actionpack 6.1.3.2 → 7.0.0.alpha2

data/lib/action_controller/test_case.rb

@@ -24,11 +24,14 @@ module ActionController
     def new_controller_thread # :nodoc:
       yield
     end
+
+    # Avoid a deadlock from the queue filling up
+    Buffer.queue_size = nil
   end
 
   # ActionController::TestCase will be deprecated and moved to a gem in the future.
   # Please use ActionDispatch::IntegrationTest going forward.
-  class TestRequest < ActionDispatch::TestRequest #:nodoc:
+  class TestRequest < ActionDispatch::TestRequest # :nodoc:
     DEFAULT_ENV = ActionDispatch::TestRequest::DEFAULT_ENV.dup
     DEFAULT_ENV.delete "PATH_INFO"
 
@@ -176,7 +179,7 @@ module ActionController
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash # :nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
     def initialize(session = {})
@@ -211,6 +214,10 @@ module ActionController
       @data.fetch(key.to_s, *args, &block)
     end
 
+    def enabled?
+      true
+    end
+
     private
       def load!
         @id

data/lib/action_controller.rb

@@ -18,10 +18,6 @@ module ActionController
   end
 
   autoload_under "metal" do
-    eager_autoload do
-      autoload :Live
-    end
-
     autoload :ConditionalGet
     autoload :ContentSecurityPolicy
     autoload :Cookies
@@ -37,9 +33,11 @@ module ActionController
     autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
+    autoload :Live
     autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
+    autoload :QueryTags
     autoload :Redirecting
     autoload :Renderers
     autoload :Rendering
@@ -65,5 +63,4 @@ require "active_support/core_ext/module/attribute_accessors"
 require "active_support/core_ext/load_error"
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/name_error"
-require "active_support/core_ext/uri"
 require "active_support/inflector"

data/lib/action_dispatch/http/cache.rb

@@ -187,39 +187,45 @@ module ActionDispatch
 
           return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
 
-          if extras = control.delete(:extras)
-            cache_control[:extras] ||= []
-            cache_control[:extras] += extras
-            cache_control[:extras].uniq!
+          if cache_control.any?
+            # Any caching directive coming from a controller overrides
+            # no-cache/no-store in the default Cache-Control header.
+            control.delete(:no_cache)
+            control.delete(:no_store)
+
+            if extras = control.delete(:extras)
+              cache_control[:extras] ||= []
+              cache_control[:extras] += extras
+              cache_control[:extras].uniq!
+            end
+
+            control.merge! cache_control
           end
 
-          control.merge! cache_control
+          options = []
 
           if control[:no_store]
-            self._cache_control = NO_STORE
+            options << PRIVATE if control[:private]
+            options << NO_STORE
           elsif control[:no_cache]
-            options = []
             options << PUBLIC if control[:public]
             options << NO_CACHE
             options.concat(control[:extras]) if control[:extras]
-
-            self._cache_control = options.join(", ")
           else
             extras = control[:extras]
             max_age = control[:max_age]
             stale_while_revalidate = control[:stale_while_revalidate]
             stale_if_error = control[:stale_if_error]
 
-            options = []
             options << "max-age=#{max_age.to_i}" if max_age
             options << (control[:public] ? PUBLIC : PRIVATE)
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
             options.concat(extras) if extras
-
-            self._cache_control = options.join(", ")
           end
+
+          self._cache_control = options.join(", ")
         end
       end
     end

data/lib/action_dispatch/http/content_security_policy.rb

@@ -2,7 +2,7 @@
 
 require "active_support/core_ext/object/deep_dup"
 
-module ActionDispatch #:nodoc:
+module ActionDispatch # :nodoc:
   class ContentSecurityPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"
@@ -106,43 +106,47 @@ module ActionDispatch #:nodoc:
     end
 
     MAPPINGS = {
-      self:           "'self'",
-      unsafe_eval:    "'unsafe-eval'",
-      unsafe_inline:  "'unsafe-inline'",
-      none:           "'none'",
-      http:           "http:",
-      https:          "https:",
-      data:           "data:",
-      mediastream:    "mediastream:",
-      blob:           "blob:",
-      filesystem:     "filesystem:",
-      report_sample:  "'report-sample'",
-      strict_dynamic: "'strict-dynamic'",
-      ws:             "ws:",
-      wss:            "wss:"
+      self:             "'self'",
+      unsafe_eval:      "'unsafe-eval'",
+      unsafe_inline:    "'unsafe-inline'",
+      none:             "'none'",
+      http:             "http:",
+      https:            "https:",
+      data:             "data:",
+      mediastream:      "mediastream:",
+      allow_duplicates: "'allow-duplicates'",
+      blob:             "blob:",
+      filesystem:       "filesystem:",
+      report_sample:    "'report-sample'",
+      script:           "'script'",
+      strict_dynamic:   "'strict-dynamic'",
+      ws:               "ws:",
+      wss:              "wss:"
     }.freeze
 
     DIRECTIVES = {
-      base_uri:        "base-uri",
-      child_src:       "child-src",
-      connect_src:     "connect-src",
-      default_src:     "default-src",
-      font_src:        "font-src",
-      form_action:     "form-action",
-      frame_ancestors: "frame-ancestors",
-      frame_src:       "frame-src",
-      img_src:         "img-src",
-      manifest_src:    "manifest-src",
-      media_src:       "media-src",
-      object_src:      "object-src",
-      prefetch_src:    "prefetch-src",
-      script_src:      "script-src",
-      script_src_attr: "script-src-attr",
-      script_src_elem: "script-src-elem",
-      style_src:       "style-src",
-      style_src_attr:  "style-src-attr",
-      style_src_elem:  "style-src-elem",
-      worker_src:      "worker-src"
+      base_uri:                   "base-uri",
+      child_src:                  "child-src",
+      connect_src:                "connect-src",
+      default_src:                "default-src",
+      font_src:                   "font-src",
+      form_action:                "form-action",
+      frame_ancestors:            "frame-ancestors",
+      frame_src:                  "frame-src",
+      img_src:                    "img-src",
+      manifest_src:               "manifest-src",
+      media_src:                  "media-src",
+      object_src:                 "object-src",
+      prefetch_src:               "prefetch-src",
+      require_trusted_types_for:  "require-trusted-types-for",
+      script_src:                 "script-src",
+      script_src_attr:            "script-src-attr",
+      script_src_elem:            "script-src-elem",
+      style_src:                  "style-src",
+      style_src_attr:             "style-src-attr",
+      style_src_elem:             "style-src-elem",
+      trusted_types:              "trusted-types",
+      worker_src:                 "worker-src"
     }.freeze
 
     DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze

data/lib/action_dispatch/http/filter_parameters.rb

@@ -18,6 +18,11 @@ module ActionDispatch
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
+    #   env["action_dispatch.parameter_filter"] = [ /\Apin\z/i, /\Apin_/i ]
+    #   => replaces the value for the exact (case-insensitive) key 'pin' and all
+    #   (case-insensitive) keys beginning with 'pin_', with "[FILTERED]"
+    #   Does not match keys with 'pin' as a substring, such as 'shipping_id'.
+    #
     #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
     #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
     #   change { file: { code: "xxxx"} }

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -16,12 +16,13 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
+        cattr_accessor :return_only_media_type_on_content_type, default: false
       end
 
       # The MIME type of the HTTP request, such as Mime[:xml].
       def content_mime_type
         fetch_header("action_dispatch.request.content_type") do |k|
-          v = if get_header("CONTENT_TYPE") =~ /^([^,\;]*)/
+          v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
             Mime::Type.lookup($1.strip.downcase)
           else
             nil
@@ -33,7 +34,16 @@ module ActionDispatch
       end
 
       def content_type
-        content_mime_type && content_mime_type.to_s
+        if self.class.return_only_media_type_on_content_type
+          ActiveSupport::Deprecation.warn(
+            "Rails 7.1 will return Content-Type header without modification." \
+            " If you want just the MIME type, please use `#media_type` instead."
+          )
+
+          content_mime_type&.to_s
+        else
+          super
+        end
       end
 
       def has_content_type? # :nodoc:
@@ -92,7 +102,7 @@ module ActionDispatch
       def variant=(variant)
         variant = Array(variant)
 
-        if variant.all? { |v| v.is_a?(Symbol) }
+        if variant.all?(Symbol)
           @variant = ActiveSupport::ArrayInquirer.new(variant)
         else
           raise ArgumentError, "request.variant must be set to a Symbol or an Array of Symbols."

data/lib/action_dispatch/http/mime_type.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require "singleton"
-require "active_support/core_ext/symbol/starts_ends_with"
 
 module Mime
   class Mimes
@@ -14,8 +13,8 @@ module Mime
       @symbols = []
     end
 
-    def each
-      @mimes.each { |x| yield x }
+    def each(&block)
+      @mimes.each(&block)
     end
 
     def <<(type)
@@ -43,9 +42,9 @@ module Mime
       Type.lookup_by_extension(type)
     end
 
-    def fetch(type)
+    def fetch(type, &block)
       return type if type.is_a?(Type)
-      EXTENSION_LOOKUP.fetch(type.to_s) { |k| yield k }
+      EXTENSION_LOOKUP.fetch(type.to_s, &block)
     end
   end
 
@@ -68,7 +67,7 @@ module Mime
     @register_callbacks = []
 
     # A simple helper class used in parsing the accept header.
-    class AcceptItem #:nodoc:
+    class AcceptItem # :nodoc:
       attr_accessor :index, :name, :q
       alias :to_s :name
 
@@ -86,7 +85,7 @@ module Mime
       end
     end
 
-    class AcceptList #:nodoc:
+    class AcceptList # :nodoc:
       def self.sort!(list)
         list.sort!
 
@@ -226,10 +225,9 @@ module Mime
     attr_reader :hash
 
     MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_KEY = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}#{Regexp.escape('"')}?"
-    MIME_PARAMETER = "\s*\;\s*#{MIME_PARAMETER_KEY}(?:\=#{MIME_PARAMETER_VALUE})?"
-    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
+    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?#{MIME_NAME}#{Regexp.escape('"')}?"
+    MIME_PARAMETER = "\s*;\s*#{MIME_NAME}(?:=#{MIME_PARAMETER_VALUE})?"
+    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>#{MIME_PARAMETER})*\s*)\z/
 
     class InvalidMimeType < StandardError; end
 

data/lib/action_dispatch/http/parameters.rb

@@ -17,8 +17,8 @@ module ActionDispatch
       # Raised when raw data from the request cannot be parsed by the parser
       # defined for request's content MIME type.
       class ParseError < StandardError
-        def initialize
-          super($!.message)
+        def initialize(message = $!.message)
+          super(message)
         end
       end
 
@@ -62,7 +62,7 @@ module ActionDispatch
       end
       alias :params :parameters
 
-      def path_parameters=(parameters) #:nodoc:
+      def path_parameters=(parameters) # :nodoc:
         delete_header("action_dispatch.request.parameters")
 
         parameters = Request::Utils.set_binary_encoding(self, parameters, parameters[:controller], parameters[:action])
@@ -93,7 +93,7 @@ module ActionDispatch
             strategy.call(raw_post)
           rescue # JSON or Ruby code block errors.
             log_parse_error_once
-            raise ParseError
+            raise ParseError, "Error occurred while parsing request parameters"
           end
         end
 

data/lib/action_dispatch/http/permissions_policy.rb

@@ -2,7 +2,7 @@
 
 require "active_support/core_ext/object/deep_dup"
 
-module ActionDispatch #:nodoc:
+module ActionDispatch # :nodoc:
   class PermissionsPolicy
     class Middleware
       CONTENT_TYPE = "Content-Type"

data/lib/action_dispatch/http/request.rb

@@ -42,11 +42,8 @@ module ActionDispatch
         HTTP_NEGOTIATE HTTP_PRAGMA HTTP_CLIENT_IP
         HTTP_X_FORWARDED_FOR HTTP_ORIGIN HTTP_VERSION
         HTTP_X_CSRF_TOKEN HTTP_X_REQUEST_ID HTTP_X_FORWARDED_HOST
-        SERVER_ADDR
         ].freeze
 
-    # TODO: Remove SERVER_ADDR when we remove support to Rack 2.1.
-    # See https://github.com/rack/rack/commit/c173b188d81ee437b588c1e046a1c9f031dea550
     ENV_METHODS.each do |env|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         # frozen_string_literal: true
@@ -90,7 +87,7 @@ module ActionDispatch
         controller_param = name.underscore
         const_name = controller_param.camelize << "Controller"
         begin
-          ActiveSupport::Dependencies.constantize(const_name)
+          const_name.constantize
         rescue NameError => error
           if error.missing_name == const_name || const_name.start_with?("#{error.missing_name}::")
             raise MissingController.new(error.message, error.name)
@@ -165,7 +162,7 @@ module ActionDispatch
       set_header(routes.env_key, name.dup)
     end
 
-    def request_method=(request_method) #:nodoc:
+    def request_method=(request_method) # :nodoc:
       if check_method(request_method)
         @request_method = set_header("REQUEST_METHOD", request_method)
       end
@@ -266,7 +263,7 @@ module ActionDispatch
     #    # get "/articles"
     #    request.media_type # => "application/x-www-form-urlencoded"
     def media_type
-      content_mime_type.to_s
+      content_mime_type&.to_s
     end
 
     # Returns the content length of the request as an integer.
@@ -355,21 +352,15 @@ module ActionDispatch
       FORM_DATA_MEDIA_TYPES.include?(media_type)
     end
 
-    def body_stream #:nodoc:
+    def body_stream # :nodoc:
       get_header("rack.input")
     end
 
-    # TODO This should be broken apart into AD::Request::Session and probably
-    # be included by the session middleware.
     def reset_session
-      if session && session.respond_to?(:destroy)
-        session.destroy
-      else
-        self.session = {}
-      end
+      session.destroy
     end
 
-    def session=(session) #:nodoc:
+    def session=(session) # :nodoc:
       Session.set self, session
     end
 
@@ -434,10 +425,6 @@ module ActionDispatch
     def commit_flash
     end
 
-    def ssl?
-      super || scheme == "wss"
-    end
-
     def inspect # :nodoc:
       "#<#{self.class.name} #{method} #{original_url.dump} for #{remote_ip}>"
     end
@@ -447,6 +434,10 @@ module ActionDispatch
         HTTP_METHOD_LOOKUP[name] || raise(ActionController::UnknownHttpMethod, "#{name}, accepted HTTP methods are #{HTTP_METHODS[0...-1].join(', ')}, and #{HTTP_METHODS[-1]}")
         name
       end
+
+      def default_session
+        Session.disabled(self)
+      end
   end
 end