actionpack 6.0.6.1 → 6.1.7.6

data/lib/action_controller/metal/strong_parameters.rb

@@ -19,12 +19,36 @@ module ActionController
   #   params.require(:a)
   #   # => ActionController::ParameterMissing: param is missing or the value is empty: a
   class ParameterMissing < KeyError
-    attr_reader :param # :nodoc:
+    attr_reader :param, :keys # :nodoc:
 
-    def initialize(param) # :nodoc:
+    def initialize(param, keys = nil) # :nodoc:
       @param = param
+      @keys  = keys
       super("param is missing or the value is empty: #{param}")
     end
+
+    class Correction
+      def initialize(error)
+        @error = error
+      end
+
+      def corrections
+        if @error.param && @error.keys
+          maybe_these = @error.keys
+
+          maybe_these.sort_by { |n|
+            DidYouMean::Jaro.distance(@error.param.to_s, n)
+          }.reverse.first(4)
+        else
+          []
+        end
+      end
+    end
+
+    # We may not have DYM, and DYM might not let us register error handlers
+    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
+      DidYouMean.correct_error(self, Correction)
+    end
   end
 
   # Raised when a supplied parameter is not expected and
@@ -180,6 +204,14 @@ module ActionController
     #
     # Returns true if the given key is present in the parameters.
 
+    ##
+    # :method: member?
+    #
+    # :call-seq:
+    #   member?(key)
+    #
+    # Returns true if the given key is present in the parameters.
+
     ##
     # :method: keys
     #
@@ -211,7 +243,7 @@ module ActionController
     #   values()
     #
     # Returns a new array of the values of the parameters.
-    delegate :keys, :key?, :has_key?, :values, :has_value?, :value?, :empty?, :include?,
+    delegate :keys, :key?, :has_key?, :member?, :values, :has_value?, :value?, :empty?, :include?,
       :as_json, :to_s, :each_key, to: :@parameters
 
     # By default, never raise an UnpermittedParameters exception if these
@@ -220,9 +252,15 @@ module ActionController
     # to change these is to specify `always_permitted_parameters` in your
     # config. For instance:
     #
-    #    config.always_permitted_parameters = %w( controller action format )
+    #    config.action_controller.always_permitted_parameters = %w( controller action format )
     cattr_accessor :always_permitted_parameters, default: %w( controller action )
 
+    class << self
+      def nested_attribute?(key, value) # :nodoc:
+        /\A-?\d+\z/.match?(key) && (value.is_a?(Hash) || value.is_a?(Parameters))
+      end
+    end
+
     # Returns a new instance of <tt>ActionController::Parameters</tt>.
     # Also, sets the +permitted+ attribute to the default value of
     # <tt>ActionController::Parameters.permit_all_parameters</tt>.
@@ -253,6 +291,11 @@ module ActionController
         @parameters == other
       end
     end
+    alias eql? ==
+
+    def hash
+      [@parameters.hash, @permitted].hash
+    end
 
     # Returns a safe <tt>ActiveSupport::HashWithIndifferentAccess</tt>
     # representation of the parameters with all unpermitted keys removed.
@@ -341,6 +384,7 @@ module ActionController
     # Convert all hashes in values into parameters, then yield each pair in
     # the same way as <tt>Hash#each_pair</tt>.
     def each_pair(&block)
+      return to_enum(__callee__) unless block_given?
       @parameters.each_pair do |key, value|
         yield [key, convert_hashes_to_parameters(key, value)]
       end
@@ -352,6 +396,7 @@ module ActionController
     # Convert all hashes in values into parameters, then yield each value in
     # the same way as <tt>Hash#each_value</tt>.
     def each_value(&block)
+      return to_enum(:each_value) unless block_given?
       @parameters.each_pair do |key, value|
         yield convert_hashes_to_parameters(key, value)
       end
@@ -459,7 +504,7 @@ module ActionController
       if value.present? || value == false
         value
       else
-        raise ParameterMissing.new(key)
+        raise ParameterMissing.new(key, @parameters.keys)
       end
     end
 
@@ -596,7 +641,7 @@ module ActionController
           if block_given?
             yield
           else
-            args.fetch(0) { raise ActionController::ParameterMissing.new(key) }
+            args.fetch(0) { raise ActionController::ParameterMissing.new(key, @parameters.keys) }
           end
         }
       )
@@ -691,6 +736,23 @@ module ActionController
       self
     end
 
+    # Returns a new <tt>ActionController::Parameters</tt> instance with the
+    # results of running +block+ once for every key. This includes the keys
+    # from the root hash and from all nested hashes and arrays. The values are unchanged.
+    def deep_transform_keys(&block)
+      new_instance_with_inherited_permitted_status(
+        @parameters.deep_transform_keys(&block)
+      )
+    end
+
+    # Returns the <tt>ActionController::Parameters</tt> instance changing its keys.
+    # This includes the keys from the root hash and from all nested hashes and arrays.
+    # The values are unchanged.
+    def deep_transform_keys!(&block)
+      @parameters.deep_transform_keys!(&block)
+      self
+    end
+
     # Deletes a key-value pair from +Parameters+ and returns the value. If
     # +key+ is not found, returns +nil+ (or, with optional code block, yields
     # +key+ and returns the result). Cf. +#extract!+, which returns the
@@ -725,6 +787,28 @@ module ActionController
     end
     alias_method :delete_if, :reject!
 
+    # Returns a new instance of <tt>ActionController::Parameters</tt> with +nil+ values removed.
+    def compact
+      new_instance_with_inherited_permitted_status(@parameters.compact)
+    end
+
+    # Removes all +nil+ values in place and returns +self+, or +nil+ if no changes were made.
+    def compact!
+      self if @parameters.compact!
+    end
+
+    # Returns a new instance of <tt>ActionController::Parameters</tt> without the blank values.
+    # Uses Object#blank? for determining if a value is blank.
+    def compact_blank
+      reject { |_k, v| v.blank? }
+    end
+
+    # Removes all blank values in place and returns self.
+    # Uses Object#blank? for determining if a value is blank.
+    def compact_blank!
+      reject! { |_k, v| v.blank? }
+    end
+
     # Returns values that were assigned to the given +keys+. Note that all the
     # +Hash+ objects will be converted to <tt>ActionController::Parameters</tt>.
     def values_at(*keys)
@@ -771,7 +855,7 @@ module ActionController
     end
 
     def inspect
-      "<#{self.class} #{@parameters} permitted: #{@permitted}>"
+      "#<#{self.class} #{@parameters} permitted: #{@permitted}>"
     end
 
     def self.hook_into_yaml_loading # :nodoc:
@@ -813,8 +897,14 @@ module ActionController
 
       attr_writer :permitted
 
-      def fields_for_style?
-        @parameters.all? { |k, v| k =~ /\A-?\d+\z/ && (v.is_a?(Hash) || v.is_a?(Parameters)) }
+      def nested_attributes?
+        @parameters.any? { |k, v| Parameters.nested_attribute?(k, v) }
+      end
+
+      def each_nested_attribute
+        hash = self.class.new
+        self.each { |k, v| hash[k] = yield v if Parameters.nested_attribute?(k, v) }
+        hash
       end
 
     private
@@ -850,7 +940,7 @@ module ActionController
         when Array
           return value if converted_arrays.member?(value)
           converted = value.map { |_| convert_value_to_parameters(_) }
-          converted_arrays << converted
+          converted_arrays << converted.dup
           converted
         when Hash
           self.class.new(value)
@@ -859,15 +949,13 @@ module ActionController
         end
       end
 
-      def each_element(object)
+      def each_element(object, &block)
         case object
         when Array
           object.grep(Parameters).map { |el| yield el }.compact
         when Parameters
-          if object.fields_for_style?
-            hash = object.class.new
-            object.each { |k, v| hash[k] = yield v }
-            hash
+          if object.nested_attributes?
+            object.each_nested_attribute(&block)
           else
             yield object
           end
@@ -895,7 +983,7 @@ module ActionController
       # --- Filtering ----------------------------------------------------------
       #
 
-      # This is a white list of permitted scalar types that includes the ones
+      # This is a list of permitted scalar types that includes the ones
       # supported in XML and JSON requests.
       #
       # This list is in particular used to filter ordinary requests, String goes

data/lib/action_controller/metal.rb

@@ -126,7 +126,7 @@ module ActionController
     # ==== Returns
     # * <tt>string</tt>
     def self.controller_name
-      @controller_name ||= name.demodulize.sub(/Controller$/, "").underscore
+      @controller_name ||= (name.demodulize.delete_suffix("Controller").underscore unless anonymous?)
     end
 
     def self.make_response!(request)
@@ -135,7 +135,7 @@ module ActionController
       end
     end
 
-    def self.binary_params_for?(action) # :nodoc:
+    def self.action_encoding_template(action) # :nodoc:
       false
     end
 

data/lib/action_controller/renderer.rb

@@ -65,7 +65,7 @@ module ActionController
     def initialize(controller, env, defaults)
       @controller = controller
       @defaults = defaults
-      @env = normalize_keys defaults.merge(env)
+      @env = normalize_keys defaults, env
     end
 
     # Render templates with any options from ActionController::Base#render_to_string.
@@ -82,8 +82,12 @@ module ActionController
     #   need to call <tt>.to_json</tt> on the object you want to render.
     # * <tt>:body</tt> - Renders provided text and sets content type of <tt>text/plain</tt>.
     #
-    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, the default is
-    # to render a partial and use the second parameter as the locals hash.
+    # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
+    #
+    # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
+    # passing in the current view context.
+    #
+    # Otherwise, a partial is rendered using the second parameter as the locals hash.
     def render(*args)
       raise "missing controller" unless controller
 
@@ -98,9 +102,15 @@ module ActionController
     alias_method :render_to_string, :render # :nodoc:
 
     private
-      def normalize_keys(env)
+      def normalize_keys(defaults, env)
         new_env = {}
         env.each_pair { |k, v| new_env[rack_key_for(k)] = rack_value_for(k, v) }
+
+        defaults.each_pair do |k, v|
+          key = rack_key_for(k)
+          new_env[key] = rack_value_for(k, v) unless new_env.key?(key)
+        end
+
         new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
         new_env
       end
@@ -113,19 +123,19 @@ module ActionController
         input:       "rack.input"
       }
 
-      IDENTITY = ->(_) { _ }
-
-      RACK_VALUE_TRANSLATION = {
-        https: ->(v) { v ? "on" : "off" },
-        method: ->(v) { -v.upcase },
-      }
-
       def rack_key_for(key)
-        RACK_KEY_TRANSLATION.fetch(key, key.to_s)
+        RACK_KEY_TRANSLATION[key] || key.to_s
       end
 
       def rack_value_for(key, value)
-        RACK_VALUE_TRANSLATION.fetch(key, IDENTITY).call value
+        case key
+        when :https
+          value ? "on" : "off"
+        when :method
+          -value.upcase
+        else
+          value
+        end
       end
   end
 end

data/lib/action_controller/test_case.rb

@@ -24,6 +24,9 @@ module ActionController
     def new_controller_thread # :nodoc:
       yield
     end
+
+    # Avoid a deadlock from the queue filling up
+    Buffer.queue_size = nil
   end
 
   # ActionController::TestCase will be deprecated and moved to a gem in the future.
@@ -84,7 +87,7 @@ module ActionController
             value = value.to_param
           end
 
-          path_parameters[key] = value
+          path_parameters[key.to_sym] = value
         end
       end
 
@@ -492,57 +495,8 @@ module ActionController
           parameters[:format] = format
         end
 
-        generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
-        generated_path = generated_path(generated_extras)
-        query_string_keys = query_parameter_names(generated_extras)
-
-        @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
-
-        @request.session.update(session) if session
-        @request.flash.update(flash || {})
-
-        if xhr
-          @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
-          @request.fetch_header("HTTP_ACCEPT") do |k|
-            @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
-          end
-        end
-
-        @request.fetch_header("SCRIPT_NAME") do |k|
-          @request.set_header k, @controller.config.relative_url_root
-        end
-
-        begin
-          @controller.recycle!
-          @controller.dispatch(action, @request, @response)
-        ensure
-          @request = @controller.request
-          @response = @controller.response
-
-          if @request.have_cookie_jar?
-            unless @request.cookie_jar.committed?
-              @request.cookie_jar.write(@response)
-              cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
-            end
-          end
-          @response.prepare!
-
-          if flash_value = @request.flash.to_session_value
-            @request.session["flash"] = flash_value
-          else
-            @request.session.delete("flash")
-          end
-
-          if xhr
-            @request.delete_header "HTTP_X_REQUESTED_WITH"
-            @request.delete_header "HTTP_ACCEPT"
-          end
-          @request.query_string = ""
-
-          @response.sent!
-        end
-
-        @response
+        setup_request(controller_class_name, action, parameters, session, flash, xhr)
+        process_controller_response(action, cookies, xhr)
       end
 
       def controller_class_name
@@ -598,11 +552,66 @@ module ActionController
       end
 
       private
+        def setup_request(controller_class_name, action, parameters, session, flash, xhr)
+          generated_extras = @routes.generate_extras(parameters.merge(controller: controller_class_name, action: action))
+          generated_path = generated_path(generated_extras)
+          query_string_keys = query_parameter_names(generated_extras)
+
+          @request.assign_parameters(@routes, controller_class_name, action, parameters, generated_path, query_string_keys)
+
+          @request.session.update(session) if session
+          @request.flash.update(flash || {})
+
+          if xhr
+            @request.set_header "HTTP_X_REQUESTED_WITH", "XMLHttpRequest"
+            @request.fetch_header("HTTP_ACCEPT") do |k|
+              @request.set_header k, [Mime[:js], Mime[:html], Mime[:xml], "text/xml", "*/*"].join(", ")
+            end
+          end
+
+          @request.fetch_header("SCRIPT_NAME") do |k|
+            @request.set_header k, @controller.config.relative_url_root
+          end
+        end
+
+        def process_controller_response(action, cookies, xhr)
+          begin
+            @controller.recycle!
+            @controller.dispatch(action, @request, @response)
+          ensure
+            @request = @controller.request
+            @response = @controller.response
+
+            if @request.have_cookie_jar?
+              unless @request.cookie_jar.committed?
+                @request.cookie_jar.write(@response)
+                cookies.update(@request.cookie_jar.instance_variable_get(:@cookies))
+              end
+            end
+            @response.prepare!
+
+            if flash_value = @request.flash.to_session_value
+              @request.session["flash"] = flash_value
+            else
+              @request.session.delete("flash")
+            end
+
+            if xhr
+              @request.delete_header "HTTP_X_REQUESTED_WITH"
+              @request.delete_header "HTTP_ACCEPT"
+            end
+            @request.query_string = ""
+
+            @response.sent!
+          end
+
+          @response
+        end
+
         def scrub_env!(env)
-          env.delete_if { |k, v| k =~ /^(action_dispatch|rack)\.request/ }
-          env.delete_if { |k, v| k =~ /^action_dispatch\.rescue/ }
-          env.delete "action_dispatch.request.query_parameters"
-          env.delete "action_dispatch.request.request_parameters"
+          env.delete_if do |k, _|
+            k.start_with?("rack.request", "action_dispatch.request", "action_dispatch.rescue")
+          end
           env["rack.input"] = StringIO.new
           env.delete "CONTENT_LENGTH"
           env.delete "RAW_POST_DATA"

data/lib/action_controller.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/rails"
 require "abstract_controller"
 require "action_dispatch"
 require "action_controller/metal/strong_parameters"
@@ -11,7 +10,6 @@ module ActionController
   autoload :API
   autoload :Base
   autoload :Metal
-  autoload :Middleware
   autoload :Renderer
   autoload :FormBuilder
 
@@ -31,14 +29,15 @@ module ActionController
     autoload :DefaultHeaders
     autoload :EtagWithTemplateDigest
     autoload :EtagWithFlash
+    autoload :PermissionsPolicy
     autoload :Flash
-    autoload :ForceSSL
     autoload :Head
     autoload :Helpers
     autoload :HttpAuthentication
     autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
+    autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
     autoload :Redirecting

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)
@@ -114,7 +114,7 @@ module ActionDispatch
 
         # True if an ETag is set and it's a weak validator (preceded with W/)
         def weak_etag?
-          etag? && etag.starts_with?('W/"')
+          etag? && etag.start_with?('W/"')
         end
 
         # True if an ETag is set and it isn't a weak validator (not preceded with W/)
@@ -125,7 +125,7 @@ module ActionDispatch
       private
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
-        SPECIAL_KEYS  = Set.new(%w[extras no-cache max-age public private must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -150,8 +150,8 @@ module ActionDispatch
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive
-              key = directive.tr("-", "_")
-              cache_control[key.to_sym] = argument || true
+              directive.tr!("-", "_")
+              cache_control[directive.to_sym] = argument || true
             else
               cache_control[:extras] ||= []
               cache_control[:extras] << segment
@@ -166,6 +166,7 @@ module ActionDispatch
         end
 
         DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
+        NO_STORE              = "no-store"
         NO_CACHE              = "no-cache"
         PUBLIC                = "public"
         PRIVATE               = "private"
@@ -182,42 +183,42 @@ module ActionDispatch
         end
 
         def merge_and_normalize_cache_control!(cache_control)
-          control = {}
-          cc_headers = cache_control_headers
-          if extras = cc_headers.delete(:extras)
+          control = cache_control_headers
+
+          return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
+
+          if extras = control.delete(:extras)
             cache_control[:extras] ||= []
             cache_control[:extras] += extras
             cache_control[:extras].uniq!
           end
 
-          control.merge! cc_headers
           control.merge! cache_control
 
-          if control.empty?
-            # Let middleware handle default behavior
+          options = []
+
+          if control[:no_store]
+            options << PRIVATE if control[:private]
+            options << NO_STORE
           elsif control[:no_cache]
-            options = []
             options << PUBLIC if control[:public]
             options << NO_CACHE
             options.concat(control[:extras]) if control[:extras]
-
-            self._cache_control = options.join(", ")
           else
             extras = control[:extras]
             max_age = control[:max_age]
             stale_while_revalidate = control[:stale_while_revalidate]
             stale_if_error = control[:stale_if_error]
 
-            options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
-
-            self._cache_control = options.join(", ")
           end
+
+          self._cache_control = options.join(", ")
         end
       end
     end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/object/deep_dup"
+require "active_support/core_ext/array/wrap"
 
 module ActionDispatch #:nodoc:
   class ContentSecurityPolicy
@@ -130,7 +131,11 @@ module ActionDispatch #:nodoc:
       object_src:      "object-src",
       prefetch_src:    "prefetch-src",
       script_src:      "script-src",
+      script_src_attr: "script-src-attr",
+      script_src_elem: "script-src-elem",
       style_src:       "style-src",
+      style_src_attr:  "style-src-attr",
+      style_src_elem:  "style-src-elem",
       worker_src:      "worker-src"
     }.freeze
 
@@ -261,7 +266,7 @@ module ActionDispatch #:nodoc:
             raise RuntimeError, "Missing context for the dynamic content security policy source: #{source.inspect}"
           else
             resolved = context.instance_exec(&source)
-            resolved.is_a?(Symbol) ? apply_mapping(resolved) : resolved
+            apply_mappings(Array.wrap(resolved))
           end
         else
           raise RuntimeError, "Unexpected content security policy source: #{source.inspect}"

data/lib/action_dispatch/http/filter_parameters.rb

@@ -23,7 +23,7 @@ module ActionDispatch
     #   change { file: { code: "xxxx"} }
     #
     #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k =~ /secret/i
+    #     v.reverse! if k.match?(/secret/i)
     #   end
     #   => reverses the value to all keys matching /secret/i
     module FilterParameters

data/lib/action_dispatch/http/filter_redirect.rb

@@ -27,7 +27,7 @@ module ActionDispatch
           if String === filter
             location.include?(filter)
           elsif Regexp === filter
-            location =~ filter
+            location.match?(filter)
           end
         end
       end

data/lib/action_dispatch/http/headers.rb

@@ -121,8 +121,9 @@ module ActionDispatch
         def env_name(key)
           key = key.to_s
           if HTTP_HEADER.match?(key)
-            key = key.upcase.tr("-", "_")
-            key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+            key = key.upcase
+            key.tr!("-", "_")
+            key.prepend("HTTP_") unless CGI_VARIABLES.include?(key)
           end
           key
         end