actionpack 7.0.4 → 7.1.3.4

data/lib/action_controller/metal/head.rb

@@ -17,19 +17,21 @@ module ActionController
     #   return head(:bad_request) unless valid_request?
     #   render
     #
-    # See Rack::Utils::SYMBOL_TO_STATUS_CODE for a full list of valid +status+ symbols.
-    def head(status, options = {})
+    # See +Rack::Utils::SYMBOL_TO_STATUS_CODE+ for a full list of valid +status+ symbols.
+    def head(status, options = nil)
       if status.is_a?(Hash)
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."
       end
 
       status ||= :ok
 
-      location = options.delete(:location)
-      content_type = options.delete(:content_type)
+      if options
+        location = options.delete(:location)
+        content_type = options.delete(:content_type)
 
-      options.each do |key, value|
-        headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        options.each do |key, value|
+          headers[key.to_s.split(/[-_]/).each { |v| v[0] = v[0].upcase }.join("-")] = value.to_s
+        end
       end
 
       self.status = status
@@ -37,7 +39,7 @@ module ActionController
 
       if include_content?(response_code)
         unless self.media_type
-          self.content_type = content_type || (Mime[formats.first] if formats) || Mime[:html]
+          self.content_type = content_type || ((f = formats) && Mime[f.first]) || Mime[:html]
         end
 
         response.charset = false

data/lib/action_controller/metal/helpers.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller \Helpers
+  #
   # The \Rails framework provides a large number of helpers for working with assets, dates, forms,
   # numbers and model objects, to name a few. These helpers are available to all templates
   # by default.
@@ -80,7 +82,7 @@ module ActionController
       # Provides a proxy to access helper methods from outside the view.
       #
       # Note that the proxy is rendered under a different view context.
-      # This may cause incorrect behaviour with capture methods. Consider
+      # This may cause incorrect behavior with capture methods. Consider
       # using {helper}[rdoc-ref:AbstractController::Helpers::ClassMethods#helper]
       # instead when using +capture+.
       def helpers
@@ -104,19 +106,6 @@ module ActionController
         super(args)
       end
 
-      # Returns a list of helper names in a given path.
-      #
-      #   ActionController::Base.all_helpers_from_path 'app/helpers'
-      #   # => ["application", "chart", "rubygems"]
-      def all_helpers_from_path(path)
-        helpers = Array(path).flat_map do |_path|
-          names = Dir["#{_path}/**/*_helper.rb"].map { |file| file[_path.to_s.size + 1..-"_helper.rb".size - 1] }
-          names.sort!
-        end
-        helpers.uniq!
-        helpers
-      end
-
       private
         # Extract helper names from files in <tt>app/helpers/**/*_helper.rb</tt>
         def all_application_helpers

data/lib/action_controller/metal/http_authentication.rb

@@ -21,7 +21,7 @@ module ActionController
     #     def edit
     #       render plain: "I'm only accessible if you know the password"
     #     end
-    #  end
+    #   end
     #
     # === Advanced \Basic example
     #
@@ -316,7 +316,7 @@ module ActionController
       # of this document.
       #
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
-      # key from the Rails session secret generated upon creation of project. Ensures
+      # key from the \Rails session secret generated upon creation of project. Ensures
       # the time cannot be modified by client.
       def nonce(secret_key, time = Time.now)
         t = time.to_i
@@ -424,15 +424,20 @@ module ActionController
 
       module ControllerMethods
         # Authenticate using an HTTP Bearer token, or otherwise render an HTTP
-        # header requesting the client to send a Bearer token.
+        # header requesting the client to send a Bearer token. For the authentication
+        # to be considered successful, +login_procedure+ should return a non-nil
+        # value. Typically, the authenticated user is returned.
         #
         # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_or_request_with_http_token(realm = "Application", message = nil, &login_procedure)
           authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm, message)
         end
 
-        # Authenticate using an HTTP Bearer token. Returns true if
-        # authentication is successful, false otherwise.
+        # Authenticate using an HTTP Bearer token.
+        # Returns the return value of +login_procedure+ if a
+        # token is found. Returns +nil+ if no token is found.
+        #
+        # See ActionController::HttpAuthentication::Token for example usage.
         def authenticate_with_http_token(&login_procedure)
           Token.authenticate(self, &login_procedure)
         end
@@ -447,8 +452,8 @@ module ActionController
       # If token Authorization header is present, call the login
       # procedure with the present token and options.
       #
-      # Returns the return value of <tt>login_procedure</tt> if a
-      # token is found. Returns <tt>nil</tt> if no token is found.
+      # Returns the return value of +login_procedure+ if a
+      # token is found. Returns +nil+ if no token is found.
       #
       # ==== Parameters
       #
@@ -502,11 +507,15 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
+      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
+      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
+
       # This method takes an authorization body and splits up the key-value
       # pairs by the standardized <tt>:</tt>, <tt>;</tt>, or <tt>\t</tt>
       # delimiters defined in +AUTHN_PAIR_DELIMITERS+.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(/\s*#{AUTHN_PAIR_DELIMITERS}\s*/)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
+        _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)
           _raw_params[0] = "#{TOKEN_KEY}#{_raw_params.first}"

data/lib/action_controller/metal/implicit_render.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionController
+  # = Action Controller Implicit Render
+  #
   # Handles implicit rendering for a controller action that does not
   # explicitly respond with +render+, +respond_to+, +redirect+, or +head+.
   #
@@ -17,12 +19,12 @@ module ActionController
   # Second, if we DON'T find a template but the controller action does have
   # templates for other formats, variants, etc., then we trust that you meant
   # to provide a template for this response, too, and we raise
-  # <tt>ActionController::UnknownFormat</tt> with an explanation.
+  # ActionController::UnknownFormat with an explanation.
   #
   # Third, if we DON'T find a template AND the request is a page load in a web
   # browser (technically, a non-XHR GET request for an HTML response) where
   # you reasonably expect to have rendered a template, then we raise
-  # <tt>ActionController::MissingExactTemplate</tt> with an explanation.
+  # ActionController::MissingExactTemplate with an explanation.
   #
   # Finally, if we DON'T find a template AND the request isn't a browser page
   # load, then we implicitly respond with <tt>204 No Content</tt>.
@@ -42,7 +44,7 @@ module ActionController
         raise ActionController::UnknownFormat, message
       elsif interactive_browser_request?
         message = "#{self.class.name}\##{action_name} is missing a template for request formats: #{request.formats.map(&:to_s).join(',')}"
-        raise ActionController::MissingExactTemplate, message
+        raise ActionController::MissingExactTemplate.new(message, self.class, action_name)
       else
         logger.info "No template found for #{self.class.name}\##{action_name}, rendering head :no_content" if logger
         super

data/lib/action_controller/metal/instrumentation.rb

@@ -4,6 +4,8 @@ require "benchmark"
 require "abstract_controller/logger"
 
 module ActionController
+  # = Action Controller \Instrumentation
+  #
   # Adds instrumentation to several ends in ActionController::Base. It also provides
   # some hooks related with process_action. This allows an ORM like Active Record
   # and/or DataMapper to plug in ActionController and show related information.
@@ -16,6 +18,11 @@ module ActionController
 
     attr_internal :view_runtime
 
+    def initialize(...) # :nodoc:
+      super
+      self.view_runtime = nil
+    end
+
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
@@ -58,7 +65,7 @@ module ActionController
           headers: request.headers,
           format: request.format.ref,
           method: request.request_method,
-          path: request.fullpath
+          path: request.filtered_path
         }
 
         ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload)

data/lib/action_controller/metal/live.rb

@@ -5,6 +5,8 @@ require "delegate"
 require "active_support/json"
 
 module ActionController
+  # = Action Controller \Live
+  #
   # Mix this module into your controller, and all actions in that controller
   # will be able to stream data to the client as it's written.
   #
@@ -34,6 +36,21 @@ module ActionController
   # The final caveat is that your actions are executed in a separate thread than
   # the main thread. Make sure your actions are thread safe, and this shouldn't
   # be a problem (don't share state across threads, etc).
+  #
+  # Note that \Rails includes +Rack::ETag+ by default, which will buffer your
+  # response. As a result, streaming responses may not work properly with Rack
+  # 2.2.x, and you may need to implement workarounds in your application.
+  # You can either set the +ETag+ or +Last-Modified+ response headers or remove
+  # +Rack::ETag+ from the middleware stack to address this issue.
+  #
+  # Here's an example of how you can set the +Last-Modified+ header if your Rack
+  # version is 2.2.x:
+  #
+  #   def stream
+  #     response.headers["Content-Type"] = "text/event-stream"
+  #     response.headers["Last-Modified"] = Time.now.httpdate # Add this line if your Rack version is 2.2.x
+  #     ...
+  #   end
   module Live
     extend ActiveSupport::Concern
 
@@ -49,6 +66,8 @@ module ActionController
       end
     end
 
+    # = Action Controller \Live Server Sent Events
+    #
     # This class provides the ability to write an SSE (Server Sent Event)
     # to an IO stream. The class is initialized with a stream and can be used
     # to either write a JSON string or an object which can be converted to JSON.
@@ -148,6 +167,11 @@ module ActionController
         @ignore_disconnect = false
       end
 
+      # ActionDispatch::Response delegates #to_ary to the internal ActionDispatch::Response::Buffer,
+      # defining #to_ary is an indicator that the response body can be buffered and/or cached by
+      # Rack middlewares, this is not the case for Live responses so we undefine it for this Buffer subclass.
+      undef_method :to_ary
+
       def write(string)
         unless @response.committed?
           @response.headers["Cache-Control"] ||= "no-cache"
@@ -321,7 +345,7 @@ module ActionController
     def send_stream(filename:, disposition: "attachment", type: nil)
       response.headers["Content-Type"] =
         (type.is_a?(Symbol) ? Mime[type].to_s : type) ||
-        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete(".")) ||
+        Mime::Type.lookup_by_extension(File.extname(filename).downcase.delete("."))&.to_s ||
         "application/octet-stream"
 
       response.headers["Content-Disposition"] =

data/lib/action_controller/metal/mime_responds.rb

@@ -32,7 +32,7 @@ module ActionController # :nodoc:
     #
     # What that says is, "if the client wants HTML or JS in response to this action, just respond as we
     # would have before, but if the client wants XML, return them the list of people in XML format."
-    # (Rails determines the desired response format from the HTTP Accept header submitted by the client.)
+    # (\Rails determines the desired response format from the HTTP Accept header submitted by the client.)
     #
     # Supposing you have an action that adds a new person, optionally creating their company
     # (by name) if it does not already exist, without web-services, it might look like this:
@@ -98,7 +98,7 @@ module ActionController # :nodoc:
     #
     # Note that you can define your own XML parameter parser which would allow you to describe multiple entities
     # in a single request (i.e., by wrapping them all in a single root node), but if you just go with the flow
-    # and accept Rails' defaults, life will be much easier.
+    # and accept \Rails' defaults, life will be much easier.
     #
     # If you need to use a MIME type which isn't supported by default, you can register your own handlers in
     # +config/initializers/mime_types.rb+ as follows.

data/lib/action_controller/metal/params_wrapper.rb

@@ -6,6 +6,8 @@ require "active_support/core_ext/module/anonymous"
 require "action_dispatch/http/mime_type"
 
 module ActionController
+  # = Action Controller Params Wrapper
+  #
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
@@ -68,9 +70,9 @@ module ActionController
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
+  # will try to check if +Admin::User+ or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
-  # it will then fallback to use +user+ as the key.
+  # it will then fall back to use +user+ as the key.
   #
   # To disable this functionality for a controller:
   #

data/lib/action_controller/metal/permissions_policy.rb

@@ -5,7 +5,7 @@ module ActionController # :nodoc:
     extend ActiveSupport::Concern
 
     module ClassMethods
-      # Overrides parts of the globally configured Feature-Policy
+      # Overrides parts of the globally configured +Feature-Policy+
       # header:
       #
       #   class PagesController < ApplicationController
@@ -27,7 +27,7 @@ module ActionController # :nodoc:
         before_action(options) do
           if block_given?
             policy = request.permissions_policy.clone
-            yield policy
+            instance_exec(policy, &block)
             request.permissions_policy = policy
           end
         end

data/lib/action_controller/metal/redirecting.rb

@@ -9,6 +9,8 @@ module ActionController
 
     class UnsafeRedirectError < StandardError; end
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
     included do
       mattr_accessor :raise_on_open_redirects, default: false
     end
@@ -21,7 +23,7 @@ module ActionController
     # * <tt>String</tt> not containing a protocol - The current protocol and host is prepended to the string.
     # * <tt>Proc</tt> - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
     #
-    # === Examples:
+    # === Examples
     #
     #   redirect_to action: "show", id: 5
     #   redirect_to @post
@@ -65,8 +67,8 @@ module ActionController
     #
     # === Open Redirect protection
     #
-    # By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
-    # Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    # By default, \Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
+    # Note: this was a new default in \Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
     #
     # Here #redirect_to automatically validates the potentially-unsafe URL:
     #
@@ -85,9 +87,13 @@ module ActionController
 
       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
-      self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
-      self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
+      self.status = _extract_redirect_to_status(options, response_options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
+      self.response_body = ""
     end
 
     # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead
@@ -148,7 +154,7 @@ module ActionController
     public :_compute_redirect_to_location
 
     # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
-    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
     #
     #   redirect_to url_from(params[:redirect_url]) || root_url
     #
@@ -196,9 +202,24 @@ module ActionController
 
       def _url_host_allowed?(url)
         host = URI(url.to_s).host
-        host == request.host || host.nil? && url.to_s.start_with?("/")
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        !url.to_s.start_with?("//")
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -3,12 +3,12 @@
 require "set"
 
 module ActionController
-  # See <tt>Renderers.add</tt>
+  # See Renderers.add
   def self.add_renderer(key, &block)
     Renderers.add(key, &block)
   end
 
-  # See <tt>Renderers.remove</tt>
+  # See Renderers.remove
   def self.remove_renderer(key)
     Renderers.remove(key)
   end
@@ -58,7 +58,7 @@ module ActionController
     #       disposition: "attachment; filename=#{filename}.csv"
     #   end
     #
-    # Note that we used Mime[:csv] for the csv mime type as it comes with Rails.
+    # Note that we used Mime[:csv] for the csv mime type as it comes with \Rails.
     # For a custom renderer, you'll need to register a mime type with
     # <tt>Mime::Type.register</tt>.
     #
@@ -100,7 +100,7 @@ module ActionController
       #
       # Both ActionController::Base and ActionController::API
       # include ActionController::Renderers::All, making all renderers
-      # available in the controller. See <tt>Renderers::RENDERERS</tt> and <tt>Renderers.add</tt>.
+      # available in the controller. See Renderers::RENDERERS and Renderers.add.
       #
       # Since ActionController::Metal controllers cannot render, the controller
       # must include AbstractController::Rendering, ActionController::Rendering,

data/lib/action_controller/metal/rendering.rb

@@ -24,12 +24,124 @@ module ActionController
       end
     end
 
+    # Renders a template and assigns the result to +self.response_body+.
+    #
+    # If no rendering mode option is specified, the template will be derived
+    # from the first argument.
+    #
+    #   render "posts/show"
+    #   # => renders app/views/posts/show.html.erb
+    #
+    #   # In a PostsController action...
+    #   render :show
+    #   # => renders app/views/posts/show.html.erb
+    #
+    # If the first argument responds to +render_in+, the template will be
+    # rendered by calling +render_in+ with the current view context.
+    #
+    # ==== \Rendering Mode
+    #
+    # [+:partial+]
+    #   See ActionView::PartialRenderer for details.
+    #
+    #     render partial: "posts/form", locals: { post: Post.new }
+    #     # => renders app/views/posts/_form.html.erb
+    #
+    # [+:file+]
+    #   Renders the contents of a file. This option should <b>not</b> be used
+    #   with unsanitized user input.
+    #
+    #     render file: "/path/to/some/file"
+    #     # => renders /path/to/some/file
+    #
+    # [+:inline+]
+    #   Renders an ERB template string.
+    #
+    #     @name = "World"
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>"
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:body+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render body: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:plain+]
+    #   Renders the provided text, and sets the content type as +text/plain+.
+    #
+    #     render plain: "Hello, World!"
+    #     # => renders "Hello, World!"
+    #
+    # [+:html+]
+    #   Renders the provided HTML string, and sets the content type as +text/html+.
+    #   If the string is not +html_safe?+, performs HTML escaping on the string
+    #   before rendering.
+    #
+    #     render html: "<h1>Hello, World!</h1>".html_safe
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    #     render html: "<h1>Hello, World!</h1>"
+    #     # => renders "&lt;h1&gt;Hello, World!&lt;/h1&gt;"
+    #
+    # [+:json+]
+    #   Renders the provided object as JSON, and sets the content type as
+    #   +application/json+. If the object is not a string, it will be converted
+    #   to JSON by calling +to_json+.
+    #
+    #     render json: { hello: "world" }
+    #     # => renders "{\"hello\":\"world\"}"
+    #
+    # By default, when a rendering mode is specified, no layout template is
+    # rendered.
+    #
+    # ==== Options
+    #
+    # [+:assigns+]
+    #   Hash of instance variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= @name %>!</h1>", assigns: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:locals+]
+    #   Hash of local variable assignments for the template.
+    #
+    #     render inline: "<h1>Hello, <%= name %>!</h1>", locals: { name: "World" }
+    #     # => renders "<h1>Hello, World!</h1>"
+    #
+    # [+:layout+]
+    #   The layout template to render. Can also be +false+ or +true+ to disable
+    #   or (re)enable the default layout template.
+    #
+    #     render "posts/show", layout: "holiday"
+    #     # => renders app/views/posts/show.html.erb with the app/views/layouts/holiday.html.erb layout
+    #
+    #     render "posts/show", layout: false
+    #     # => renders app/views/posts/show.html.erb with no layout
+    #
+    #     render inline: "<h1>Hello, World!</h1>", layout: true
+    #     # => renders "<h1>Hello, World!</h1>" with the default layout
+    #
+    # [+:status+]
+    #   The HTTP status code to send with the response. Can be specified as a
+    #   number or as the status name in Symbol form. Defaults to 200.
+    #
+    #     render "posts/new", status: 422
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #     render "posts/new", status: :unprocessable_entity
+    #     # => renders app/views/posts/new.html.erb with HTTP status code 422
+    #
+    #--
     # Check for double render errors and set the content_type after rendering.
-    def render(*args) # :nodoc:
+    def render(*args)
       raise ::AbstractController::DoubleRenderError if response_body
       super
     end
 
+    # Similar to #render, but only returns the rendered template as a string,
+    # instead of setting +self.response_body+.
+    #--
     # Override render_to_string because body can now be set to a Rack body.
     def render_to_string(*)
       result = super
@@ -42,7 +154,7 @@ module ActionController
       end
     end
 
-    def render_to_body(options = {})
+    def render_to_body(options = {}) # :nodoc:
       super || _render_in_priorities(options) || " "
     end
 
@@ -83,13 +195,6 @@ module ActionController
         end
       end
 
-      # Normalize arguments by catching blocks and setting them on :update.
-      def _normalize_args(action = nil, options = {}, &blk)
-        options = super
-        options[:update] = blk if block_given?
-        options
-      end
-
       # Normalize both text and status options.
       def _normalize_options(options)
         _normalize_text(options)