actionpack 7.0.5 → 7.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53861f74b1eb42d6f13153c1cd5956f16e3eaa2277a18caff284b95e7f8ebde2
-  data.tar.gz: 1605a5742f7ea7e147e3771f2af1a8eb122d8debd0a263eda224d299f3dd31af
+  metadata.gz: b0ea4a26c00b3b19a208967d2242c623ff9f9a884accfe9f41f4d6098487348a
+  data.tar.gz: 48bf5d01180d6de383f32cd5a45156e8492cdd5776d9d6a5056339b0214795c1
 SHA512:
-  metadata.gz: 1e20f00481154c15e9ac839df3c4d370734f18297b0dbfc2d6c111abe7dd55adefd1f5fbce2ca6ea698b23fbb0100463df862e26e9bfdc033a6bd87c0ac7e58a
-  data.tar.gz: d0b75b79e9021ffea2dc7debcbd3381d8b20ad2eed1460d64b026ceeb89cf639748ff9f52d8140875f8ee88a3403e015b02f45d16f21ad2dc221f62ef1fe6c70
+  metadata.gz: faf60bcb1528e9ac4714f2419a183b459d882d7ca18341b3a8a9638a38d3d7b5aabb26bd523ebc2e45e1e566f94230cfa37140f46016cb6fb6dd3cb0d4e3bbc8
+  data.tar.gz: 2f66b9539d4df88e3fa3ae268947959395627886b188249e46b661f2d79cb0440624fe60546c5f5e4c6fb0dca36ad20dd36c1daa5796a92e2ede58fd1b5ec2e5

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## Rails 7.0.6 (June 29, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.0.5.1 (June 26, 2023) ##
+
+*   Raise an exception if illegal characters are provide to redirect_to
+    [CVE-2023-28362]
+
+    *Zack Deveau*
+
 ## Rails 7.0.5 (May 24, 2023) ##
 
 *   Do not return CSP headers for 304 Not Modified responses.

data/README.rdoc

@@ -30,7 +30,7 @@ The latest version of Action Pack can be installed with RubyGems:
 
   $ gem install actionpack
 
-Source code can be downloaded as part of the Rails project on GitHub:
+Source code can be downloaded as part of the \Rails project on GitHub:
 
 * https://github.com/rails/rails/tree/main/actionpack
 
@@ -48,7 +48,7 @@ API documentation is at:
 
 * https://api.rubyonrails.org
 
-Bug reports for the Ruby on Rails project can be filed here:
+Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 

data/lib/abstract_controller/translation.rb

@@ -6,7 +6,7 @@ module AbstractController
   module Translation
     mattr_accessor :raise_on_missing_translations, default: false
 
-    # Delegates to <tt>I18n.translate</tt>. Also aliased as <tt>t</tt>.
+    # Delegates to <tt>I18n.translate</tt>.
     #
     # When the given key starts with a period, it will be scoped by the current
     # controller and action. So if you call <tt>translate(".foo")</tt> from
@@ -29,7 +29,7 @@ module AbstractController
     end
     alias :t :translate
 
-    # Delegates to <tt>I18n.localize</tt>. Also aliased as <tt>l</tt>.
+    # Delegates to <tt>I18n.localize</tt>.
     def localize(object, **options)
       I18n.localize(object, **options)
     end

data/lib/action_controller/metal/redirecting.rb

@@ -4,6 +4,8 @@ module ActionController
   module Redirecting
     extend ActiveSupport::Concern
 
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+
     include AbstractController::Logger
     include ActionController::UrlFor
 
@@ -85,8 +87,12 @@ module ActionController
 
       allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
 
-      self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
+      self.status = _extract_redirect_to_status(options, response_options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
@@ -204,5 +210,16 @@ module ActionController
       rescue ArgumentError, URI::Error
         false
       end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters
+        # defined for an HTTP header value in
+        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -3,12 +3,12 @@
 require "set"
 
 module ActionController
-  # See <tt>Renderers.add</tt>
+  # See Renderers.add
   def self.add_renderer(key, &block)
     Renderers.add(key, &block)
   end
 
-  # See <tt>Renderers.remove</tt>
+  # See Renderers.remove
   def self.remove_renderer(key)
     Renderers.remove(key)
   end

data/lib/action_controller/metal/rescue.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
 module ActionController # :nodoc:
-  # This module is responsible for providing +rescue_from+ helpers
-  # to controllers and configuring when detailed exceptions must be
-  # shown.
+  # This module is responsible for providing
+  # {rescue_from}[rdoc-ref:ActiveSupport::Rescuable::ClassMethods#rescue_from]
+  # to controllers, wrapping actions to handle configured errors, and
+  # configuring when detailed exceptions must be shown.
   module Rescue
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable

data/lib/action_controller/metal/strong_parameters.rb

@@ -97,7 +97,7 @@ module ActionController
   #   * +false+ to take no action.
   #   * <tt>:log</tt> to emit an <tt>ActiveSupport::Notifications.instrument</tt> event on the
   #     <tt>unpermitted_parameters.action_controller</tt> topic and log at the DEBUG level.
-  #   * <tt>:raise</tt> to raise a <tt>ActionController::UnpermittedParameters</tt> exception.
+  #   * <tt>:raise</tt> to raise an ActionController::UnpermittedParameters exception.
   #
   # Examples:
   #
@@ -146,7 +146,7 @@ module ActionController
     # :method: each_key
     #
     # :call-seq:
-    #   each_key()
+    #   each_key(&block)
     #
     # Calls block once for each key in the parameters, passing the key.
     # If no block is given, an enumerator is returned instead.
@@ -159,14 +159,6 @@ module ActionController
     #
     # Returns true if the parameters have no key/value pairs.
 
-    ##
-    # :method: has_key?
-    #
-    # :call-seq:
-    #   has_key?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
     ##
     # :method: has_value?
     #
@@ -183,22 +175,6 @@ module ActionController
     #
     # Returns true if the given key is present in the parameters.
 
-    ##
-    # :method: key?
-    #
-    # :call-seq:
-    #   key?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
-    ##
-    # :method: member?
-    #
-    # :call-seq:
-    #   member?(key)
-    #
-    # Returns true if the given key is present in the parameters.
-
     ##
     # :method: keys
     #
@@ -230,9 +206,13 @@ module ActionController
     #   values()
     #
     # Returns a new array of the values of the parameters.
-    delegate :keys, :key?, :has_key?, :member?, :values, :has_value?, :value?, :empty?, :include?,
+    delegate :keys, :values, :has_value?, :value?, :empty?, :include?,
       :as_json, :to_s, :each_key, to: :@parameters
 
+    alias_method :has_key?, :include?
+    alias_method :key?, :include?
+    alias_method :member?, :include?
+
     # By default, never raise an UnpermittedParameters exception if these
     # params are present. The default includes both 'controller' and 'action'
     # because they are added by Rails and should be of no concern. One way
@@ -248,7 +228,7 @@ module ActionController
       end
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt>.
+    # Returns a new <tt>ActionController::Parameters</tt> instance.
     # Also, sets the +permitted+ attribute to the default value of
     # <tt>ActionController::Parameters.permit_all_parameters</tt>.
     #
@@ -290,7 +270,7 @@ module ActionController
       [self.class, @parameters, @permitted].hash
     end
 
-    # Returns a safe <tt>ActiveSupport::HashWithIndifferentAccess</tt>
+    # Returns a safe ActiveSupport::HashWithIndifferentAccess
     # representation of the parameters with all unpermitted keys removed.
     #
     #   params = ActionController::Parameters.new({
@@ -350,18 +330,15 @@ module ActionController
     #   safe_params.to_query("user")
     #   # => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"
     #
-    # The string pairs "key=value" that conform the query string
+    # The string pairs <tt>"key=value"</tt> that conform the query string
     # are sorted lexicographically in ascending order.
-    #
-    # This method is also aliased as +to_param+.
     def to_query(*args)
       to_h.to_query(*args)
     end
     alias_method :to_param, :to_query
 
-    # Returns an unsafe, unfiltered
-    # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of the
-    # parameters.
+    # Returns an unsafe, unfiltered ActiveSupport::HashWithIndifferentAccess
+    # representation of the parameters.
     #
     #   params = ActionController::Parameters.new({
     #     name: "Senjougahara Hitagi",
@@ -401,7 +378,7 @@ module ActionController
     # looping in the common use case permit + mass-assignment. Defined in a
     # method to instantiate it only if needed.
     #
-    # Testing membership still loops, but it's going to be faster than our own
+    # \Testing membership still loops, but it's going to be faster than our own
     # loop that converts values. Also, we are not going to build a new array
     # object per fetch.
     def converted_arrays
@@ -449,7 +426,7 @@ module ActionController
     #   ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
     #   # => #<ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #
-    # Otherwise raises <tt>ActionController::ParameterMissing</tt>:
+    # Otherwise raises ActionController::ParameterMissing:
     #
     #   ActionController::Parameters.new.require(:person)
     #   # ActionController::ParameterMissing: param is missing or the value is empty: person
@@ -501,7 +478,6 @@ module ActionController
       end
     end
 
-    # Alias of #require.
     alias :required :require
 
     # Returns a new <tt>ActionController::Parameters</tt> instance that
@@ -523,7 +499,7 @@ module ActionController
     # +:name+ passes if it is a key of +params+ whose associated value is of type
     # +String+, +Symbol+, +NilClass+, +Numeric+, +TrueClass+, +FalseClass+,
     # +Date+, +Time+, +DateTime+, +StringIO+, +IO+,
-    # +ActionDispatch::Http::UploadedFile+ or +Rack::Test::UploadedFile+.
+    # ActionDispatch::Http::UploadedFile or +Rack::Test::UploadedFile+.
     # Otherwise, the key +:name+ is filtered out.
     #
     # You may declare that the parameter should be an array of permitted scalars
@@ -645,16 +621,16 @@ module ActionController
     end
 
     # Assigns a value to a given +key+. The given key may still get filtered out
-    # when +permit+ is called.
+    # when #permit is called.
     def []=(key, value)
       @parameters[key] = value
     end
 
     # Returns a parameter for the given +key+. If the +key+
     # can't be found, there are several options: With no other arguments,
-    # it will raise an <tt>ActionController::ParameterMissing</tt> error;
+    # it will raise an ActionController::ParameterMissing error;
     # if a second argument is given, then that is returned (converted to an
-    # instance of ActionController::Parameters if possible); if a block
+    # instance of +ActionController::Parameters+ if possible); if a block
     # is given, then that will be run and its result returned.
     #
     #   params = ActionController::Parameters.new(person: { name: "Francesco" })
@@ -700,7 +676,7 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.slice(*keys))
     end
 
-    # Returns current <tt>ActionController::Parameters</tt> instance which
+    # Returns the current <tt>ActionController::Parameters</tt> instance which
     # contains only the given +keys+.
     def slice!(*keys)
       @parameters.slice!(*keys)
@@ -726,7 +702,7 @@ module ActionController
       new_instance_with_inherited_permitted_status(@parameters.extract!(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with the results of
+    # Returns a new <tt>ActionController::Parameters</tt> instance with the results of
     # running +block+ once for every value. The keys are unchanged.
     #
     #   params = ActionController::Parameters.new(a: 1, b: 2, c: 3)
@@ -773,9 +749,9 @@ module ActionController
       )
     end
 
-    # Returns the <tt>ActionController::Parameters</tt> instance changing its keys.
-    # This includes the keys from the root hash and from all nested hashes and arrays.
-    # The values are unchanged.
+    # Returns the same <tt>ActionController::Parameters</tt> instance with
+    # changed keys. This includes the keys from the root hash and from all
+    # nested hashes and arrays. The values are unchanged.
     def deep_transform_keys!(&block)
       @parameters.deep_transform_keys!(&block)
       self
@@ -783,13 +759,13 @@ module ActionController
 
     # Deletes a key-value pair from +Parameters+ and returns the value. If
     # +key+ is not found, returns +nil+ (or, with optional code block, yields
-    # +key+ and returns the result). Cf. #extract!, which returns the
-    # corresponding +ActionController::Parameters+ object.
+    # +key+ and returns the result). This method is similar to #extract!, which
+    # returns the corresponding +ActionController::Parameters+ object.
     def delete(key, &block)
       convert_value_to_parameters(@parameters.delete(key, &block))
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with only
+    # Returns a new <tt>ActionController::Parameters</tt> instance with only
     # items that the block evaluates to true.
     def select(&block)
       new_instance_with_inherited_permitted_status(@parameters.select(&block))
@@ -802,7 +778,7 @@ module ActionController
     end
     alias_method :keep_if, :select!
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with items
+    # Returns a new <tt>ActionController::Parameters</tt> instance with items
     # that the block evaluates to true removed.
     def reject(&block)
       new_instance_with_inherited_permitted_status(@parameters.reject(&block))
@@ -815,7 +791,7 @@ module ActionController
     end
     alias_method :delete_if, :reject!
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> with +nil+ values removed.
+    # Returns a new <tt>ActionController::Parameters</tt> instance with +nil+ values removed.
     def compact
       new_instance_with_inherited_permitted_status(@parameters.compact)
     end
@@ -825,7 +801,7 @@ module ActionController
       self if @parameters.compact!
     end
 
-    # Returns a new instance of <tt>ActionController::Parameters</tt> without the blank values.
+    # Returns a new <tt>ActionController::Parameters</tt> instance without the blank values.
     # Uses Object#blank? for determining if a value is blank.
     def compact_blank
       reject { |_k, v| v.blank? }
@@ -843,7 +819,7 @@ module ActionController
       convert_value_to_parameters(@parameters.values_at(*keys))
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with all keys from
+    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys from
     # +other_hash+ merged into current hash.
     def merge(other_hash)
       new_instance_with_inherited_permitted_status(
@@ -851,15 +827,15 @@ module ActionController
       )
     end
 
-    # Returns current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current <tt>ActionController::Parameters</tt> instance with
     # +other_hash+ merged into current hash.
     def merge!(other_hash)
       @parameters.merge!(other_hash.to_h)
       self
     end
 
-    # Returns a new <tt>ActionController::Parameters</tt> with all keys from
-    # current hash merged into +other_hash+.
+    # Returns a new <tt>ActionController::Parameters</tt> instance with all keys
+    # from current hash merged into +other_hash+.
     def reverse_merge(other_hash)
       new_instance_with_inherited_permitted_status(
         other_hash.to_h.merge(@parameters)
@@ -867,7 +843,7 @@ module ActionController
     end
     alias_method :with_defaults, :reverse_merge
 
-    # Returns current <tt>ActionController::Parameters</tt> instance with
+    # Returns the current <tt>ActionController::Parameters</tt> instance with
     # current hash merged into +other_hash+.
     def reverse_merge!(other_hash)
       @parameters.merge!(other_hash.to_h) { |key, left, right| left }
@@ -917,7 +893,7 @@ module ActionController
       coder.map = { "parameters" => @parameters, "permitted" => @permitted }
     end
 
-    # Returns duplicate of object including all parameters.
+    # Returns a duplicate +ActionController::Parameters+ instance with the same permitted parameters.
     def deep_dup
       self.class.new(@parameters.deep_dup, @logging_context).tap do |duplicate|
         duplicate.permitted = @permitted
@@ -1024,10 +1000,11 @@ module ActionController
       # This is a list of permitted scalar types that includes the ones
       # supported in XML and JSON requests.
       #
-      # This list is in particular used to filter ordinary requests, String goes
+      # This list is in particular used to filter ordinary requests, \String goes
       # as first element to quickly short-circuit the common case.
       #
-      # If you modify this collection please update the API of +permit+ above.
+      # If you modify this collection please update the one in the #permit doc
+      # as well.
       PERMITTED_SCALAR_TYPES = [
         String,
         Symbol,
@@ -1083,8 +1060,8 @@ module ActionController
         value.is_a?(Array) || value.is_a?(Parameters)
       end
 
-      EMPTY_ARRAY = []
-      EMPTY_HASH  = {}
+      EMPTY_ARRAY = [] # :nodoc:
+      EMPTY_HASH  = {} # :nodoc:
       def hash_filter(params, filter)
         filter = filter.with_indifferent_access
 

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -6,14 +6,17 @@ module ActionDispatch
   # This middleware rescues any exception returned by the application
   # and calls an exceptions app that will wrap it in a format for the end user.
   #
-  # The exceptions app should be passed as parameter on initialization
-  # of ShowExceptions. Every time there is an exception, ShowExceptions will
-  # store the exception in env["action_dispatch.exception"], rewrite the
-  # PATH_INFO to the exception status code and call the Rack app.
+  # The exceptions app should be passed as a parameter on initialization of
+  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
+  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
+  # the +PATH_INFO+ to the exception status code and call the Rack app.
   #
-  # If the application returns a "X-Cascade" pass response, this middleware
-  # will send an empty response as result with the correct status code.
-  # If any exception happens inside the exceptions app, this middleware
+  # In \Rails applications, the exceptions app can be configured with
+  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
+  #
+  # If the application returns an <tt>"X-Cascade" => "pass"</tt> response, this
+  # middleware will send an empty response as a result with the correct status
+  # code. If any exception happens inside the exceptions app, this middleware
   # catches the exceptions and returns a failsafe response.
   class ShowExceptions
     def initialize(app, exceptions_app)

data/lib/action_pack/gem_version.rb

@@ -9,7 +9,7 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 0
-    TINY  = 5
+    TINY  = 6
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.0.5
+  version: 7.0.6
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-24 00:00:00.000000000 Z
+date: 2023-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.0.5
+        version: 7.0.6
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -310,10 +310,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.0.5/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.0.5/
+  changelog_uri: https://github.com/rails/rails/blob/v7.0.6/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.0.6/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.0.5/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.0.6/actionpack
   rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
@@ -331,7 +331,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.10
+rubygems_version: 3.4.13
 signing_key: 
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).