actionpack 6.1.7.5 → 7.1.3.1

data/lib/action_controller/test_case.rb

@@ -31,7 +31,7 @@ module ActionController
 
   # ActionController::TestCase will be deprecated and moved to a gem in the future.
   # Please use ActionDispatch::IntegrationTest going forward.
-  class TestRequest < ActionDispatch::TestRequest #:nodoc:
+  class TestRequest < ActionDispatch::TestRequest # :nodoc:
     DEFAULT_ENV = ActionDispatch::TestRequest::DEFAULT_ENV.dup
     DEFAULT_ENV.delete "PATH_INFO"
 
@@ -127,6 +127,9 @@ module ActionController
       fetch_header("PATH_INFO") do |k|
         set_header k, generated_path
       end
+      fetch_header("ORIGINAL_FULLPATH") do |k|
+        set_header k, fullpath
+      end
       path_parameters[:controller] = controller_path
       path_parameters[:action] = action
 
@@ -179,14 +182,15 @@ module ActionController
 
   # Methods #destroy and #load! are overridden to avoid calling methods on the
   # @store object, which does not exist for the TestSession class.
-  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash #:nodoc:
+  class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash # :nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
-    def initialize(session = {})
+    def initialize(session = {}, id = Rack::Session::SessionId.new(SecureRandom.hex(16)))
       super(nil, nil)
-      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
+      @id = id
       @data = stringify_keys(session)
       @loaded = true
+      @initially_empty = @data.empty?
     end
 
     def exists?
@@ -214,21 +218,31 @@ module ActionController
       @data.fetch(key.to_s, *args, &block)
     end
 
+    def enabled?
+      true
+    end
+
+    def id_was
+      @id
+    end
+
     private
       def load!
         @id
       end
   end
 
+  # = Action Controller Test Case
+  #
   # Superclass for ActionController functional tests. Functional tests allow you to
   # test a single controller action per test method.
   #
   # == Use integration style controller tests over functional style controller tests.
   #
-  # Rails discourages the use of functional tests in favor of integration tests
+  # \Rails discourages the use of functional tests in favor of integration tests
   # (use ActionDispatch::IntegrationTest).
   #
-  # New Rails applications no longer generate functional style controller tests and they should
+  # New \Rails applications no longer generate functional style controller tests and they should
   # only be used for backward compatibility. Integration style controller tests perform actual
   # requests, whereas functional style controller tests merely simulate a request. Besides,
   # integration tests are as fast as functional tests and provide lot of helpers such as +as+,
@@ -237,7 +251,7 @@ module ActionController
   # == Basic example
   #
   # Functional tests are written as follows:
-  # 1. First, one uses the +get+, +post+, +patch+, +put+, +delete+ or +head+ method to simulate
+  # 1. First, one uses the +get+, +post+, +patch+, +put+, +delete+, or +head+ method to simulate
   #    an HTTP request.
   # 2. Then, one asserts whether the current state is as expected. "State" can be anything:
   #    the controller's HTTP response, the database contents, etc.
@@ -329,6 +343,8 @@ module ActionController
   #
   #  assert_redirected_to page_url(title: 'foo')
   class TestCase < ActiveSupport::TestCase
+    singleton_class.attr_accessor :executor_around_each_request
+
     module Behavior
       extend ActiveSupport::Concern
       include ActionDispatch::TestProcess
@@ -385,7 +401,7 @@ module ActionController
       #
       # You can also simulate POST, PATCH, PUT, DELETE, and HEAD requests with
       # +post+, +patch+, +put+, +delete+, and +head+.
-      # Example sending parameters, session and setting a flash message:
+      # Example sending parameters, session, and setting a flash message:
       #
       #   get :show,
       #     params: { id: 7 },
@@ -455,13 +471,19 @@ module ActionController
       #     session: { user_id: 1 },
       #     flash: { notice: 'This is flash message' }
       #
-      # To simulate +GET+, +POST+, +PATCH+, +PUT+, +DELETE+ and +HEAD+ requests
+      # To simulate +GET+, +POST+, +PATCH+, +PUT+, +DELETE+, and +HEAD+ requests
       # prefer using #get, #post, #patch, #put, #delete and #head methods
       # respectively which will make tests more expressive.
       #
+      # It's not recommended to make more than one request in the same test. Instance
+      # variables that are set in one request will not persist to the next request,
+      # but it's not guaranteed that all \Rails internal state will be reset. Prefer
+      # ActionDispatch::IntegrationTest for making multiple requests in the same test.
+      #
       # Note that the request method is not verified.
       def process(action, method: "GET", params: nil, session: nil, body: nil, flash: {}, format: nil, xhr: false, as: nil)
         check_required_ivars
+        @controller.clear_instance_variables_between_requests
 
         action = +action.to_s
         http_method = method.to_s.upcase
@@ -574,10 +596,19 @@ module ActionController
           end
         end
 
+        def wrap_execution(&block)
+          if ActionController::TestCase.executor_around_each_request && defined?(Rails.application) && Rails.application
+            Rails.application.executor.wrap(&block)
+          else
+            yield
+          end
+        end
+
         def process_controller_response(action, cookies, xhr)
           begin
             @controller.recycle!
-            @controller.dispatch(action, @request, @response)
+
+            wrap_execution { @controller.dispatch(action, @request, @response) }
           ensure
             @request = @controller.request
             @response = @controller.response
@@ -623,7 +654,7 @@ module ActionController
         end
 
         def check_required_ivars
-          # Sanity check for required instance variables so we can give an
+          # Check for required instance variables so we can give an
           # understandable error message.
           [:@routes, :@controller, :@request, :@response].each do |iv_name|
             if !instance_variable_defined?(iv_name) || instance_variable_get(iv_name).nil?

data/lib/action_controller.rb

@@ -2,8 +2,17 @@
 
 require "abstract_controller"
 require "action_dispatch"
+require "action_controller/deprecator"
 require "action_controller/metal/strong_parameters"
+require "action_controller/metal/exceptions"
 
+# = Action Controller
+#
+# Action Controller is a module of Action Pack.
+#
+# Action Controller provides a base controller class that can be subclassed to
+# implement filters and actions to handle requests. The result of an action is
+# typically content generated from views.
 module ActionController
   extend ActiveSupport::Autoload
 
@@ -18,10 +27,6 @@ module ActionController
   end
 
   autoload_under "metal" do
-    eager_autoload do
-      autoload :Live
-    end
-
     autoload :ConditionalGet
     autoload :ContentSecurityPolicy
     autoload :Cookies
@@ -37,6 +42,7 @@ module ActionController
     autoload :BasicImplicitRender
     autoload :ImplicitRender
     autoload :Instrumentation
+    autoload :Live
     autoload :Logging
     autoload :MimeResponds
     autoload :ParamsWrapper
@@ -62,8 +68,6 @@ end
 
 # Common Active Support usage in Action Controller
 require "active_support/core_ext/module/attribute_accessors"
-require "active_support/core_ext/load_error"
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/name_error"
-require "active_support/core_ext/uri"
 require "active_support/inflector"

data/lib/action_dispatch/constants.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "rack/version"
+
+module ActionDispatch
+  module Constants
+    # Response Header keys for Rack 2.x and 3.x
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+      VARY = "Vary"
+      CONTENT_ENCODING = "Content-Encoding"
+      CONTENT_SECURITY_POLICY = "Content-Security-Policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+      LOCATION = "Location"
+      FEATURE_POLICY = "Feature-Policy"
+      X_REQUEST_ID = "X-Request-Id"
+      X_CASCADE = "X-Cascade"
+      SERVER_TIMING = "Server-Timing"
+      STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security"
+    else
+      VARY = "vary"
+      CONTENT_ENCODING = "content-encoding"
+      CONTENT_SECURITY_POLICY = "content-security-policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only"
+      LOCATION = "location"
+      FEATURE_POLICY = "feature-policy"
+      X_REQUEST_ID = "x-request-id"
+      X_CASCADE = "x-cascade"
+      SERVER_TIMING = "server-timing"
+      STRICT_TRANSPORT_SECURITY = "strict-transport-security"
+    end
+  end
+end

data/lib/action_dispatch/deprecator.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  def self.deprecator # :nodoc:
+    @deprecator ||= ActiveSupport::Deprecation.new
+  end
+end

data/lib/action_dispatch/http/cache.rb

@@ -32,8 +32,8 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (Last-Modified and ETag) against request
-        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # Check response freshness (+Last-Modified+ and ETag) against request
+        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
         # supplied, both must match, or the request is not considered fresh.
         def fresh?(response)
           last_modified = if_modified_since
@@ -81,8 +81,8 @@ module ActionDispatch
 
         # This method sets a weak ETag validator on the response so browsers
         # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the If-None-Match header is set to the cached ETag. If it
-        # matches the current ETag, we can return a 304 Not Modified response
+        # requests, the +If-None-Match+ header is set to the cached ETag. If it
+        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
         # with no body, letting the browser or proxy know that their cache is
         # current. Big savings in request time and network bandwidth.
         #
@@ -92,7 +92,7 @@ module ActionDispatch
         # is viewing.
         #
         # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support Range requests, useful for paging
+        # browser or proxy cache to support +Range+ requests, useful for paging
         # through a PDF file or scrubbing through a video. Some CDNs only
         # support strong ETags and will ignore weak ETags entirely.
         #
@@ -112,12 +112,12 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set and it's a weak validator (preceded with W/)
+        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
         def strong_etag?
           etag? && !weak_etag?
         end
@@ -138,15 +138,13 @@ module ActionDispatch
         def cache_control_segments
           if cache_control = _cache_control
             cache_control.delete(" ").split(",")
-          else
-            []
           end
         end
 
         def cache_control_headers
           cache_control = {}
 
-          cache_control_segments.each do |segment|
+          cache_control_segments&.each do |segment|
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive
@@ -187,13 +185,20 @@ module ActionDispatch
 
           return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
 
-          if extras = control.delete(:extras)
-            cache_control[:extras] ||= []
-            cache_control[:extras] += extras
-            cache_control[:extras].uniq!
-          end
+          if cache_control.any?
+            # Any caching directive coming from a controller overrides
+            # no-cache/no-store in the default Cache-Control header.
+            control.delete(:no_cache)
+            control.delete(:no_store)
+
+            if extras = control.delete(:extras)
+              cache_control[:extras] ||= []
+              cache_control[:extras] += extras
+              cache_control[:extras].uniq!
+            end
 
-          control.merge! cache_control
+            control.merge! cache_control
+          end
 
           options = []
 

data/lib/action_dispatch/http/content_security_policy.rb

@@ -3,23 +3,43 @@
 require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
-module ActionDispatch #:nodoc:
+module ActionDispatch # :nodoc:
+  # = Action Dispatch Content Security Policy
+  #
+  # Configures the HTTP
+  # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
+  # response header to help protect against XSS and injection attacks.
+  #
+  # Example global policy:
+  #
+  #   Rails.application.config.content_security_policy do |policy|
+  #     policy.default_src :self, :https
+  #     policy.font_src    :self, :https, :data
+  #     policy.img_src     :self, :https, :data
+  #     policy.object_src  :none
+  #     policy.script_src  :self, :https
+  #     policy.style_src   :self, :https
+  #
+  #     # Specify URI for violation reports
+  #     policy.report_uri "/csp-violation-report-endpoint"
+  #   end
   class ContentSecurityPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      POLICY = "Content-Security-Policy"
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
-
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
-        _, headers, _ = response = @app.call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
+        # CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
@@ -33,14 +53,15 @@ module ActionDispatch #:nodoc:
       private
         def header_name(request)
           if request.content_security_policy_report_only
-            POLICY_REPORT_ONLY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
           else
-            POLICY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
           end
         end
 
         def policy_present?(headers)
-          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
         end
     end
 
@@ -100,43 +121,48 @@ module ActionDispatch #:nodoc:
     end
 
     MAPPINGS = {
-      self:           "'self'",
-      unsafe_eval:    "'unsafe-eval'",
-      unsafe_inline:  "'unsafe-inline'",
-      none:           "'none'",
-      http:           "http:",
-      https:          "https:",
-      data:           "data:",
-      mediastream:    "mediastream:",
-      blob:           "blob:",
-      filesystem:     "filesystem:",
-      report_sample:  "'report-sample'",
-      strict_dynamic: "'strict-dynamic'",
-      ws:             "ws:",
-      wss:            "wss:"
+      self:             "'self'",
+      unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
+      unsafe_inline:    "'unsafe-inline'",
+      none:             "'none'",
+      http:             "http:",
+      https:            "https:",
+      data:             "data:",
+      mediastream:      "mediastream:",
+      allow_duplicates: "'allow-duplicates'",
+      blob:             "blob:",
+      filesystem:       "filesystem:",
+      report_sample:    "'report-sample'",
+      script:           "'script'",
+      strict_dynamic:   "'strict-dynamic'",
+      ws:               "ws:",
+      wss:              "wss:"
     }.freeze
 
     DIRECTIVES = {
-      base_uri:        "base-uri",
-      child_src:       "child-src",
-      connect_src:     "connect-src",
-      default_src:     "default-src",
-      font_src:        "font-src",
-      form_action:     "form-action",
-      frame_ancestors: "frame-ancestors",
-      frame_src:       "frame-src",
-      img_src:         "img-src",
-      manifest_src:    "manifest-src",
-      media_src:       "media-src",
-      object_src:      "object-src",
-      prefetch_src:    "prefetch-src",
-      script_src:      "script-src",
-      script_src_attr: "script-src-attr",
-      script_src_elem: "script-src-elem",
-      style_src:       "style-src",
-      style_src_attr:  "style-src-attr",
-      style_src_elem:  "style-src-elem",
-      worker_src:      "worker-src"
+      base_uri:                   "base-uri",
+      child_src:                  "child-src",
+      connect_src:                "connect-src",
+      default_src:                "default-src",
+      font_src:                   "font-src",
+      form_action:                "form-action",
+      frame_ancestors:            "frame-ancestors",
+      frame_src:                  "frame-src",
+      img_src:                    "img-src",
+      manifest_src:               "manifest-src",
+      media_src:                  "media-src",
+      object_src:                 "object-src",
+      prefetch_src:               "prefetch-src",
+      require_trusted_types_for:  "require-trusted-types-for",
+      script_src:                 "script-src",
+      script_src_attr:            "script-src-attr",
+      script_src_elem:            "script-src-elem",
+      style_src:                  "style-src",
+      style_src_attr:             "style-src-attr",
+      style_src_elem:             "style-src-elem",
+      trusted_types:              "trusted-types",
+      worker_src:                 "worker-src"
     }.freeze
 
     DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
@@ -164,6 +190,15 @@ module ActionDispatch #:nodoc:
       end
     end
 
+    # Specify whether to prevent the user agent from loading any assets over
+    # HTTP when the page uses HTTPS:
+    #
+    #   policy.block_all_mixed_content
+    #
+    # Pass +false+ to allow it again:
+    #
+    #   policy.block_all_mixed_content false
+    #
     def block_all_mixed_content(enabled = true)
       if enabled
         @directives["block-all-mixed-content"] = true
@@ -172,6 +207,14 @@ module ActionDispatch #:nodoc:
       end
     end
 
+    # Restricts the set of plugins that can be embedded:
+    #
+    #   policy.plugin_types "application/x-shockwave-flash"
+    #
+    # Leave empty to allow all plugins:
+    #
+    #   policy.plugin_types
+    #
     def plugin_types(*types)
       if types.first
         @directives["plugin-types"] = types
@@ -180,10 +223,24 @@ module ActionDispatch #:nodoc:
       end
     end
 
+    # Enable the {report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
+    # directive. Violation reports will be sent to the specified URI:
+    #
+    #   policy.report_uri "/csp-violation-report-endpoint"
+    #
     def report_uri(uri)
       @directives["report-uri"] = [uri]
     end
 
+    # Specify asset types for which {Subresource Integrity}[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity]
+    # is required:
+    #
+    #   policy.require_sri_for :script, :style
+    #
+    # Leave empty to not require Subresource Integrity:
+    #
+    #   policy.require_sri_for
+    #
     def require_sri_for(*types)
       if types.first
         @directives["require-sri-for"] = types
@@ -192,6 +249,19 @@ module ActionDispatch #:nodoc:
       end
     end
 
+    # Specify whether a {sandbox}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox]
+    # should be enabled for the requested resource:
+    #
+    #   policy.sandbox
+    #
+    # Values can be passed as arguments:
+    #
+    #   policy.sandbox "allow-scripts", "allow-modals"
+    #
+    # Pass +false+ to disable the sandbox:
+    #
+    #   policy.sandbox false
+    #
     def sandbox(*values)
       if values.empty?
         @directives["sandbox"] = true
@@ -202,6 +272,14 @@ module ActionDispatch #:nodoc:
       end
     end
 
+    # Specify whether user agents should treat any assets over HTTP as HTTPS:
+    #
+    #   policy.upgrade_insecure_requests
+    #
+    # Pass +false+ to disable it:
+    #
+    #   policy.upgrade_insecure_requests false
+    #
     def upgrade_insecure_requests(enabled = true)
       if enabled
         @directives["upgrade-insecure-requests"] = true

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,28 +4,15 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
-    # from a hash is possible by using the dot notation: 'credit_card.number'.
-    # If a block is given, each key and value of the params hash and all
-    # sub-hashes are passed to it, where the value or the key can be replaced using
-    # String#replace or similar methods.
+    # = Action Dispatch HTTP Filter Parameters
     #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
+    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
-    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
-    #   change { file: { code: "xxxx"} }
-    #
-    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k.match?(/secret/i)
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -36,6 +23,7 @@ module ActionDispatch
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
       # Returns a hash of parameters with all sensitive data replaced.
@@ -55,13 +43,16 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    private
-      def parameter_filter # :doc:
-        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      def parameter_filter
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
+    private
       def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER

data/lib/action_dispatch/http/headers.rb

@@ -2,6 +2,8 @@
 
 module ActionDispatch
   module Http
+    # = Action Dispatch HTTP \Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
@@ -65,7 +67,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
       def add(key, value)
         @req.add_header env_name(key), value
       end