actionpack 7.0.8.4 → 7.1.3.4

data/lib/action_controller/railtie.rb

@@ -14,8 +14,13 @@ module ActionController
     config.action_controller.log_query_tags_around_actions = true
     config.action_controller.wrap_parameters_by_default = false
 
+    config.eager_load_namespaces << AbstractController
     config.eager_load_namespaces << ActionController
 
+    initializer "action_controller.deprecator", before: :load_environment_config do |app|
+      app.deprecators[:action_controller] = ActionController.deprecator
+    end
+
     initializer "action_controller.assets_config", group: :all do |app|
       app.config.action_controller.assets_dir ||= app.config.paths["public"].first
     end
@@ -37,10 +42,15 @@ module ActionController
         action_on_unpermitted_parameters = options.action_on_unpermitted_parameters
 
         if action_on_unpermitted_parameters.nil?
-          action_on_unpermitted_parameters = (Rails.env.test? || Rails.env.development?) ? :log : false
+          action_on_unpermitted_parameters = Rails.env.local? ? :log : false
         end
 
         ActionController::Parameters.action_on_unpermitted_parameters = action_on_unpermitted_parameters
+
+        unless options.allow_deprecated_parameters_hash_equality.nil?
+          ActionController::Parameters.allow_deprecated_parameters_hash_equality =
+            options.allow_deprecated_parameters_hash_equality
+        end
       end
     end
 
@@ -71,7 +81,8 @@ module ActionController
           :permit_all_parameters,
           :action_on_unpermitted_parameters,
           :always_permitted_parameters,
-          :wrap_parameters_by_default
+          :wrap_parameters_by_default,
+          :allow_deprecated_parameters_hash_equality
         )
 
         filtered_options.each do |k, v|
@@ -99,12 +110,6 @@ module ActionController
       end
     end
 
-    initializer "action_controller.eager_load_actions" do
-      ActiveSupport.on_load(:after_initialize) do
-        ActionController::Metal.descendants.each(&:action_methods) if config.eager_load
-      end
-    end
-
     initializer "action_controller.query_log_tags" do |app|
       query_logs_tags_enabled = app.config.respond_to?(:active_record) &&
         app.config.active_record.query_log_tags_enabled &&
@@ -118,7 +123,15 @@ module ActionController
           ActiveRecord::QueryLogs.taggings.merge!(
             controller:            ->(context) { context[:controller]&.controller_name },
             action:                ->(context) { context[:controller]&.action_name },
-            namespaced_controller: ->(context) { context[:controller].class.name if context[:controller] }
+            namespaced_controller: ->(context) {
+              if context[:controller]
+                controller_class = context[:controller].class
+                # based on ActionController::Metal#controller_name, but does not demodulize
+                unless controller_class.anonymous?
+                  controller_class.name.delete_suffix("Controller").underscore
+                end
+              end
+            }
           )
         end
       end

data/lib/action_controller/renderer.rb

@@ -1,78 +1,127 @@
 # frozen_string_literal: true
 
 module ActionController
-  # ActionController::Renderer allows you to render arbitrary templates
-  # without requirement of being in controller actions.
+  # = Action Controller \Renderer
   #
-  # You get a concrete renderer class by invoking ActionController::Base#renderer.
-  # For example:
+  # ActionController::Renderer allows you to render arbitrary templates without
+  # being inside a controller action.
   #
-  #   ApplicationController.renderer
-  #
-  # It allows you to call method #render directly.
-  #
-  #   ApplicationController.renderer.render template: '...'
-  #
-  # You can use this shortcut in a controller, instead of the previous example:
-  #
-  #   ApplicationController.render template: '...'
+  # You can get a renderer instance by calling +renderer+ on a controller class:
   #
-  # #render allows you to use the same options that you can use when rendering in a controller.
-  # For example:
-  #
-  #   FooController.render :action, locals: { ... }, assigns: { ... }
-  #
-  # The template will be rendered in a Rack environment which is accessible through
-  # ActionController::Renderer#env. You can set it up in two ways:
+  #   ApplicationController.renderer
+  #   PostsController.renderer
   #
-  # *  by changing renderer defaults, like
+  # and render a template by calling the #render method:
   #
-  #       ApplicationController.renderer.defaults # => hash with default Rack environment
+  #   ApplicationController.renderer.render template: "posts/show", assigns: { post: Post.first }
+  #   PostsController.renderer.render :show, assigns: { post: Post.first }
   #
-  # *  by initializing an instance of renderer by passing it a custom environment.
+  # As a shortcut, you can also call +render+ directly on the controller class itself:
   #
-  #       ApplicationController.renderer.new(method: 'post', https: true)
+  #   ApplicationController.render template: "posts/show", assigns: { post: Post.first }
+  #   PostsController.render :show, assigns: { post: Post.first }
   #
   class Renderer
-    attr_reader :defaults, :controller
+    attr_reader :controller
 
     DEFAULTS = {
-      http_host: "example.org",
-      https: false,
       method: "get",
-      script_name: "",
       input: ""
     }.freeze
 
-    # Create a new renderer instance for a specific controller class.
-    def self.for(controller, env = {}, defaults = DEFAULTS.dup)
+    def self.normalize_env(env) # :nodoc:
+      new_env = {}
+
+      env.each_pair do |key, value|
+        case key
+        when :https
+          value = value ? "on" : "off"
+        when :method
+          value = -value.upcase
+        end
+
+        key = RACK_KEY_TRANSLATION[key] || key.to_s
+
+        new_env[key] = value
+      end
+
+      if new_env["HTTP_HOST"]
+        new_env["HTTPS"] ||= "off"
+        new_env["SCRIPT_NAME"] ||= ""
+      end
+
+      if new_env["HTTPS"]
+        new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
+      end
+
+      new_env
+    end
+
+    # Creates a new renderer using the given controller class. See ::new.
+    def self.for(controller, env = nil, defaults = DEFAULTS)
       new(controller, env, defaults)
     end
 
-    # Create a new renderer for the same controller but with a new env.
-    def new(env = {})
-      self.class.new controller, env, defaults
+    # Creates a new renderer using the same controller, but with a new Rack env.
+    #
+    #   ApplicationController.renderer.new(method: "post")
+    #
+    def new(env = nil)
+      self.class.new controller, env, @defaults
     end
 
-    # Create a new renderer for the same controller but with new defaults.
+    # Creates a new renderer using the same controller, but with the given
+    # defaults merged on top of the previous defaults.
     def with_defaults(defaults)
-      self.class.new controller, @env, self.defaults.merge(defaults)
+      self.class.new controller, @env, @defaults.merge(defaults)
     end
 
-    # Accepts a custom Rack environment to render templates in.
-    # It will be merged with the default Rack environment defined by
-    # +ActionController::Renderer::DEFAULTS+.
+    # Initializes a new Renderer.
+    #
+    # ==== Parameters
+    #
+    # * +controller+ - The controller class to instantiate for rendering.
+    # * +env+ - The Rack env to use for mocking a request when rendering.
+    #   Entries can be typical Rack env keys and values, or they can be any of
+    #   the following, which will be converted appropriately:
+    #   * +:http_host+ - The HTTP host for the incoming request. Converts to
+    #     Rack's +HTTP_HOST+.
+    #   * +:https+ - Boolean indicating whether the incoming request uses HTTPS.
+    #     Converts to Rack's +HTTPS+.
+    #   * +:method+ - The HTTP method for the incoming request, case-insensitive.
+    #     Converts to Rack's +REQUEST_METHOD+.
+    #   * +:script_name+ - The portion of the incoming request's URL path that
+    #     corresponds to the application. Converts to Rack's +SCRIPT_NAME+.
+    #   * +:input+ - The input stream. Converts to Rack's +rack.input+.
+    # * +defaults+ - Default values for the Rack env. Entries are specified in
+    #   the same format as +env+. +env+ will be merged on top of these values.
+    #   +defaults+ will be retained when calling #new on a renderer instance.
+    #
+    # If no +http_host+ is specified, the env HTTP host will be derived from the
+    # routes' +default_url_options+. In this case, the +https+ boolean and the
+    # +script_name+ will also be derived from +default_url_options+ if they were
+    # not specified. Additionally, the +https+ boolean will fall back to
+    # +Rails.application.config.force_ssl+ if +default_url_options+ does not
+    # specify a +protocol+.
     def initialize(controller, env, defaults)
       @controller = controller
       @defaults = defaults
-      @env = normalize_keys defaults, env
+      if env.blank? && @defaults == DEFAULTS
+        @env = DEFAULT_ENV
+      else
+        @env = normalize_env(@defaults)
+        @env.merge!(normalize_env(env)) unless env.blank?
+      end
+    end
+
+    def defaults
+      @defaults = @defaults.dup if @defaults.frozen?
+      @defaults
     end
 
     # Renders a template to a string, just like ActionController::Rendering#render_to_string.
     def render(*args)
-      raise "missing controller" unless controller
-
-      request = ActionDispatch::Request.new @env
+      request = ActionDispatch::Request.new(env_for_request)
       request.routes = controller._routes
 
       instance = controller.new
@@ -83,19 +132,6 @@ module ActionController
     alias_method :render_to_string, :render # :nodoc:
 
     private
-      def normalize_keys(defaults, env)
-        new_env = {}
-        env.each_pair { |k, v| new_env[rack_key_for(k)] = rack_value_for(k, v) }
-
-        defaults.each_pair do |k, v|
-          key = rack_key_for(k)
-          new_env[key] = rack_value_for(k, v) unless new_env.key?(key)
-        end
-
-        new_env["rack.url_scheme"] = new_env["HTTPS"] == "on" ? "https" : "http"
-        new_env
-      end
-
       RACK_KEY_TRANSLATION = {
         http_host:   "HTTP_HOST",
         https:       "HTTPS",
@@ -104,18 +140,15 @@ module ActionController
         input:       "rack.input"
       }
 
-      def rack_key_for(key)
-        RACK_KEY_TRANSLATION[key] || key.to_s
-      end
+      DEFAULT_ENV = normalize_env(DEFAULTS).freeze # :nodoc:
 
-      def rack_value_for(key, value)
-        case key
-        when :https
-          value ? "on" : "off"
-        when :method
-          -value.upcase
+      delegate :normalize_env, to: :class
+
+      def env_for_request
+        if @env.key?("HTTP_HOST") || controller._routes.nil?
+          @env.dup
         else
-          value
+          controller._routes.default_env.merge(@env)
         end
       end
   end

data/lib/action_controller/test_case.rb

@@ -127,6 +127,9 @@ module ActionController
       fetch_header("PATH_INFO") do |k|
         set_header k, generated_path
       end
+      fetch_header("ORIGINAL_FULLPATH") do |k|
+        set_header k, fullpath
+      end
       path_parameters[:controller] = controller_path
       path_parameters[:action] = action
 
@@ -182,11 +185,12 @@ module ActionController
   class TestSession < Rack::Session::Abstract::PersistedSecure::SecureSessionHash # :nodoc:
     DEFAULT_OPTIONS = Rack::Session::Abstract::Persisted::DEFAULT_OPTIONS
 
-    def initialize(session = {})
+    def initialize(session = {}, id = Rack::Session::SessionId.new(SecureRandom.hex(16)))
       super(nil, nil)
-      @id = Rack::Session::SessionId.new(SecureRandom.hex(16))
+      @id = id
       @data = stringify_keys(session)
       @loaded = true
+      @initially_empty = @data.empty?
     end
 
     def exists?
@@ -218,21 +222,27 @@ module ActionController
       true
     end
 
+    def id_was
+      @id
+    end
+
     private
       def load!
         @id
       end
   end
 
+  # = Action Controller Test Case
+  #
   # Superclass for ActionController functional tests. Functional tests allow you to
   # test a single controller action per test method.
   #
   # == Use integration style controller tests over functional style controller tests.
   #
-  # Rails discourages the use of functional tests in favor of integration tests
+  # \Rails discourages the use of functional tests in favor of integration tests
   # (use ActionDispatch::IntegrationTest).
   #
-  # New Rails applications no longer generate functional style controller tests and they should
+  # New \Rails applications no longer generate functional style controller tests and they should
   # only be used for backward compatibility. Integration style controller tests perform actual
   # requests, whereas functional style controller tests merely simulate a request. Besides,
   # integration tests are as fast as functional tests and provide lot of helpers such as +as+,
@@ -467,7 +477,7 @@ module ActionController
       #
       # It's not recommended to make more than one request in the same test. Instance
       # variables that are set in one request will not persist to the next request,
-      # but it's not guaranteed that all Rails internal state will be reset. Prefer
+      # but it's not guaranteed that all \Rails internal state will be reset. Prefer
       # ActionDispatch::IntegrationTest for making multiple requests in the same test.
       #
       # Note that the request method is not verified.

data/lib/action_controller.rb

@@ -2,9 +2,17 @@
 
 require "abstract_controller"
 require "action_dispatch"
+require "action_controller/deprecator"
 require "action_controller/metal/strong_parameters"
 require "action_controller/metal/exceptions"
 
+# = Action Controller
+#
+# Action Controller is a module of Action Pack.
+#
+# Action Controller provides a base controller class that can be subclassed to
+# implement filters and actions to handle requests. The result of an action is
+# typically content generated from views.
 module ActionController
   extend ActiveSupport::Autoload
 
@@ -60,7 +68,6 @@ end
 
 # Common Active Support usage in Action Controller
 require "active_support/core_ext/module/attribute_accessors"
-require "active_support/core_ext/load_error"
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/name_error"
 require "active_support/inflector"

data/lib/action_dispatch/constants.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require "rack/version"
+
+module ActionDispatch
+  module Constants
+    # Response Header keys for Rack 2.x and 3.x
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+      VARY = "Vary"
+      CONTENT_ENCODING = "Content-Encoding"
+      CONTENT_SECURITY_POLICY = "Content-Security-Policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
+      LOCATION = "Location"
+      FEATURE_POLICY = "Feature-Policy"
+      X_REQUEST_ID = "X-Request-Id"
+      X_CASCADE = "X-Cascade"
+      SERVER_TIMING = "Server-Timing"
+      STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security"
+    else
+      VARY = "vary"
+      CONTENT_ENCODING = "content-encoding"
+      CONTENT_SECURITY_POLICY = "content-security-policy"
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only"
+      LOCATION = "location"
+      FEATURE_POLICY = "feature-policy"
+      X_REQUEST_ID = "x-request-id"
+      X_CASCADE = "x-cascade"
+      SERVER_TIMING = "server-timing"
+      STRICT_TRANSPORT_SECURITY = "strict-transport-security"
+    end
+  end
+end

data/lib/action_dispatch/deprecator.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  def self.deprecator # :nodoc:
+    @deprecator ||= ActiveSupport::Deprecation.new
+  end
+end

data/lib/action_dispatch/http/cache.rb

@@ -138,15 +138,13 @@ module ActionDispatch
         def cache_control_segments
           if cache_control = _cache_control
             cache_control.delete(" ").split(",")
-          else
-            []
           end
         end
 
         def cache_control_headers
           cache_control = {}
 
-          cache_control_segments.each do |segment|
+          cache_control_segments&.each do |segment|
             directive, argument = segment.split("=", 2)
 
             if SPECIAL_KEYS.include? directive

data/lib/action_dispatch/http/content_security_policy.rb

@@ -4,6 +4,8 @@ require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
+  # = Action Dispatch Content Security Policy
+  #
   # Configures the HTTP
   # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
   # response header to help protect against XSS and injection attacks.
@@ -23,16 +25,11 @@ module ActionDispatch # :nodoc:
   #   end
   class ContentSecurityPolicy
     class Middleware
-      CONTENT_TYPE = "Content-Type"
-      POLICY = "Content-Security-Policy"
-      POLICY_REPORT_ONLY = "Content-Security-Policy-Report-Only"
-
       def initialize(app)
         @app = app
       end
 
       def call(env)
-        request = ActionDispatch::Request.new env
         status, headers, _ = response = @app.call(env)
 
         # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
@@ -41,6 +38,8 @@ module ActionDispatch # :nodoc:
 
         return response if policy_present?(headers)
 
+        request = ActionDispatch::Request.new env
+
         if policy = request.content_security_policy
           nonce = request.content_security_policy_nonce
           nonce_directives = request.content_security_policy_nonce_directives
@@ -54,14 +53,15 @@ module ActionDispatch # :nodoc:
       private
         def header_name(request)
           if request.content_security_policy_report_only
-            POLICY_REPORT_ONLY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
           else
-            POLICY
+            ActionDispatch::Constants::CONTENT_SECURITY_POLICY
           end
         end
 
         def policy_present?(headers)
-          headers[POLICY] || headers[POLICY_REPORT_ONLY]
+          headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY] ||
+            headers[ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY]
         end
     end
 
@@ -123,6 +123,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
       http:             "http:",

data/lib/action_dispatch/http/filter_parameters.rb

@@ -4,6 +4,8 @@ require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
+    # = Action Dispatch HTTP Filter Parameters
+    #
     # Allows you to specify sensitive query string and POST parameters to filter
     # from the request log.
     #
@@ -21,6 +23,7 @@ module ActionDispatch
         @filtered_parameters = nil
         @filtered_env        = nil
         @filtered_path       = nil
+        @parameter_filter    = nil
       end
 
       # Returns a hash of parameters with all sensitive data replaced.
@@ -40,13 +43,16 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-    private
-      def parameter_filter # :doc:
-        parameter_filter_for fetch_header("action_dispatch.parameter_filter") {
-          return NULL_PARAM_FILTER
-        }
+      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      def parameter_filter
+        @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
+          parameter_filter_for get_header("action_dispatch.parameter_filter")
+        else
+          NULL_PARAM_FILTER
+        end
       end
 
+    private
       def env_filter # :doc:
         user_key = fetch_header("action_dispatch.parameter_filter") {
           return NULL_ENV_FILTER

data/lib/action_dispatch/http/headers.rb

@@ -2,6 +2,8 @@
 
 module ActionDispatch
   module Http
+    # = Action Dispatch HTTP \Headers
+    #
     # Provides access to the request's HTTP headers from the environment.
     #
     #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -16,7 +16,20 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
-        cattr_accessor :return_only_media_type_on_content_type, default: false
+
+        def return_only_media_type_on_content_type=(value)
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+              " be removed in Rails 7.2."
+          )
+        end
+
+        def return_only_media_type_on_content_type
+          ActionDispatch.deprecator.warn(
+            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
+            " be removed in Rails 7.2."
+          )
+        end
       end
 
       # The MIME type of the HTTP request, such as Mime[:xml].
@@ -33,19 +46,6 @@ module ActionDispatch
         end
       end
 
-      def content_type
-        if self.class.return_only_media_type_on_content_type
-          ActiveSupport::Deprecation.warn(
-            "Rails 7.1 will return Content-Type header without modification." \
-            " If you want just the MIME type, please use `#media_type` instead."
-          )
-
-          content_mime_type&.to_s
-        else
-          super
-        end
-      end
-
       def has_content_type? # :nodoc:
         get_header "CONTENT_TYPE"
       end
@@ -72,7 +72,7 @@ module ActionDispatch
       #   GET /posts/5.xhtml | request.format => Mime[:html]
       #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
-      def format(view_path = [])
+      def format(_view_path = nil)
         formats.first || Mime::NullType.instance
       end
 
@@ -81,7 +81,7 @@ module ActionDispatch
           v = if params_readable?
             Array(Mime[parameters[:format]])
           elsif use_accept_header && valid_accept_header
-            accepts
+            accepts.dup
           elsif extension_format = format_from_path_extension
             [extension_format]
           elsif xhr?
@@ -90,7 +90,7 @@ module ActionDispatch
             [Mime[:html]]
           end
 
-          v = v.select do |format|
+          v.select! do |format|
             format.symbol || format.ref == "*/*"
           end
 
@@ -132,7 +132,7 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
       # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base
@@ -172,22 +172,22 @@ module ActionDispatch
         # in which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
-        def params_readable? # :doc:
+        def params_readable?
           parameters[:format]
         rescue *RESCUABLE_MIME_FORMAT_ERRORS
           false
         end
 
-        def valid_accept_header # :doc:
+        def valid_accept_header
           (xhr? && (accept.present? || content_mime_type)) ||
             (accept.present? && !accept.match?(BROWSER_LIKE_ACCEPTS))
         end
 
-        def use_accept_header # :doc:
+        def use_accept_header
           !self.class.ignore_accept_header
         end
 
-        def format_from_path_extension # :doc:
+        def format_from_path_extension
           path = get_header("action_dispatch.original_path") || get_header("PATH_INFO")
           if match = path && path.match(/\.(\w+)\z/)
             Mime[match.captures.first]