actionpack 6.1.7.3 → 7.0.8

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -10,11 +10,15 @@ module ActionDispatch
 
         attr_reader :memos
 
+        DEFAULT_EXP = /[^.\/?]+/
+        DEFAULT_EXP_ANCHORED = /\A#{DEFAULT_EXP}\Z/
+
         def initialize
-          @regexp_states = {}
-          @string_states = {}
-          @accepting     = {}
-          @memos         = Hash.new { |h, k| h[k] = [] }
+          @stdparam_states = {}
+          @regexp_states   = {}
+          @string_states   = {}
+          @accepting       = {}
+          @memos           = Hash.new { |h, k| h[k] = [] }
         end
 
         def add_accepting(state)
@@ -41,22 +45,54 @@ module ActionDispatch
           Array(t)
         end
 
-        def move(t, a)
+        def move(t, full_string, start_index, end_index)
           return [] if t.empty?
 
-          regexps = []
-          strings = []
+          next_states = []
 
-          t.each { |s|
-            if states = @regexp_states[s]
-              states.each { |re, v| regexps << v if re.match?(a) && !v.nil? }
+          tok = full_string.slice(start_index, end_index - start_index)
+          token_matches_default_component = DEFAULT_EXP_ANCHORED.match?(tok)
+
+          t.each { |s, previous_start|
+            if previous_start.nil?
+              # In the simple case of a "default" param regex do this fast-path
+              # and add all next states.
+              if token_matches_default_component && states = @stdparam_states[s]
+                states.each { |re, v| next_states << [v, nil].freeze if !v.nil? }
+              end
+
+              # When we have a literal string, we can just pull the next state
+              if states = @string_states[s]
+                next_states << [states[tok], nil].freeze unless states[tok].nil?
+              end
             end
 
-            if states = @string_states[s]
-              strings << states[a] unless states[a].nil?
+            # For regexes that aren't the "default" style, they may potentially
+            # not be terminated by the first "token" [./?], so we need to continue
+            # to attempt to match this regexp as well as any successful paths that
+            # continue out of it. both paths could be valid.
+            if states = @regexp_states[s]
+              slice_start = if previous_start.nil?
+                start_index
+              else
+                previous_start
+              end
+
+              slice_length = end_index - slice_start
+              curr_slice = full_string.slice(slice_start, slice_length)
+
+              states.each { |re, v|
+                # if we match, we can try moving past this
+                next_states << [v, nil].freeze if !v.nil? && re.match?(curr_slice)
+              }
+
+              # and regardless, we must continue accepting tokens and retrying this regexp.
+              # we need to remember where we started as well so we can take bigger slices.
+              next_states << [s, slice_start].freeze
             end
           }
-          strings.concat regexps
+
+          next_states
         end
 
         def as_json(options = nil)
@@ -69,9 +105,10 @@ module ActionDispatch
           end
 
           {
-            regexp_states: simple_regexp,
-            string_states: @string_states,
-            accepting:     @accepting
+            regexp_states:   simple_regexp,
+            string_states:   @string_states,
+            stdparam_states: @stdparam_states,
+            accepting:       @accepting
           }
         end
 
@@ -93,7 +130,7 @@ module ActionDispatch
           states    = "function tt() { return #{to_json}; }"
 
           fun_routes = paths.sample(3).map do |ast|
-            ast.map { |n|
+            ast.filter_map { |n|
               case n
               when Nodes::Symbol
                 case n.left
@@ -106,7 +143,7 @@ module ActionDispatch
               else
                 nil
               end
-            }.compact.join
+            }.join
           end
 
           stylesheets = [fsm_css]
@@ -125,18 +162,33 @@ module ActionDispatch
 
         def []=(from, to, sym)
           to_mappings = states_hash_for(sym)[from] ||= {}
+          case sym
+          when Regexp
+            # we must match the whole string to a token boundary
+            if sym == DEFAULT_EXP
+              sym = DEFAULT_EXP_ANCHORED
+            else
+              sym = /\A#{sym}\Z/
+            end
+          when Symbol
+            # account for symbols in the constraints the same as strings
+            sym = sym.to_s
+          end
           to_mappings[sym] = to
         end
 
         def states
           ss = @string_states.keys + @string_states.values.flat_map(&:values)
+          ps = @stdparam_states.keys + @stdparam_states.values.flat_map(&:values)
           rs = @regexp_states.keys + @regexp_states.values.flat_map(&:values)
-          (ss + rs).uniq
+          (ss + ps + rs).uniq
         end
 
         def transitions
           @string_states.flat_map { |from, hash|
             hash.map { |s, to| [from, s, to] }
+          } + @stdparam_states.flat_map { |from, hash|
+            hash.map { |s, to| [from, s, to] }
           } + @regexp_states.flat_map { |from, hash|
             hash.map { |s, to| [from, s, to] }
           }
@@ -145,10 +197,14 @@ module ActionDispatch
         private
           def states_hash_for(sym)
             case sym
-            when String
+            when String, Symbol
               @string_states
             when Regexp
-              @regexp_states
+              if sym == DEFAULT_EXP
+                @stdparam_states
+              else
+                @regexp_states
+              end
             else
               raise ArgumentError, "unknown symbol: %s" % sym.class
             end

data/lib/action_dispatch/journey/nodes/node.rb

@@ -4,6 +4,66 @@ require "action_dispatch/journey/visitors"
 
 module ActionDispatch
   module Journey # :nodoc:
+    class Ast # :nodoc:
+      attr_reader :names, :path_params, :tree, :wildcard_options, :terminals
+      alias :root :tree
+
+      def initialize(tree, formatted)
+        @tree = tree
+        @path_params = []
+        @names = []
+        @symbols = []
+        @stars = []
+        @terminals = []
+        @wildcard_options = {}
+
+        visit_tree(formatted)
+      end
+
+      def requirements=(requirements)
+        # inject any regexp requirements for `star` nodes so they can be
+        # determined nullable, which requires knowing if the regex accepts an
+        # empty string.
+        (symbols + stars).each do |node|
+          re = requirements[node.to_sym]
+          node.regexp = re if re
+        end
+      end
+
+      def route=(route)
+        terminals.each { |n| n.memo = route }
+      end
+
+      def glob?
+        stars.any?
+      end
+
+      private
+        attr_reader :symbols, :stars
+
+        def visit_tree(formatted)
+          tree.each do |node|
+            if node.symbol?
+              path_params << node.to_sym
+              names << node.name
+              symbols << node
+            elsif node.star?
+              stars << node
+
+              if formatted != false
+                # Add a constraint for wildcard route to make it non-greedy and
+                # match the optional format part of the route by default.
+                wildcard_options[node.name.to_sym] ||= /.+?/m
+              end
+            end
+
+            if node.terminal?
+              terminals << node
+            end
+          end
+        end
+    end
+
     module Nodes # :nodoc:
       class Node # :nodoc:
         include Enumerable
@@ -78,7 +138,7 @@ module ActionDispatch
         alias :symbol :regexp
         attr_reader :name
 
-        DEFAULT_EXP = /[^\.\/\?]+/
+        DEFAULT_EXP = /[^.\/?]+/
         GREEDY_EXP = /(.+)/
         def initialize(left, regexp = DEFAULT_EXP)
           super(left)
@@ -86,10 +146,6 @@ module ActionDispatch
           @name = -left.tr("*:", "")
         end
 
-        def default_regexp?
-          regexp == DEFAULT_EXP
-        end
-
         def type; :SYMBOL; end
         def symbol?; true; end
       end
@@ -104,6 +160,15 @@ module ActionDispatch
       end
 
       class Star < Unary # :nodoc:
+        attr_accessor :regexp
+
+        def initialize(left)
+          super(left)
+
+          # By default wildcard routes are non-greedy and must match something.
+          @regexp = /.+?/m
+        end
+
         def star?; true; end
         def type; :STAR; end
 

data/lib/action_dispatch/journey/path/pattern.rb

@@ -4,15 +4,16 @@ module ActionDispatch
   module Journey # :nodoc:
     module Path # :nodoc:
       class Pattern # :nodoc:
-        attr_reader :spec, :requirements, :anchored
+        attr_reader :ast, :names, :requirements, :anchored, :spec
 
         def initialize(ast, requirements, separators, anchored)
-          @spec         = ast
+          @ast          = ast
+          @spec         = ast.root
           @requirements = requirements
           @separators   = separators
           @anchored     = anchored
 
-          @names          = nil
+          @names          = ast.names
           @optional_names = nil
           @required_names = nil
           @re             = nil
@@ -27,20 +28,28 @@ module ActionDispatch
           required_names
           offsets
           to_regexp
-          nil
+          @ast = nil
         end
 
-        def ast
-          @spec.find_all(&:symbol?).each do |node|
-            re = @requirements[node.to_sym]
-            node.regexp = re if re
-          end
+        def requirements_anchored?
+          # each required param must not be surrounded by a literal, otherwise it isn't simple to chunk-match the url piecemeal
+          terminals = ast.terminals
 
-          @spec
-        end
+          terminals.each_with_index { |s, index|
+            next if index < 1
+            next if s.type == :DOT || s.type == :SLASH
+
+            back = terminals[index - 1]
+            fwd = terminals[index + 1]
+
+            # we also don't support this yet, constraints must be regexps
+            return false if s.symbol? && s.regexp.is_a?(Array)
+
+            return false if back.literal?
+            return false if !fwd.nil? && fwd.literal?
+          }
 
-        def names
-          @names ||= spec.find_all(&:symbol?).map(&:name)
+          true
         end
 
         def required_names

data/lib/action_dispatch/journey/route.rb

@@ -5,7 +5,7 @@ module ActionDispatch
   module Journey
     class Route
       attr_reader :app, :path, :defaults, :name, :precedence, :constraints,
-                  :internal, :scope_options
+                  :internal, :scope_options, :ast
 
       alias :conditions :constraints
 
@@ -65,29 +65,22 @@ module ActionDispatch
         @_required_defaults = required_defaults
         @required_parts    = nil
         @parts             = nil
-        @decorated_ast     = nil
         @precedence        = precedence
         @path_formatter    = @path.build_formatter
         @scope_options     = scope_options
         @internal          = internal
+
+        @ast = @path.ast.root
+        @path.ast.route = self
       end
 
       def eager_load!
         path.eager_load!
-        ast
         parts
         required_defaults
         nil
       end
 
-      def ast
-        @decorated_ast ||= begin
-          decorated_ast = path.ast
-          decorated_ast.find_all(&:terminal?).each { |n| n.memo = self }
-          decorated_ast
-        end
-      end
-
       # Needed for `bin/rails routes`. Picks up succinctly defined requirements
       # for a route, for example route
       #
@@ -98,7 +91,7 @@ module ActionDispatch
       # as requirements.
       def requirements
         @defaults.merge(path.requirements).delete_if { |_, v|
-          /.+?/ == v
+          /.+?/m == v
         }
       end
 
@@ -142,7 +135,7 @@ module ActionDispatch
       end
 
       def glob?
-        path.spec.any?(Nodes::Star)
+        path.ast.glob?
       end
 
       def dispatcher?

data/lib/action_dispatch/journey/router/utils.rb

@@ -35,7 +35,7 @@ module ActionDispatch
           US_ASCII = Encoding::US_ASCII
           UTF_8    = Encoding::UTF_8
           EMPTY    = (+"").force_encoding(US_ASCII).freeze
-          DEC2HEX  = (0..255).to_a.map { |i| ENCODE % i }.map { |s| s.force_encoding(US_ASCII) }
+          DEC2HEX  = (0..255).map { |i| (ENCODE % i).force_encoding(US_ASCII) }
 
           ALPHA = "a-zA-Z"
           DIGIT = "0-9"
@@ -44,7 +44,7 @@ module ActionDispatch
 
           ESCAPED  = /%[a-zA-Z0-9]{2}/.freeze
 
-          FRAGMENT = /[^#{UNRESERVED}#{SUB_DELIMS}:@\/\?]/.freeze
+          FRAGMENT = /[^#{UNRESERVED}#{SUB_DELIMS}:@\/?]/.freeze
           SEGMENT  = /[^#{UNRESERVED}#{SUB_DELIMS}:@]/.freeze
           PATH     = /[^#{UNRESERVED}#{SUB_DELIMS}:@\/]/.freeze
 

data/lib/action_dispatch/journey/router.rb

@@ -85,7 +85,7 @@ module ActionDispatch
       private
         def partitioned_routes
           routes.partition { |r|
-            r.path.anchored && r.ast.grep(Nodes::Symbol).all? { |n| n.default_regexp?  }
+            r.path.anchored && r.path.requirements_anchored?
           }
         end
 

data/lib/action_dispatch/journey/routes.rb

@@ -41,7 +41,7 @@ module ActionDispatch
       end
 
       def partition_route(route)
-        if route.path.anchored && route.ast.grep(Nodes::Symbol).all?(&:default_regexp?)
+        if route.path.anchored && route.path.requirements_anchored?
           anchored_routes << route
         else
           custom_routes << route
@@ -50,8 +50,8 @@ module ActionDispatch
 
       def ast
         @ast ||= begin
-          asts = anchored_routes.map(&:ast)
-          Nodes::Or.new(asts)
+          nodes = anchored_routes.map(&:ast)
+          Nodes::Or.new(nodes)
         end
       end
 

data/lib/action_dispatch/journey/visualizer/fsm.js

@@ -68,7 +68,7 @@ function highlight_state(index, color) {
 }
 
 function highlight_finish(index) {
-  svg_nodes[index].select('polygon')
+  svg_nodes[index].select('ellipse')
     .style("fill", "while")
     .transition().duration(500)
     .style("fill", "blue");
@@ -76,54 +76,79 @@ function highlight_finish(index) {
 
 function match(input) {
   reset_graph();
-  var table         = tt();
-  var states        = [0];
-  var regexp_states = table['regexp_states'];
-  var string_states = table['string_states'];
-  var accepting     = table['accepting'];
+  var table           = tt();
+  var states          = [[0, null]];
+  var regexp_states   = table['regexp_states'];
+  var string_states   = table['string_states'];
+  var stdparam_states = table['stdparam_states'];
+  var accepting       = table['accepting'];
+  var default_re      = new RegExp("^[^.\/?]+$");
+  var start_index     = 0;
 
   highlight_state(0);
 
   tokenize(input, function(token) {
+    var end_index = start_index + token.length;
+
     var new_states = [];
     for(var key in states) {
-      var state = states[key];
+      var state_parts = states[key];
+      var state = state_parts[0];
+      var previous_start = state_parts[1];
+
+      if(previous_start == null) {
+        if(string_states[state] && string_states[state][token]) {
+          var new_state = string_states[state][token];
+          highlight_edge(state, new_state);
+          highlight_state(new_state);
+          new_states.push([new_state, null]);
+        }
 
-      if(string_states[state] && string_states[state][token]) {
-        var new_state = string_states[state][token];
-        highlight_edge(state, new_state);
-        highlight_state(new_state);
-        new_states.push(new_state);
+        if(stdparam_states[state] && default_re.test(token)) {
+          for(var key in stdparam_states[state]) {
+            var new_state = stdparam_states[state][key];
+            highlight_edge(state, new_state);
+            highlight_state(new_state);
+            new_states.push([new_state, null]);
+          }
+        }
       }
 
       if(regexp_states[state]) {
+        var slice_start = previous_start != null ? previous_start : start_index;
+
         for(var key in regexp_states[state]) {
           var re = new RegExp("^" + key + "$");
-          if(re.test(token)) {
+
+          var accumulation = input.slice(slice_start, end_index);
+
+          if(re.test(accumulation)) {
             var new_state = regexp_states[state][key];
             highlight_edge(state, new_state);
             highlight_state(new_state);
-            new_states.push(new_state);
+            new_states.push([new_state, null]);
           }
+
+          // retry the same regexp with the accumulated data either way
+          new_states.push([state, slice_start]);
         }
       }
     }
 
-    if(new_states.length == 0) {
-      return;
-    }
     states = new_states;
+    start_index = end_index;
   });
 
   for(var key in states) {
-    var state = states[key];
+    var state_parts = states[key];
+    var state = state_parts[0];
+    var slice_start = state_parts[1];
+
+    // we must ignore ones that are still accepting more data
+    if (slice_start != null) continue;
+
     if(accepting[state]) {
-      for(var mkey in svg_edges[state]) {
-        if(!regexp_states[mkey] && !string_states[mkey]) {
-          highlight_edge(state, mkey);
-          highlight_finish(mkey);
-        }
-      }
+      highlight_finish(state);
     } else {
       highlight_state(state, "red");
     }

data/lib/action_dispatch/journey/visualizer/index.html.erb

@@ -8,7 +8,7 @@
         <%= style %>
       <% end %>
     </style>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js" type="text/javascript"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js"></script>
   </head>
   <body>
     <div id="wrapper">

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -2,7 +2,6 @@
 
 require "erb"
 require "uri"
-require "action_dispatch/http/request"
 require "active_support/actionable_error"
 
 module ActionDispatch

data/lib/action_dispatch/middleware/cookies.rb

@@ -7,7 +7,7 @@ require "active_support/json"
 require "rack/utils"
 
 module ActionDispatch
-  class Request
+  module RequestCookieMethods
     def cookie_jar
       fetch_header("action_dispatch.cookies") do
         self.cookie_jar = Cookies::CookieJar.build(self, cookies)
@@ -88,10 +88,14 @@ module ActionDispatch
     # :startdoc:
   end
 
-  # Read and write data to cookies through ActionController#cookies.
+  ActiveSupport.on_load(:action_dispatch_request) do
+    include RequestCookieMethods
+  end
+
+  # Read and write data to cookies through ActionController::Base#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
-  # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
+  # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
   #
   # Examples of writing:
   #
@@ -99,7 +103,7 @@ module ActionDispatch
   #   # This cookie will be deleted when the user's browser is closed.
   #   cookies[:user_name] = "david"
   #
-  #   # Cookie values are String based. Other data types need to be serialized.
+  #   # Cookie values are String-based. Other data types need to be serialized.
   #   cookies[:lat_lon] = JSON.generate([47.68, -122.37])
   #
   #   # Sets a cookie that expires in 1 hour.
@@ -135,7 +139,7 @@ module ActionDispatch
   #
   #   cookies.delete :user_name
   #
-  # Please note that if you specify a :domain when setting a cookie, you must also specify the domain when deleting the cookie:
+  # Please note that if you specify a +:domain+ when setting a cookie, you must also specify the domain when deleting the cookie:
   #
   #  cookies[:name] = {
   #    value: 'a yummy cookie',
@@ -172,6 +176,9 @@ module ActionDispatch
   #   Default is +false+.
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
+  # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
+  #   determines how this cookie should be restricted in cross-site contexts.
+  #   Possible values are +:none+, +:lax+, and +:strict+. Defaults to +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
@@ -195,7 +202,7 @@ module ActionDispatch
     # Raised when storing more than 4K of session data.
     CookieOverflow = Class.new StandardError
 
-    # Include in a cookie jar to allow chaining, e.g. cookies.permanent.signed.
+    # Include in a cookie jar to allow chaining, e.g. +cookies.permanent.signed+.
     module ChainedCookieJars
       # Returns a jar that'll automatically set the assigned cookies to have an expiration date 20 years from now. Example:
       #
@@ -280,7 +287,7 @@ module ActionDispatch
         end
     end
 
-    class CookieJar #:nodoc:
+    class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
       def self.build(req, cookies)
@@ -421,7 +428,7 @@ module ActionDispatch
         end
 
         def write_cookie?(cookie)
-          request.ssl? || !cookie[:secure] || always_write_cookie
+          request.ssl? || !cookie[:secure] || always_write_cookie || request.host.end_with?(".onion")
         end
 
         def handle_options(options)
@@ -436,7 +443,7 @@ module ActionDispatch
 
           if options[:domain] == :all || options[:domain] == "all"
             cookie_domain = ""
-            dot_splitted_host = request.host.split('.', -1)
+            dot_splitted_host = request.host.split(".", -1)
 
             # Case where request.host is not an IP address or it's an invalid domain
             # (ip confirms to the domain structure we expect so we explicitly check for ip)
@@ -446,10 +453,10 @@ module ActionDispatch
             end
 
             # If there is a provided tld length then we use it otherwise default domain.
-            if options[:tld_length].present? 
+            if options[:tld_length].present?
               # Case where the tld_length provided is valid
               if dot_splitted_host.length >= options[:tld_length]
-                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join(".")
               end
             # Case where tld_length is not provided
             else
@@ -458,7 +465,7 @@ module ActionDispatch
                 cookie_domain = dot_splitted_host.last(2).join(".")
               # **.**, ***.** style TLDs like co.uk and com.au
               else
-                cookie_domain = dot_splitted_host.last(3).join('.')
+                cookie_domain = dot_splitted_host.last(3).join(".")
               end
             end
 
@@ -676,7 +683,7 @@ module ActionDispatch
           deserialize(name) do |rotate|
             @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
           end
-        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
+        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature, JSON::ParserError
           nil
         end