actionpack 7.0.4 → 7.1.5.1

data/lib/action_dispatch/constants.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "rack/version"
+
+module ActionDispatch
+  module Constants
+    # Response Header keys for Rack 2.x and 3.x
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+      VARY = "Vary"
+      CONTENT_ENCODING = "Content-Encoding"
+      CONTENT_SECURITY_POLICY = "Content-Security-Policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+      LOCATION = "Location"
+      FEATURE_POLICY = "Feature-Policy"
+      X_REQUEST_ID = "X-Request-Id"
+      X_CASCADE = "X-Cascade"
+      SERVER_TIMING = "Server-Timing"
+      STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security"
+    else
+      VARY = "vary"
+      CONTENT_ENCODING = "content-encoding"
+      CONTENT_SECURITY_POLICY = "content-security-policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only"
+      LOCATION = "location"
+      FEATURE_POLICY = "feature-policy"
+      X_REQUEST_ID = "x-request-id"
+      X_CASCADE = "x-cascade"
+      SERVER_TIMING = "server-timing"
+      STRICT_TRANSPORT_SECURITY = "strict-transport-security"
+    end
+  end
+end

data/lib/action_dispatch/deprecator.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  def self.deprecator # :nodoc:
+    @deprecator ||= ActiveSupport::Deprecation.new
+  end
+end

data/lib/action_dispatch/http/cache.rb

@@ -18,7 +18,7 @@ module ActionDispatch
         end
 
         def if_none_match_etags
-          if_none_match ? if_none_match.split(/\s*,\s*/) : []
+          if_none_match ? if_none_match.split(",").each(&:strip!) : []
         end
 
         def not_modified?(modified_at)
@@ -32,8 +32,8 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (Last-Modified and ETag) against request
-        # If-Modified-Since and If-None-Match conditions. If both headers are
+        # Check response freshness (+Last-Modified+ and ETag) against request
+        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
         # supplied, both must match, or the request is not considered fresh.
         def fresh?(response)
           last_modified = if_modified_since
@@ -81,8 +81,8 @@ module ActionDispatch
 
         # This method sets a weak ETag validator on the response so browsers
         # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the If-None-Match header is set to the cached ETag. If it
-        # matches the current ETag, we can return a 304 Not Modified response
+        # requests, the +If-None-Match+ header is set to the cached ETag. If it
+        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
         # with no body, letting the browser or proxy know that their cache is
         # current. Big savings in request time and network bandwidth.
         #
@@ -92,7 +92,7 @@ module ActionDispatch
         # is viewing.
         #
         # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support Range requests, useful for paging
+        # browser or proxy cache to support +Range+ requests, useful for paging
         # through a PDF file or scrubbing through a video. Some CDNs only
         # support strong ETags and will ignore weak ETags entirely.
         #
@@ -112,12 +112,12 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set and it's a weak validator (preceded with W/)
+        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set and it isn't a weak validator (not preceded with W/)
+        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
         def strong_etag?
           etag? && !weak_etag?
         end
@@ -138,15 +138,13 @@ module ActionDispatch
         def cache_control_segments
           if cache_control = _cache_control
             cache_control.delete(" ").split(",")
-          else
-            []
           end
         end
 
         def cache_control_headers
           cache_control = {}
 
-          cache_control_segments.each do |segment|
+          cache_control_segments&.each do |segment|
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive

data/lib/action_dispatch/http/content_security_policy.rb

@@ -4,6 +4,8 @@ require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
+  # = Action Dispatch Content Security Policy
+  #
   # Configures the HTTP
   # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
   # response header to help protect against XSS and injection attacks.
@@ -22,21 +24,25 @@ module ActionDispatch # :nodoc:
   #     policy.report_uri "/csp-violation-report-endpoint"
   #   end
   class ContentSecurityPolicy
-    class Middleware
-      CONTENT_TYPE = "Content-Type"
-      POLICY = "Content-Security-Policy"
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+    class InvalidDirectiveError < StandardError
+    end
 
+    class Middleware
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
-        _, headers, _ = response = @app.call(env)
+        status, headers, _ = response = @app.call(env)
+
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
+        # CSP headers might not match nonces in the cached HTML.
+        return response if status == 304
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
@@ -50,14 +56,15 @@ module ActionDispatch # :nodoc:
       private
         def header_name(request)
           if request.content_security_policy_report_only
-            POLICY_REPORT_ONLY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
           else
-            POLICY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
           end
         end
 
         def policy_present?(headers)
-          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
         end
     end
 
@@ -119,6 +126,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
       http:             "http:",
@@ -312,9 +320,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -324,8 +332,22 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,33 +4,15 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # Allows you to specify sensitive parameters which will be replaced from
-    # the request log by looking in the query string of the request and all
-    # sub-hashes of the params hash to filter. Filtering only certain sub-keys
-    # from a hash is possible by using the dot notation: 'credit_card.number'.
-    # If a block is given, each key and value of the params hash and all
-    # sub-hashes are passed to it, where the value or the key can be replaced using
-    # String#replace or similar methods.
+    # = Action Dispatch HTTP Filter Parameters
     #
-    #   env["action_dispatch.parameter_filter"] = [:password]
-    #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+    # Allows you to specify sensitive query string and POST parameters to filter
+    # from the request log.
     #
+    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
     #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
-    #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
     #
-    #   env["action_dispatch.parameter_filter"] = [ /\Apin\z/i, /\Apin_/i ]
-    #   => replaces the value for the exact (case-insensitive) key 'pin' and all
-    #   (case-insensitive) keys beginning with 'pin_', with "[FILTERED]"
-    #   Does not match keys with 'pin' as a substring, such as 'shipping_id'.
-    #
-    #   env["action_dispatch.parameter_filter"] = [ "credit_card.code" ]
-    #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
-    #   change { file: { code: "xxxx"} }
-    #
-    #   env["action_dispatch.parameter_filter"] = -> (k, v) do
-    #     v.reverse! if k.match?(/secret/i)
-    #   end
-    #   => reverses the value to all keys matching /secret/i
+    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -41,6 +23,7 @@ module ActionDispatch
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
       # Returns a hash of parameters with all sensitive data replaced.
@@ -60,13 +43,16 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    private
-      def parameter_filter # :doc:
-        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      def parameter_filter
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
+    private
       def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
@@ -78,12 +64,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/headers.rb

@@ -2,6 +2,8 @@
 
 module ActionDispatch
   module Http
+    # = Action Dispatch HTTP \Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
@@ -65,7 +67,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like Vary or Accept-Encoding.
+      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
       def add(key, value)
         @req.add_header env_name(key), value
       end

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -16,7 +16,20 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
-        cattr_accessor :return_only_media_type_on_content_type, default: false
+
+        def return_only_media_type_on_content_type=(value)
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+              " be removed in Rails 7.2."
+          )
+        end
+
+        def return_only_media_type_on_content_type
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+            " be removed in Rails 7.2."
+          )
+        end
       end
 
       # The MIME type of the HTTP request, such as Mime[:xml].
@@ -33,19 +46,6 @@ module ActionDispatch
         end
       end
 
-      def content_type
-        if self.class.return_only_media_type_on_content_type
-          ActiveSupport::Deprecation.warn(
-            "Rails 7.1 will return Content-Type header without modification." \
-            " If you want just the MIME type, please use `#media_type` instead."
-          )
-
-          content_mime_type&.to_s
-        else
-          super
-        end
-      end
-
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -72,7 +72,7 @@ module ActionDispatch
       #   GET /posts/5.xhtml | request.format => Mime[:html]
       #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
 
@@ -81,7 +81,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -90,7 +90,7 @@ module ActionDispatch
             [Mime[:html]]
           end
 
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
 
@@ -132,7 +132,7 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
       # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
@@ -172,22 +172,22 @@ module ActionDispatch
         # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
 
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
 
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]

data/lib/action_dispatch/http/mime_type.rb

@@ -11,6 +11,7 @@ module Mime
     def initialize
       @mimes = []
       @symbols = []
+      @symbols_set = Set.new
     end
 
     def each(&block)
@@ -19,17 +20,25 @@ module Mime
 
     def <<(type)
       @mimes << type
-      @symbols << type.to_sym
+      sym_type = type.to_sym
+      @symbols << sym_type
+      @symbols_set << sym_type
     end
 
     def delete_if
       @mimes.delete_if do |x|
         if yield x
-          @symbols.delete(x.to_sym)
+          sym_type = x.to_sym
+          @symbols.delete(sym_type)
+          @symbols_set.delete(sym_type)
           true
         end
       end
     end
+
+    def valid_symbols?(symbols) # :nodoc
+      symbols.all? { |s| @symbols_set.include?(s) }
+    end
   end
 
   SET              = Mimes.new
@@ -42,6 +51,14 @@ module Mime
       Type.lookup_by_extension(type)
     end
 
+    def symbols
+      SET.symbols
+    end
+
+    def valid_symbols?(symbols) # :nodoc:
+      SET.valid_symbols?(symbols)
+    end
+
     def fetch(type, &block)
       return type if type.is_a?(Type)
       EXTENSION_LOOKUP.fetch(type.to_s, &block)
@@ -135,13 +152,20 @@ module Mime
 
     class << self
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
-      PARAMETER_SEPARATOR_REGEXP = /;\s*\w+="?\w+"?/
+      # all media-type parameters need to be before the q-parameter
+      # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
+      ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
         @register_callbacks << block
       end
 
       def lookup(string)
+        return LOOKUP[string] if LOOKUP.key?(string)
+
+        # fallback to the media-type without parameters if it was not found
+        string = string.split(";", 2)[0]&.rstrip
         LOOKUP[string] || Type.new(string)
       end
 
@@ -171,12 +195,14 @@ module Mime
 
       def parse(accept_header)
         if !accept_header.include?(",")
-          accept_header = accept_header.split(PARAMETER_SEPARATOR_REGEXP).first
-          return [] unless accept_header
-          parse_trailing_star(accept_header) || [Mime::Type.lookup(accept_header)].compact
+          if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
+            accept_header = accept_header[0, index].strip
+          end
+          return [] if accept_header.blank?
+          parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
         else
           list, index = [], 0
-          accept_header.split(",").each do |header|
+          accept_header.scan(ACCEPT_HEADER_REGEXP).each do |header|
             params, q = header.split(PARAMETER_SEPARATOR_REGEXP)
 
             next unless params
@@ -199,10 +225,10 @@ module Mime
       end
 
       # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
-      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]</tt>.
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]</tt>.
       #
       # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
-      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]</tt>.
+      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]</tt>.
       def parse_data_with_trailing_star(type)
         Mime::SET.select { |m| m.match?(type) }
       end
@@ -225,7 +251,7 @@ module Mime
     attr_reader :hash
 
     MIME_NAME = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
-    MIME_PARAMETER_VALUE = "#{Regexp.escape('"')}?#{MIME_NAME}#{Regexp.escape('"')}?"
+    MIME_PARAMETER_VALUE = "(?:#{MIME_NAME}|\"[^\"\r\\\\]*\")"
     MIME_PARAMETER = "\s*;\s*#{MIME_NAME}(?:=#{MIME_PARAMETER_VALUE})?"
     MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>#{MIME_PARAMETER})*\s*)\z/
 
@@ -291,7 +317,7 @@ module Mime
     end
 
     def html?
-      (symbol == :html) || /html/.match?(@string)
+      (symbol == :html) || @string.include?("html")
     end
 
     def all?; false; end

data/lib/action_dispatch/http/mime_types.rb

@@ -18,6 +18,7 @@ Mime::Type.register "image/gif", :gif, [], %w(gif)
 Mime::Type.register "image/bmp", :bmp, [], %w(bmp)
 Mime::Type.register "image/tiff", :tiff, [], %w(tif tiff)
 Mime::Type.register "image/svg+xml", :svg
+Mime::Type.register "image/webp", :webp, [], %w(webp)
 
 Mime::Type.register "video/mpeg", :mpeg, [], %w(mpg mpeg mpe)
 
@@ -43,7 +44,8 @@ Mime::Type.register "application/x-www-form-urlencoded", :url_encoded_form
 
 # https://www.ietf.org/rfc/rfc4627.txt
 # http://www.json.org/JSONRequest.html
-Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest )
+# https://www.ietf.org/rfc/rfc7807.txt
+Mime::Type.register "application/json", :json, %w( text/x-json application/jsonrequest application/problem+json )
 
 Mime::Type.register "application/pdf", :pdf, [], %w(pdf)
 Mime::Type.register "application/zip", :zip, [], %w(zip)

data/lib/action_dispatch/http/parameters.rb

@@ -76,7 +76,7 @@ module ActionDispatch
       end
 
       # Returns a hash with the \parameters used to form the \path of the request.
-      # Returned hash keys are strings:
+      # Returned hash keys are symbols:
       #
       #   { action: "my_action", controller: "my_controller" }
       def path_parameters