actionpack 6.1.7.5 → 7.0.8

data/lib/action_controller/metal/params_wrapper.rb

@@ -9,11 +9,14 @@ module ActionController
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
-  # This functionality is enabled in +config/initializers/wrap_parameters.rb+
-  # and can be customized.
+  # This functionality is enabled by default for JSON, and can be customized by
+  # setting the format array:
   #
-  # You could also turn it on per controller by setting the format array to
-  # a non-empty array:
+  #     class ApplicationController < ActionController::Base
+  #       wrap_parameters format: [:json, :xml]
+  #     end
+  #
+  # You could also turn it on per controller:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
@@ -68,6 +71,12 @@ module ActionController
   # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
+  #
+  # To disable this functionality for a controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters false
+  #     end
   module ParamsWrapper
     extend ActiveSupport::Concern
 
@@ -242,14 +251,14 @@ module ActionController
       end
     end
 
-    # Performs parameters wrapping upon the request. Called automatically
-    # by the metal call stack.
-    def process_action(*)
-      _perform_parameter_wrapping if _wrapper_enabled?
-      super
-    end
-
     private
+      # Performs parameters wrapping upon the request. Called automatically
+      # by the metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
+
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,37 +1,28 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
-  # HTTP Permissions Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser permissions in its own context, and
-  # in content within any <iframe> elements in the document.
-  #
-  # Full details of HTTP Permissions Policy specification and guidelines can
-  # be found at MDN:
-  #
-  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
-  #
-  # Examples of usage:
-  #
-  #   # Global policy
-  #   Rails.application.config.permissions_policy do |f|
-  #     f.camera      :none
-  #     f.gyroscope   :none
-  #     f.microphone  :none
-  #     f.usb         :none
-  #     f.fullscreen  :self
-  #     f.payment     :self, "https://secure.example.com"
-  #   end
-  #
-  #   # Controller level policy
-  #   class PagesController < ApplicationController
-  #     permissions_policy do |p|
-  #       p.geolocation "https://example.com"
-  #     end
-  #   end
+module ActionController # :nodoc:
   module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
+      # Overrides parts of the globally configured +Feature-Policy+
+      # header:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy do |policy|
+      #       policy.geolocation "https://example.com"
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy(only: :index) do |policy|
+      #       policy.camera :self
+      #     end
+      #   end
+      #
       def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?

data/lib/action_controller/metal/redirecting.rb

@@ -4,13 +4,17 @@ module ActionController
   module Redirecting
     extend ActiveSupport::Concern
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
     include AbstractController::Logger
     include ActionController::UrlFor
 
-    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
-
     class UnsafeRedirectError < StandardError; end
 
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
+
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
     # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
@@ -58,20 +62,46 @@ module ActionController
     #
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    #
     #   redirect_to post_url(@post) and return
+    #
+    # === Open Redirect protection
+    #
+    # By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
+    # Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    #
+    # Here #redirect_to automatically validates the potentially-unsafe URL:
+    #
+    #   redirect_to params[:redirect_url]
+    #
+    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    #
+    # To allow any external redirects pass <tt>allow_other_host: true</tt>, though using a user-provided param in that case is unsafe.
+    #
+    #   redirect_to "https://rubyonrails.org", allow_other_host: true
+    #
+    # See #url_from for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
     def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
-      self.status        = _extract_redirect_to_status(options, response_options)
+      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+
+      self.status = _extract_redirect_to_status(options, response_options)
 
       redirect_to_location = _compute_redirect_to_location(request, options)
       _ensure_url_is_http_header_safe(redirect_to_location)
 
-      self.location      = redirect_to_location
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
+    # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead
+    # of the first positional argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
     # Redirects the browser to the page that issued the request (the referrer)
     # if possible, otherwise redirects to the provided default fallback
     # location.
@@ -81,35 +111,37 @@ module ActionController
     # subject to browser security settings and user preferences. If the request
     # is missing this header, the <tt>fallback_location</tt> will be used.
     #
-    #   redirect_back fallback_location: { action: "show", id: 5 }
-    #   redirect_back fallback_location: @post
-    #   redirect_back fallback_location: "http://www.rubyonrails.org"
-    #   redirect_back fallback_location: "/images/screenshot.jpg"
-    #   redirect_back fallback_location: posts_url
-    #   redirect_back fallback_location: proc { edit_post_url(@post) }
-    #   redirect_back fallback_location: '/', allow_other_host: false
+    #   redirect_back_or_to({ action: "show", id: 5 })
+    #   redirect_back_or_to @post
+    #   redirect_back_or_to "http://www.rubyonrails.org"
+    #   redirect_back_or_to "/images/screenshot.jpg"
+    #   redirect_back_or_to posts_url
+    #   redirect_back_or_to proc { edit_post_url(@post) }
+    #   redirect_back_or_to '/', allow_other_host: false
     #
     # ==== Options
-    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
-    # options and the behavior is identical.
-    def redirect_back(fallback_location:, allow_other_host: true, **args)
-      referer = request.headers["Referer"]
-      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
-      redirect_to redirect_to_referer ? referer : fallback_location, **args
+    # options, and the behavior is identical.
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
+        redirect_to request.referer, allow_other_host: allow_other_host, **options
+      else
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit and let the `redirect_to` handling take over.
+        redirect_to fallback_location, **options
+      end
     end
 
-    def _compute_redirect_to_location(request, options) #:nodoc:
+    def _compute_redirect_to_location(request, options) # :nodoc:
       case options
       # The scheme name consist of a letter followed by any combination of
       # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
       # characters; and is terminated by a colon (":").
       # See https://tools.ietf.org/html/rfc3986#section-3.1
       # The protocol relative scheme starts with a double slash "//".
-      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
-        options
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
       when String
         request.protocol + request.host_with_port + options
       when Proc
@@ -121,7 +153,35 @@ module ActionController
     module_function :_compute_redirect_to_location
     public :_compute_redirect_to_location
 
+    # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
+    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    #
+    #   redirect_to url_from(params[:redirect_url]) || root_url
+    #
+    # The +location+ is considered internal, and safe, if it's on the same host as <tt>request.host</tt>:
+    #
+    #   # If request.host is example.com:
+    #   url_from("https://example.com/profile") # => "https://example.com/profile"
+    #   url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #   url_from("http://evil.com/profile")     # => nil
+    #
+    # Subdomains are considered part of the host:
+    #
+    #   # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #   url_from("https://dev.example.com/profile") # => nil
+    #
+    # NOTE: there's a similarity with {url_for}[rdoc-ref:ActionDispatch::Routing::UrlFor#url_for], which generates an internal URL from various options from within the app, e.g. <tt>url_for(@post)</tt>.
+    # However, #url_from is meant to take an external parameter to verify as in <tt>url_from(params[:redirect_url])</tt>.
+    def url_from(location)
+      location = location.presence
+      location if location && _url_host_allowed?(location)
+    end
+
     private
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
       def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
@@ -132,8 +192,21 @@ module ActionController
         end
       end
 
+      def _enforce_open_redirect_protection(location, allow_other_host:)
+        if allow_other_host || _url_host_allowed?(location)
+          location
+        else
+          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+        end
+      end
+
       def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+        host = URI(url.to_s).host
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end
@@ -142,7 +215,7 @@ module ActionController
         # Attempt to comply with the set of valid token characters
         # defined for an HTTP header value in
         # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
-        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
+        if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
           msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
             "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
           raise UnsafeRedirectError, msg

data/lib/action_controller/metal/renderers.rb

@@ -3,12 +3,12 @@
 require "set"
 
 module ActionController
-  # See <tt>Renderers.add</tt>
+  # See Renderers.add
   def self.add_renderer(key, &block)
     Renderers.add(key, &block)
   end
 
-  # See <tt>Renderers.remove</tt>
+  # See Renderers.remove
   def self.remove_renderer(key)
     Renderers.remove(key)
   end
@@ -31,8 +31,7 @@ module ActionController
       class_attribute :_renderers, default: Set.new.freeze
     end
 
-    # Used in <tt>ActionController::Base</tt>
-    # and <tt>ActionController::API</tt> to include all
+    # Used in ActionController::Base and ActionController::API to include all
     # renderers by default.
     module All
       extend ActiveSupport::Concern
@@ -45,7 +44,7 @@ module ActionController
 
     # Adds a new renderer to call within controller actions.
     # A renderer is invoked by passing its name as an option to
-    # <tt>AbstractController::Rendering#render</tt>. To create a renderer
+    # AbstractController::Rendering#render. To create a renderer
     # pass it a name and a block. The block takes two arguments, the first
     # is the value paired with its key and the second is the remaining
     # hash of options passed to +render+.
@@ -96,18 +95,18 @@ module ActionController
       # Adds, by name, a renderer or renderers to the +_renderers+ available
       # to call within controller actions.
       #
-      # It is useful when rendering from an <tt>ActionController::Metal</tt> controller or
+      # It is useful when rendering from an ActionController::Metal controller or
       # otherwise to add an available renderer proc to a specific controller.
       #
-      # Both <tt>ActionController::Base</tt> and <tt>ActionController::API</tt>
-      # include <tt>ActionController::Renderers::All</tt>, making all renderers
+      # Both ActionController::Base and ActionController::API
+      # include ActionController::Renderers::All, making all renderers
       # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
       #
-      # Since <tt>ActionController::Metal</tt> controllers cannot render, the controller
-      # must include <tt>AbstractController::Rendering</tt>, <tt>ActionController::Rendering</tt>,
-      # and <tt>ActionController::Renderers</tt>, and have at least one renderer.
+      # Since ActionController::Metal controllers cannot render, the controller
+      # must include AbstractController::Rendering, ActionController::Rendering,
+      # and ActionController::Renderers, and have at least one renderer.
       #
-      # Rather than including <tt>ActionController::Renderers::All</tt> and including all renderers,
+      # Rather than including ActionController::Renderers::All and including all renderers,
       # you may specify which renderers to include by passing the renderer name or names to
       # +use_renderers+. For example, a controller that includes only the <tt>:json</tt> renderer
       # (+_render_with_renderer_json+) might look like:
@@ -133,7 +132,7 @@ module ActionController
       alias use_renderer use_renderers
     end
 
-    # Called by +render+ in <tt>AbstractController::Rendering</tt>
+    # Called by +render+ in AbstractController::Rendering
     # which sets the return value as the +response_body+.
     #
     # If no renderer is found, +super+ returns control to

data/lib/action_controller/metal/rendering.rb

@@ -24,19 +24,125 @@ module ActionController
       end
     end
 
-    # Before processing, set the request formats in current controller formats.
-    def process_action(*) #:nodoc:
-      self.formats = request.formats.map(&:ref).compact
-      super
-    end
-
+    # Renders a template and assigns the result to +self.response_body+.
+    #
+    # If no rendering mode option is specified, the template will be derived
+    # from the first argument.
+    #
+    #   render "posts/show"
+    #   # => renders app/views/posts/show.html.erb
+    #
+    #   # In a PostsController action...
+    #   render :show
+    #   # => renders app/views/posts/show.html.erb
+    #
+    # If the first argument responds to +render_in+, the template will be
+    # rendered by calling +render_in+ with the current view context.
+    #
+    # ==== \Rendering Mode
+    #
+    # [+:partial+]
+    #   See ActionView::PartialRenderer for details.
+    #
+    #     render partial: "posts/form", locals: { post: Post.new }
+    #     # => renders app/views/posts/_form.html.erb
+    #
+    # [+:file+]
+    #   Renders the contents of a file. This option should <b>not</b> be used
+    #   with unsanitized user input.
+    #
+    #     render file: "/path/to/some/file"
+    #     # => renders /path/to/some/file
+    #
+    # [+:inline+]
+    #   Renders an ERB template string.
+    #
+    #     @name = "World"
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>"
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:body+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render body: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:plain+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render plain: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:html+]
+    #   Renders the provided HTML string, and sets the content type as +text/html+.
+    #   If the string is not +html_safe?+, performs HTML escaping on the string
+    #   before rendering.
+    #
+    #     render html: "<h1>Hello, World!</h1>".html_safe
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    #     render html: "<h1>Hello, World!</h1>"
+    #     # => renders "&lt;h1&gt;Hello, World!&lt;/h1&gt;"
+    #
+    # [+:json+]
+    #   Renders the provided object as JSON, and sets the content type as
+    #   +application/json+. If the object is not a string, it will be converted
+    #   to JSON by calling +to_json+.
+    #
+    #     render json: { hello: "world" }
+    #     # => renders "{\"hello\":\"world\"}"
+    #
+    # By default, when a rendering mode is specified, no layout template is
+    # rendered.
+    #
+    # ==== Options
+    #
+    # [+:assigns+]
+    #   Hash of instance variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>", assigns: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:locals+]
+    #   Hash of local variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= name %>!</h1>", locals: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:layout+]
+    #   The layout template to render. Can also be +false+ or +true+ to disable
+    #   or (re)enable the default layout template.
+    #
+    #     render "posts/show", layout: "holiday"
+    #     # => renders app/views/posts/show.html.erb with the app/views/layouts/holiday.html.erb layout
+    #
+    #     render "posts/show", layout: false
+    #     # => renders app/views/posts/show.html.erb with no layout
+    #
+    #     render inline: "<h1>Hello, World!</h1>", layout: true
+    #     # => renders "<h1>Hello, World!</h1>" with the default layout
+    #
+    # [+:status+]
+    #   The HTTP status code to send with the response. Can be specified as a
+    #   number or as the status name in Symbol form. Defaults to 200.
+    #
+    #     render "posts/new", status: 422
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #     render "posts/new", status: :unprocessable_entity
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #--
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) #:nodoc:
+    def render(*args)
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
-    # Overwrite render_to_string because body can now be set to a Rack body.
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
+    #--
+    # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
       if result.respond_to?(:each)
@@ -48,11 +154,17 @@ module ActionController
       end
     end
 
-    def render_to_body(options = {})
+    def render_to_body(options = {}) # :nodoc:
       super || _render_in_priorities(options) || " "
     end
 
     private
+      # Before processing, set the request formats in current controller formats.
+      def process_action(*) # :nodoc:
+        self.formats = request.formats.filter_map(&:ref)
+        super
+      end
+
       def _process_variant(options)
         if defined?(request) && !request.nil? && request.variant.present?
           options[:variant] = request.variant