actionpack 7.0.8.7 → 7.2.2.1

data/lib/action_dispatch/middleware/server_timing.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/notifications"
 
 module ActionDispatch
   class ServerTiming
-    SERVER_TIMING_HEADER = "Server-Timing"
-
     class Subscriber # :nodoc:
       include Singleton
       KEY = :action_dispatch_server_timing_events
@@ -31,8 +31,8 @@ module ActionDispatch
 
       def ensure_subscribed
         @mutex.synchronize do
-          # Subscribe to all events, except those beginning with "!"
-          # Ideally we would be more selective of what is being measured
+          # Subscribe to all events, except those beginning with "!" Ideally we would be
+          # more selective of what is being measured
           @subscriber ||= ActiveSupport::Notifications.subscribe(/\A[^!]/, self)
         end
       end
@@ -67,8 +67,10 @@ module ActionDispatch
         "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
       end
 
-      header_info.prepend(headers[SERVER_TIMING_HEADER]) if headers[SERVER_TIMING_HEADER].present?
-      headers[SERVER_TIMING_HEADER] = header_info.join(", ")
+      if headers[ActionDispatch::Constants::SERVER_TIMING].present?
+        header_info.prepend(headers[ActionDispatch::Constants::SERVER_TIMING])
+      end
+      headers[ActionDispatch::Constants::SERVER_TIMING] = header_info.join(", ")
 
       response
     end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "rack/utils"
 require "rack/request"
 require "rack/session/abstract/id"
@@ -67,6 +69,11 @@ module ActionDispatch
     end
 
     module SessionObject # :nodoc:
+      def commit_session(req, res)
+        req.commit_csrf_token
+        super(req, res)
+      end
+
       def prepare_session(req)
         Request::Session.create(self, req, @default_options)
       end

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -1,17 +1,24 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "action_dispatch/middleware/session/abstract_store"
 
 module ActionDispatch
   module Session
-    # A session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
-    # if you don't store critical data in your sessions and you don't need them to live for extended periods
-    # of time.
+    # # Action Dispatch Session CacheStore
+    #
+    # A session store that uses an ActiveSupport::Cache::Store to store the
+    # sessions. This store is most useful if you don't store critical data in your
+    # sessions and you don't need them to live for extended periods of time.
+    #
+    # #### Options
+    # *   `cache`         - The cache to use. If it is not specified, `Rails.cache`
+    #     will be used.
+    # *   `expire_after`  - The length of time a session will be stored before
+    #     automatically expiring. By default, the `:expires_in` option of the cache
+    #     is used.
     #
-    # ==== Options
-    # * <tt>cache</tt>         - The cache to use. If it is not specified, <tt>Rails.cache</tt> will be used.
-    # * <tt>expire_after</tt>  - The length of time a session will be stored before automatically expiring.
-    #   By default, the <tt>:expires_in</tt> option of the cache is used.
     class CacheStore < AbstractSecureStore
       def initialize(app, options = {})
         @cache = options[:cache] || Rails.cache

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -1,51 +1,54 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/hash/keys"
 require "action_dispatch/middleware/session/abstract_store"
 require "rack/session/cookie"
 
 module ActionDispatch
   module Session
-    # This cookie-based session store is the Rails default. It is
-    # dramatically faster than the alternatives.
+    # # Action Dispatch Session CookieStore
+    #
+    # This cookie-based session store is the Rails default. It is dramatically
+    # faster than the alternatives.
     #
     # Sessions typically contain at most a user ID and flash message; both fit
-    # within the 4096 bytes cookie size limit. A +CookieOverflow+ exception is raised if
-    # you attempt to store more than 4096 bytes of data.
+    # within the 4096 bytes cookie size limit. A `CookieOverflow` exception is
+    # raised if you attempt to store more than 4096 bytes of data.
     #
-    # The cookie jar used for storage is automatically configured to be the
-    # best possible option given your application's configuration.
+    # The cookie jar used for storage is automatically configured to be the best
+    # possible option given your application's configuration.
     #
-    # Your cookies will be encrypted using your application's +secret_key_base+. This
-    # goes a step further than signed cookies in that encrypted cookies cannot
+    # Your cookies will be encrypted using your application's `secret_key_base`.
+    # This goes a step further than signed cookies in that encrypted cookies cannot
     # be altered or read by users. This is the default starting in Rails 4.
     #
     # Configure your session store in an initializer:
     #
-    #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
+    #     Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
-    # In the development and test environments your application's +secret_key_base+ is
-    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
-    # In all other environments, it is stored encrypted in the
-    # <tt>config/credentials.yml.enc</tt> file.
+    # In the development and test environments your application's `secret_key_base`
+    # is generated by Rails and stored in a temporary file in
+    # `tmp/local_secret.txt`. In all other environments, it is stored encrypted in
+    # the `config/credentials.yml.enc` file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the +secret_key_base+
-    # will be found in the old <tt>config/secrets.yml</tt> file.
+    # If your application was not updated to Rails 5.2 defaults, the
+    # `secret_key_base` will be found in the old `config/secrets.yml` file.
     #
-    # Note that changing your +secret_key_base+ will invalidate all existing session.
-    # Additionally, you should take care to make sure you are not relying on the
-    # ability to decode signed cookies generated by your app in external
+    # Note that changing your `secret_key_base` will invalidate all existing
+    # session. Additionally, you should take care to make sure you are not relying
+    # on the ability to decode signed cookies generated by your app in external
     # applications or JavaScript before changing it.
     #
-    # Because CookieStore extends +Rack::Session::Abstract::Persisted+, many of the
-    # options described there can be used to customize the session cookie that
-    # is generated. For example:
+    # Because CookieStore extends `Rack::Session::Abstract::Persisted`, many of the
+    # options described there can be used to customize the session cookie that is
+    # generated. For example:
     #
-    #   Rails.application.config.session_store :cookie_store, expire_after: 14.days
+    #     Rails.application.config.session_store :cookie_store, expire_after: 14.days
     #
     # would set the session cookie to expire automatically 14 days after creation.
-    # Other useful options include <tt>:key</tt>, <tt>:secure</tt>,
-    # <tt>:httponly</tt>, and <tt>:same_site</tt>.
+    # Other useful options include `:key`, `:secure`, `:httponly`, and `:same_site`.
     class CookieStore < AbstractSecureStore
       class SessionId < DelegateClass(Rack::Session::SessionId)
         attr_reader :cookie_value
@@ -56,8 +59,12 @@ module ActionDispatch
         end
       end
 
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
       def initialize(app, options = {})
-        super(app, options.merge!(cookie_only: true))
+        options[:cookie_only] = true
+        options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
+        super
       end
 
       def delete_session(req, session_id, options)

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -1,19 +1,25 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "action_dispatch/middleware/session/abstract_store"
 begin
   require "rack/session/dalli"
 rescue LoadError => e
-  $stderr.puts "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  warn "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
   raise e
 end
 
 module ActionDispatch
   module Session
+    # # Action Dispatch Session MemCacheStore
+    #
     # A session store that uses MemCache to implement storage.
     #
-    # ==== Options
-    # * <tt>expire_after</tt>  - The length of time a session will be stored before automatically expiring.
+    # #### Options
+    # *   `expire_after`  - The length of time a session will be stored before
+    #     automatically expiring.
+    #
     class MemCacheStore < Rack::Session::Dalli
       include Compatibility
       include StaleSessionCheck

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -1,23 +1,27 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "action_dispatch/middleware/exception_wrapper"
 
 module ActionDispatch
-  # This middleware rescues any exception returned by the application
-  # and calls an exceptions app that will wrap it in a format for the end user.
+  # # Action Dispatch ShowExceptions
+  #
+  # This middleware rescues any exception returned by the application and calls an
+  # exceptions app that will wrap it in a format for the end user.
   #
   # The exceptions app should be passed as a parameter on initialization of
-  # +ShowExceptions+. Every time there is an exception, +ShowExceptions+ will
-  # store the exception in <tt>env["action_dispatch.exception"]</tt>, rewrite
-  # the +PATH_INFO+ to the exception status code and call the Rack app.
+  # `ShowExceptions`. Every time there is an exception, `ShowExceptions` will
+  # store the exception in `env["action_dispatch.exception"]`, rewrite the
+  # `PATH_INFO` to the exception status code, and call the Rack app.
   #
-  # In \Rails applications, the exceptions app can be configured with
-  # +config.exceptions_app+, which defaults to ActionDispatch::PublicExceptions.
+  # In Rails applications, the exceptions app can be configured with
+  # `config.exceptions_app`, which defaults to ActionDispatch::PublicExceptions.
   #
-  # If the application returns an <tt>"X-Cascade" => "pass"</tt> response, this
-  # middleware will send an empty response as a result with the correct status
-  # code. If any exception happens inside the exceptions app, this middleware
-  # catches the exceptions and returns a failsafe response.
+  # If the application returns a response with the `X-Cascade` header set to
+  # `"pass"`, this middleware will send an empty response as a result with the
+  # correct status code. If any exception happens inside the exceptions app, this
+  # middleware catches the exceptions and returns a failsafe response.
   class ShowExceptions
     def initialize(app, exceptions_app)
       @app = app
@@ -25,33 +29,35 @@ module ActionDispatch
     end
 
     def call(env)
-      request = ActionDispatch::Request.new env
       @app.call(env)
     rescue Exception => exception
-      if request.show_exceptions?
-        render_exception(request, exception)
+      request = ActionDispatch::Request.new env
+      backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
+      wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      request.set_header "action_dispatch.report_exception", !wrapper.rescue_response?
+
+      if wrapper.show?(request)
+        render_exception(request.dup, wrapper)
       else
         raise exception
       end
     end
 
     private
-      def render_exception(request, exception)
-        backtrace_cleaner = request.get_header "action_dispatch.backtrace_cleaner"
-        wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
-        status  = wrapper.status_code
-        request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      def render_exception(request, wrapper)
+        status = wrapper.status_code
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
         fallback_to_html_format_if_invalid_mime_type(request)
         request.path_info = "/#{status}"
         request.request_method = "GET"
         response = @exceptions_app.call(request.env)
-        response[1]["X-Cascade"] == "pass" ? pass_response(status) : response
+        response[1][Constants::X_CASCADE] == "pass" ? pass_response(status) : response
       rescue Exception => failsafe_error
         $stderr.puts "Error during failsafe response: #{failsafe_error}\n  #{failsafe_error.backtrace * "\n  "}"
 
-        [500, { "Content-Type" => "text/plain" },
+        [500, { Rack::CONTENT_TYPE => "text/plain; charset=utf-8" },
           ["500 Internal Server Error\n" \
           "If you are the administrator of this website, then please read this web " \
           "application's log file and/or the web server's log file to find out what " \
@@ -59,16 +65,24 @@ module ActionDispatch
       end
 
       def fallback_to_html_format_if_invalid_mime_type(request)
-        # If the MIME type for the request is invalid then the
-        # @exceptions_app may not be able to handle it. To make it
-        # easier to handle, we switch to HTML.
-        request.formats
-      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
-        request.set_header "HTTP_ACCEPT", "text/html"
+        # If the MIME type for the request is invalid then the @exceptions_app may not
+        # be able to handle it. To make it easier to handle, we switch to HTML.
+        begin
+          request.content_mime_type
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "CONTENT_TYPE", "text/html"
+        end
+
+        begin
+          request.formats
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "HTTP_ACCEPT", "text/html"
+        end
       end
 
       def pass_response(status)
-        [status, { "Content-Type" => "text/html; charset=#{Response.default_charset}", "Content-Length" => "0" }, []]
+        [status, { Rack::CONTENT_TYPE => "text/html; charset=#{Response.default_charset}",
+                  Rack::CONTENT_LENGTH => "0" }, []]
       end
   end
 end

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,55 +1,60 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # This middleware is added to the stack when <tt>config.force_ssl = true</tt>, and is passed
-  # the options set in +config.ssl_options+. It does three jobs to enforce secure HTTP
-  # requests:
+  # # Action Dispatch SSL
+  #
+  # This middleware is added to the stack when `config.force_ssl = true`, and is
+  # passed the options set in `config.ssl_options`. It does three jobs to enforce
+  # secure HTTP requests:
+  #
+  # 1.  **TLS redirect**: Permanently redirects `http://` requests to `https://`
+  #     with the same URL host, path, etc. Enabled by default. Set
+  #     `config.ssl_options` to modify the destination URL (e.g. `redirect: {
+  #     host: "secure.widgets.com", port: 8080 }`), or set `redirect: false` to
+  #     disable this feature.
+  #
+  #     Requests can opt-out of redirection with `exclude`:
   #
-  # 1. <b>TLS redirect</b>: Permanently redirects +http://+ requests to +https://+
-  #    with the same URL host, path, etc. Enabled by default. Set +config.ssl_options+
-  #    to modify the destination URL
-  #    (e.g. <tt>redirect: { host: "secure.widgets.com", port: 8080 }</tt>), or set
-  #    <tt>redirect: false</tt> to disable this feature.
+  #         config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
   #
-  #    Requests can opt-out of redirection with +exclude+:
+  #     Cookies will not be flagged as secure for excluded requests.
   #
-  #      config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
+  # 2.  **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
+  #     they must not be sent along with `http://` requests. Enabled by default.
+  #     Set `config.ssl_options` with `secure_cookies: false` to disable this
+  #     feature.
   #
-  #    Cookies will not be flagged as secure for excluded requests.
+  # 3.  **HTTP Strict Transport Security (HSTS)**: Tells the browser to remember
+  #     this site as TLS-only and automatically redirect non-TLS requests. Enabled
+  #     by default. Configure `config.ssl_options` with `hsts: false` to disable.
   #
-  # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
-  #    must not be sent along with +http://+ requests. Enabled by default. Set
-  #    +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
+  #     Set `config.ssl_options` with `hsts: { ... }` to configure HSTS:
   #
-  # 3. <b>HTTP Strict Transport Security (HSTS)</b>: Tells the browser to remember
-  #    this site as TLS-only and automatically redirect non-TLS requests.
-  #    Enabled by default. Configure +config.ssl_options+ with <tt>hsts: false</tt> to disable.
+  #     *   `expires`: How long, in seconds, these settings will stick. The
+  #         minimum required to qualify for browser preload lists is 1 year.
+  #         Defaults to 2 years (recommended).
   #
-  #    Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS:
+  #     *   `subdomains`: Set to `true` to tell the browser to apply these
+  #         settings to all subdomains. This protects your cookies from
+  #         interception by a vulnerable site on a subdomain. Defaults to `true`.
   #
-  #    * +expires+: How long, in seconds, these settings will stick. The minimum
-  #      required to qualify for browser preload lists is 1 year. Defaults to
-  #      2 years (recommended).
+  #     *   `preload`: Advertise that this site may be included in browsers'
+  #         preloaded HSTS lists. HSTS protects your site on every visit *except
+  #         the first visit* since it hasn't seen your HSTS header yet. To close
+  #         this gap, browser vendors include a baked-in list of HSTS-enabled
+  #         sites. Go to https://hstspreload.org to submit your site for
+  #         inclusion. Defaults to `false`.
   #
-  #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
-  #      to all subdomains. This protects your cookies from interception by a
-  #      vulnerable site on a subdomain. Defaults to +true+.
   #
-  #    * +preload+: Advertise that this site may be included in browsers'
-  #      preloaded HSTS lists. HSTS protects your site on every visit <i>except the
-  #      first visit</i> since it hasn't seen your HSTS header yet. To close this
-  #      gap, browser vendors include a baked-in list of HSTS-enabled sites.
-  #      Go to https://hstspreload.org to submit your site for inclusion.
-  #      Defaults to +false+.
+  #     To turn off HSTS, omitting the header is not enough. Browsers will
+  #     remember the original HSTS directive until it expires. Instead, use the
+  #     header to tell browsers to expire HSTS immediately. Setting `hsts: false`
+  #     is a shortcut for `hsts: { expires: 0 }`.
   #
-  #    To turn off HSTS, omitting the header is not enough. Browsers will remember the
-  #    original HSTS directive until it expires. Instead, use the header to tell browsers to
-  #    expire HSTS immediately. Setting <tt>hsts: false</tt> is a shortcut for
-  #    <tt>hsts: { expires: 0 }</tt>.
   class SSL
-    # :stopdoc:
-
-    # Default to 2 years as recommended on hstspreload.org.
+    # :stopdoc: Default to 2 years as recommended on hstspreload.org.
     HSTS_EXPIRES_IN = 63072000
 
     PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
@@ -86,13 +91,13 @@ module ActionDispatch
 
     private
       def set_hsts_header!(headers)
-        headers["Strict-Transport-Security"] ||= @hsts_header
+        headers[Constants::STRICT_TRANSPORT_SECURITY] ||= @hsts_header
       end
 
       def normalize_hsts_options(options)
         case options
-        # Explicitly disabling HSTS clears the existing setting from browsers
-        # by setting expiry to 0.
+        # Explicitly disabling HSTS clears the existing setting from browsers by setting
+        # expiry to 0.
         when false
           self.class.default_hsts_options.merge(expires: 0)
         # Default to enabled, with default options.
@@ -112,23 +117,33 @@ module ActionDispatch
       end
 
       def flag_cookies_as_secure!(headers)
-        if cookies = headers["Set-Cookie"]
-          cookies = cookies.split("\n")
+        cookies = headers[Rack::SET_COOKIE]
+        return unless cookies
 
-          headers["Set-Cookie"] = cookies.map { |cookie|
+        if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3")
+          cookies = cookies.split("\n")
+          headers[Rack::SET_COOKIE] = cookies.map { |cookie|
             if !/;\s*secure\s*(;|$)/i.match?(cookie)
               "#{cookie}; secure"
             else
               cookie
             end
           }.join("\n")
+        else
+          headers[Rack::SET_COOKIE] = Array(cookies).map do |cookie|
+            if !/;\s*secure\s*(;|$)/i.match?(cookie)
+              "#{cookie}; secure"
+            else
+              cookie
+            end
+          end
         end
       end
 
       def redirect_to_https(request)
         [ @redirect.fetch(:status, redirection_status(request)),
-          { "Content-Type" => "text/html",
-            "Location" => https_location_for(request) },
+          { Rack::CONTENT_TYPE => "text/html; charset=utf-8",
+            Constants::LOCATION => https_location_for(request) },
           (@redirect[:body] || []) ]
       end
 

data/lib/action_dispatch/middleware/stack.rb

@@ -1,9 +1,16 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/inflector/methods"
 require "active_support/dependencies"
 
 module ActionDispatch
+  # # Action Dispatch MiddlewareStack
+  #
+  # Read more about [Rails middleware
+  # stack](https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack)
+  # in the guides.
   class MiddlewareStack
     class Middleware
       attr_reader :args, :block, :klass
@@ -20,13 +27,13 @@ module ActionDispatch
         case middleware
         when Middleware
           klass == middleware.klass
-        when Class
+        when Module
           klass == middleware
         end
       end
 
       def inspect
-        if klass.is_a?(Class)
+        if klass.is_a?(Module)
           klass.to_s
         else
           klass.class.to_s
@@ -42,9 +49,8 @@ module ActionDispatch
       end
     end
 
-    # This class is used to instrument the execution of a single middleware.
-    # It proxies the +call+ method transparently and instruments the method
-    # call.
+    # This class is used to instrument the execution of a single middleware. It
+    # proxies the `call` method transparently and instruments the method call.
     class InstrumentationProxy
       EVENT_NAME = "process_middleware.action_dispatch"
 
@@ -120,16 +126,16 @@ module ActionDispatch
 
     # Deletes a middleware from the middleware stack.
     #
-    # Returns the array of middlewares not including the deleted item, or
-    # returns nil if the target is not found.
+    # Returns the array of middlewares not including the deleted item, or returns
+    # nil if the target is not found.
     def delete(target)
       middlewares.reject! { |m| m.name == target.name }
     end
 
     # Deletes a middleware from the middleware stack.
     #
-    # Returns the array of middlewares not including the deleted item, or
-    # raises +RuntimeError+ if the target is not found.
+    # Returns the array of middlewares not including the deleted item, or raises
+    # `RuntimeError` if the target is not found.
     def delete!(target)
       delete(target) || (raise "No such middleware to remove: #{target.inspect}")
     end