actionpack 6.1.7.6 → 7.0.0.alpha1

data/lib/action_dispatch/journey/visualizer/fsm.js

@@ -68,7 +68,7 @@ function highlight_state(index, color) {
 }
 
 function highlight_finish(index) {
-  svg_nodes[index].select('polygon')
+  svg_nodes[index].select('ellipse')
     .style("fill", "while")
     .transition().duration(500)
     .style("fill", "blue");
@@ -76,54 +76,79 @@ function highlight_finish(index) {
 
 function match(input) {
   reset_graph();
-  var table         = tt();
-  var states        = [0];
-  var regexp_states = table['regexp_states'];
-  var string_states = table['string_states'];
-  var accepting     = table['accepting'];
+  var table           = tt();
+  var states          = [[0, null]];
+  var regexp_states   = table['regexp_states'];
+  var string_states   = table['string_states'];
+  var stdparam_states = table['stdparam_states'];
+  var accepting       = table['accepting'];
+  var default_re      = new RegExp("^[^.\/?]+$");
+  var start_index     = 0;
 
   highlight_state(0);
 
   tokenize(input, function(token) {
+    var end_index = start_index + token.length;
+
     var new_states = [];
     for(var key in states) {
-      var state = states[key];
+      var state_parts = states[key];
+      var state = state_parts[0];
+      var previous_start = state_parts[1];
+
+      if(previous_start == null) {
+        if(string_states[state] && string_states[state][token]) {
+          var new_state = string_states[state][token];
+          highlight_edge(state, new_state);
+          highlight_state(new_state);
+          new_states.push([new_state, null]);
+        }
 
-      if(string_states[state] && string_states[state][token]) {
-        var new_state = string_states[state][token];
-        highlight_edge(state, new_state);
-        highlight_state(new_state);
-        new_states.push(new_state);
+        if(stdparam_states[state] && default_re.test(token)) {
+          for(var key in stdparam_states[state]) {
+            var new_state = stdparam_states[state][key];
+            highlight_edge(state, new_state);
+            highlight_state(new_state);
+            new_states.push([new_state, null]);
+          }
+        }
       }
 
       if(regexp_states[state]) {
+        var slice_start = previous_start != null ? previous_start : start_index;
+
         for(var key in regexp_states[state]) {
           var re = new RegExp("^" + key + "$");
-          if(re.test(token)) {
+
+          var accumulation = input.slice(slice_start, end_index);
+
+          if(re.test(accumulation)) {
             var new_state = regexp_states[state][key];
             highlight_edge(state, new_state);
             highlight_state(new_state);
-            new_states.push(new_state);
+            new_states.push([new_state, null]);
           }
+
+          // retry the same regexp with the accumulated data either way
+          new_states.push([state, slice_start]);
         }
       }
     }
 
-    if(new_states.length == 0) {
-      return;
-    }
     states = new_states;
+    start_index = end_index;
   });
 
   for(var key in states) {
-    var state = states[key];
+    var state_parts = states[key];
+    var state = state_parts[0];
+    var slice_start = state_parts[1];
+
+    // we must ignore ones that are still accepting more data
+    if (slice_start != null) continue;
+
     if(accepting[state]) {
-      for(var mkey in svg_edges[state]) {
-        if(!regexp_states[mkey] && !string_states[mkey]) {
-          highlight_edge(state, mkey);
-          highlight_finish(mkey);
-        }
-      }
+      highlight_finish(state);
     } else {
       highlight_state(state, "red");
     }

data/lib/action_dispatch/journey/visualizer/index.html.erb

@@ -8,7 +8,7 @@
         <%= style %>
       <% end %>
     </style>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js" type="text/javascript"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/d3/3.4.8/d3.min.js"></script>
   </head>
   <body>
     <div id="wrapper">

data/lib/action_dispatch/middleware/actionable_exceptions.rb

@@ -2,7 +2,6 @@
 
 require "erb"
 require "uri"
-require "action_dispatch/http/request"
 require "active_support/actionable_error"
 
 module ActionDispatch

data/lib/action_dispatch/middleware/cookies.rb

@@ -7,7 +7,7 @@ require "active_support/json"
 require "rack/utils"
 
 module ActionDispatch
-  class Request
+  module RequestCookieMethods
     def cookie_jar
       fetch_header("action_dispatch.cookies") do
         self.cookie_jar = Cookies::CookieJar.build(self, cookies)
@@ -88,6 +88,10 @@ module ActionDispatch
     # :startdoc:
   end
 
+  ActiveSupport.on_load(:action_dispatch_request) do
+    include RequestCookieMethods
+  end
+
   # Read and write data to cookies through ActionController#cookies.
   #
   # When reading cookie data, the data is read from the HTTP request header, Cookie.
@@ -99,7 +103,7 @@ module ActionDispatch
   #   # This cookie will be deleted when the user's browser is closed.
   #   cookies[:user_name] = "david"
   #
-  #   # Cookie values are String based. Other data types need to be serialized.
+  #   # Cookie values are String-based. Other data types need to be serialized.
   #   cookies[:lat_lon] = JSON.generate([47.68, -122.37])
   #
   #   # Sets a cookie that expires in 1 hour.
@@ -280,9 +284,23 @@ module ActionDispatch
         end
     end
 
-    class CookieJar #:nodoc:
+    class CookieJar # :nodoc:
       include Enumerable, ChainedCookieJars
 
+      # This regular expression is used to split the levels of a domain.
+      # The top level domain can be any string without a period or
+      # **.**, ***.** style TLDs like co.uk or com.au
+      #
+      # www.example.co.uk gives:
+      # $& => example.co.uk
+      #
+      # example.com gives:
+      # $& => example.com
+      #
+      # lots.of.subdomains.example.local gives:
+      # $& => example.local
+      DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+
       def self.build(req, cookies)
         jar = new(req)
         jar.update(cookies)
@@ -435,35 +453,13 @@ module ActionDispatch
           options[:same_site] ||= cookies_same_site_protection.call(request)
 
           if options[:domain] == :all || options[:domain] == "all"
-            cookie_domain = ""
-            dot_splitted_host = request.host.split('.', -1)
-
-            # Case where request.host is not an IP address or it's an invalid domain
-            # (ip confirms to the domain structure we expect so we explicitly check for ip)
-            if request.host.match?(/^[\d.]+$/) || dot_splitted_host.include?("") || dot_splitted_host.length == 1
-              options[:domain] = nil
-              return
-            end
-
-            # If there is a provided tld length then we use it otherwise default domain.
-            if options[:tld_length].present? 
-              # Case where the tld_length provided is valid
-              if dot_splitted_host.length >= options[:tld_length]
-                cookie_domain = dot_splitted_host.last(options[:tld_length]).join('.')
-              end
-            # Case where tld_length is not provided
-            else
-              # Regular TLDs
-              if !(/\.[^.]{2,3}\.[^.]{2}\z/.match?(request.host))
-                cookie_domain = dot_splitted_host.last(2).join(".")
-              # **.**, ***.** style TLDs like co.uk and com.au
-              else
-                cookie_domain = dot_splitted_host.last(3).join('.')
-              end
-            end
+            # If there is a provided tld length then we use it otherwise default domain regexp.
+            domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
 
-            options[:domain] = if cookie_domain.present?
-              ".#{cookie_domain}"
+            # If host is not ip and matches domain regexp.
+            # (ip confirms to domain regexp so we explicitly check for ip)
+            options[:domain] = if !request.host.match?(/^[\d.]+$/) && (request.host =~ domain_regexp)
+              ".#{$&}"
             end
           elsif options[:domain].is_a? Array
             # If host matches one of the supplied domains.

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 require "action_dispatch/routing/inspector"
 
@@ -135,6 +134,7 @@ module ActionDispatch
         logger = logger(request)
 
         return unless logger
+        return if !log_rescued_responses?(request) && wrapper.rescue_response?
 
         exception = wrapper.exception
         trace = wrapper.exception_trace
@@ -149,9 +149,7 @@ module ActionDispatch
         log_array(logger, message)
       end
 
-      def log_array(logger, array)
-        lines = Array(array)
-
+      def log_array(logger, lines)
         return if lines.empty?
 
         if logger.formatter && logger.formatter.respond_to?(:tags_text)
@@ -178,5 +176,9 @@ module ActionDispatch
       def api_request?(content_type)
         @response_format == :api && !content_type.html?
       end
+
+      def log_rescued_responses?(request)
+        request.get_header("action_dispatch.log_rescued_responses")
+      end
   end
 end

data/lib/action_dispatch/middleware/debug_locks.rb

@@ -9,9 +9,9 @@ module ActionDispatch
   #     config.middleware.insert_before Rack::Sendfile, ActionDispatch::DebugLocks
   #
   # After restarting the application and re-triggering the deadlock condition,
-  # <tt>/rails/locks</tt> will show a summary of all threads currently known to
-  # the interlock, which lock level they are holding or awaiting, and their
-  # current backtrace.
+  # the route <tt>/rails/locks</tt> will show a summary of all threads currently
+  # known to the interlock, which lock level they are holding or awaiting, and
+  # their current backtrace.
   #
   # Generally a deadlock will be caused by the interlock conflicting with some
   # other external lock or blocking I/O call. These cannot be automatically

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -118,6 +118,10 @@ module ActionDispatch
       Rack::Utils.status_code(@@rescue_responses[class_name])
     end
 
+    def rescue_response?
+      @@rescue_responses.key?(exception.class.name)
+    end
+
     def source_extracts
       backtrace.map do |trace|
         file, line_number = extract_file_and_line_number(trace)

data/lib/action_dispatch/middleware/executor.rb

@@ -9,7 +9,7 @@ module ActionDispatch
     end
 
     def call(env)
-      state = @executor.run!(reset: true)
+      state = @executor.run!
       begin
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }

data/lib/action_dispatch/middleware/flash.rb

@@ -59,16 +59,14 @@ module ActionDispatch
       end
 
       def commit_flash # :nodoc:
-        session    = self.session || {}
-        flash_hash = self.flash_hash
+        return unless session.enabled?
 
         if flash_hash && (flash_hash.present? || session.key?("flash"))
           session["flash"] = flash_hash.to_session_value
           self.flash = flash_hash.dup
         end
 
-        if (!session.respond_to?(:loaded?) || session.loaded?) && # reset_session uses {}, which doesn't implement #loaded?
-            session.key?("flash") && session["flash"].nil?
+        if session.loaded? && session.key?("flash") && session["flash"].nil?
           session.delete("flash")
         end
       end
@@ -79,7 +77,7 @@ module ActionDispatch
       end
     end
 
-    class FlashNow #:nodoc:
+    class FlashNow # :nodoc:
       attr_accessor :flash
 
       def initialize(flash)
@@ -111,7 +109,7 @@ module ActionDispatch
     class FlashHash
       include Enumerable
 
-      def self.from_session_value(value) #:nodoc:
+      def self.from_session_value(value) # :nodoc:
         case value
         when FlashHash # Rails 3.1, 3.2
           flashes = value.instance_variable_get(:@flashes)
@@ -132,13 +130,13 @@ module ActionDispatch
 
       # Builds a hash containing the flashes to keep for the next request.
       # If there are none to keep, returns +nil+.
-      def to_session_value #:nodoc:
+      def to_session_value # :nodoc:
         flashes_to_keep = @flashes.except(*@discard)
         return nil if flashes_to_keep.empty?
         { "discard" => [], "flashes" => flashes_to_keep }
       end
 
-      def initialize(flashes = {}, discard = []) #:nodoc:
+      def initialize(flashes = {}, discard = []) # :nodoc:
         @discard = Set.new(stringify_array(discard))
         @flashes = flashes.stringify_keys
         @now     = nil
@@ -162,7 +160,7 @@ module ActionDispatch
         @flashes[k.to_s]
       end
 
-      def update(h) #:nodoc:
+      def update(h) # :nodoc:
         @discard.subtract stringify_array(h.keys)
         @flashes.update h.stringify_keys
         self
@@ -202,7 +200,7 @@ module ActionDispatch
 
       alias :merge! :update
 
-      def replace(h) #:nodoc:
+      def replace(h) # :nodoc:
         @discard.clear
         @flashes.replace h.stringify_keys
         self
@@ -253,7 +251,7 @@ module ActionDispatch
       # Mark for removal entries that were kept, and delete unkept ones.
       #
       # This method is called automatically by filters, so you generally don't need to care about it.
-      def sweep #:nodoc:
+      def sweep # :nodoc:
         @discard.each { |k| @flashes.delete k }
         @discard.replace @flashes.keys
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
-
 module ActionDispatch
   # This middleware guards from DNS rebinding attacks by explicitly permitting
   # the hosts a request can be sent to, and is passed the options set in
@@ -13,22 +11,8 @@ module ActionDispatch
   #
   # When a request comes to an unauthorized host, the +response_app+
   # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run.
-  # The default response app logs blocked host info with level 'error' and
-  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
-  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
+  # default one will run, which responds with <tt>403 Forbidden</tt>.
   class HostAuthorization
-    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
-    PORT_REGEX = /(?::\d+)/ # :nodoc:
-    IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
-    IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
-    IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
-    VALID_IP_HOSTNAME = Regexp.union( # :nodoc:
-      /\A#{IPV4_HOSTNAME}\z/,
-      /\A#{IPV6_HOSTNAME}\z/,
-      /\A#{IPV6_HOSTNAME_WITH_PORT}\z/,
-    )
-
     class Permissions # :nodoc:
       def initialize(hosts)
         @hosts = sanitize_hosts(hosts)
@@ -40,17 +24,11 @@ module ActionDispatch
 
       def allows?(host)
         @hosts.any? do |allowed|
-          if allowed.is_a?(IPAddr)
-            begin
-              allowed === extract_hostname(host)
-            rescue
-              # IPAddr#=== raises an error if you give it a hostname instead of
-              # IP. Treat similar errors as blocked access.
-              false
-            end
-          else
-            allowed === host
-          end
+          allowed === host
+        rescue
+          # IPAddr#=== raises an error if you give it a hostname instead of
+          # IP. Treat similar errors as blocked access.
+          false
         end
       end
 
@@ -66,59 +44,29 @@ module ActionDispatch
         end
 
         def sanitize_regexp(host)
-          /\A#{host}#{PORT_REGEX}?\z/
+          /\A#{host}\z/
         end
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
+            /\A(.+\.)?#{Regexp.escape(host[1..-1])}\z/i
           else
-            /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
+            /\A#{Regexp.escape host}\z/i
           end
         end
-
-        def extract_hostname(host)
-          host.slice(VALID_IP_HOSTNAME, "host") || host
-        end
     end
 
-    class DefaultResponseApp # :nodoc:
-      RESPONSE_STATUS = 403
-
-      def call(env)
-        request = Request.new(env)
-        format = request.xhr? ? "text/plain" : "text/html"
-
-        log_error(request)
-        response(format, response_body(request))
-      end
-
-      private
-        def response_body(request)
-          return "" unless request.get_header("action_dispatch.show_detailed_exceptions")
-
-          template = DebugView.new(host: request.host)
-          template.render(template: "rescues/blocked_host", layout: "rescues/layout")
-        end
-
-        def response(format, body)
-          [RESPONSE_STATUS,
-           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-             "Content-Length" => body.bytesize.to_s },
-           [body]]
-        end
-
-        def log_error(request)
-          logger = available_logger(request)
-
-          return unless logger
+    DEFAULT_RESPONSE_APP = -> env do
+      request = Request.new(env)
 
-          logger.error("[#{self.class.name}] Blocked host: #{request.host}")
-        end
+      format = request.xhr? ? "text/plain" : "text/html"
+      template = DebugView.new(host: request.host)
+      body = template.render(template: "rescues/blocked_host", layout: "rescues/layout")
 
-        def available_logger(request)
-          request.logger || ActionView::Base.logger
-        end
+      [403, {
+        "Content-Type" => "#{format}; charset=#{Response.default_charset}",
+        "Content-Length" => body.bytesize.to_s,
+      }, [body]]
     end
 
     def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil)
@@ -135,7 +83,7 @@ module ActionDispatch
         response_app ||= deprecated_response_app
       end
 
-      @response_app = response_app || DefaultResponseApp.new
+      @response_app = response_app || DEFAULT_RESPONSE_APP
     end
 
     def call(env)
@@ -152,9 +100,13 @@ module ActionDispatch
     end
 
     private
+      HOSTNAME = /[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\]/i
+      VALID_ORIGIN_HOST = /\A(#{HOSTNAME})(?::\d+)?\z/
+      VALID_FORWARDED_HOST = /(?:\A|,[ ]?)(#{HOSTNAME})(?::\d+)?\z/
+
       def authorized?(request)
-        origin_host = request.get_header("HTTP_HOST")
-        forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last
+        origin_host = request.get_header("HTTP_HOST")&.slice(VALID_ORIGIN_HOST, 1) || ""
+        forwarded_host = request.x_forwarded_host&.slice(VALID_FORWARDED_HOST, 1) || ""
 
         @permissions.allows?(origin_host) && (forwarded_host.blank? || @permissions.allows?(forwarded_host))
       end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -51,10 +51,8 @@ module ActionDispatch
     # clients (like WAP devices), or behind proxies that set headers in an
     # incorrect or confusing way (like AWS ELB).
     #
-    # The +custom_proxies+ argument can take an Array of string, IPAddr, or
-    # Regexp objects which will be used instead of +TRUSTED_PROXIES+. If a
-    # single string, IPAddr, or Regexp object is provided, it will be used in
-    # addition to +TRUSTED_PROXIES+. Any proxy setup will put the value you
+    # The +custom_proxies+ argument can take an enumerable which will be used
+    # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
     # want in the middle (or at the beginning) of the X-Forwarded-For list,
     # with your proxy servers after it. If your proxies aren't removed, pass
     # them in via the +custom_proxies+ parameter. That way, the middleware will
@@ -67,6 +65,20 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
+        ActiveSupport::Deprecation.warn(<<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value has
+          been deprecated. Please set this to an enumerable instead. For
+          example, instead of:
+
+          config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
+
+          Wrap the value in an Array:
+
+          config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
+
+          Note that unlike passing a single argument, passing an enumerable
+          will *replace* the default set of trusted proxies.
+        EOM
         Array(custom_proxies) + TRUSTED_PROXIES
       end
     end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -8,7 +8,7 @@ require "action_dispatch/request/session"
 
 module ActionDispatch
   module Session
-    class SessionRestoreError < StandardError #:nodoc:
+    class SessionRestoreError < StandardError # :nodoc:
       def initialize
         super("Session contains objects whose class definition isn't available.\n" \
           "Remember to require the classes for all objects kept in the session.\n" \

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "action_dispatch/http/request"
 require "action_dispatch/middleware/exception_wrapper"
 
 module ActionDispatch
@@ -15,14 +14,8 @@ module ActionDispatch
   # If the application returns a "X-Cascade" pass response, this middleware
   # will send an empty response as result with the correct status code.
   # If any exception happens inside the exceptions app, this middleware
-  # catches the exceptions and returns a FAILSAFE_RESPONSE.
+  # catches the exceptions and returns a failsafe response.
   class ShowExceptions
-    FAILSAFE_RESPONSE = [500, { "Content-Type" => "text/plain" },
-      ["500 Internal Server Error\n" \
-       "If you are the administrator of this website, then please read this web " \
-       "application's log file and/or the web server's log file to find out what " \
-       "went wrong."]]
-
     def initialize(app, exceptions_app)
       @app = app
       @exceptions_app = exceptions_app
@@ -47,23 +40,18 @@ module ActionDispatch
         request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
-        fallback_to_html_format_if_invalid_mime_type(request)
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
         response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error
         $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
-        FAILSAFE_RESPONSE
-      end
 
-      def fallback_to_html_format_if_invalid_mime_type(request)
-        # If the MIME type for the request is invalid then the
-        # @exceptions_app may not be able to handle it. To make it
-        # easier to handle, we switch to HTML.
-        request.formats
-      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
-        request.set_header "HTTP_ACCEPT", "text/html"
+        [500, { "Content-Type" => "text/plain" },
+          ["500 Internal Server Error\n" \
+          "If you are the administrator of this website, then please read this web " \
+          "application's log file and/or the web server's log file to find out what " \
+          "went wrong."]]
       end
 
       def pass_response(status)