actionpack 7.0.2.4 → 7.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 06e621226ed4db65eca7f6c6a5194702b49e8287e513e241ed511dc096ef320e
-  data.tar.gz: 4c7c1405b2e523f77fdd076755c9311528bc5e38fac81823330719846a562736
+  metadata.gz: 1f920e0c8edecebb6708efc39f5bc4de2d9dd1beb20b11fac4c2408406ef4812
+  data.tar.gz: e87d2d36beb62a55feb9677d7009725531c2187692099d41682014822e478204
 SHA512:
-  metadata.gz: a1d0d5c67985a6d93bff849b4fd2c21ebb6f0572d64109aaad0bd47317e72cde6c5ba66d1bcf88fe3378dedb37d788f264405f98d11fc3f9c0a4ccad34d8bf1c
-  data.tar.gz: 459de47bc8f00dd8f69b147dac927c30f757657cd5eb3b22518fba2922a0cc96892552f46f32b25bf38aee6ba3deb1ad6272398642befed341621e55d44b88e0
+  metadata.gz: 4ed2fb214470bb89c3a6c6101428806f6ebb2eb01044cc8426dddecdb189a541511aa7355b07f13e898a076a2a7f9b3eabefdfdfb7130918c216993da503e173
+  data.tar.gz: 0c4a9b5b27a03faec9e2d971cce098cb943fbdc7bf0cb25ba243755bfa72760c2a0eefc18e80134877f2a382d7d154deee64faaccacbe557768a978771873ee4

data/CHANGELOG.md

@@ -1,3 +1,83 @@
+## Rails 7.0.4 (September 09, 2022) ##
+
+*   Prevent `ActionDispatch::ServerTiming` from overwriting existing values in `Server-Timing`.
+
+    Previously, if another middleware down the chain set `Server-Timing` header,
+    it would overwritten by `ActionDispatch::ServerTiming`.
+
+    *Jakub Malinowski*
+
+
+## Rails 7.0.3.1 (July 12, 2022) ##
+
+*   No changes.
+
+
+## Rails 7.0.3 (May 09, 2022) ##
+
+*   Allow relative redirects when `raise_on_open_redirects` is enabled.
+
+    *Tom Hughes*
+
+*   Fix `authenticate_with_http_basic` to allow for missing password.
+
+    Before Rails 7.0 it was possible to handle basic authentication with only a username.
+
+    ```ruby
+    authenticate_with_http_basic do |token, _|
+      ApiClient.authenticate(token)
+    end
+    ```
+
+    This ability is restored.
+
+    *Jean Boussier*
+
+*   Fix `content_security_policy` returning invalid directives.
+
+    Directives such as `self`, `unsafe-eval` and few others were not
+    single quoted when the directive was the result of calling a lambda
+    returning an array.
+
+    ```ruby
+    content_security_policy do |policy|
+      policy.frame_ancestors lambda { [:self, "https://example.com"] }
+    end
+    ```
+
+    With this fix the policy generated from above will now be valid.
+
+    *Edouard Chin*
+
+*   Fix `skip_forgery_protection` to run without raising an error if forgery
+    protection has not been enabled / `verify_authenticity_token` is not a
+    defined callback.
+
+    This fix prevents the Rails 7.0 Welcome Page (`/`) from raising an
+    `ArgumentError` if `default_protect_from_forgery` is false.
+
+    *Brad Trick*
+
+*   Fix `ActionController::Live` to copy the IsolatedExecutionState in the ephemeral thread.
+
+    Since its inception `ActionController::Live` has been copying thread local variables
+    to keep things such as `CurrentAttributes` set from middlewares working in the controller action.
+
+    With the introduction of `IsolatedExecutionState` in 7.0, some of that global state was lost in
+    `ActionController::Live` controllers.
+
+    *Jean Boussier*
+
+*   Fix setting `trailing_slash: true` in route definition.
+
+    ```ruby
+    get '/test' => "test#index", as: :test, trailing_slash: true
+
+    test_path() # => "/test/"
+    ```
+
+    *Jean Boussier*
+
 ## Rails 7.0.2.4 (April 26, 2022) ##
 
 *   Allow Content Security Policy DSL to generate for API responses.

data/lib/abstract_controller/base.rb

@@ -150,13 +150,14 @@ module AbstractController
 
       process_action(action_name, *args)
     end
+    ruby2_keywords(:process)
 
-    # Delegates to the class' ::controller_path
+    # Delegates to the class's ::controller_path.
     def controller_path
       self.class.controller_path
     end
 
-    # Delegates to the class' ::action_methods
+    # Delegates to the class's ::action_methods.
     def action_methods
       self.class.action_methods
     end
@@ -177,7 +178,7 @@ module AbstractController
 
     # Tests if a response body is set. Used to determine if the
     # +process_action+ callback needs to be terminated in
-    # +AbstractController::Callbacks+.
+    # AbstractController::Callbacks.
     def performed?
       response_body
     end
@@ -210,8 +211,8 @@ module AbstractController
       #
       # Notice that the first argument is the method to be dispatched
       # which is *not* necessarily the same as the action name.
-      def process_action(method_name, *args)
-        send_action(method_name, *args)
+      def process_action(...)
+        send_action(...)
       end
 
       # Actually call the method associated with the action. Override

data/lib/abstract_controller/callbacks.rb

@@ -229,7 +229,7 @@ module AbstractController
     private
       # Override <tt>AbstractController::Base#process_action</tt> to run the
       # <tt>process_action</tt> callbacks around the normal behavior.
-      def process_action(*)
+      def process_action(...)
         run_callbacks(:process_action) do
           super
         end

data/lib/abstract_controller/helpers.rb

@@ -110,7 +110,7 @@ module AbstractController
       # The last two assume that <tt>"foo".camelize</tt> returns "Foo".
       #
       # When strings or symbols are passed, the method finds the actual module
-      # object using +String#constantize+. Therefore, if the module has not been
+      # object using String#constantize. Therefore, if the module has not been
       # yet loaded, it has to be autoloadable, which is normally the case.
       #
       # Namespaces are supported. The following calls include +Foo::BarHelper+:

data/lib/action_controller/api.rb

@@ -5,7 +5,7 @@ require "action_controller"
 require "action_controller/log_subscriber"
 
 module ActionController
-  # API Controller is a lightweight version of <tt>ActionController::Base</tt>,
+  # API Controller is a lightweight version of ActionController::Base,
   # created for applications that don't require all functionalities that a complete
   # \Rails controller provides, allowing you to create controllers with just the
   # features that you need for API only applications.
@@ -32,7 +32,7 @@ module ActionController
   #   end
   #
   # Request, response, and parameters objects all work the exact same way as
-  # <tt>ActionController::Base</tt>.
+  # ActionController::Base.
   #
   # == Renders
   #
@@ -51,7 +51,7 @@ module ActionController
   #
   # Redirects are used to move from one action to another. You can use the
   # <tt>redirect_to</tt> method in your controllers in the same way as in
-  # <tt>ActionController::Base</tt>. For example:
+  # ActionController::Base. For example:
   #
   #   def create
   #     redirect_to root_url and return if not_authorized?
@@ -61,7 +61,7 @@ module ActionController
   # == Adding New Behavior
   #
   # In some scenarios you may want to add back some functionality provided by
-  # <tt>ActionController::Base</tt> that is not present by default in
+  # ActionController::Base that is not present by default in
   # <tt>ActionController::API</tt>, for instance <tt>MimeResponds</tt>. This
   # module gives you the <tt>respond_to</tt> method. Adding it is quite simple,
   # you just need to include the module in a specific controller or in
@@ -83,7 +83,7 @@ module ActionController
   #     end
   #   end
   #
-  # Make sure to check the modules included in <tt>ActionController::Base</tt>
+  # Make sure to check the modules included in ActionController::Base
   # if you want to use any other functionality that is not provided
   # by <tt>ActionController::API</tt> out of the box.
   class API < Metal

data/lib/action_controller/base.rb

@@ -87,10 +87,11 @@ module ActionController
   #
   # or you can remove the entire session with +reset_session+.
   #
-  # Sessions are stored by default in a browser cookie that's cryptographically signed, but unencrypted.
-  # This prevents the user from tampering with the session but also allows them to see its contents.
-  #
-  # Do not put secret information in cookie-based sessions!
+  # By default, sessions are stored in an encrypted browser cookie (see
+  # ActionDispatch::Session::CookieStore). Thus the user will not be able to
+  # read or edit the session data. However, the user can keep a copy of the
+  # cookie even after it has expired, so you should avoid storing sensitive
+  # information in cookie-based sessions.
   #
   # == Responses
   #

data/lib/action_controller/form_builder.rb

@@ -3,7 +3,7 @@
 module ActionController
   # Override the default form builder for all views rendered by this
   # controller and any of its descendants. Accepts a subclass of
-  # +ActionView::Helpers::FormBuilder+.
+  # ActionView::Helpers::FormBuilder.
   #
   # For example, given a form builder:
   #
@@ -36,7 +36,7 @@ module ActionController
       # in the views rendered by this controller and its subclasses.
       #
       # ==== Parameters
-      # * <tt>builder</tt> - Default form builder, an instance of +ActionView::Helpers::FormBuilder+
+      # * <tt>builder</tt> - Default form builder, an instance of ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder
       end

data/lib/action_controller/metal/conditional_get.rb

@@ -268,7 +268,7 @@ module ActionController
     #   expires_in 3.hours, public: true, stale_while_revalidate: 60.seconds, stale_if_error: 5.minutes
     #
     # HTTP Cache-Control Extensions other values: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-    # Any additional key-value pairs are concatenated onto the `Cache-Control` header in the response:
+    # Any additional key-value pairs are concatenated onto the Cache-Control header in the response:
     #
     #   expires_in 3.hours, public: true, "s-maxage": 3.hours, "no-transform": true
     #

data/lib/action_controller/metal/content_security_policy.rb

@@ -2,7 +2,6 @@
 
 module ActionController # :nodoc:
   module ContentSecurityPolicy
-    # TODO: Documentation
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
@@ -14,6 +13,29 @@ module ActionController # :nodoc:
     end
 
     module ClassMethods
+      # Overrides parts of the globally configured Content-Security-Policy
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy do |policy|
+      #       policy.base_uri "https://www.example.com"
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy(only: :index) do |policy|
+      #       policy.default_src :self, :https
+      #     end
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy false, only: :index
+      #   end
       def content_security_policy(enabled = true, **options, &block)
         before_action(options) do
           if block_given?
@@ -28,6 +50,18 @@ module ActionController # :nodoc:
         end
       end
 
+      # Overrides the globally configured Content-Security-Policy-Report-Only
+      # header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only only: :index
+      #   end
+      #
+      # Pass +false+ to remove the Content-Security-Policy-Report-Only header:
+      #
+      #   class PostsController < ApplicationController
+      #     content_security_policy_report_only false, only: :index
+      #   end
       def content_security_policy_report_only(report_only = true, **options)
         before_action(options) do
           request.content_security_policy_report_only = report_only

data/lib/action_controller/metal/helpers.rb

@@ -91,7 +91,7 @@ module ActionController
         end
       end
 
-      # Overwrite modules_for_helpers to accept :all as argument, which loads
+      # Override modules_for_helpers to accept +:all+ as argument, which loads
       # all helpers in helpers_path.
       #
       # ==== Parameters

data/lib/action_controller/metal/http_authentication.rb

@@ -5,9 +5,9 @@ require "active_support/security_utils"
 require "active_support/core_ext/array/access"
 
 module ActionController
-  # HTTP Basic, Digest and Token authentication.
+  # HTTP Basic, Digest, and Token authentication.
   module HttpAuthentication
-    # HTTP \Basic authentication.
+    # = HTTP \Basic authentication
     #
     # === Simple \Basic example
     #
@@ -70,7 +70,12 @@ module ActionController
         extend ActiveSupport::Concern
 
         module ClassMethods
+          # Enables HTTP \Basic authentication.
+          #
+          # See ActionController::HttpAuthentication::Basic for example usage.
           def http_basic_authenticate_with(name:, password:, realm: nil, **options)
+            raise ArgumentError, "Expected name: to be a String, got #{name.class}" unless name.is_a?(String)
+            raise ArgumentError, "Expected password: to be a String, got #{password.class}" unless password.is_a?(String)
             before_action(options) { http_basic_authenticate_or_request_with name: name, password: password, realm: realm }
           end
         end
@@ -79,8 +84,8 @@ module ActionController
           authenticate_or_request_with_http_basic(realm, message) do |given_name, given_password|
             # This comparison uses & so that it doesn't short circuit and
             # uses `secure_compare` so that length information isn't leaked.
-            ActiveSupport::SecurityUtils.secure_compare(given_name, name) &
-              ActiveSupport::SecurityUtils.secure_compare(given_password, password)
+            ActiveSupport::SecurityUtils.secure_compare(given_name.to_s, name) &
+              ActiveSupport::SecurityUtils.secure_compare(given_password.to_s, password)
           end
         end
 
@@ -104,7 +109,7 @@ module ActionController
       end
 
       def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
+        request.authorization.present? && (auth_scheme(request).downcase == "basic")
       end
 
       def user_name_and_password(request)
@@ -135,7 +140,7 @@ module ActionController
       end
     end
 
-    # HTTP \Digest authentication.
+    # = HTTP \Digest authentication
     #
     # === Simple \Digest example
     #
@@ -181,22 +186,28 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP \Digest, or otherwise render an HTTP header
+        # requesting the client to send a \Digest.
+        #
+        # See ActionController::HttpAuthentication::Digest for example usage.
         def authenticate_or_request_with_http_digest(realm = "Application", message = nil, &password_procedure)
           authenticate_with_http_digest(realm, &password_procedure) || request_http_digest_authentication(realm, message)
         end
 
-        # Authenticate with HTTP Digest, returns true or false
+        # Authenticate using an HTTP \Digest. Returns true if authentication is
+        # successful, false otherwise.
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
           HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
         end
 
-        # Render output including the HTTP Digest authentication header
+        # Render an HTTP header requesting the client to send a \Digest for
+        # authentication.
         def request_http_digest_authentication(realm = "Application", message = nil)
           HttpAuthentication::Digest.authentication_request(self, realm, message)
         end
       end
 
-      # Returns false on a valid response, true otherwise
+      # Returns false on a valid response, true otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -301,7 +312,7 @@ module ActionController
       #
       # An implementation might choose not to accept a previously used nonce or a previously used digest, in order to
       # protect against a replay attack. Or, an implementation might choose to use one-time nonces or digests for
-      # POST, PUT, or PATCH requests and a time-stamp for GET requests. For more details on the issues involved see Section 4
+      # POST, PUT, or PATCH requests, and a time-stamp for GET requests. For more details on the issues involved see Section 4
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
@@ -331,9 +342,9 @@ module ActionController
       end
     end
 
-    # HTTP Token authentication.
+    # = HTTP \Token authentication
     #
-    # Simple Token example:
+    # === Simple \Token example
     #
     #   class PostsController < ApplicationController
     #     TOKEN = "secret"
@@ -412,14 +423,22 @@ module ActionController
       extend self
 
       module ControllerMethods
+        # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
+        # header requesting the client to send a Bearer token.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_or_request_with_http_token(realm = "Application", message = nil, &login_procedure)
           authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
+        # Authenticate using an HTTP Bearer token. Returns true if
+        # authentication is successful, false otherwise.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
 
+        # Render an HTTP header requesting the client to send a Bearer token for
+        # authentication.
         def request_http_token_authentication(realm = "Application", message = nil)
           Token.authentication_request(self, realm, message)
         end
@@ -428,17 +447,17 @@ module ActionController
       # If token Authorization header is present, call the login
       # procedure with the present token and options.
       #
-      # [controller]
-      #   ActionController::Base instance for the current request.
+      # Returns the return value of <tt>login_procedure</tt> if a
+      # token is found. Returns <tt>nil</tt> if no token is found.
+      #
+      # ==== Parameters
       #
-      # [login_procedure]
-      #   Proc to call if a token is present. The Proc should take two arguments:
+      # * +controller+ - ActionController::Base instance for the current request.
+      # * +login_procedure+ - Proc to call if a token is present. The Proc
+      #   should take two arguments:
       #
       #     authenticate(controller) { |token, options| ... }
       #
-      # Returns the return value of <tt>login_procedure</tt> if a
-      # token is found. Returns <tt>nil</tt> if no token is found.
-
       def authenticate(controller, &login_procedure)
         token, options = token_and_options(controller.request)
         unless token.blank?
@@ -449,14 +468,18 @@ module ActionController
       # Parses the token and options out of the token Authorization header.
       # The value for the Authorization header is expected to have the prefix
       # <tt>"Token"</tt> or <tt>"Bearer"</tt>. If the header looks like this:
+      #
       #   Authorization: Token token="abc", nonce="def"
-      # Then the returned token is <tt>"abc"</tt>, and the options are
-      # <tt>{nonce: "def"}</tt>
       #
-      # request - ActionDispatch::Request instance with the current headers.
+      # Then the returned token is <tt>"abc"</tt>, and the options are
+      # <tt>{nonce: "def"}</tt>.
       #
       # Returns an +Array+ of <tt>[String, Hash]</tt> if a token is present.
       # Returns +nil+ if no token is found.
+      #
+      # ==== Parameters
+      #
+      # * +request+ - ActionDispatch::Request instance with the current headers.
       def token_and_options(request)
         authorization_request = request.authorization.to_s
         if authorization_request[TOKEN_REGEX]
@@ -469,7 +492,7 @@ module ActionController
         rewrite_param_values params_array_from raw_params auth
       end
 
-      # Takes raw_params and turns it into an array of parameters
+      # Takes +raw_params+ and turns it into an array of parameters.
       def params_array_from(raw_params)
         raw_params.map { |param| param.split %r/=(.+)?/ }
       end
@@ -494,10 +517,12 @@ module ActionController
 
       # Encodes the given token and options into an Authorization header value.
       #
-      # token   - String token.
-      # options - optional Hash of the options.
-      #
       # Returns String.
+      #
+      # ==== Parameters
+      #
+      # * +token+ - String token.
+      # * +options+ - Optional Hash of the options.
       def encode_credentials(token, options = {})
         values = ["#{TOKEN_KEY}#{token.to_s.inspect}"] + options.map do |key, value|
           "#{key}=#{value.to_s.inspect}"
@@ -507,10 +532,12 @@ module ActionController
 
       # Sets a WWW-Authenticate header to let the client know a token is desired.
       #
-      # controller - ActionController::Base instance for the outgoing response.
-      # realm      - String realm to use in the header.
-      #
       # Returns nothing.
+      #
+      # ==== Parameters
+      #
+      # * +controller+ - ActionController::Base instance for the outgoing response.
+      # * +realm+ - String realm to use in the header.
       def authentication_request(controller, realm, message = nil)
         message ||= "HTTP Token: Access denied.\n"
         controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.tr('"', "")}")

data/lib/action_controller/metal/live.rb

@@ -261,6 +261,7 @@ module ActionController
           # Since we're processing the view in a different thread, copy the
           # thread locals from the main thread to the child thread. :'(
           locals.each { |k, v| t2[k] = v }
+          ActiveSupport::IsolatedExecutionState.share_with(t1)
 
           begin
             super(name)

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,37 +1,28 @@
 # frozen_string_literal: true
 
 module ActionController # :nodoc:
-  # HTTP Permissions Policy is a web standard for defining a mechanism to
-  # allow and deny the use of browser permissions in its own context, and
-  # in content within any <iframe> elements in the document.
-  #
-  # Full details of HTTP Permissions Policy specification and guidelines can
-  # be found at MDN:
-  #
-  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
-  #
-  # Examples of usage:
-  #
-  #   # Global policy
-  #   Rails.application.config.permissions_policy do |f|
-  #     f.camera      :none
-  #     f.gyroscope   :none
-  #     f.microphone  :none
-  #     f.usb         :none
-  #     f.fullscreen  :self
-  #     f.payment     :self, "https://secure.example.com"
-  #   end
-  #
-  #   # Controller level policy
-  #   class PagesController < ApplicationController
-  #     permissions_policy do |p|
-  #       p.geolocation "https://example.com"
-  #     end
-  #   end
   module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
+      # Overrides parts of the globally configured Feature-Policy
+      # header:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy do |policy|
+      #       policy.geolocation "https://example.com"
+      #     end
+      #   end
+      #
+      # Options can be passed similar to +before_action+. For example, pass
+      # <tt>only: :index</tt> to override the header on the index action only:
+      #
+      #   class PagesController < ApplicationController
+      #     permissions_policy(only: :index) do |policy|
+      #       policy.camera :self
+      #     end
+      #   end
+      #
       def permissions_policy(**options, &block)
         before_action(options) do
           if block_given?

data/lib/action_controller/metal/redirecting.rb

@@ -74,7 +74,7 @@ module ActionController
     #
     # Raises UnsafeRedirectError in the case of an unsafe redirect.
     #
-    # To allow any external redirects pass `allow_other_host: true`, though using a user-provided param in that case is unsafe.
+    # To allow any external redirects pass <tt>allow_other_host: true</tt>, though using a user-provided param in that case is unsafe.
     #
     #   redirect_to "https://rubyonrails.org", allow_other_host: true
     #
@@ -117,7 +117,7 @@ module ActionController
     # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
     # All other options that can be passed to #redirect_to are accepted as
-    # options and the behavior is identical.
+    # options, and the behavior is identical.
     def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
       if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
         redirect_to request.referer, allow_other_host: allow_other_host, **options
@@ -195,7 +195,8 @@ module ActionController
       end
 
       def _url_host_allowed?(url)
-        URI(url.to_s).host == request.host
+        host = URI(url.to_s).host
+        host == request.host || host.nil? && url.to_s.start_with?("/")
       rescue ArgumentError, URI::Error
         false
       end