actionpack 7.0.4 → 7.1.3.4

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)
@@ -32,8 +32,8 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (Last-Modified and ETag) against request
-        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # Check response freshness (+Last-Modified+ and ETag) against request
+        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
         # supplied, both must match, or the request is not considered fresh.
         def fresh?(response)
           last_modified = if_modified_since
@@ -81,8 +81,8 @@ module ActionDispatch
 
         # This method sets a weak ETag validator on the response so browsers
         # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the If-None-Match header is set to the cached ETag. If it
-        # matches the current ETag, we can return a 304 Not Modified response
+        # requests, the +If-None-Match+ header is set to the cached ETag. If it
+        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
         # with no body, letting the browser or proxy know that their cache is
         # current. Big savings in request time and network bandwidth.
         #
@@ -92,7 +92,7 @@ module ActionDispatch
         # is viewing.
         #
         # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support Range requests, useful for paging
+        # browser or proxy cache to support +Range+ requests, useful for paging
         # through a PDF file or scrubbing through a video. Some CDNs only
         # support strong ETags and will ignore weak ETags entirely.
         #
@@ -112,12 +112,12 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set and it's a weak validator (preceded with W/)
+        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
         def strong_etag?
           etag? && !weak_etag?
         end
@@ -138,15 +138,13 @@ module ActionDispatch
         def cache_control_segments
           if cache_control = _cache_control
             cache_control.delete(" ").split(",")
-          else
-            []
           end
         end
 
         def cache_control_headers
           cache_control = {}
 
-          cache_control_segments.each do |segment|
+          cache_control_segments&.each do |segment|
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive

data/lib/action_dispatch/http/content_security_policy.rb

@@ -4,6 +4,8 @@ require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
+  # = Action Dispatch Content Security Policy
+  #
   # Configures the HTTP
   # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
   # response header to help protect against XSS and injection attacks.
@@ -23,20 +25,21 @@ module ActionDispatch # :nodoc:
   #   end
   class ContentSecurityPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      POLICY = "Content-Security-Policy"
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
-
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
-        _, headers, _ = response = @app.call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
+        # CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
@@ -50,14 +53,15 @@ module ActionDispatch # :nodoc:
       private
         def header_name(request)
           if request.content_security_policy_report_only
-            POLICY_REPORT_ONLY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
           else
-            POLICY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
           end
         end
 
         def policy_present?(headers)
-          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
         end
     end
 
@@ -119,6 +123,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
       http:             "http:",

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,33 +4,15 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
-    # from a hash is possible by using the dot notation: 'credit_card.number'.
-    # If a block is given, each key and value of the params hash and all
-    # sub-hashes are passed to it, where the value or the key can be replaced using
-    # String#replace or similar methods.
+    # = Action Dispatch HTTP Filter Parameters
     #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
+    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = [ /\Apin\z/i, /\Apin_/i ]
-    #   => replaces the value for the exact (case-insensitive) key 'pin' and all
-    #   (case-insensitive) keys beginning with 'pin_', with "[FILTERED]"
-    #   Does not match keys with 'pin' as a substring, such as 'shipping_id'.
-    #
-    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
-    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
-    #   change { file: { code: "xxxx"} }
-    #
-    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k.match?(/secret/i)
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -41,6 +23,7 @@ module ActionDispatch
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
       # Returns a hash of parameters with all sensitive data replaced.
@@ -60,13 +43,16 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    private
-      def parameter_filter # :doc:
-        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      def parameter_filter
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
+    private
       def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER

data/lib/action_dispatch/http/headers.rb

@@ -2,6 +2,8 @@
 
 module ActionDispatch
   module Http
+    # = Action Dispatch HTTP \Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
@@ -65,7 +67,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
       def add(key, value)
         @req.add_header env_name(key), value
       end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -16,7 +16,20 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
-        cattr_accessor :return_only_media_type_on_content_type, default: false
+
+        def return_only_media_type_on_content_type=(value)
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+              " be removed in Rails 7.2."
+          )
+        end
+
+        def return_only_media_type_on_content_type
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+            " be removed in Rails 7.2."
+          )
+        end
       end
 
       # The MIME type of the HTTP request, such as Mime[:xml].
@@ -33,19 +46,6 @@ module ActionDispatch
         end
       end
 
-      def content_type
-        if self.class.return_only_media_type_on_content_type
-          ActiveSupport::Deprecation.warn(
-            "Rails 7.1 will return Content-Type header without modification." \
-            " If you want just the MIME type, please use `#media_type` instead."
-          )
-
-          content_mime_type&.to_s
-        else
-          super
-        end
-      end
-
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -72,7 +72,7 @@ module ActionDispatch
       #   GET /posts/5.xhtml | request.format => Mime[:html]
       #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
 
@@ -81,7 +81,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -90,7 +90,7 @@ module ActionDispatch
             [Mime[:html]]
           end
 
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
 
@@ -132,7 +132,7 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
       # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
@@ -172,22 +172,22 @@ module ActionDispatch
         # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
 
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
 
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]

data/lib/action_dispatch/http/mime_type.rb

@@ -11,6 +11,7 @@ module Mime
     def initialize
       @mimes = []
       @symbols = []
+      @symbols_set = Set.new
     end
 
     def each(&block)
@@ -19,17 +20,25 @@ module Mime
 
     def <<(type)
       @mimes << type
-      @symbols << type.to_sym
+      sym_type = type.to_sym
+      @symbols << sym_type
+      @symbols_set << sym_type
     end
 
     def delete_if
       @mimes.delete_if do |x|
         if yield x
-          @symbols.delete(x.to_sym)
+          sym_type = x.to_sym
+          @symbols.delete(sym_type)
+          @symbols_set.delete(sym_type)
           true
         end
       end
     end
+
+    def valid_symbols?(symbols) # :nodoc
+      symbols.all? { |s| @symbols_set.include?(s) }
+    end
   end
 
   SET              = Mimes.new
@@ -42,6 +51,14 @@ module Mime
       Type.lookup_by_extension(type)
     end
 
+    def symbols
+      SET.symbols
+    end
+
+    def valid_symbols?(symbols) # :nodoc:
+      SET.valid_symbols?(symbols)
+    end
+
     def fetch(type, &block)
       return type if type.is_a?(Type)
       EXTENSION_LOOKUP.fetch(type.to_s, &block)
@@ -135,14 +152,18 @@ module Mime
 
     class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
-      PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
+      # all media-type parameters need to be before the q-parameter
+      # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
+      ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
         @register_callbacks << block
       end
 
       def lookup(string)
-        LOOKUP[string] || Type.new(string)
+        # fallback to the media-type without parameters if it was not found
+        LOOKUP[string] || LOOKUP[string.split(";", 2)[0]&.rstrip] || Type.new(string)
       end
 
       def lookup_by_extension(extension)
@@ -171,12 +192,14 @@ module Mime
 
       def parse(accept_header)
         if !accept_header.include?(",")
-          accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
-          return [] unless accept_header
-          parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
+          if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
+            accept_header = accept_header[0, index].strip
+          end
+          return [] if accept_header.blank?
+          parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
         else
           list, index = [], 0
-          accept_header.split(",").each do |header|
+          accept_header.scan(ACCEPT_HEADER_REGEXP).each do |header|
             params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
 
             next unless params
@@ -199,10 +222,10 @@ module Mime
       end
 
       # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
-      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]</tt>.
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]</tt>.
       #
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
-      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
+      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]</tt>.
       def parse_data_with_trailing_star(type)
         Mime::SET.select { |m| m.match?(type) }
       end
@@ -225,7 +248,7 @@ module Mime
     attr_reader :hash
 
     MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?#{MIME_NAME}#{Regexp.escape('"')}?"
+    MIME_PARAMETER_VALUE = "(?:#{MIME_NAME}|\"[^\"\r\\\\]*\")"
     MIME_PARAMETER = "\s*;\s*#{MIME_NAME}(?:=#{MIME_PARAMETER_VALUE})?"
     MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>#{MIME_PARAMETER})*\s*)\z/
 
@@ -291,7 +314,7 @@ module Mime
     end
 
     def html?
-      (symbol == :html) || /html/.match?(@string)
+      (symbol == :html) || @string.include?("html")
     end
 
     def all?; false; end

data/lib/action_dispatch/http/mime_types.rb

@@ -18,6 +18,7 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
+Mime::Type.register "image/webp", :webp, [], %w(webp)
 
 Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
 
@@ -43,7 +44,8 @@ Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
 
 # https://www.ietf.org/rfc/rfc4627.txt
 # http://www.json.org/JSONRequest.html
-Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest )
+# https://www.ietf.org/rfc/rfc7807.txt
+Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest application/problem+json )
 
 Mime::Type.register "application/pdf", :pdf, [], %w(pdf)
 Mime::Type.register "application/zip", :zip, [], %w(zip)

data/lib/action_dispatch/http/parameters.rb

@@ -76,7 +76,7 @@ module ActionDispatch
       end
 
       # Returns a hash with the \parameters used to form the \path of the request.
-      # Returned hash keys are strings:
+      # Returned hash keys are symbols:
       #
       #   { action: "my_action", controller: "my_controller" }
       def path_parameters

data/lib/action_dispatch/http/permissions_policy.rb

@@ -3,6 +3,8 @@
 require "active_support/core_ext/object/deep_dup"
 
 module ActionDispatch # :nodoc:
+  # = Action Dispatch \PermissionsPolicy
+  #
   # Configures the HTTP
   # {Feature-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy]
   # response header to specify which browser features the current document and
@@ -19,47 +21,38 @@ module ActionDispatch # :nodoc:
   #     policy.payment     :self, "https://secure.example.com"
   #   end
   #
+  # The Feature-Policy header has been renamed to Permissions-Policy.
+  # The Permissions-Policy requires a different implementation and isn't
+  # yet supported by all browsers. To avoid having to rename this
+  # middleware in the future we use the new name for the middleware but
+  # keep the old header name and implementation for now.
   class PermissionsPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      # The Feature-Policy header has been renamed to Permissions-Policy.
-      # The Permissions-Policy requires a different implementation and isn't
-      # yet supported by all browsers. To avoid having to rename this
-      # middleware in the future we use the new name for the middleware but
-      # keep the old header name and implementation for now.
-      POLICY       = "Feature-Policy"
-
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new(env)
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new(env)
+
         if policy = request.permissions_policy
-          headers[POLICY] = policy.build(request.controller_instance)
+          headers[ActionDispatch::Constants::FEATURE_POLICY] = policy.build(request.controller_instance)
         end
 
         if policy_empty?(policy)
-          headers.delete(POLICY)
+          headers.delete(ActionDispatch::Constants::FEATURE_POLICY)
         end
 
         response
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            /html/.match?(content_type)
-          end
-        end
-
         def policy_present?(headers)
-          headers[POLICY]
+          headers[ActionDispatch::Constants::FEATURE_POLICY]
         end
 
         def policy_empty?(policy)
@@ -85,7 +78,7 @@ module ActionDispatch # :nodoc:
     }.freeze
 
     # List of available permissions can be found at
-    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",
@@ -95,15 +88,18 @@ module ActionDispatch # :nodoc:
       fullscreen:           "fullscreen",
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
+      hid:                  "hid",
+      idle_detection:       "idle_detection",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",
       payment:              "payment",
       picture_in_picture:   "picture-in-picture",
-      speaker:              "speaker",
+      screen_wake_lock:     "screen-wake-lock",
+      serial:               "serial",
+      sync_xhr:             "sync-xhr",
       usb:                  "usb",
-      vibrate:              "vibrate",
-      vr:                   "vr",
+      web_share:            "web-share",
     }.freeze
 
     private_constant :MAPPINGS, :DIRECTIVES
@@ -129,6 +125,25 @@ module ActionDispatch # :nodoc:
       end
     end
 
+    %w[speaker vibrate vr].each do |directive|
+      define_method(directive) do |*sources|
+        ActionDispatch.deprecator.warn(<<~MSG)
+          The `#{directive}` permissions policy directive is deprecated
+          and will be removed in Rails 7.2.
+
+          There is no browser support for this directive, and no plan
+          for browser support in the future. You can just remove this
+          directive from your application.
+        MSG
+
+        if sources.first
+          @directives[directive] = apply_mappings(sources)
+        else
+          @directives.delete(directive)
+        end
+      end
+    end
+
     def build(context = nil)
       build_directives(context).compact.join("; ")
     end

data/lib/action_dispatch/http/rack_cache.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :enddoc:
+
 require "rack/cache"
 require "rack/cache/context"
 require "active_support/cache"