actionpack 7.0.10 → 7.1.0.beta1

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -11,6 +11,8 @@ module ActionController # :nodoc:
   class InvalidCrossOriginRequest < ActionControllerError # :nodoc:
   end
 
+  # = Action Controller Request Forgery Protection
+  #
   # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
   # by including a token in the rendered HTML for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
@@ -34,10 +36,10 @@ module ActionController # :nodoc:
   #
   # Subclasses of ActionController::Base are protected by default with the
   # <tt>:exception</tt> strategy, which raises an
-  # <tt>ActionController::InvalidAuthenticityToken</tt> error on unverified requests.
+  # ActionController::InvalidAuthenticityToken error on unverified requests.
   #
   # APIs may want to disable this behavior since they are typically designed to be
-  # state-less: that is, the request API client handles the session instead of Rails.
+  # state-less: that is, the request API client handles the session instead of \Rails.
   # One way to achieve this is to use the <tt>:null_session</tt> strategy instead,
   # which allows unverified requests to be handled, but with an empty session:
   #
@@ -55,6 +57,8 @@ module ActionController # :nodoc:
   # Learn more about CSRF attacks and securing your application in the
   # {Ruby on Rails Security Guide}[https://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
+    CSRF_TOKEN = "action_controller.csrf_token"
+
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -90,18 +94,9 @@ module ActionController # :nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
-      # Controls whether URL-safe CSRF tokens are generated.
-      config_accessor :urlsafe_csrf_tokens, instance_writer: false
-      self.urlsafe_csrf_tokens = true
-
-      singleton_class.redefine_method(:urlsafe_csrf_tokens=) do |urlsafe_csrf_tokens|
-        if urlsafe_csrf_tokens
-          ActiveSupport::Deprecation.warn("URL-safe CSRF tokens are now the default. Use 6.1 defaults or above.")
-        else
-          ActiveSupport::Deprecation.warn("Non-URL-safe CSRF tokens are deprecated. Use 6.1 defaults or above.")
-        end
-        config.urlsafe_csrf_tokens = urlsafe_csrf_tokens
-      end
+      # The strategy to use for storing and retrieving CSRF tokens.
+      config_accessor :csrf_token_storage_strategy
+      self.csrf_token_storage_strategy = SessionStore.new
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
@@ -148,18 +143,46 @@ module ActionController # :nodoc:
       #      end
       #
       #      def handle_unverified_request
-      #        # Custom behaviour for unverfied request
+      #        # Custom behavior for unverfied request
       #      end
       #    end
       #
-      #    class ApplicationController < ActionController:x:Base
+      #    class ApplicationController < ActionController::Base
       #      protect_from_forgery with: CustomStrategy
       #    end
+      # * <tt>:store</tt> - Set the strategy to store and retrieve CSRF tokens.
+      #
+      # Built-in session token strategies are:
+      # * <tt>:session</tt> - Store the CSRF token in the session.  Used as default if <tt>:store</tt> option is not specified.
+      # * <tt>:cookie</tt> - Store the CSRF token in an encrypted cookie.
+      #
+      # You can also implement custom strategy classes for CSRF token storage:
+      #
+      #   class CustomStore
+      #     def fetch(request)
+      #       # Return the token from a custom location
+      #     end
+      #
+      #     def store(request, csrf_token)
+      #       # Store the token in a custom location
+      #     end
+      #
+      #     def reset(request)
+      #       # Delete the stored session token
+      #     end
+      #   end
+      #
+      #   class ApplicationController < ActionController::Base
+      #     protect_from_forgery store: CustomStore.new
+      #   end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
         self.forgery_protection_strategy = protection_method_class(options[:with] || :null_session)
         self.request_forgery_protection_token ||= :authenticity_token
+
+        self.csrf_token_storage_strategy = storage_strategy(options[:store] || SessionStore.new)
+
         before_action :verify_authenticity_token, options
         append_after_action :verify_same_origin_request
       end
@@ -188,6 +211,22 @@ module ActionController # :nodoc:
             raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
           end
         end
+
+        def storage_strategy(name)
+          case name
+          when :session
+            SessionStore.new
+          when :cookie
+            CookieStore.new(:csrf_token)
+          else
+            return name if is_storage_strategy?(name)
+            raise ArgumentError, "Invalid CSRF token storage strategy, use :session, :cookie, or a custom CSRF token storage class."
+          end
+        end
+
+        def is_storage_strategy?(object)
+          object.respond_to?(:fetch) && object.respond_to?(:store) && object.respond_to?(:reset)
+        end
     end
 
     module ProtectionMethods
@@ -255,6 +294,68 @@ module ActionController # :nodoc:
       end
     end
 
+    class SessionStore
+      def fetch(request)
+        request.session[:_csrf_token]
+      end
+
+      def store(request, csrf_token)
+        request.session[:_csrf_token] = csrf_token
+      end
+
+      def reset(request)
+        request.session.delete(:_csrf_token)
+      end
+    end
+
+    class CookieStore
+      def initialize(cookie = :csrf_token)
+        @cookie_name = cookie
+      end
+
+      def fetch(request)
+        contents = request.cookie_jar.encrypted[@cookie_name]
+        return nil if contents.nil?
+
+        value = JSON.parse(contents)
+        return nil unless value.dig("session_id", "public_id") == request.session.id_was&.public_id
+
+        value["token"]
+      rescue JSON::ParserError
+        nil
+      end
+
+      def store(request, csrf_token)
+        request.cookie_jar.encrypted.permanent[@cookie_name] = {
+          value: {
+            token: csrf_token,
+            session_id: request.session.id,
+          }.to_json,
+          httponly: true,
+          same_site: :lax,
+        }
+      end
+
+      def reset(request)
+        request.cookie_jar.delete(@cookie_name)
+      end
+    end
+
+    def initialize(...)
+      super
+      @marked_for_same_origin_verification = nil
+    end
+
+    def reset_csrf_token(request) # :doc:
+      request.env.delete(CSRF_TOKEN)
+      csrf_token_storage_strategy.reset(request)
+    end
+
+    def commit_csrf_token(request) # :doc:
+      csrf_token = request.env[CSRF_TOKEN]
+      csrf_token_storage_strategy.store(request, csrf_token) unless csrf_token.nil?
+    end
+
     private
       # The actual before_action that is used to verify the CSRF token.
       # Don't override this directly. Provide your own forgery protection
@@ -356,20 +457,20 @@ module ActionController # :nodoc:
 
       # Creates the authenticity token for the current request.
       def form_authenticity_token(form_options: {}) # :doc:
-        masked_authenticity_token(session, form_options: form_options)
+        masked_authenticity_token(form_options: form_options)
       end
 
       # Creates a masked version of the authenticity token that varies
       # on each request. The masking is used to mitigate SSL attacks
       # like BREACH.
-      def masked_authenticity_token(session, form_options: {})
+      def masked_authenticity_token(form_options: {})
         action, method = form_options.values_at(:action, :method)
 
         raw_token = if per_form_csrf_tokens && action && method
           action_path = normalize_action_path(action)
-          per_form_csrf_token(session, action_path, method)
+          per_form_csrf_token(nil, action_path, method)
         else
-          global_csrf_token(session)
+          global_csrf_token
         end
 
         mask_token(raw_token)
@@ -397,14 +498,14 @@ module ActionController # :nodoc:
           # This is actually an unmasked token. This is expected if
           # you have just upgraded to masked tokens, but should stop
           # happening shortly after installing this gem.
-          compare_with_real_token masked_token, session
+          compare_with_real_token masked_token
 
         elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
           csrf_token = unmask_token(masked_token)
 
-          compare_with_global_token(csrf_token, session) ||
-            compare_with_real_token(csrf_token, session) ||
-            valid_per_form_csrf_token?(csrf_token, session)
+          compare_with_global_token(csrf_token) ||
+            compare_with_real_token(csrf_token) ||
+            valid_per_form_csrf_token?(csrf_token)
         else
           false # Token is malformed.
         end
@@ -425,15 +526,15 @@ module ActionController # :nodoc:
         encode_csrf_token(masked_token)
       end
 
-      def compare_with_real_token(token, session) # :doc:
+      def compare_with_real_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, real_csrf_token(session))
       end
 
-      def compare_with_global_token(token, session) # :doc:
+      def compare_with_global_token(token, session = nil) # :doc:
         ActiveSupport::SecurityUtils.fixed_length_secure_compare(token, global_csrf_token(session))
       end
 
-      def valid_per_form_csrf_token?(token, session) # :doc:
+      def valid_per_form_csrf_token?(token, session = nil) # :doc:
         if per_form_csrf_tokens
           correct_token = per_form_csrf_token(
             session,
@@ -447,9 +548,12 @@ module ActionController # :nodoc:
         end
       end
 
-      def real_csrf_token(session) # :doc:
-        session[:_csrf_token] ||= generate_csrf_token
-        decode_csrf_token(session[:_csrf_token])
+      def real_csrf_token(_session = nil) # :doc:
+        csrf_token = request.env.fetch(CSRF_TOKEN) do
+          request.env[CSRF_TOKEN] = csrf_token_storage_strategy.fetch(request) || generate_csrf_token
+        end
+
+        decode_csrf_token(csrf_token)
       end
 
       def per_form_csrf_token(session, action_path, method) # :doc:
@@ -459,7 +563,7 @@ module ActionController # :nodoc:
       GLOBAL_CSRF_TOKEN_IDENTIFIER = "!real_csrf_token"
       private_constant :GLOBAL_CSRF_TOKEN_IDENTIFIER
 
-      def global_csrf_token(session) # :doc:
+      def global_csrf_token(session = nil) # :doc:
         csrf_token_hmac(session, GLOBAL_CSRF_TOKEN_IDENTIFIER)
       end
 
@@ -519,31 +623,15 @@ module ActionController # :nodoc:
       end
 
       def generate_csrf_token # :nodoc:
-        if urlsafe_csrf_tokens
-          SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
-        else
-          SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
-        end
+        SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
       end
 
       def encode_csrf_token(csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_encode64(csrf_token, padding: false)
-        else
-          Base64.strict_encode64(csrf_token)
-        end
+        Base64.urlsafe_encode64(csrf_token, padding: false)
       end
 
       def decode_csrf_token(encoded_csrf_token) # :nodoc:
-        if urlsafe_csrf_tokens
-          Base64.urlsafe_decode64(encoded_csrf_token)
-        else
-          begin
-            Base64.strict_decode64(encoded_csrf_token)
-          rescue ArgumentError
-            Base64.urlsafe_decode64(encoded_csrf_token)
-          end
-        end
+        Base64.urlsafe_decode64(encoded_csrf_token)
       end
   end
 end

data/lib/action_controller/metal/rescue.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController # :nodoc:
+  # = Action Controller \Rescue
+  #
   # This module is responsible for providing
   # {rescue_from}[rdoc-ref:ActiveSupport::Rescuable::ClassMethods#rescue_from]
   # to controllers, wrapping actions to handle configured errors, and

data/lib/action_controller/metal/streaming.rb

@@ -1,30 +1,25 @@
 # frozen_string_literal: true
 
-require "rack/chunked"
-
 module ActionController # :nodoc:
+  # = Action Controller \Streaming
+  #
   # Allows views to be streamed back to the client as they are rendered.
   #
-  # By default, Rails renders views by first rendering the template
+  # By default, \Rails renders views by first rendering the template
   # and then the layout. The response is sent to the client after the whole
   # template is rendered, all queries are made, and the layout is processed.
   #
-  # Streaming inverts the rendering flow by rendering the layout first and
-  # streaming each part of the layout as they are processed. This allows the
+  # \Streaming inverts the rendering flow by rendering the layout first and
+  # subsequently each part of the layout as they are processed. This allows the
   # header of the HTML (which is usually in the layout) to be streamed back
-  # to client very quickly, allowing JavaScripts and stylesheets to be loaded
+  # to client very quickly, enabling JavaScripts and stylesheets to be loaded
   # earlier than usual.
   #
-  # This approach was introduced in Rails 3.1 and is still improving. Several
-  # Rack middlewares may not work and you need to be careful when streaming.
-  # Those points are going to be addressed soon.
-  #
-  # In order to use streaming, you will need to use a Ruby version that
-  # supports fibers (fibers are supported since version 1.9.2 of the main
-  # Ruby implementation).
+  # Several Rack middlewares may not work and you need to be careful when streaming.
+  # This is covered in more detail below, see the Streaming@Middlewares section.
   #
-  # Streaming can be added to a given template easily, all you need to do is
-  # to pass the +:stream+ option.
+  # \Streaming can be added to a given template easily, all you need to do is
+  # to pass the +:stream+ option to +render+.
   #
   #   class PostsController
   #     def index
@@ -35,7 +30,7 @@ module ActionController # :nodoc:
   #
   # == When to use streaming
   #
-  # Streaming may be considered to be overkill for lightweight actions like
+  # \Streaming may be considered to be overkill for lightweight actions like
   # +new+ or +edit+. The real benefit of streaming is on expensive actions
   # that, for example, do a lot of queries on the database.
   #
@@ -59,13 +54,13 @@ module ActionController # :nodoc:
   #     render stream: true
   #   end
   #
-  # Notice that +:stream+ only works with templates. Rendering +:json+
+  # Notice that +:stream+ only works with templates. \Rendering +:json+
   # or +:xml+ with +:stream+ won't work.
   #
   # == Communication between layout and template
   #
   # When streaming, rendering happens top-down instead of inside-out.
-  # Rails starts with the layout, and the template is rendered later,
+  # \Rails starts with the layout, and the template is rendered later,
   # when its +yield+ is reached.
   #
   # This means that, if your application currently relies on instance
@@ -112,7 +107,7 @@ module ActionController # :nodoc:
   # This means that, if you have <code>yield :title</code> in your layout
   # and you want to use streaming, you would have to render the whole template
   # (and eventually trigger all queries) before streaming the title and all
-  # assets, which kills the purpose of streaming. For this purpose, you can use
+  # assets, which defeats the purpose of streaming. Alternatively, you can use
   # a helper called +provide+ that does the same as +content_for+ but tells the
   # layout to stop searching for other entries and continue rendering.
   #
@@ -122,7 +117,7 @@ module ActionController # :nodoc:
   #   Hello
   #   <%= content_for :title, " page" %>
   #
-  # Giving:
+  # Resulting in:
   #
   #   <html>
   #     <head><title>Main</title></head>
@@ -132,6 +127,8 @@ module ActionController # :nodoc:
   # That said, when streaming, you need to properly check your templates
   # and choose when to use +provide+ and +content_for+.
   #
+  # See also ActionView::Helpers::CaptureHelper for more information.
+  #
   # == Headers, cookies, session, and flash
   #
   # When streaming, the HTTP headers are sent to the client right before
@@ -143,10 +140,10 @@ module ActionController # :nodoc:
   #
   # Middlewares that need to manipulate the body won't work with streaming.
   # You should disable those middlewares whenever streaming in development
-  # or production. For instance, <tt>Rack::Bug</tt> won't work when streaming as it
+  # or production. For instance, +Rack::Bug+ won't work when streaming as it
   # needs to inject contents in the HTML body.
   #
-  # Also <tt>Rack::Cache</tt> won't work with streaming as it does not support
+  # Also +Rack::Cache+ won't work with streaming as it does not support
   # streaming bodies yet. Whenever streaming +Cache-Control+ is automatically
   # set to "no-cache".
   #
@@ -156,14 +153,14 @@ module ActionController # :nodoc:
   # happens because part of the template was already rendered and streamed to
   # the client, making it impossible to render a whole exception page.
   #
-  # Currently, when an exception happens in development or production, Rails
+  # Currently, when an exception happens in development or production, \Rails
   # will automatically stream to the client:
   #
   #   "><script>window.location = "/500.html"</script></html>
   #
-  # The first two characters (">) are required in case the exception happens
-  # while rendering attributes for a given tag. You can check the real cause
-  # for the exception in your logger.
+  # The first two characters (<tt>"></tt>) are required in case the exception
+  # happens while rendering attributes for a given tag. You can check the real
+  # cause for the exception in your logger.
   #
   # == Web server support
   #
@@ -183,16 +180,59 @@ module ActionController # :nodoc:
   #   unicorn_rails --config-file unicorn.config.rb
   #
   # You may also want to configure other parameters like <tt>:tcp_nodelay</tt>.
-  # Please check its documentation for more information: https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-listen
+  #
+  # For more information, please check the
+  # {documentation}[https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-listen].
   #
   # If you are using Unicorn with NGINX, you may need to tweak NGINX.
-  # Streaming should work out of the box on Rainbows.
+  # \Streaming should work out of the box on Rainbows.
   #
   # ==== Passenger
   #
-  # To be described.
+  # Phusion Passenger with NGINX, offers two streaming mechanisms out of the box.
+  #
+  # 1. NGINX response buffering mechanism which is dependent on the value of
+  #    +passenger_buffer_response+ option (default is "off").
+  # 2. Passenger buffering system which is always 'on' irrespective of the value
+  #    of +passenger_buffer_response+.
+  #
+  # When +passenger_buffer_response+ is turned "on", then streaming would be
+  # done at the NGINX level which waits until the application is done sending
+  # the response back to the client.
+  #
+  # For more information, please check the
+  # {documentation}[https://www.phusionpassenger.com/docs/references/config_reference/nginx/#passenger_buffer_response].
   #
   module Streaming
+    class Body # :nodoc:
+      TERM = "\r\n"
+      TAIL = "0#{TERM}"
+
+      # Store the response body to be chunked.
+      def initialize(body)
+        @body = body
+      end
+
+      # For each element yielded by the response body, yield
+      # the element in chunked encoding.
+      def each(&block)
+        term = TERM
+        @body.each do |chunk|
+          size = chunk.bytesize
+          next if size == 0
+
+          yield [size.to_s(16), term, chunk.b, term].join
+        end
+        yield TAIL
+        yield term
+      end
+
+      # Close the response body if the response body supports it.
+      def close
+        @body.close if @body.respond_to?(:close)
+      end
+    end
+
     private
       # Set proper cache control and transfer encoding when streaming
       def _process_options(options)
@@ -211,7 +251,7 @@ module ActionController # :nodoc:
       # Call render_body if we are streaming instead of usual +render+.
       def _render_template(options)
         if options.delete(:stream)
-          Rack::Chunked::Body.new view_renderer.render_body(view_context, options)
+          Body.new view_renderer.render_body(view_context, options)
         else
           super
         end