actionpack 6.1.7.6 → 7.0.0.alpha1

data/lib/action_controller/metal/instrumentation.rb

@@ -16,30 +16,6 @@ module ActionController
 
     attr_internal :view_runtime
 
-    def process_action(*)
-      raw_payload = {
-        controller: self.class.name,
-        action: action_name,
-        request: request,
-        params: request.filtered_parameters,
-        headers: request.headers,
-        format: request.format.ref,
-        method: request.request_method,
-        path: request.fullpath
-      }
-
-      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
-
-      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
-        result = super
-        payload[:response] = response
-        payload[:status]   = response.status
-        result
-      ensure
-        append_info_to_payload(payload)
-      end
-    end
-
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
@@ -70,37 +46,64 @@ module ActionController
       end
     end
 
-  private
-    # A hook invoked every time a before callback is halted.
-    def halted_callback_hook(filter, _)
-      ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
-    end
+    private
+      def process_action(*)
+        raw_payload = {
+          controller: self.class.name,
+          action: action_name,
+          request: request,
+          params: request.filtered_parameters,
+          headers: request.headers,
+          format: request.format.ref,
+          method: request.request_method,
+          path: request.fullpath
+        }
 
-    # A hook which allows you to clean up any time, wrongly taken into account in
-    # views, like database querying time.
-    #
-    #   def cleanup_view_runtime
-    #     super - time_taken_in_something_expensive
-    #   end
-    def cleanup_view_runtime # :doc:
-      yield
-    end
+        ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)
 
-    # Every time after an action is processed, this method is invoked
-    # with the payload, so you can add more information.
-    def append_info_to_payload(payload) # :doc:
-      payload[:view_runtime] = view_runtime
-    end
+        ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
+          result = super
+          payload[:response] = response
+          payload[:status]   = response.status
+          result
+        rescue => error
+          payload[:status] = ActionDispatch::ExceptionWrapper.status_code_for_exception(error.class.name)
+          raise
+        ensure
+          append_info_to_payload(payload)
+        end
+      end
 
-    module ClassMethods
-      # A hook which allows other frameworks to log what happened during
-      # controller process action. This method should return an array
-      # with the messages to be added.
-      def log_process_action(payload) #:nodoc:
-        messages, view_runtime = [], payload[:view_runtime]
-        messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
-        messages
+      # A hook invoked every time a before callback is halted.
+      def halted_callback_hook(filter, _)
+        ActiveSupport::Notifications.instrument("halted_callback.action_controller", filter: filter)
+      end
+
+      # A hook which allows you to clean up any time, wrongly taken into account in
+      # views, like database querying time.
+      #
+      #   def cleanup_view_runtime
+      #     super - time_taken_in_something_expensive
+      #   end
+      def cleanup_view_runtime # :doc:
+        yield
+      end
+
+      # Every time after an action is processed, this method is invoked
+      # with the payload, so you can add more information.
+      def append_info_to_payload(payload) # :doc:
+        payload[:view_runtime] = view_runtime
+      end
+
+      module ClassMethods
+        # A hook which allows other frameworks to log what happened during
+        # controller process action. This method should return an array
+        # with the messages to be added.
+        def log_process_action(payload) # :nodoc:
+          messages, view_runtime = [], payload[:view_runtime]
+          messages << ("Views: %.1fms" % view_runtime.to_f) if view_runtime
+          messages
+        end
       end
-    end
   end
 end

data/lib/action_controller/metal/live.rb

@@ -124,7 +124,7 @@ module ActionController
     class ClientDisconnected < RuntimeError
     end
 
-    class Buffer < ActionDispatch::Response::Buffer #:nodoc:
+    class Buffer < ActionDispatch::Response::Buffer # :nodoc:
       include MonitorMixin
 
       class << self
@@ -168,6 +168,11 @@ module ActionController
         end
       end
 
+      # Same as +write+ but automatically include a newline at the end of the string.
+      def writeln(string)
+        write string.end_with?("\n") ? string : "#{string}\n"
+      end
+
       # Write a 'close' event to the buffer; the producer/writing thread
       # uses this to notify us that it's finished supplying content.
       #
@@ -225,7 +230,7 @@ module ActionController
         end
     end
 
-    class Response < ActionDispatch::Response #:nodoc: all
+    class Response < ActionDispatch::Response # :nodoc: all
       private
         def before_committed
           super
@@ -291,6 +296,41 @@ module ActionController
       response.close if response
     end
 
+    # Sends a stream to the browser, which is helpful when you're generating exports or other running data where you
+    # don't want the entire file buffered in memory first. Similar to send_data, but where the data is generated live.
+    #
+    # Options:
+    # * <tt>:filename</tt> - suggests a filename for the browser to use.
+    # * <tt>:type</tt> - specifies an HTTP content type.
+    #   You can specify either a string or a symbol for a registered type with <tt>Mime::Type.register</tt>, for example :json.
+    #   If omitted, type will be inferred from the file extension specified in <tt>:filename</tt>.
+    #   If no content type is registered for the extension, the default type 'application/octet-stream' will be used.
+    # * <tt>:disposition</tt> - specifies whether the file will be shown inline or downloaded.
+    #   Valid values are 'inline' and 'attachment' (default).
+    #
+    # Example of generating a csv export:
+    #
+    #    send_stream(filename: "subscribers.csv") do |stream|
+    #      stream.write "email_address,updated_at\n"
+    #
+    #      @subscribers.find_each do |subscriber|
+    #        stream.write "#{subscriber.email_address},#{subscriber.updated_at}\n"
+    #      end
+    #    end
+    def send_stream(filename:, disposition: "attachment", type: nil)
+      response.headers["Content-Type"] =
+        (type.is_a?(Symbol) ? Mime[type].to_s : type) ||
+        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete(".")) ||
+        "application/octet-stream"
+
+      response.headers["Content-Disposition"] =
+        ActionDispatch::Http::ContentDisposition.format(disposition: disposition, filename: filename)
+
+      yield response.stream
+    ensure
+      response.stream.close
+    end
+
     private
       # Spawn a new thread to serve up the controller in. This is to get
       # around the fact that Rack isn't based around IOs and we need to use

data/lib/action_controller/metal/mime_responds.rb

@@ -2,7 +2,7 @@
 
 require "abstract_controller/collector"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   module MimeResponds
     # Without web-service support, an action which collects the data for displaying a list of people
     # might look something like this:
@@ -103,7 +103,7 @@ module ActionController #:nodoc:
     # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
     # +config/initializers/mime_types.rb+ as follows.
     #
-    #   Mime::Type.register "image/jpg", :jpg
+    #   Mime::Type.register "image/jpeg", :jpg
     #
     # +respond_to+ also allows you to specify a common block for different formats by using +any+:
     #
@@ -289,7 +289,7 @@ module ActionController #:nodoc:
         @format = request.negotiate_mime(@responses.keys)
       end
 
-      class VariantCollector #:nodoc:
+      class VariantCollector # :nodoc:
         def initialize(variant = nil)
           @variant = variant
           @variants = {}

data/lib/action_controller/metal/params_wrapper.rb

@@ -242,14 +242,14 @@ module ActionController
       end
     end
 
-    # Performs parameters wrapping upon the request. Called automatically
-    # by the metal call stack.
-    def process_action(*)
-      _perform_parameter_wrapping if _wrapper_enabled?
-      super
-    end
-
     private
+      # Performs parameters wrapping upon the request. Called automatically
+      # by the metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
+
       # Returns the wrapper key which will be used to store wrapped parameters.
       def _wrapper_key
         _wrapper_options.name

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # HTTP Permissions Policy is a web standard for defining a mechanism to
   # allow and deny the use of browser permissions in its own context, and
   # in content within any <iframe> elements in the document.

data/lib/action_controller/metal/query_tags.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ActionController
+  module QueryTags # :nodoc:
+    extend ActiveSupport::Concern
+
+    included do
+      around_action :expose_controller_to_query_logs
+    end
+
+    private
+      def expose_controller_to_query_logs(&block)
+        ActiveRecord::QueryLogs.set_context(controller: self, &block)
+      end
+  end
+end

data/lib/action_controller/metal/redirecting.rb

@@ -7,9 +7,9 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
-    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
-
-    class UnsafeRedirectError < StandardError; end
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
 
     # Redirects the browser to the target specified in +options+. This parameter can be any one of:
     #
@@ -58,20 +58,28 @@ module ActionController
     #
     # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
     # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    #
     #   redirect_to post_url(@post) and return
+    #
+    # Passing user input directly into +redirect_to+ is considered dangerous (e.g. `redirect_to(params[:location])`).
+    # Always use regular expressions or a permitted list when redirecting to a user specified location.
     def redirect_to(options = {}, response_options = {})
+      response_options[:allow_other_host] ||= _allow_other_host unless response_options.key?(:allow_other_host)
+
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
       self.status        = _extract_redirect_to_status(options, response_options)
-
-      redirect_to_location = _compute_redirect_to_location(request, options)
-      _ensure_url_is_http_header_safe(redirect_to_location)
-
-      self.location      = redirect_to_location
+      self.location      = _compute_safe_redirect_to_location(request, options, response_options)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
+    # Soft deprecated alias for <tt>redirect_back_or_to</tt> where the fallback_location location is supplied as a keyword argument instead
+    # of the first positional argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
     # Redirects the browser to the page that issued the request (the referrer)
     # if possible, otherwise redirects to the provided default fallback
     # location.
@@ -81,35 +89,49 @@ module ActionController
     # subject to browser security settings and user preferences. If the request
     # is missing this header, the <tt>fallback_location</tt> will be used.
     #
-    #   redirect_back fallback_location: { action: "show", id: 5 }
-    #   redirect_back fallback_location: @post
-    #   redirect_back fallback_location: "http://www.rubyonrails.org"
-    #   redirect_back fallback_location: "/images/screenshot.jpg"
-    #   redirect_back fallback_location: posts_url
-    #   redirect_back fallback_location: proc { edit_post_url(@post) }
-    #   redirect_back fallback_location: '/', allow_other_host: false
+    #   redirect_back_or_to({ action: "show", id: 5 })
+    #   redirect_back_or_to @post
+    #   redirect_back_or_to "http://www.rubyonrails.org"
+    #   redirect_back_or_to "/images/screenshot.jpg"
+    #   redirect_back_or_to posts_url
+    #   redirect_back_or_to proc { edit_post_url(@post) }
+    #   redirect_back_or_to '/', allow_other_host: false
     #
     # ==== Options
-    # * <tt>:fallback_location</tt> - The default fallback location that will be used on missing +Referer+ header.
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
     # options and the behavior is identical.
-    def redirect_back(fallback_location:, allow_other_host: true, **args)
-      referer = request.headers["Referer"]
-      redirect_to_referer = referer && (allow_other_host || _url_host_allowed?(referer))
-      redirect_to redirect_to_referer ? referer : fallback_location, **args
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      location = request.referer || fallback_location
+      location = fallback_location unless allow_other_host || _url_host_allowed?(request.referer)
+      allow_other_host = true if _allow_other_host && !allow_other_host # if the fallback is an open redirect
+
+      redirect_to location, allow_other_host: allow_other_host, **options
     end
 
-    def _compute_redirect_to_location(request, options) #:nodoc:
+    def _compute_safe_redirect_to_location(request, options, response_options)
+      location = _compute_redirect_to_location(request, options)
+
+      if response_options[:allow_other_host] || _url_host_allowed?(location)
+        location
+      else
+        raise(ArgumentError, <<~MSG.squish)
+          Unsafe redirect #{location.truncate(100).inspect},
+          use :allow_other_host to redirect anyway.
+        MSG
+      end
+    end
+
+    def _compute_redirect_to_location(request, options) # :nodoc:
       case options
       # The scheme name consist of a letter followed by any combination of
       # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
       # characters; and is terminated by a colon (":").
       # See https://tools.ietf.org/html/rfc3986#section-3.1
       # The protocol relative scheme starts with a double slash "//".
-      when /\A([a-z][a-z\d\-+\.]*:|\/\/).*/i
-        options
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
       when String
         request.protocol + request.host_with_port + options
       when Proc
@@ -122,6 +144,10 @@ module ActionController
     public :_compute_redirect_to_location
 
     private
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
       def _extract_redirect_to_status(options, response_options)
         if options.is_a?(Hash) && options.key?(:status)
           Rack::Utils.status_code(options.delete(:status))
@@ -137,16 +163,5 @@ module ActionController
       rescue ArgumentError, URI::Error
         false
       end
-
-      def _ensure_url_is_http_header_safe(url)
-        # Attempt to comply with the set of valid token characters
-        # defined for an HTTP header value in
-        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
-        if url.match(ILLEGAL_HEADER_VALUE_REGEX)
-          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
-            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
-          raise UnsafeRedirectError, msg
-        end
-      end
   end
 end

data/lib/action_controller/metal/rendering.rb

@@ -24,14 +24,8 @@ module ActionController
       end
     end
 
-    # Before processing, set the request formats in current controller formats.
-    def process_action(*) #:nodoc:
-      self.formats = request.formats.map(&:ref).compact
-      super
-    end
-
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) #:nodoc:
+    def render(*args) # :nodoc:
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
@@ -53,6 +47,12 @@ module ActionController
     end
 
     private
+      # Before processing, set the request formats in current controller formats.
+      def process_action(*) # :nodoc:
+        self.formats = request.formats.filter_map(&:ref)
+        super
+      end
+
       def _process_variant(options)
         if defined?(request) && !request.nil? && request.variant.present?
           options[:variant] = request.variant
@@ -78,8 +78,8 @@ module ActionController
       end
 
       def _set_vary_header
-        if response.headers["Vary"].blank? && request.should_apply_vary_header?
-          response.headers["Vary"] = "Accept"
+        if self.headers["Vary"].blank? && request.should_apply_vary_header?
+          self.headers["Vary"] = "Accept"
         end
       end
 

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -4,11 +4,11 @@ require "rack/session/abstract/id"
 require "action_controller/metal/exceptions"
 require "active_support/security_utils"
 
-module ActionController #:nodoc:
-  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+module ActionController # :nodoc:
+  class InvalidAuthenticityToken < ActionControllerError # :nodoc:
   end
 
-  class InvalidCrossOriginRequest < ActionControllerError #:nodoc:
+  class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
@@ -57,6 +57,17 @@ module ActionController #:nodoc:
   module RequestForgeryProtection
     extend ActiveSupport::Concern
 
+    class DisabledSessionError < StandardError
+      MESSAGE = <<~EOS.squish
+        Request forgery protection requires a working session store but your application has sessions disabled.
+        You need to either disable request forgery protection, or configure a working session store.
+      EOS
+
+      def initialize(message = MESSAGE)
+        super
+      end
+    end
+
     include AbstractController::Helpers
     include AbstractController::Callbacks
 
@@ -90,6 +101,11 @@ module ActionController #:nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
+      # Controls whether trying to use forgery protection without a working session store
+      # issues a warning or raises an error.
+      config_accessor :silence_disabled_session_errors
+      self.silence_disabled_session_errors = true
+
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
       self.urlsafe_csrf_tokens = false
@@ -170,7 +186,7 @@ module ActionController #:nodoc:
         end
 
         private
-          class NullSessionHash < Rack::Session::Abstract::SessionHash #:nodoc:
+          class NullSessionHash < Rack::Session::Abstract::SessionHash # :nodoc:
             def initialize(req)
               super(nil, req)
               @data = {}
@@ -183,9 +199,13 @@ module ActionController #:nodoc:
             def exists?
               true
             end
+
+            def enabled?
+              false
+            end
           end
 
-          class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
+          class NullCookieJar < ActionDispatch::Cookies::CookieJar # :nodoc:
             def write(*)
               # nothing
             end
@@ -203,12 +223,14 @@ module ActionController #:nodoc:
       end
 
       class Exception
+        attr_accessor :warning_message
+
         def initialize(controller)
           @controller = controller
         end
 
         def handle_unverified_request
-          raise ActionController::InvalidAuthenticityToken
+          raise ActionController::InvalidAuthenticityToken, warning_message
         end
       end
     end
@@ -228,22 +250,31 @@ module ActionController #:nodoc:
         mark_for_same_origin_verification!
 
         if !verified_request?
-          if logger && log_warning_on_csrf_failure
-            if valid_request_origin?
-              logger.warn "Can't verify CSRF token authenticity."
-            else
-              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
-            end
-          end
+          logger.warn unverified_request_warning_message if logger && log_warning_on_csrf_failure
+
           handle_unverified_request
         end
       end
 
       def handle_unverified_request # :doc:
-        forgery_protection_strategy.new(self).handle_unverified_request
+        protection_strategy = forgery_protection_strategy.new(self)
+
+        if protection_strategy.respond_to?(:warning_message)
+          protection_strategy.warning_message = unverified_request_warning_message
+        end
+
+        protection_strategy.handle_unverified_request
+      end
+
+      def unverified_request_warning_message # :nodoc:
+        if valid_request_origin?
+          "Can't verify CSRF token authenticity."
+        else
+          "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+        end
       end
 
-      #:nodoc:
+      # :nodoc:
       CROSS_ORIGIN_JAVASCRIPT_WARNING = "Security warning: an embedded " \
         "<script> tag on another site requested protected JavaScript. " \
         "If you know what you're doing, go ahead and disable forgery " \
@@ -303,15 +334,15 @@ module ActionController #:nodoc:
         [form_authenticity_param, request.x_csrf_token]
       end
 
-      # Sets the token value for the current session.
-      def form_authenticity_token(form_options: {})
+      # Creates the authenticity token for the current request.
+      def form_authenticity_token(form_options: {}) # :doc:
         masked_authenticity_token(session, form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {}) # :doc:
+      def masked_authenticity_token(session, form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
@@ -438,7 +469,20 @@ module ActionController #:nodoc:
 
       # Checks if the controller allows forgery protection.
       def protect_against_forgery? # :doc:
-        allow_forgery_protection
+        allow_forgery_protection && ensure_session_is_enabled!
+      end
+
+      def ensure_session_is_enabled!
+        if !session.respond_to?(:enabled?) || session.enabled?
+          true
+        else
+          if silence_disabled_session_errors
+            ActiveSupport::Deprecation.warn(DisabledSessionError::MESSAGE)
+            false
+          else
+            raise DisabledSessionError
+          end
+        end
       end
 
       NULL_ORIGIN_MESSAGE = <<~MSG
@@ -469,7 +513,7 @@ module ActionController #:nodoc:
 
       def generate_csrf_token # :nodoc:
         if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH, padding: false)
+          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
         else
           SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
         end

data/lib/action_controller/metal/rescue.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # This module is responsible for providing +rescue_from+ helpers
   # to controllers and configuring when detailed exceptions must be
   # shown.

data/lib/action_controller/metal/streaming.rb

@@ -2,7 +2,7 @@
 
 require "rack/chunked"
 
-module ActionController #:nodoc:
+module ActionController # :nodoc:
   # Allows views to be streamed back to the client as they are rendered.
   #
   # By default, Rails renders views by first rendering the template
@@ -193,8 +193,6 @@ module ActionController #:nodoc:
   # To be described.
   #
   module Streaming
-    extend ActiveSupport::Concern
-
     private
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)