actionpack 7.0.8.1 → 7.2.2.1

data/lib/action_dispatch/http/content_disposition.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     class ContentDisposition # :nodoc:

data/lib/action_dispatch/http/content_security_policy.rb

@@ -1,46 +1,50 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
-  # Configures the HTTP
-  # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
-  # response header to help protect against XSS and injection attacks.
+  # # Action Dispatch Content Security Policy
+  #
+  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # response header to help protect against XSS and
+  # injection attacks.
   #
   # Example global policy:
   #
-  #   Rails.application.config.content_security_policy do |policy|
-  #     policy.default_src :self, :https
-  #     policy.font_src    :self, :https, :data
-  #     policy.img_src     :self, :https, :data
-  #     policy.object_src  :none
-  #     policy.script_src  :self, :https
-  #     policy.style_src   :self, :https
+  #     Rails.application.config.content_security_policy do |policy|
+  #       policy.default_src :self, :https
+  #       policy.font_src    :self, :https, :data
+  #       policy.img_src     :self, :https, :data
+  #       policy.object_src  :none
+  #       policy.script_src  :self, :https
+  #       policy.style_src   :self, :https
   #
-  #     # Specify URI for violation reports
-  #     policy.report_uri "/csp-violation-report-endpoint"
-  #   end
+  #       # Specify URI for violation reports
+  #       policy.report_uri "/csp-violation-report-endpoint"
+  #     end
   class ContentSecurityPolicy
-    class Middleware
-      CONTENT_TYPE = "Content-Type"
-      POLICY = "Content-Security-Policy"
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+    class InvalidDirectiveError < StandardError
+    end
 
+    class Middleware
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
         status, headers, _ = response = @app.call(env)
 
-        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
-        # CSP headers might not match nonces in the cached HTML.
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
+        # new CSP headers might not match nonces in the cached HTML.
         return response if status == 304
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
@@ -54,14 +58,15 @@ module ActionDispatch # :nodoc:
       private
         def header_name(request)
           if request.content_security_policy_report_only
-            POLICY_REPORT_ONLY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
           else
-            POLICY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
           end
         end
 
         def policy_present?(headers)
-          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
         end
     end
 
@@ -123,6 +128,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
       http:             "http:",
@@ -189,14 +195,14 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether to prevent the user agent from loading any assets over
-    # HTTP when the page uses HTTPS:
+    # Specify whether to prevent the user agent from loading any assets over HTTP
+    # when the page uses HTTPS:
     #
-    #   policy.block_all_mixed_content
+    #     policy.block_all_mixed_content
     #
-    # Pass +false+ to allow it again:
+    # Pass `false` to allow it again:
     #
-    #   policy.block_all_mixed_content false
+    #     policy.block_all_mixed_content false
     #
     def block_all_mixed_content(enabled = true)
       if enabled
@@ -208,11 +214,11 @@ module ActionDispatch # :nodoc:
 
     # Restricts the set of plugins that can be embedded:
     #
-    #   policy.plugin_types "application/x-shockwave-flash"
+    #     policy.plugin_types "application/x-shockwave-flash"
     #
     # Leave empty to allow all plugins:
     #
-    #   policy.plugin_types
+    #     policy.plugin_types
     #
     def plugin_types(*types)
       if types.first
@@ -222,23 +228,23 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the {report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
-    # directive. Violation reports will be sent to the specified URI:
+    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # directive. Violation reports will be sent to the
+    # specified URI:
     #
-    #   policy.report_uri "/csp-violation-report-endpoint"
+    #     policy.report_uri "/csp-violation-report-endpoint"
     #
     def report_uri(uri)
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which {Subresource Integrity}[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity]
-    # is required:
+    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
-    #   policy.require_sri_for :script, :style
+    #     policy.require_sri_for :script, :style
     #
     # Leave empty to not require Subresource Integrity:
     #
-    #   policy.require_sri_for
+    #     policy.require_sri_for
     #
     def require_sri_for(*types)
       if types.first
@@ -248,18 +254,18 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a {sandbox}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox]
+    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
-    #   policy.sandbox
+    #     policy.sandbox
     #
     # Values can be passed as arguments:
     #
-    #   policy.sandbox "allow-scripts", "allow-modals"
+    #     policy.sandbox "allow-scripts", "allow-modals"
     #
-    # Pass +false+ to disable the sandbox:
+    # Pass `false` to disable the sandbox:
     #
-    #   policy.sandbox false
+    #     policy.sandbox false
     #
     def sandbox(*values)
       if values.empty?
@@ -273,11 +279,11 @@ module ActionDispatch # :nodoc:
 
     # Specify whether user agents should treat any assets over HTTP as HTTPS:
     #
-    #   policy.upgrade_insecure_requests
+    #     policy.upgrade_insecure_requests
     #
-    # Pass +false+ to disable it:
+    # Pass `false` to disable it:
     #
-    #   policy.upgrade_insecure_requests false
+    #     policy.upgrade_insecure_requests false
     #
     def upgrade_insecure_requests(enabled = true)
       if enabled
@@ -316,9 +322,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(sources, context).join(' ')}"
+              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -328,8 +334,22 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def build_directive(sources, context)
-        sources.map { |source| resolve_source(source, context) }
+      def validate(directive, sources)
+        sources.flatten.each do |source|
+          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
+            raise InvalidDirectiveError, <<~MSG.squish
+              Invalid Content Security Policy #{directive}: "#{source}".
+              Directive values must not contain whitespace or semicolons.
+              Please use multiple arguments or other directive methods instead.
+            MSG
+          end
+        end
+      end
+
+      def build_directive(directive, sources, context)
+        resolved_sources = sources.map { |source| resolve_source(source, context) }
+
+        validate(directive, resolved_sources)
       end
 
       def resolve_source(source, context)

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,16 +1,21 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
+    # # Action Dispatch HTTP Filter Parameters
+    #
     # Allows you to specify sensitive query string and POST parameters to filter
     # from the request log.
     #
-    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
-    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
+    #     # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
+    #     env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #
-    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
+    # For more information about filter behavior, see
+    # ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -21,6 +26,7 @@ module ActionDispatch
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
       # Returns a hash of parameters with all sensitive data replaced.
@@ -40,13 +46,17 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    private
-      def parameter_filter # :doc:
-        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+      # Returns the `ActiveSupport::ParameterFilter` object used to filter in this
+      # request.
+      def parameter_filter
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
+    private
       def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER
@@ -58,12 +68,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     module FilterRedirect
@@ -9,7 +11,7 @@ module ActionDispatch
         if location_filter_match?
           FILTERED
         else
-          location
+          parameter_filtered_location
         end
       end
 
@@ -31,6 +33,25 @@ module ActionDispatch
           end
         end
       end
+
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
+          end
+          uri.query = filtered_parts.join("")
+        end
+        uri.to_s
+      rescue URI::Error
+        FILTERED
+      end
     end
   end
 end

data/lib/action_dispatch/http/headers.rb

@@ -1,26 +1,30 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
+    # # Action Dispatch HTTP Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
-    #   headers = ActionDispatch::Http::Headers.from_hash(env)
-    #   headers["Content-Type"] # => "text/plain"
-    #   headers["User-Agent"] # => "curl/7.43.0"
+    #     env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #     headers = ActionDispatch::Http::Headers.from_hash(env)
+    #     headers["Content-Type"] # => "text/plain"
+    #     headers["User-Agent"] # => "curl/7.43.0"
     #
     # Also note that when headers are mapped to CGI-like variables by the Rack
     # server, both dashes and underscores are converted to underscores. This
     # ambiguity cannot be resolved at this stage anymore. Both underscores and
     # dashes have to be interpreted as if they were originally sent as dashes.
     #
-    #   # GET / HTTP/1.1
-    #   # ...
-    #   # User-Agent: curl/7.43.0
-    #   # X_Custom_Header: token
+    #     # GET / HTTP/1.1
+    #     # ...
+    #     # User-Agent: curl/7.43.0
+    #     # X_Custom_Header: token
     #
-    #   headers["X_Custom_Header"] # => nil
-    #   headers["X-Custom-Header"] # => "token"
+    #     headers["X_Custom_Header"] # => nil
+    #     headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -65,7 +69,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
+      # Add a value to a multivalued header like `Vary` or `Accept-Encoding`.
       def add(key, value)
         @req.add_header env_name(key), value
       end
@@ -79,11 +83,10 @@ module ActionDispatch
 
       # Returns the value for the given key mapped to @env.
       #
-      # If the key is not found and an optional code block is not provided,
-      # raises a <tt>KeyError</tt> exception.
+      # If the key is not found and an optional code block is not provided, raises a
+      # `KeyError` exception.
       #
-      # If the code block is provided, then it will be run and
-      # its result returned.
+      # If the code block is provided, then it will be run and its result returned.
       def fetch(key, default = DEFAULT)
         @req.fetch_header(env_name(key)) do
           return default unless default == DEFAULT
@@ -97,16 +100,15 @@ module ActionDispatch
       end
 
       # Returns a new Http::Headers instance containing the contents of
-      # <tt>headers_or_env</tt> and the original instance.
+      # `headers_or_env` and the original instance.
       def merge(headers_or_env)
         headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
 
-      # Adds the contents of <tt>headers_or_env</tt> to original instance
-      # entries; duplicate keys are overwritten with the values from
-      # <tt>headers_or_env</tt>.
+      # Adds the contents of `headers_or_env` to original instance entries; duplicate
+      # keys are overwritten with the values from `headers_or_env`.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
           @req.set_header env_name(key), value
@@ -116,8 +118,8 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-        # Converts an HTTP header name to an environment variable name if it is
-        # not contained within the headers hash.
+        # Converts an HTTP header name to an environment variable name if it is not
+        # contained within the headers hash.
         def env_name(key)
           key = key.to_s
           if HTTP_HEADER.match?(key)

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/module/attribute_accessors"
 
 module ActionDispatch
@@ -16,10 +18,9 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
-        cattr_accessor :return_only_media_type_on_content_type, default: false
       end
 
-      # The MIME type of the HTTP request, such as Mime[:xml].
+      # The MIME type of the HTTP request, such as [Mime](:xml).
       def content_mime_type
         fetch_header("action_dispatch.request.content_type") do |k|
           v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
@@ -33,19 +34,6 @@ module ActionDispatch
         end
       end
 
-      def content_type
-        if self.class.return_only_media_type_on_content_type
-          ActiveSupport::Deprecation.warn(
-            "Rails 7.1 will return Content-Type header without modification." \
-            " If you want just the MIME type, please use `#media_type` instead."
-          )
-
-          content_mime_type&.to_s
-        else
-          super
-        end
-      end
-
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -66,13 +54,13 @@ module ActionDispatch
         end
       end
 
-      # Returns the MIME type for the \format used in the request.
+      # Returns the MIME type for the format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime[:xml]
-      #   GET /posts/5.xhtml | request.format => Mime[:html]
-      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
+      #     GET /posts/5.xml   | request.format => Mime[:xml]
+      #     GET /posts/5.xhtml | request.format => Mime[:html]
+      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
 
@@ -81,7 +69,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -90,7 +78,7 @@ module ActionDispatch
             [Mime[:html]]
           end
 
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
 
@@ -98,7 +86,7 @@ module ActionDispatch
         end
       end
 
-      # Sets the \variant for template.
+      # Sets the variant for template.
       def variant=(variant)
         variant = Array(variant)
 
@@ -113,36 +101,37 @@ module ActionDispatch
         @variant ||= ActiveSupport::ArrayInquirer.new
       end
 
-      # Sets the \format by string extension, which can be used to force custom formats
+      # Sets the format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone
       #
-      #     private
-      #       def adjust_format_for_iphone
-      #         request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone
+      #           request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def format=(extension)
         parameters[:format] = extension.to_s
         set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
-      # Sets the \formats by string extensions. This differs from #format= by allowing you
-      # to set multiple, ordered formats, which is useful when you want to have a fallback.
+      # Sets the formats by string extensions. This differs from #format= by allowing
+      # you to set multiple, ordered formats, which is useful when you want to have a
+      # fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
-      # to the +:html+ format.
+      # In this example, the `:iphone` format will be used if it's available,
+      # otherwise it'll fall back to the `:html` format.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone_with_html_fallback
       #
-      #     private
-      #       def adjust_format_for_iphone_with_html_fallback
-      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone_with_html_fallback
+      #           request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def formats=(extensions)
         parameters[:format] = extensions.first.to_s
         set_header "action_dispatch.request.formats", extensions.collect { |extension|
@@ -168,26 +157,26 @@ module ActionDispatch
       end
 
       private
-        # We use normal content negotiation unless you include */* in your list,
-        # in which case we assume you're a browser and send HTML.
+        # We use normal content negotiation unless you include **/** in your list, in
+        # which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
 
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
 
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]