actionpack 6.1.7.3 → 7.0.8

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -4,11 +4,11 @@ require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
 
-module ActionController #:nodoc:
-  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+module ActionController # :nodoc:
+  class InvalidAuthenticityToken < ActionControllerError # :nodoc:
   end
 
-  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
@@ -32,7 +32,7 @@ module ActionController #:nodoc:
   # response may be extracted. To prevent this, only XmlHttpRequest (known as XHR or
   # Ajax) requests are allowed to make requests for JavaScript responses.
   #
-  # Subclasses of <tt>ActionController::Base</tt> are protected by default with the
+  # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
   # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
   #
@@ -92,7 +92,16 @@ module ActionController #:nodoc:
 
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = false
+      self.urlsafe_csrf_tokens = true
+
+      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
+        if urlsafe_csrf_tokens
+          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
+        else
+          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
+        end
+        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
+      end
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -109,14 +118,16 @@ module ActionController #:nodoc:
       #     protect_from_forgery except: :index
       #   end
       #
-      # You can disable forgery protection on controller by skipping the verification before_action:
+      # You can disable forgery protection on a controller using skip_forgery_protection:
       #
-      #   skip_before_action :verify_authenticity_token
+      #   class BarController < ApplicationController
+      #     skip_forgery_protection
+      #   end
       #
       # Valid Options:
       #
-      # * <tt>:only/:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
-      # * <tt>:if/:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
+      # * <tt>:only</tt> / <tt>:except</tt> - Only apply forgery protection to a subset of actions. For example <tt>only: [ :create, :create_all ]</tt>.
+      # * <tt>:if</tt> / <tt>:unless</tt> - Turn off the forgery protection entirely depending on the passed Proc or method reference.
       # * <tt>:prepend</tt> - By default, the verification of the authentication token will be added at the position of the
       #   protect_from_forgery call in your application. This means any callbacks added before are run first. This is useful
       #   when you want your forgery protection to depend on other callbacks, like authentication methods (Oauth vs Cookie auth).
@@ -124,10 +135,26 @@ module ActionController #:nodoc:
       #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
-      # Valid unverified request handling methods are:
+      # Built-in unverified request handling methods are:
       # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
+      #
+      # You can also implement custom strategy classes for unverified request handling:
+      #
+      #    class CustomStrategy
+      #      def initialize(controller)
+      #        @controller = controller
+      #      end
+      #
+      #      def handle_unverified_request
+      #        # Custom behaviour for unverfied request
+      #      end
+      #    end
+      #
+      #    class ApplicationController < ActionController:x:Base
+      #      protect_from_forgery with: CustomStrategy
+      #    end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
@@ -143,14 +170,23 @@ module ActionController #:nodoc:
       #
       # See +skip_before_action+ for allowed options.
       def skip_forgery_protection(options = {})
-        skip_before_action :verify_authenticity_token, options
+        skip_before_action :verify_authenticity_token, options.reverse_merge(raise: false)
       end
 
       private
         def protection_method_class(name)
-          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-        rescue NameError
-          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+          case name
+          when :null_session
+            ProtectionMethods::NullSession
+          when :reset_session
+            ProtectionMethods::ResetSession
+          when :exception
+            ProtectionMethods::Exception
+          when Class
+            name
+          else
+            raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
+          end
         end
     end
 
@@ -170,7 +206,7 @@ module ActionController #:nodoc:
         end
 
         private
-          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+          class NullSessionHash < Rack::Session::Abstract::SessionHash # :nodoc:
             def initialize(req)
               super(nil, req)
               @data = {}
@@ -183,9 +219,13 @@ module ActionController #:nodoc:
             def exists?
               true
             end
+
+            def enabled?
+              false
+            end
           end
 
-          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar # :nodoc:
             def write(*)
               # nothing
             end
@@ -203,12 +243,14 @@ module ActionController #:nodoc:
       end
 
       class Exception
+        attr_accessor :warning_message
+
         def initialize(controller)
           @controller = controller
         end
 
         def handle_unverified_request
-          raise ActionController::InvalidAuthenticityToken
+          raise ActionController::InvalidAuthenticityToken, warning_message
         end
       end
     end
@@ -228,22 +270,31 @@ module ActionController #:nodoc:
         mark_for_same_origin_verification!
 
         if !verified_request?
-          if logger && log_warning_on_csrf_failure
-            if valid_request_origin?
-              logger.warn "Can't verify CSRF token authenticity."
-            else
-              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
-            end
-          end
+          logger.warn unverified_request_warning_message if logger && log_warning_on_csrf_failure
+
           handle_unverified_request
         end
       end
 
       def handle_unverified_request # :doc:
-        forgery_protection_strategy.new(self).handle_unverified_request
+        protection_strategy = forgery_protection_strategy.new(self)
+
+        if protection_strategy.respond_to?(:warning_message)
+          protection_strategy.warning_message = unverified_request_warning_message
+        end
+
+        protection_strategy.handle_unverified_request
+      end
+
+      def unverified_request_warning_message # :nodoc:
+        if valid_request_origin?
+          "Can't verify CSRF token authenticity."
+        else
+          "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+        end
       end
 
-      #:nodoc:
+      # :nodoc:
       CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
         "<script> tag on another site requested protected JavaScript. " \
         "If you know what you're doing, go ahead and disable forgery " \
@@ -285,7 +336,7 @@ module ActionController #:nodoc:
       #
       # * Is it a GET or HEAD request? GETs should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
-      # * Does the X-CSRF-Token header match the form_authenticity_token?
+      # * Does the +X-CSRF-Token+ header match the form_authenticity_token?
       def verified_request? # :doc:
         !protect_against_forgery? || request.get? || request.head? ||
           (valid_request_origin? && any_authenticity_token_valid?)
@@ -303,15 +354,15 @@ module ActionController #:nodoc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
-      # Sets the token value for the current session.
-      def form_authenticity_token(form_options: {})
+      # Creates the authenticity token for the current request.
+      def form_authenticity_token(form_options: {}) # :doc:
         masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {}) # :doc:
+      def masked_authenticity_token(session, form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
@@ -438,7 +489,7 @@ module ActionController #:nodoc:
 
       # Checks if the controller allows forgery protection.
       def protect_against_forgery? # :doc:
-        allow_forgery_protection
+        allow_forgery_protection && (!session.respond_to?(:enabled?) || session.enabled?)
       end
 
       NULL_ORIGIN_MESSAGE = <<~MSG
@@ -469,7 +520,7 @@ module ActionController #:nodoc:
 
       def generate_csrf_token # :nodoc:
         if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
         else
           SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         end

data/lib/action_controller/metal/rescue.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
-  # This module is responsible for providing +rescue_from+ helpers
-  # to controllers and configuring when detailed exceptions must be
-  # shown.
+module ActionController # :nodoc:
+  # This module is responsible for providing
+  # {rescue_from}[rdoc-ref:ActiveSupport::Rescuable::ClassMethods#rescue_from]
+  # to controllers, wrapping actions to handle configured errors, and
+  # configuring when detailed exceptions must be shown.
   module Rescue
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable

data/lib/action_controller/metal/streaming.rb

@@ -2,7 +2,7 @@
 
 require "rack/chunked"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # Allows views to be streamed back to the client as they are rendered.
   #
   # By default, Rails renders views by first rendering the template
@@ -24,7 +24,7 @@ module ActionController #:nodoc:
   # Ruby implementation).
   #
   # Streaming can be added to a given template easily, all you need to do is
-  # to pass the :stream option.
+  # to pass the +:stream+ option.
   #
   #   class PostsController
   #     def index
@@ -59,8 +59,8 @@ module ActionController #:nodoc:
   #     render stream: true
   #   end
   #
-  # Notice that :stream only works with templates. Rendering :json
-  # or :xml with :stream won't work.
+  # Notice that +:stream+ only works with templates. Rendering +:json+
+  # or +:xml+ with +:stream+ won't work.
   #
   # == Communication between layout and template
   #
@@ -72,7 +72,7 @@ module ActionController #:nodoc:
   # variables set in the template to be used in the layout, they won't
   # work once you move to streaming. The proper way to communicate
   # between layout and template, regardless of whether you use streaming
-  # or not, is by using +content_for+, +provide+ and +yield+.
+  # or not, is by using +content_for+, +provide+, and +yield+.
   #
   # Take a simple example where the layout expects the template to tell
   # which title to use:
@@ -132,7 +132,7 @@ module ActionController #:nodoc:
   # That said, when streaming, you need to properly check your templates
   # and choose when to use +provide+ and +content_for+.
   #
-  # == Headers, cookies, session and flash
+  # == Headers, cookies, session, and flash
   #
   # When streaming, the HTTP headers are sent to the client right before
   # it renders the first line. This means that, modifying headers, cookies,
@@ -147,7 +147,7 @@ module ActionController #:nodoc:
   # needs to inject contents in the HTML body.
   #
   # Also <tt>Rack::Cache</tt> won't work with streaming as it does not support
-  # streaming bodies yet. Whenever streaming Cache-Control is automatically
+  # streaming bodies yet. Whenever streaming +Cache-Control+ is automatically
   # set to "no-cache".
   #
   # == Errors
@@ -193,8 +193,6 @@ module ActionController #:nodoc:
   # To be described.
   #
   module Streaming
-    extend ActiveSupport::Concern
-
     private
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)