(s)) if tt.accepting?(s)
+          end
 
-          acceptance_states.flat_map { |x| tt.memo(x) }.compact
+          acceptance_states.empty? ? yield : acceptance_states
         end
       end
     end

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -45,16 +45,18 @@ module ActionDispatch
           return [] if t.empty?
 
           regexps = []
+          strings = []
 
-          t.map { |s|
+          t.each { |s|
             if states = @regexp_states[s]
-              regexps.concat states.map { |re, v| re === a ? v : nil }
+              states.each { |re, v| regexps << v if re.match?(a) && !v.nil? }
             end
 
             if states = @string_states[s]
-              states[a]
+              strings << states[a] unless states[a].nil?
             end
-          }.compact.concat regexps
+          }
+          strings.concat regexps
         end
 
         def as_json(options = nil)