actionpack 7.0.8.7 → 7.2.2.1

data/lib/action_dispatch/middleware/flash.rb

@@ -1,39 +1,48 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/hash/keys"
 
 module ActionDispatch
-  # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
-  # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
-  # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
-  # then expose the flash to its template. Actually, that exposure is automatically done.
+  # # Action Dispatch Flash
   #
-  #   class PostsController < ActionController::Base
-  #     def create
-  #       # save post
-  #       flash[:notice] = "Post successfully created"
-  #       redirect_to @post
-  #     end
+  # The flash provides a way to pass temporary primitive-types (String, Array,
+  # Hash) between actions. Anything you place in the flash will be exposed to the
+  # very next action and then cleared out. This is a great way of doing notices
+  # and alerts, such as a create action that sets `flash[:notice] = "Post
+  # successfully created"` before redirecting to a display action that can then
+  # expose the flash to its template. Actually, that exposure is automatically
+  # done.
   #
-  #     def show
-  #       # doesn't need to assign the flash notice to the template, that's done automatically
+  #     class PostsController < ActionController::Base
+  #       def create
+  #         # save post
+  #         flash[:notice] = "Post successfully created"
+  #         redirect_to @post
+  #       end
+  #
+  #       def show
+  #         # doesn't need to assign the flash notice to the template, that's done automatically
+  #       end
   #     end
-  #   end
   #
-  # Then in +show.html.erb+:
+  # Then in `show.html.erb`:
   #
-  #   <% if flash[:notice] %>
-  #     <div class="notice"><%= flash[:notice] %></div>
-  #   <% end %>
+  #     <% if flash[:notice] %>
+  #       <div class="notice"><%= flash[:notice] %></div>
+  #     <% end %>
   #
-  # Since the +notice+ and +alert+ keys are a common idiom, convenience accessors are available:
+  # Since the `notice` and `alert` keys are a common idiom, convenience accessors
+  # are available:
   #
-  #   flash.alert = "You must be logged in"
-  #   flash.notice = "Post successfully created"
+  #     flash.alert = "You must be logged in"
+  #     flash.notice = "Post successfully created"
   #
-  # This example places a string in the flash. And of course, you can put as many as you like at a time too. If you want to pass
-  # non-primitive types, you will have to handle that in your application. Example: To show messages with links, you will have to
-  # use sanitize helper.
+  # This example places a string in the flash. And of course, you can put as many
+  # as you like at a time too. If you want to pass non-primitive types, you will
+  # have to handle that in your application. Example: To show messages with links,
+  # you will have to use sanitize helper.
   #
   # Just remember: They'll be gone by the time the next action has been performed.
   #
@@ -96,12 +105,12 @@ module ActionDispatch
         @flash[k.to_s]
       end
 
-      # Convenience accessor for <tt>flash.now[:alert]=</tt>.
+      # Convenience accessor for `flash.now[:alert]=`.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for <tt>flash.now[:notice]=</tt>.
+      # Convenience accessor for `flash.now[:notice]=`.
       def notice=(message)
         self[:notice] = message
       end
@@ -129,8 +138,8 @@ module ActionDispatch
         end
       end
 
-      # Builds a hash containing the flashes to keep for the next request.
-      # If there are none to keep, returns +nil+.
+      # Builds a hash containing the flashes to keep for the next request. If there
+      # are none to keep, returns `nil`.
       def to_session_value # :nodoc:
         flashes_to_keep = @flashes.except(*@discard)
         return nil if flashes_to_keep.empty?
@@ -175,6 +184,8 @@ module ActionDispatch
         @flashes.key? name.to_s
       end
 
+      # Immediately deletes the single flash entry. Use this method when you want
+      # remove the message within the current action. See also #discard.
       def delete(key)
         key = key.to_s
         @discard.delete key
@@ -207,42 +218,49 @@ module ActionDispatch
         self
       end
 
-      # Sets a flash that will not be available to the next action, only to the current.
+      # Sets a flash that will not be available to the next action, only to the
+      # current.
       #
       #     flash.now[:message] = "Hello current action"
       #
-      # This method enables you to use the flash as a central messaging system in your app.
-      # When you need to pass an object to the next action, you use the standard flash assign (<tt>[]=</tt>).
-      # When you need to pass an object to the current action, you use <tt>now</tt>, and your object will
-      # vanish when the current action is done.
+      # This method enables you to use the flash as a central messaging system in your
+      # app. When you need to pass an object to the next action, you use the standard
+      # flash assign (`[]=`). When you need to pass an object to the current action,
+      # you use `now`, and your object will vanish when the current action is done.
       #
-      # Entries set via <tt>now</tt> are accessed the same way as standard entries: <tt>flash['my-key']</tt>.
+      # Entries set via `now` are accessed the same way as standard entries:
+      # `flash['my-key']`.
       #
       # Also, brings two convenience accessors:
       #
-      #   flash.now.alert = "Beware now!"
-      #   # Equivalent to flash.now[:alert] = "Beware now!"
+      #     flash.now.alert = "Beware now!"
+      #     # Equivalent to flash.now[:alert] = "Beware now!"
       #
-      #   flash.now.notice = "Good luck now!"
-      #   # Equivalent to flash.now[:notice] = "Good luck now!"
+      #     flash.now.notice = "Good luck now!"
+      #     # Equivalent to flash.now[:notice] = "Good luck now!"
       def now
         @now ||= FlashNow.new(self)
       end
 
-      # Keeps either the entire current flash or a specific flash entry available for the next action:
+      # Keeps either the entire current flash or a specific flash entry available for
+      # the next action:
       #
-      #    flash.keep            # keeps the entire flash
-      #    flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
+      #     flash.keep            # keeps the entire flash
+      #     flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
       def keep(k = nil)
         k = k.to_s if k
         @discard.subtract Array(k || keys)
         k ? self[k] : self
       end
 
-      # Marks the entire flash or a single flash entry to be discarded by the end of the current action:
+      # Marks the entire flash or a single flash entry to be discarded by the end of
+      # the current action:
       #
       #     flash.discard              # discard the entire flash at the end of the current action
       #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
+      #
+      # Use this method when you want to display the message in the current action but
+      # not in the next one. See also #delete.
       def discard(k = nil)
         k = k.to_s if k
         @discard.merge Array(k || keys)
@@ -251,28 +269,29 @@ module ActionDispatch
 
       # Mark for removal entries that were kept, and delete unkept ones.
       #
-      # This method is called automatically by filters, so you generally don't need to care about it.
+      # This method is called automatically by filters, so you generally don't need to
+      # care about it.
       def sweep # :nodoc:
         @discard.each { |k| @flashes.delete k }
         @discard.replace @flashes.keys
       end
 
-      # Convenience accessor for <tt>flash[:alert]</tt>.
+      # Convenience accessor for `flash[:alert]`.
       def alert
         self[:alert]
       end
 
-      # Convenience accessor for <tt>flash[:alert]=</tt>.
+      # Convenience accessor for `flash[:alert]=`.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for <tt>flash[:notice]</tt>.
+      # Convenience accessor for `flash[:notice]`.
       def notice
         self[:notice]
       end
 
-      # Convenience accessor for <tt>flash[:notice]=</tt>.
+      # Convenience accessor for `flash[:notice]=`.
       def notice=(message)
         self[:notice] = message
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,23 +1,28 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # This middleware guards from DNS rebinding attacks by explicitly permitting
-  # the hosts a request can be sent to, and is passed the options set in
-  # +config.host_authorization+.
+  # # Action Dispatch HostAuthorization
+  #
+  # This middleware guards from DNS rebinding attacks by explicitly permitting the
+  # hosts a request can be sent to, and is passed the options set in
+  # `config.host_authorization`.
   #
-  # Requests can opt-out of Host Authorization with +exclude+:
+  # Requests can opt-out of Host Authorization with `exclude`:
   #
-  #    config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
+  #     config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
   #
-  # When a request comes to an unauthorized host, the +response_app+
-  # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run.
-  # The default response app logs blocked host info with level 'error' and
-  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
-  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
+  # When a request comes to an unauthorized host, the `response_app` application
+  # will be executed and rendered. If no `response_app` is given, a default one
+  # will run. The default response app logs blocked host info with level 'error'
+  # and responds with `403 Forbidden`. The body of the response contains debug
+  # info if `config.consider_all_requests_local` is set to true, otherwise the
+  # body is empty.
   class HostAuthorization
-    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
     PORT_REGEX = /(?::\d+)/ # :nodoc:
+    SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i # :nodoc:
     IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
     IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
     IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
@@ -42,8 +47,8 @@ module ActionDispatch
             begin
               allowed === extract_hostname(host)
             rescue
-              # IPAddr#=== raises an error if you give it a hostname instead of
-              # IP. Treat similar errors as blocked access.
+              # IPAddr#=== raises an error if you give it a hostname instead of IP. Treat
+              # similar errors as blocked access.
               false
             end
           else
@@ -69,7 +74,7 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
+            /\A#{SUBDOMAIN_REGEX}?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
             /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
@@ -101,8 +106,8 @@ module ActionDispatch
 
         def response(format, body)
           [RESPONSE_STATUS,
-           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-             "Content-Length" => body.bytesize.to_s },
+           { Rack::CONTENT_TYPE => "#{format}; charset=#{Response.default_charset}",
+             Rack::CONTENT_LENGTH => body.bytesize.to_s },
            [body]]
         end
 

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
+  # # Action Dispatch PublicExceptions
+  #
   # When called, this middleware renders an error page. By default if an HTML
-  # response is expected it will render static error pages from the <tt>/public</tt>
+  # response is expected it will render static error pages from the `/public`
   # directory. For example when this middleware receives a 500 response it will
-  # render the template found in <tt>/public/500.html</tt>.
-  # If an internationalized locale is set, this middleware will attempt to render
-  # the template in <tt>/public/500.<locale>.html</tt>. If an internationalized template
-  # is not found it will fall back on <tt>/public/500.html</tt>.
+  # render the template found in `/public/500.html`. If an internationalized
+  # locale is set, this middleware will attempt to render the template in
+  # `/public/500.<locale>.html`. If an internationalized template is not found it
+  # will fall back on `/public/500.html`.
   #
   # When a request with a content type other than HTML is made, this middleware
   # will attempt to convert error information into the appropriate response type.
@@ -42,8 +46,8 @@ module ActionDispatch
       end
 
       def render_format(status, content_type, body)
-        [status, { "Content-Type" => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
-                  "Content-Length" => body.bytesize.to_s }, [body]]
+        [status, { Rack::CONTENT_TYPE => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                  Rack::CONTENT_LENGTH => body.bytesize.to_s }, [body]]
       end
 
       def render_html(status)
@@ -53,7 +57,7 @@ module ActionDispatch
         if found || File.exist?(path)
           render_format(status, "text/html", File.read(path))
         else
-          [404, { "X-Cascade" => "pass" }, []]
+          [404, { Constants::X_CASCADE => "pass" }, []]
         end
       end
   end

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,12 +1,16 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # ActionDispatch::Reloader wraps the request with callbacks provided by ActiveSupport::Reloader
-  # callbacks, intended to assist with code reloading during development.
+  # # Action Dispatch Reloader
+  #
+  # ActionDispatch::Reloader wraps the request with callbacks provided by
+  # ActiveSupport::Reloader, intended to assist with code reloading during
+  # development.
   #
-  # By default, ActionDispatch::Reloader is included in the middleware stack
-  # only in the development environment; specifically, when +config.cache_classes+
-  # is false.
+  # ActionDispatch::Reloader is included in the middleware stack only if reloading
+  # is enabled, which it is by the default in `development` mode.
   class Reloader < Executor
   end
 end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -1,36 +1,41 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "ipaddr"
 
 module ActionDispatch
-  # This middleware calculates the IP address of the remote client that is
-  # making the request. It does this by checking various headers that could
-  # contain the address, and then picking the last-set address that is not
-  # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
-  # by @gingerlime. A more detailed explanation of the algorithm is given
-  # at GetIp#calculate_ip.
+  # # Action Dispatch RemoteIp
+  #
+  # This middleware calculates the IP address of the remote client that is making
+  # the request. It does this by checking various headers that could contain the
+  # address, and then picking the last-set address that is not on the list of
+  # trusted IPs. This follows the precedent set by e.g. [the Tomcat
+  # server](https://issues.apache.org/bugzilla/show_bug.cgi?id=50453). A more
+  # detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
-  # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
-  # requires. Some Rack servers simply drop preceding headers, and only report
-  # the value that was {given in the last header}[https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
-  # If you are behind multiple proxy servers (like NGINX to HAProxy to Unicorn)
-  # then you should test your Rack server to make sure your data is good.
+  # Some Rack servers concatenate repeated headers, like [HTTP RFC
+  # 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
+  # Some Rack servers simply drop preceding headers, and only report the value
+  # that was [given in the last
+  # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers).
+  # If you are behind multiple proxy servers (like NGINX to HAProxy to
+  # Unicorn) then you should test your Rack server to make sure your data is good.
   #
-  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
-  # This middleware assumes that there is at least one proxy sitting around
-  # and setting headers with the client's remote IP address. If you don't use
-  # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
-  # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs.
+  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
+  # middleware assumes that there is at least one proxy sitting around and setting
+  # headers with the client's remote IP address. If you don't use a proxy, because
+  # you are hosted on e.g. Heroku without SSL, any client can claim to have any IP
+  # address by setting the `X-Forwarded-For` header. If you care about that, then
+  # you need to explicitly drop or ignore those headers sometime before this
+  # middleware runs. Alternatively, remove this middleware to avoid inadvertently
+  # relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
-    # The default trusted IPs list simply includes IP addresses that are
-    # guaranteed by the IP specification to be private addresses. Those will
-    # not be the ultimate client IP in production, and so are discarded. See
+    # The default trusted IPs list simply includes IP addresses that are guaranteed
+    # by the IP specification to be private addresses. Those will not be the
+    # ultimate client IP in production, and so are discarded. See
     # https://en.wikipedia.org/wiki/Private_network for details.
     TRUSTED_PROXIES = [
       "127.0.0.0/8",    # localhost IPv4 range, per RFC-3330
@@ -43,20 +48,20 @@ module ActionDispatch
 
     attr_reader :check_ip, :proxies
 
-    # Create a new +RemoteIp+ middleware instance.
+    # Create a new `RemoteIp` middleware instance.
     #
-    # The +ip_spoofing_check+ option is on by default. When on, an exception
-    # is raised if it looks like the client is trying to lie about its own IP
-    # address. It makes sense to turn off this check on sites aimed at non-IP
-    # clients (like WAP devices), or behind proxies that set headers in an
-    # incorrect or confusing way (like AWS ELB).
+    # The `ip_spoofing_check` option is on by default. When on, an exception is
+    # raised if it looks like the client is trying to lie about its own IP address.
+    # It makes sense to turn off this check on sites aimed at non-IP clients (like
+    # WAP devices), or behind proxies that set headers in an incorrect or confusing
+    # way (like AWS ELB).
     #
-    # The +custom_proxies+ argument can take an enumerable which will be used
-    # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
-    # with your proxy servers after it. If your proxies aren't removed, pass
-    # them in via the +custom_proxies+ parameter. That way, the middleware will
-    # ignore those IP addresses, and return the one that you want.
+    # The `custom_proxies` argument can take an enumerable which will be used
+    # instead of `TRUSTED_PROXIES`. Any proxy setup will put the value you want in
+    # the middle (or at the beginning) of the `X-Forwarded-For` list, with your
+    # proxy servers after it. If your proxies aren't removed, pass them in via the
+    # `custom_proxies` parameter. That way, the middleware will ignore those IP
+    # addresses, and return the one that you want.
     def initialize(app, ip_spoofing_check = true, custom_proxies = nil)
       @app = app
       @check_ip = ip_spoofing_check
@@ -65,9 +70,9 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
-        ActiveSupport::Deprecation.warn(<<~EOM)
-          Setting config.action_dispatch.trusted_proxies to a single value has
-          been deprecated. Please set this to an enumerable instead. For
+        raise(ArgumentError, <<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value isn't
+          supported. Please set this to an enumerable instead. For
           example, instead of:
 
           config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
@@ -76,26 +81,24 @@ module ActionDispatch
 
           config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
 
-          Note that unlike passing a single argument, passing an enumerable
-          will *replace* the default set of trusted proxies.
+          Note that passing an enumerable will *replace* the default set of trusted proxies.
         EOM
-        Array(custom_proxies) + TRUSTED_PROXIES
       end
     end
 
-    # Since the IP address may not be needed, we store the object here
-    # without calculating the IP to keep from slowing down the majority of
-    # requests. For those requests that do need to know the IP, the
-    # GetIp#calculate_ip method will calculate the memoized client IP address.
+    # Since the IP address may not be needed, we store the object here without
+    # calculating the IP to keep from slowing down the majority of requests. For
+    # those requests that do need to know the IP, the GetIp#calculate_ip method will
+    # calculate the memoized client IP address.
     def call(env)
       req = ActionDispatch::Request.new env
       req.remote_ip = GetIp.new(req, check_ip, proxies)
       @app.call(req.env)
     end
 
-    # The GetIp class exists as a way to defer processing of the request data
-    # into an actual IP address. If the ActionDispatch::Request#remote_ip method
-    # is called, this class will calculate the value and then memoize it.
+    # The GetIp class exists as a way to defer processing of the request data into
+    # an actual IP address. If the ActionDispatch::Request#remote_ip method is
+    # called, this class will calculate the value and then memoize it.
     class GetIp
       def initialize(req, check_ip, proxies)
         @req      = req
@@ -103,45 +106,45 @@ module ActionDispatch
         @proxies  = proxies
       end
 
-      # Sort through the various IP address headers, looking for the IP most
-      # likely to be the address of the actual remote client making this
-      # request.
+      # Sort through the various IP address headers, looking for the IP most likely to
+      # be the address of the actual remote client making this request.
       #
-      # REMOTE_ADDR will be correct if the request is made directly against the
-      # Ruby process, on e.g. Heroku. When the request is proxied by another
-      # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an +X-Forwarded-For+ header. If there are multiple
-      # proxies, that header may contain a list of IPs. Other proxy services
-      # set the +Client-Ip+ header instead, so we check that too.
+      # REMOTE_ADDR will be correct if the request is made directly against the Ruby
+      # process, on e.g. Heroku. When the request is proxied by another server like
+      # HAProxy or NGINX, the IP address that made the original request will be put in
+      # an `X-Forwarded-For` header. If there are multiple proxies, that header may
+      # contain a list of IPs. Other proxy services set the `Client-Ip` header
+      # instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
-      # while the first IP in the list is likely to be the "originating" IP,
-      # it could also have been set by the client maliciously.
+      # As discussed in [this post about Rails IP
+      # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/),
+      # while the first IP in the list is likely to be the "originating" IP, it
+      # could also have been set by the client maliciously.
       #
-      # In order to find the first address that is (probably) accurate, we
-      # take the list of IPs, remove known and trusted proxies, and then take
-      # the last address left, which was presumably set by one of those proxies.
+      # In order to find the first address that is (probably) accurate, we take the
+      # list of IPs, remove known and trusted proxies, and then take the last address
+      # left, which was presumably set by one of those proxies.
       def calculate_ip
         # Set by the Rack web server, this is a single value.
         remote_addr = ips_from(@req.remote_addr).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse
+        client_ips    = ips_from(@req.client_ip).reverse!
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
-        # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
-        # If they are both set, it means that either:
+        # `Client-Ip` and `X-Forwarded-For` should not, generally, both be set. If they
+        # are both set, it means that either:
         #
         # 1) This request passed through two proxies with incompatible IP header
-        #    conventions.
-        # 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
-        #    (whichever the proxy servers weren't using) themselves.
+        #     conventions.
         #
-        # Either way, there is no way for us to determine which header is the
-        # right one after the fact. Since we have no idea, if we are concerned
-        # about IP spoofing we need to give up and explode. (If you're not
-        # concerned about IP spoofing you can turn the +ip_spoofing_check+
-        # option off.)
+        # 2) The client passed one of `Client-Ip` or `X-Forwarded-For`
+        #     (whichever the proxy servers weren't using) themselves.
+        #
+        # Either way, there is no way for us to determine which header is the right one
+        # after the fact. Since we have no idea, if we are concerned about IP spoofing
+        # we need to give up and explode. (If you're not concerned about IP spoofing you
+        # can turn the `ip_spoofing_check` option off.)
         should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
         if should_check_ip && !forwarded_ips.include?(client_ips.last)
           # We don't know which came from the proxy, and which from the user
@@ -152,13 +155,14 @@ module ActionDispatch
 
         # We assume these things about the IP headers:
         #
-        #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
-        #   - Client-Ip is propagated from the outermost proxy, or is blank
-        #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips].flatten.compact
-
-        # If every single IP option is in the trusted list, return the IP
-        # that's furthest away
+        #     - X-Forwarded-For will be a list of IPs, one per proxy, or blank
+        #     - Client-Ip is propagated from the outermost proxy, or is blank
+        #     - REMOTE_ADDR will be the IP that made the request to Rack
+        ips = forwarded_ips + client_ips
+        ips.compact!
+
+        # If every single IP option is in the trusted list, return the IP that's
+        # furthest away
         filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr
       end
 
@@ -173,7 +177,7 @@ module ActionDispatch
         return [] unless header
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
-        ips.select do |ip|
+        ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range
           # We want to make sure nobody is sneaking a netmask in.
@@ -181,6 +185,7 @@ module ActionDispatch
         rescue ArgumentError
           nil
         end
+        ips
       end
 
       def filter_proxies(ips) # :doc:

data/lib/action_dispatch/middleware/request_id.rb

@@ -1,19 +1,26 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "securerandom"
 require "active_support/core_ext/string/access"
 
 module ActionDispatch
-  # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
-  # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
-  # the same id to the client via the +X-Request-Id+ header.
+  # # Action Dispatch RequestId
+  #
+  # Makes a unique request id available to the `action_dispatch.request_id` env
+  # variable (which is then accessible through ActionDispatch::Request#request_id
+  # or the alias ActionDispatch::Request#uuid) and sends the same id to the client
+  # via the `X-Request-Id` header.
   #
-  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
-  # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
-  # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
+  # The unique request id is either based on the `X-Request-Id` header in the
+  # request, which would typically be generated by a firewall, load balancer, or
+  # the web server, or, if this header is not available, a random uuid. If the
+  # header is accepted from the outside world, we sanitize it to a max of 255
+  # chars and alphanumeric and dashes only.
   #
-  # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
-  # from multiple pieces of the stack.
+  # The unique request id can be used to trace a request end-to-end and would
+  # typically end up being part of log files from multiple pieces of the stack.
   class RequestId
     def initialize(app, header:)
       @app = app