actionpack 6.1.3.2 → 7.0.0.alpha2

data/lib/action_controller/metal/flash.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module Flash
     extend ActiveSupport::Concern
 
@@ -41,10 +41,14 @@ module ActionController #:nodoc:
           self._flash_types += [type]
         end
       end
+
+      def action_methods # :nodoc:
+        @action_methods ||= super - _flash_types.map(&:to_s).to_set
+      end
     end
 
     private
-      def redirect_to(options = {}, response_options_and_flash = {}) #:doc:
+      def redirect_to(options = {}, response_options_and_flash = {}) # :doc:
         self.class._flash_types.each do |flash_type|
           if type = response_options_and_flash.delete(flash_type)
             flash[flash_type] = type

data/lib/action_controller/metal/http_authentication.rb

@@ -4,9 +4,9 @@ require "base64"
 require "active_support/security_utils"
 
 module ActionController
-  # Makes it dead easy to do HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest and Token authentication.
   module HttpAuthentication
-    # Makes it dead easy to do HTTP \Basic authentication.
+    # HTTP \Basic authentication.
     #
     # === Simple \Basic example
     #
@@ -24,8 +24,8 @@ module ActionController
     #
     # === Advanced \Basic example
     #
-    # Here is a more advanced \Basic example where only Atom feeds and the XML API is protected by HTTP authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced \Basic example where only Atom feeds and the XML API are protected by HTTP authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate
@@ -134,15 +134,15 @@ module ActionController
       end
     end
 
-    # Makes it dead easy to do HTTP \Digest authentication.
+    # HTTP \Digest authentication.
     #
     # === Simple \Digest example
     #
-    #   require "digest/md5"
+    #   require "openssl"
     #   class PostsController < ApplicationController
     #     REALM = "SuperSecret"
     #     USERS = {"dhh" => "secret", #plain text password
-    #              "dap" => Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
+    #              "dap" => OpenSSL::Digest::MD5.hexdigest(["dap",REALM,"secret"].join(":"))}  #ha1 digest password
     #
     #     before_action :authenticate, except: [:index]
     #
@@ -230,12 +230,12 @@ module ActionController
       # of a plain-text password.
       def expected_response(http_method, uri, credentials, password, password_is_ha1 = true)
         ha1 = password_is_ha1 ? password : ha1(credentials, password)
-        ha2 = ::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
-        ::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
+        ha2 = OpenSSL::Digest::MD5.hexdigest([http_method.to_s.upcase, uri].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([ha1, credentials[:nonce], credentials[:nc], credentials[:cnonce], credentials[:qop], ha2].join(":"))
       end
 
       def ha1(credentials, password)
-        ::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
+        OpenSSL::Digest::MD5.hexdigest([credentials[:username], credentials[:realm], password].join(":"))
       end
 
       def encode_credentials(http_method, credentials, password, password_is_ha1)
@@ -309,7 +309,7 @@ module ActionController
       def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
-        digest = ::Digest::MD5.hexdigest(hashed.join(":"))
+        digest = OpenSSL::Digest::MD5.hexdigest(hashed.join(":"))
         ::Base64.strict_encode64("#{t}:#{digest}")
       end
 
@@ -326,11 +326,11 @@ module ActionController
 
       # Opaque based on digest of secret key
       def opaque(secret_key)
-        ::Digest::MD5.hexdigest(secret_key)
+        OpenSSL::Digest::MD5.hexdigest(secret_key)
       end
     end
 
-    # Makes it dead easy to do HTTP Token authentication.
+    # HTTP Token authentication.
     #
     # Simple Token example:
     #
@@ -358,8 +358,8 @@ module ActionController
     #   end
     #
     #
-    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
-    # the regular HTML interface is protected by a session approach:
+    # Here is a more advanced Token example where only Atom feeds and the XML API are protected by HTTP token authentication.
+    # The regular HTML interface is protected by a session approach:
     #
     #   class ApplicationController < ActionController::Base
     #     before_action :set_account, :authenticate

data/lib/action_controller/metal/instrumentation.rb

@@ -16,30 +16,6 @@ module ActionController
 
     attr_internal :view_runtime
 
-    def process_action(*)
-      raw_payload = {
-        controller: self.class.name,
-        action: action_name,
-        request: request,
-        params: request.filtered_parameters,
-        headers: request.headers,
-        format: request.format.ref,
-        method: request.request_method,
-        path: request.fullpath
-      }
-
-      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
-
-      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        result = super
-        payload[:response] = response
-        payload[:status]   = response.status
-        result
-      ensure
-        append_info_to_payload(payload)
-      end
-    end
-
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
@@ -70,37 +46,64 @@ module ActionController
       end
     end
 
-  private
-    # A hook invoked every time a before callback is halted.
-    def halted_callback_hook(filter, _)
-      ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
-    end
+    private
+      def process_action(*)
+        raw_payload = {
+          controller: self.class.name,
+          action: action_name,
+          request: request,
+          params: request.filtered_parameters,
+          headers: request.headers,
+          format: request.format.ref,
+          method: request.request_method,
+          path: request.fullpath
+        }
 
-    # A hook which allows you to clean up any time, wrongly taken into account in
-    # views, like database querying time.
-    #
-    #   def cleanup_view_runtime
-    #     super - time_taken_in_something_expensive
-    #   end
-    def cleanup_view_runtime # :doc:
-      yield
-    end
+        ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
 
-    # Every time after an action is processed, this method is invoked
-    # with the payload, so you can add more information.
-    def append_info_to_payload(payload) # :doc:
-      payload[:view_runtime] = view_runtime
-    end
+        ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
+          result = super
+          payload[:response] = response
+          payload[:status]   = response.status
+          result
+        rescue => error
+          payload[:status] = ActionDispatch::ExceptionWrapper.status_code_for_exception(error.class.name)
+          raise
+        ensure
+          append_info_to_payload(payload)
+        end
+      end
 
-    module ClassMethods
-      # A hook which allows other frameworks to log what happened during
-      # controller process action. This method should return an array
-      # with the messages to be added.
-      def log_process_action(payload) #:nodoc:
-        messages, view_runtime = [], payload[:view_runtime]
-        messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
-        messages
+      # A hook invoked every time a before callback is halted.
+      def halted_callback_hook(filter, _)
+        ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
+      end
+
+      # A hook which allows you to clean up any time, wrongly taken into account in
+      # views, like database querying time.
+      #
+      #   def cleanup_view_runtime
+      #     super - time_taken_in_something_expensive
+      #   end
+      def cleanup_view_runtime # :doc:
+        yield
+      end
+
+      # Every time after an action is processed, this method is invoked
+      # with the payload, so you can add more information.
+      def append_info_to_payload(payload) # :doc:
+        payload[:view_runtime] = view_runtime
+      end
+
+      module ClassMethods
+        # A hook which allows other frameworks to log what happened during
+        # controller process action. This method should return an array
+        # with the messages to be added.
+        def log_process_action(payload) # :nodoc:
+          messages, view_runtime = [], payload[:view_runtime]
+          messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
+          messages
+        end
       end
-    end
   end
 end

data/lib/action_controller/metal/live.rb

@@ -124,9 +124,14 @@ module ActionController
     class ClientDisconnected < RuntimeError
     end
 
-    class Buffer < ActionDispatch::Response::Buffer #:nodoc:
+    class Buffer < ActionDispatch::Response::Buffer # :nodoc:
       include MonitorMixin
 
+      class << self
+        attr_accessor :queue_size
+      end
+      @queue_size = 10
+
       # Ignore that the client has disconnected.
       #
       # If this value is `true`, calling `write` after the client
@@ -136,7 +141,7 @@ module ActionController
       attr_accessor :ignore_disconnect
 
       def initialize(response)
-        super(response, SizedQueue.new(10))
+        super(response, build_queue(self.class.queue_size))
         @error_callback = lambda { true }
         @cv = new_cond
         @aborted = false
@@ -163,6 +168,11 @@ module ActionController
         end
       end
 
+      # Same as +write+ but automatically include a newline at the end of the string.
+      def writeln(string)
+        write string.end_with?("\n") ? string : "#{string}\n"
+      end
+
       # Write a 'close' event to the buffer; the producer/writing thread
       # uses this to notify us that it's finished supplying content.
       #
@@ -214,9 +224,13 @@ module ActionController
             yield str
           end
         end
+
+        def build_queue(queue_size)
+          queue_size ? SizedQueue.new(queue_size) : Queue.new
+        end
     end
 
-    class Response < ActionDispatch::Response #:nodoc: all
+    class Response < ActionDispatch::Response # :nodoc: all
       private
         def before_committed
           super
@@ -282,6 +296,41 @@ module ActionController
       response.close if response
     end
 
+    # Sends a stream to the browser, which is helpful when you're generating exports or other running data where you
+    # don't want the entire file buffered in memory first. Similar to send_data, but where the data is generated live.
+    #
+    # Options:
+    # * <tt>:filename</tt> - suggests a filename for the browser to use.
+    # * <tt>:type</tt> - specifies an HTTP content type.
+    #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+    #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+    #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+    # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+    #   Valid values are 'inline' and 'attachment' (default).
+    #
+    # Example of generating a csv export:
+    #
+    #    send_stream(filename: "subscribers.csv") do |stream|
+    #      stream.write "email_address,updated_at\n"
+    #
+    #      @subscribers.find_each do |subscriber|
+    #        stream.write "#{subscriber.email_address},#{subscriber.updated_at}\n"
+    #      end
+    #    end
+    def send_stream(filename:, disposition: "attachment", type: nil)
+      response.headers["Content-Type"] =
+        (type.is_a?(Symbol) ? Mime[type].to_s : type) ||
+        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete(".")) ||
+        "application/octet-stream"
+
+      response.headers["Content-Disposition"] =
+        ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: filename)
+
+      yield response.stream
+    ensure
+      response.stream.close
+    end
+
     private
       # Spawn a new thread to serve up the controller in. This is to get
       # around the fact that Rack isn't based around IOs and we need to use

data/lib/action_controller/metal/mime_responds.rb

@@ -2,7 +2,7 @@
 
 require "abstract_controller/collector"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module MimeResponds
     # Without web-service support, an action which collects the data for displaying a list of people
     # might look something like this:
@@ -103,7 +103,7 @@ module ActionController #:nodoc:
     # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
     # +config/initializers/mime_types.rb+ as follows.
     #
-    #   Mime::Type.register "image/jpg", :jpg
+    #   Mime::Type.register "image/jpeg", :jpg
     #
     # +respond_to+ also allows you to specify a common block for different formats by using +any+:
     #
@@ -289,7 +289,7 @@ module ActionController #:nodoc:
         @format = request.negotiate_mime(@responses.keys)
       end
 
-      class VariantCollector #:nodoc:
+      class VariantCollector # :nodoc:
         def initialize(variant = nil)
           @variant = variant
           @variants = {}

data/lib/action_controller/metal/params_wrapper.rb

@@ -242,14 +242,14 @@ module ActionController
       end
     end
 
-    # Performs parameters wrapping upon the request. Called automatically
-    # by the metal call stack.
-    def process_action(*)
-      _perform_parameter_wrapping if _wrapper_enabled?
-      super
-    end
-
     private
+      # Performs parameters wrapping upon the request. Called automatically
+      # by the metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
+
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name
@@ -281,7 +281,10 @@ module ActionController
         return false unless request.has_content_type?
 
         ref = request.content_mime_type.ref
+
         _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
       end
 
       def _perform_parameter_wrapping
@@ -295,8 +298,6 @@ module ActionController
 
         # This will display the wrapped hash in the log file.
         request.filtered_parameters.merge! wrapped_filtered_hash
-      rescue ActionDispatch::Http::Parameters::ParseError
-        # swallow parse error exception
       end
   end
 end

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # HTTP Permissions Policy is a web standard for defining a mechanism to
   # allow and deny the use of browser permissions in its own context, and
   # in content within any <iframe> elements in the document.

data/lib/action_controller/metal/query_tags.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActionController
+  module QueryTags # :nodoc:
+    extend ActiveSupport::Concern
+
+    included do
+      around_action :expose_controller_to_query_logs
+    end
+
+    private
+      def expose_controller_to_query_logs(&block)
+        ActiveRecord::QueryLogs.set_context(controller: self, &block)
+      end
+  end
+end

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,10 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -54,16 +58,28 @@ module ActionController
     #
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    #
     #   redirect_to post_url(@post) and return
+    #
+    # Passing user input directly into +redirect_to+ is considered dangerous (e.g. `redirect_to(params[:location])`).
+    # Always use regular expressions or a permitted list when redirecting to a user specified location.
     def redirect_to(options = {}, response_options = {})
+      response_options[:allow_other_host] ||= _allow_other_host unless response_options.key?(:allow_other_host)
+
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_redirect_to_location(request, options)
+      self.location      = _compute_safe_redirect_to_location(request, options, response_options)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
+    # Soft deprecated alias for <tt>redirect_back_or_to</tt> where the fallback_location location is supplied as a keyword argument instead
+    # of the first positional argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
     # Redirects the browser to the page that issued the request (the referrer)
     # if possible, otherwise redirects to the provided default fallback
     # location.
@@ -73,35 +89,49 @@ module ActionController
     # subject to browser security settings and user preferences. If the request
     # is missing this header, the <tt>fallback_location</tt> will be used.
     #
-    #   redirect_back fallback_location: { action: "show", id: 5 }
-    #   redirect_back fallback_location: @post
-    #   redirect_back fallback_location: "http://www.rubyonrails.org"
-    #   redirect_back fallback_location: "/images/screenshot.jpg"
-    #   redirect_back fallback_location: posts_url
-    #   redirect_back fallback_location: proc { edit_post_url(@post) }
-    #   redirect_back fallback_location: '/', allow_other_host: false
+    #   redirect_back_or_to({ action: "show", id: 5 })
+    #   redirect_back_or_to @post
+    #   redirect_back_or_to "http://www.rubyonrails.org"
+    #   redirect_back_or_to "/images/screenshot.jpg"
+    #   redirect_back_or_to posts_url
+    #   redirect_back_or_to proc { edit_post_url(@post) }
+    #   redirect_back_or_to '/', allow_other_host: false
     #
     # ==== Options
-    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
     # options and the behavior is identical.
-    def redirect_back(fallback_location:, allow_other_host: true, **args)
-      referer = request.headers["Referer"]
-      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
-      redirect_to redirect_to_referer ? referer : fallback_location, **args
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      location = request.referer || fallback_location
+      location = fallback_location unless allow_other_host || _url_host_allowed?(request.referer)
+      allow_other_host = true if _allow_other_host && !allow_other_host # if the fallback is an open redirect
+
+      redirect_to location, allow_other_host: allow_other_host, **options
     end
 
-    def _compute_redirect_to_location(request, options) #:nodoc:
+    def _compute_safe_redirect_to_location(request, options, response_options)
+      location = _compute_redirect_to_location(request, options)
+
+      if response_options[:allow_other_host] || _url_host_allowed?(location)
+        location
+      else
+        raise(ArgumentError, <<~MSG.squish)
+          Unsafe redirect #{location.truncate(100).inspect},
+          use :allow_other_host to redirect anyway.
+        MSG
+      end
+    end
+
+    def _compute_redirect_to_location(request, options) # :nodoc:
       case options
       # The scheme name consist of a letter followed by any combination of
       # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
       # characters; and is terminated by a colon (":").
       # See https://tools.ietf.org/html/rfc3986#section-3.1
       # The protocol relative scheme starts with a double slash "//".
-      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
-        options
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
       when String
         request.protocol + request.host_with_port + options
       when Proc
@@ -114,6 +144,10 @@ module ActionController
     public :_compute_redirect_to_location
 
     private
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
       def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))