actionpack 6.1.7.5 → 7.1.3.1

data/lib/action_dispatch/journey/visualizer/fsm.js

@@ -68,7 +68,7 @@ function highlight_state(index, color) {
 }
 
 function highlight_finish(index) {
-  svg_nodes[index].select('polygon')
+  svg_nodes[index].select('ellipse')
     .style("fill", "while")
     .transition().duration(500)
     .style("fill", "blue");
@@ -76,54 +76,79 @@ function highlight_finish(index) {
 
 function match(input) {
   reset_graph();
-  var table         = tt();
-  var states        = [0];
-  var regexp_states = table['regexp_states'];
-  var string_states = table['string_states'];
-  var accepting     = table['accepting'];
+  var table           = tt();
+  var states          = [[0, null]];
+  var regexp_states   = table['regexp_states'];
+  var string_states   = table['string_states'];
+  var stdparam_states = table['stdparam_states'];
+  var accepting       = table['accepting'];
+  var default_re      = new RegExp("^[^.\/?]+$");
+  var start_index     = 0;
 
   highlight_state(0);
 
   tokenize(input, function(token) {
+    var end_index = start_index + token.length;
+
     var new_states = [];
     for(var key in states) {
-      var state = states[key];
+      var state_parts = states[key];
+      var state = state_parts[0];
+      var previous_start = state_parts[1];
+
+      if(previous_start == null) {
+        if(string_states[state] && string_states[state][token]) {
+          var new_state = string_states[state][token];
+          highlight_edge(state, new_state);
+          highlight_state(new_state);
+          new_states.push([new_state, null]);
+        }
 
-      if(string_states[state] && string_states[state][token]) {
-        var new_state = string_states[state][token];
-        highlight_edge(state, new_state);
-        highlight_state(new_state);
-        new_states.push(new_state);
+        if(stdparam_states[state] && default_re.test(token)) {
+          for(var key in stdparam_states[state]) {
+            var new_state = stdparam_states[state][key];
+            highlight_edge(state, new_state);
+            highlight_state(new_state);
+            new_states.push([new_state, null]);
+          }
+        }
       }
 
       if(regexp_states[state]) {
+        var slice_start = previous_start != null ? previous_start : start_index;
+
         for(var key in regexp_states[state]) {
           var re = new RegExp("^" + key + "$");
-          if(re.test(token)) {
+
+          var accumulation = input.slice(slice_start, end_index);
+
+          if(re.test(accumulation)) {
             var new_state = regexp_states[state][key];
             highlight_edge(state, new_state);
             highlight_state(new_state);
-            new_states.push(new_state);
+            new_states.push([new_state, null]);
           }
+
+          // retry the same regexp with the accumulated data either way
+          new_states.push([state, slice_start]);
         }
       }
     }
 
-    if(new_states.length == 0) {
-      return;
-    }
     states = new_states;
+    start_index = end_index;
   });
 
   for(var key in states) {
-    var state = states[key];
+    var state_parts = states[key];
+    var state = state_parts[0];
+    var slice_start = state_parts[1];
+
+    // we must ignore ones that are still accepting more data
+    if (slice_start != null) continue;
+
     if(accepting[state]) {
-      for(var mkey in svg_edges[state]) {
-        if(!regexp_states[mkey] && !string_states[mkey]) {
-          highlight_edge(state, mkey);
-          highlight_finish(mkey);
-        }
-      }
+      highlight_finish(state);
     } else {
       highlight_state(state, "red");
     }

data/lib/action_dispatch/journey/visualizer/index.html.erb

@@ -8,7 +8,7 @@
         <%= style %>
       <% end %>
     </style>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js" type="text/javascript"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js"></script>
   </head>
   <body>
     <div id="wrapper">

data/lib/action_dispatch/log_subscriber.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  class LogSubscriber < ActiveSupport::LogSubscriber
+    def redirect(event)
+      payload = event.payload
+
+      info { "Redirected to #{payload[:location]}" }
+
+      info do
+        status = payload[:status]
+
+        message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms"
+        message << "\n\n" if defined?(Rails.env) && Rails.env.development?
+
+        message
+      end
+    end
+    subscribe_log_level :redirect, :info
+  end
+end
+
+ActionDispatch::LogSubscriber.attach_to :action_dispatch

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "erb"
 require "uri"
-require "action_dispatch/http/request"
 require "active_support/actionable_error"
 
 module ActionDispatch
@@ -31,15 +29,15 @@ module ActionDispatch
         uri = URI.parse location
 
         if uri.relative? || uri.scheme == "http" || uri.scheme == "https"
-          body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"
+          body = ""
         else
-          return [400, { "Content-Type" => "text/plain" }, ["Invalid redirection URI"]]
+          return [400, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" }, ["Invalid redirection URI"]]
         end
 
         [302, {
-          "Content-Type" => "text/html; charset=#{Response.default_charset}",
-          "Content-Length" => body.bytesize.to_s,
-          "Location" => location,
+          Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+          Rack::CONTENT_LENGTH => body.bytesize.to_s,
+          ActionDispatch::Constants::LOCATION => location,
         }, [body]]
       end
   end

data/lib/action_dispatch/middleware/assume_ssl.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  # = Action Dispatch \AssumeSSL
+  #
+  # When proxying through a load balancer that terminates SSL, the forwarded request will appear
+  # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
+  # security target HTTP instead of HTTPS. This middleware makes the server assume that the
+  # proxy already terminated SSL, and that the request really is HTTPS.
+  class AssumeSSL
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      env["HTTPS"] = "on"
+      env["HTTP_X_FORWARDED_PORT"] = "443"
+      env["HTTP_X_FORWARDED_PROTO"] = "https"
+      env["rack.url_scheme"] = "https"
+
+      @app.call(env)
+    end
+  end
+end

data/lib/action_dispatch/middleware/callbacks.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \Callbacks
+  #
   # Provides callbacks to be executed before and after dispatching the request.
   class Callbacks
     include ActiveSupport::Callbacks

data/lib/action_dispatch/middleware/cookies.rb

@@ -7,7 +7,7 @@ require "active_support/json"
 require "rack/utils"
 
 module ActionDispatch
-  class Request
+  module RequestCookieMethods
     def cookie_jar
       fetch_header("action_dispatch.cookies") do
         self.cookie_jar = Cookies::CookieJar.build(self, cookies)
@@ -70,7 +70,7 @@ module ActionDispatch
     end
 
     def cookies_same_site_protection
-      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION) || Proc.new { }
+      get_header(Cookies::COOKIES_SAME_SITE_PROTECTION)&.call(self)
     end
 
     def cookies_digest
@@ -88,10 +88,14 @@ module ActionDispatch
     # :startdoc:
   end
 
-  # Read and write data to cookies through ActionController#cookies.
+  ActiveSupport.on_load(:action_dispatch_request) do
+    include RequestCookieMethods
+  end
+
+  # Read and write data to cookies through ActionController::Cookies#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
-  # When writing cookie data, the data is sent out in the HTTP response header, Set-Cookie.
+  # When writing cookie data, the data is sent out in the HTTP response header, +Set-Cookie+.
   #
   # Examples of writing:
   #
@@ -99,7 +103,7 @@ module ActionDispatch
   #   # This cookie will be deleted when the user's browser is closed.
   #   cookies[:user_name] = "david"
   #
-  #   # Cookie values are String based. Other data types need to be serialized.
+  #   # Cookie values are String-based. Other data types need to be serialized.
   #   cookies[:lat_lon] = JSON.generate([47.68, -122.37])
   #
   #   # Sets a cookie that expires in 1 hour.
@@ -135,7 +139,7 @@ module ActionDispatch
   #
   #   cookies.delete :user_name
   #
-  # Please note that if you specify a :domain when setting a cookie, you must also specify the domain when deleting the cookie:
+  # Please note that if you specify a +:domain+ when setting a cookie, you must also specify the domain when deleting the cookie:
   #
   #  cookies[:name] = {
   #    value: 'a yummy cookie',
@@ -156,13 +160,18 @@ module ActionDispatch
   #   to <tt>:all</tt>. To support multiple domains, provide an array, and
   #   the first domain matching <tt>request.host</tt> will be used. Make
   #   sure to specify the <tt>:domain</tt> option with <tt>:all</tt> or
-  #   <tt>Array</tt> again when deleting cookies.
+  #   <tt>Array</tt> again when deleting cookies. For more flexibility you
+  #   can set the domain on a per-request basis by specifying <tt>:domain</tt>
+  #   with a proc.
   #
   #     domain: nil  # Does not set cookie domain. (default)
   #     domain: :all # Allow the cookie for the top most level
   #                  # domain and subdomains.
   #     domain: %w(.example.com .example.org) # Allow the cookie
   #                                           # for concrete domain names.
+  #     domain: proc { Tenant.current.cookie_domain } # Set cookie domain dynamically
+  #     domain: proc { |req| ".sub.#{req.host}" }     # Set cookie domain dynamically based on request
+  #
   #
   # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
   #   set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
@@ -172,6 +181,10 @@ module ActionDispatch
   #   Default is +false+.
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
+  # * <tt>:same_site</tt> - The value of the +SameSite+ cookie attribute, which
+  #   determines how this cookie should be restricted in cross-site contexts.
+  #   Possible values are +nil+, +:none+, +:lax+, and +:strict+. Defaults to
+  #   +:lax+.
   class Cookies
     HTTP_HEADER   = "Set-Cookie"
     GENERATOR_KEY = "action_dispatch.key_generator"
@@ -195,7 +208,7 @@ module ActionDispatch
     # Raised when storing more than 4K of session data.
     CookieOverflow = Class.new StandardError
 
-    # Include in a cookie jar to allow chaining, e.g. cookies.permanent.signed.
+    # Include in a cookie jar to allow chaining, e.g. +cookies.permanent.signed+.
     module ChainedCookieJars
       # Returns a jar that'll automatically set the assigned cookies to have an expiration date 20 years from now. Example:
       #
@@ -280,7 +293,7 @@ module ActionDispatch
         end
     end
 
-    class CookieJar #:nodoc:
+    class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
       def self.build(req, cookies)
@@ -369,6 +382,8 @@ module ActionDispatch
       # Removes the cookie on the client machine by setting the value to an empty string
       # and the expiration date in the past. Like <tt>[]=</tt>, you can pass in
       # an options hash to delete cookies with extra data such as a <tt>:path</tt>.
+      #
+      # Returns the value of the cookie, or +nil+ if the cookie does not exist.
       def delete(name, options = {})
         return unless @cookies.has_key? name.to_s
 
@@ -394,9 +409,15 @@ module ActionDispatch
         @cookies.each_key { |k| delete(k, options) }
       end
 
-      def write(headers)
-        if header = make_set_cookie_header(headers[HTTP_HEADER])
-          headers[HTTP_HEADER] = header
+      def write(response)
+        @set_cookies.each do |name, value|
+          if write_cookie?(value)
+            response.set_cookie(name, value)
+          end
+        end
+
+        @delete_cookies.each do |name, value|
+          response.delete_cookie(name, value)
         end
       end
 
@@ -407,21 +428,8 @@ module ActionDispatch
           ::Rack::Utils.escape(string)
         end
 
-        def make_set_cookie_header(header)
-          header = @set_cookies.inject(header) { |m, (k, v)|
-            if write_cookie?(v)
-              ::Rack::Utils.add_cookie_to_header(m, k, v)
-            else
-              m
-            end
-          }
-          @delete_cookies.inject(header) { |m, (k, v)|
-            ::Rack::Utils.add_remove_cookie_to_header(m, k, v)
-          }
-        end
-
         def write_cookie?(cookie)
-          request.ssl? || !cookie[:secure] || always_write_cookie
+          request.ssl? || !cookie[:secure] || always_write_cookie || request.host.end_with?(".onion")
         end
 
         def handle_options(options)
@@ -431,12 +439,13 @@ module ActionDispatch
 
           options[:path]      ||= "/"
 
-          cookies_same_site_protection = request.cookies_same_site_protection
-          options[:same_site] ||= cookies_same_site_protection.call(request)
+          unless options.key?(:same_site)
+            options[:same_site] = request.cookies_same_site_protection
+          end
 
           if options[:domain] == :all || options[:domain] == "all"
             cookie_domain = ""
-            dot_splitted_host = request.host.split('.', -1)
+            dot_splitted_host = request.host.split(".", -1)
 
             # Case where request.host is not an IP address or it's an invalid domain
             # (ip confirms to the domain structure we expect so we explicitly check for ip)
@@ -446,10 +455,10 @@ module ActionDispatch
             end
 
             # If there is a provided tld length then we use it otherwise default domain.
-            if options[:tld_length].present? 
+            if options[:tld_length].present?
               # Case where the tld_length provided is valid
               if dot_splitted_host.length >= options[:tld_length]
-                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
+                cookie_domain = dot_splitted_host.last(options[:tld_length]).join(".")
               end
             # Case where tld_length is not provided
             else
@@ -458,12 +467,12 @@ module ActionDispatch
                 cookie_domain = dot_splitted_host.last(2).join(".")
               # **.**, ***.** style TLDs like co.uk and com.au
               else
-                cookie_domain = dot_splitted_host.last(3).join('.')
+                cookie_domain = dot_splitted_host.last(3).join(".")
               end
             end
 
             options[:domain] = if cookie_domain.present?
-              ".#{cookie_domain}"
+              cookie_domain
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.
@@ -471,6 +480,8 @@ module ActionDispatch
               domain = domain.delete_prefix(".")
               request.host == domain || request.host.end_with?(".#{domain}")
             end
+          elsif options[:domain].respond_to?(:call)
+            options[:domain] = options[:domain].call(request)
           end
         end
     end
@@ -534,75 +545,57 @@ module ActionDispatch
         end
     end
 
-    class MarshalWithJsonFallback # :nodoc:
-      def self.load(value)
-        Marshal.load(value)
-      rescue TypeError => e
-        ActiveSupport::JSON.decode(value) rescue raise e
-      end
-
-      def self.dump(value)
-        Marshal.dump(value)
-      end
-    end
-
-    class JsonSerializer # :nodoc:
-      def self.load(value)
-        ActiveSupport::JSON.decode(value)
-      end
-
-      def self.dump(value)
-        ActiveSupport::JSON.encode(value)
-      end
-    end
-
     module SerializedCookieJars # :nodoc:
-      MARSHAL_SIGNATURE = "\x04\x08"
       SERIALIZER = ActiveSupport::MessageEncryptor::NullSerializer
 
       protected
-        def needs_migration?(value)
-          request.cookies_serializer == :hybrid && value.start_with?(MARSHAL_SIGNATURE)
+        def digest
+          request.cookies_digest || "SHA1"
         end
 
-        def serialize(value)
-          serializer.dump(value)
+      private
+        def serializer
+          @serializer ||=
+            case request.cookies_serializer
+            when nil
+              ActiveSupport::Messages::SerializerWithFallback[:marshal]
+            when :hybrid
+              ActiveSupport::Messages::SerializerWithFallback[:json_allow_marshal]
+            when Symbol
+              ActiveSupport::Messages::SerializerWithFallback[request.cookies_serializer]
+            else
+              request.cookies_serializer
+            end
         end
 
-        def deserialize(name)
-          rotate = false
-          value  = yield -> { rotate = true }
+        def reserialize?(dumped)
+          serializer.is_a?(ActiveSupport::Messages::SerializerWithFallback) &&
+            serializer != ActiveSupport::Messages::SerializerWithFallback[:marshal] &&
+            !serializer.dumped?(dumped)
+        end
 
-          if value
-            case
-            when needs_migration?(value)
-              Marshal.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            when rotate
-              serializer.load(value).tap do |v|
-                self[name] = { value: v }
-              end
-            else
-              serializer.load(value)
+        def parse(name, dumped, force_reserialize: false, **)
+          if dumped
+            begin
+              value = serializer.load(dumped)
+            rescue StandardError
+              return
             end
+
+            self[name] = { value: value } if force_reserialize || reserialize?(dumped)
+
+            value
           end
         end
 
-        def serializer
-          serializer = request.cookies_serializer || :marshal
-          case serializer
-          when :marshal
-            MarshalWithJsonFallback
-          when :json, :hybrid
-            JsonSerializer
-          else
-            serializer
-          end
+        def commit(name, options)
+          options[:value] = serializer.dump(options[:value])
         end
 
-        def digest
-          request.cookies_digest || "SHA1"
+        def check_for_overflow!(name, options)
+          if options[:value].bytesize > MAX_COOKIE_SIZE
+            raise CookieOverflow, "#{name} cookie overflowed with size #{options[:value].bytesize} bytes"
+          end
         end
     end
 
@@ -623,15 +616,15 @@ module ActionDispatch
 
       private
         def parse(name, signed_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @verifier.verified(signed_message, on_rotation: rotate, purpose: purpose)
-          end
+          rotated = false
+          data = @verifier.verified(signed_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
         end
 
         def commit(name, options)
-          options[:value] = @verifier.generate(serialize(options[:value]), **cookie_metadata(name, options))
-
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @verifier.generate(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
 
@@ -673,17 +666,17 @@ module ActionDispatch
 
       private
         def parse(name, encrypted_message, purpose: nil)
-          deserialize(name) do |rotate|
-            @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
-          end
+          rotated = false
+          data = @encryptor.decrypt_and_verify(encrypted_message, purpose: purpose, on_rotation: -> { rotated = true })
+          super(name, data, force_reserialize: rotated)
         rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
           nil
         end
 
         def commit(name, options)
-          options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]), **cookie_metadata(name, options))
-
-          raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
+          super
+          options[:value] = @encryptor.encrypt_and_sign(options[:value], **cookie_metadata(name, options))
+          check_for_overflow!(name, options)
         end
     end
 
@@ -692,21 +685,18 @@ module ActionDispatch
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
-
-      status, headers, body = @app.call(env)
+      request = ActionDispatch::Request.new(env)
+      response = @app.call(env)
 
       if request.have_cookie_jar?
         cookie_jar = request.cookie_jar
         unless cookie_jar.committed?
-          cookie_jar.write(headers)
-          if headers[HTTP_HEADER].respond_to?(:join)
-            headers[HTTP_HEADER] = headers[HTTP_HEADER].join("\n")
-          end
+          response = Rack::Response[*response]
+          cookie_jar.write(response)
         end
       end
 
-      [status, headers, body]
+      response.to_a
     end
   end
 end