actionpack 7.0.8 → 7.1.0.rc1

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/module/attribute_accessors"
+require "active_support/syntax_error_proxy"
+require "active_support/core_ext/thread/backtrace/location"
 require "rack/utils"
 
 module ActionDispatch
@@ -41,22 +43,76 @@ module ActionDispatch
       "ActionDispatch::Http::MimeNegotiation::InvalidType"
     ]
 
-    attr_reader :backtrace_cleaner, :exception, :wrapped_causes, :line_number, :file
+    attr_reader :backtrace_cleaner, :wrapped_causes, :exception_class_name, :exception
 
     def initialize(backtrace_cleaner, exception)
       @backtrace_cleaner = backtrace_cleaner
-      @exception = exception
-      @exception_class_name = @exception.class.name
+      @exception_class_name = exception.class.name
       @wrapped_causes = wrapped_causes_for(exception, backtrace_cleaner)
+      @exception = exception
+      if exception.is_a?(SyntaxError)
+        @exception = ActiveSupport::SyntaxErrorProxy.new(exception)
+      end
+      @backtrace = build_backtrace
+    end
+
+    def routing_error?
+      @exception.is_a?(ActionController::RoutingError)
+    end
 
-      expand_backtrace if exception.is_a?(SyntaxError) || exception.cause.is_a?(SyntaxError)
+    def template_error?
+      @exception.is_a?(ActionView::Template::Error)
+    end
+
+    def sub_template_message
+      @exception.sub_template_message
+    end
+
+    def has_cause?
+      @exception.cause
+    end
+
+    def failures
+      @exception.failures
+    end
+
+    def has_corrections?
+      @exception.respond_to?(:original_message) && @exception.respond_to?(:corrections)
+    end
+
+    def original_message
+      @exception.original_message
+    end
+
+    def corrections
+      @exception.corrections
+    end
+
+    def file_name
+      @exception.file_name
+    end
+
+    def line_number
+      @exception.line_number
+    end
+
+    def actions
+      ActiveSupport::ActionableError.actions(@exception)
     end
 
     def unwrapped_exception
       if wrapper_exceptions.include?(@exception_class_name)
-        exception.cause
+        @exception.cause
+      else
+        @exception
+      end
+    end
+
+    def annotated_source_code
+      if exception.respond_to?(:annotated_source_code)
+        exception.annotated_source_code
       else
-        exception
+        []
       end
     end
 
@@ -118,21 +174,44 @@ module ActionDispatch
       Rack::Utils.status_code(@@rescue_responses[class_name])
     end
 
+    def show?(request)
+      # We're treating `nil` as "unset", and we want the default setting to be
+      # `:all`. This logic should be extracted to `env_config` and calculated
+      # once.
+      config = request.get_header("action_dispatch.show_exceptions")
+
+      # Include true and false for backwards compatibility.
+      case config
+      when :none
+        false
+      when :rescuable
+        rescue_response?
+      when true
+        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to true is deprecated. Set to :all instead.")
+        true
+      when false
+        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to false is deprecated. Set to :none instead.")
+        false
+      else
+        true
+      end
+    end
+
     def rescue_response?
       @@rescue_responses.key?(exception.class.name)
     end
 
     def source_extracts
       backtrace.map do |trace|
-        file, line_number = extract_file_and_line_number(trace)
-
-        {
-          code: source_fragment(file, line_number),
-          line_number: line_number
-        }
+        extract_source(trace)
       end
     end
 
+    def error_highlight_available?
+      # ErrorHighlight.spot with backtrace_location keyword is available since error_highlight 0.4.0
+      defined?(ErrorHighlight) && Gem::Version.new(ErrorHighlight::VERSION) >= Gem::Version.new("0.4.0")
+    end
+
     def trace_to_show
       if traces["Application Trace"].empty? && rescue_template != "routing_error"
         "Full Trace"
@@ -145,9 +224,60 @@ module ActionDispatch
       (traces[trace_to_show].first || {})[:id]
     end
 
+    def exception_name
+      exception.cause.class.to_s
+    end
+
+    def message
+      exception.message
+    end
+
+    def exception_inspect
+      exception.inspect
+    end
+
+    def exception_id
+      exception.object_id
+    end
+
     private
-      def backtrace
-        Array(@exception.backtrace)
+      class SourceMapLocation < DelegateClass(Thread::Backtrace::Location) # :nodoc:
+        def initialize(location, template)
+          super(location)
+          @template = template
+        end
+
+        def spot(exc)
+          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location)
+            location = @template.spot(__getobj__)
+          else
+            location = super
+          end
+
+          if location
+            @template.translate_location(__getobj__, location)
+          end
+        end
+      end
+
+      attr_reader :backtrace
+
+      def build_backtrace
+        built_methods = {}
+
+        ActionView::PathRegistry.all_resolvers.each do |resolver|
+          resolver.built_templates.each do |template|
+            built_methods[template.method_name] = template
+          end
+        end
+
+        (@exception.backtrace_locations || []).map do |loc|
+          if built_methods.key?(loc.label.to_s)
+            SourceMapLocation.new(loc, built_methods[loc.label.to_s])
+          else
+            loc
+          end
+        end
       end
 
       def causes_for(exception)
@@ -168,29 +298,53 @@ module ActionDispatch
         end
       end
 
+      def extract_source(trace)
+        spot = trace.spot(@exception)
+
+        if spot
+          line = spot[:first_lineno]
+          code = extract_source_fragment_lines(spot[:script_lines], line)
+
+          if line == spot[:last_lineno]
+            code[line] = [
+              code[line][0, spot[:first_column]],
+              code[line][spot[:first_column]...spot[:last_column]],
+              code[line][spot[:last_column]..-1],
+            ]
+          end
+
+          return {
+            code: code,
+            line_number: line
+          }
+        end
+
+        file, line_number = extract_file_and_line_number(trace)
+
+        {
+          code: source_fragment(file, line_number),
+          line_number: line_number
+        }
+      end
+
+      def extract_source_fragment_lines(source_lines, line)
+        start = [line - 3, 0].max
+        lines = source_lines.drop(start).take(6)
+        Hash[*(start + 1..(lines.count + start)).zip(lines).flatten]
+      end
+
       def source_fragment(path, line)
         return unless Rails.respond_to?(:root) && Rails.root
         full_path = Rails.root.join(path)
         if File.exist?(full_path)
           File.open(full_path, "r") do |file|
-            start = [line - 3, 0].max
-            lines = file.each_line.drop(start).take(6)
-            Hash[*(start + 1..(lines.count + start)).zip(lines).flatten]
+            extract_source_fragment_lines(file.each_line, line)
           end
         end
       end
 
       def extract_file_and_line_number(trace)
-        # Split by the first colon followed by some digits, which works for both
-        # Windows and Unix path styles.
-        file, line = trace.match(/^(.+?):(\d+).*$/, &:captures) || trace
-        [file, line.to_i]
-      end
-
-      def expand_backtrace
-        @exception.backtrace.unshift(
-          @exception.to_s.split("\n")
-        ).flatten!
+        [trace.path, trace.lineno]
       end
   end
 end

data/lib/action_dispatch/middleware/executor.rb

@@ -14,7 +14,7 @@ module ActionDispatch
         response = @app.call(env)
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
       rescue => error
-        @executor.error_reporter.report(error, handled: false)
+        @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")
         raise
       ensure
         state.complete! unless returned

data/lib/action_dispatch/middleware/flash.rb

@@ -3,6 +3,8 @@
 require "active_support/core_ext/hash/keys"
 
 module ActionDispatch
+  # = Action Dispatch \Flash
+  #
   # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
   # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
   # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
@@ -175,6 +177,8 @@ module ActionDispatch
         @flashes.key? name.to_s
       end
 
+      # Immediately deletes the single flash entry. Use this method when you
+      # want remove the message within the current action. See also #discard.
       def delete(key)
         key = key.to_s
         @discard.delete key
@@ -243,6 +247,9 @@ module ActionDispatch
       #
       #     flash.discard              # discard the entire flash at the end of the current action
       #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
+      #
+      # Use this method when you want to display the message in the current
+      # action but not in the next one. See also #delete.
       def discard(k = nil)
         k = k.to_s if k
         @discard.merge Array(k || keys)

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \HostAuthorization
+  #
   # This middleware guards from DNS rebinding attacks by explicitly permitting
   # the hosts a request can be sent to, and is passed the options set in
   # +config.host_authorization+.
@@ -18,6 +20,7 @@ module ActionDispatch
   class HostAuthorization
     ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
     PORT_REGEX = /(?::\d+)/ # :nodoc:
+    SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i # :nodoc:
     IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
     IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i # :nodoc:
     IPV6_HOSTNAME_WITH_PORT = /\[#{IPV6_HOSTNAME}\]#{PORT_REGEX}/i # :nodoc:
@@ -69,7 +72,7 @@ module ActionDispatch
 
         def sanitize_string(host)
           if host.start_with?(".")
-            /\A([a-z0-9-]+\.)?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
+            /\A#{SUBDOMAIN_REGEX}?#{Regexp.escape(host[1..-1])}#{PORT_REGEX}?\z/i
           else
             /\A#{Regexp.escape host}#{PORT_REGEX}?\z/i
           end
@@ -101,8 +104,8 @@ module ActionDispatch
 
         def response(format, body)
           [RESPONSE_STATUS,
-           { "Content-Type" => "#{format}; charset=#{Response.default_charset}",
-             "Content-Length" => body.bytesize.to_s },
+           { Rack::CONTENT_TYPE => "#{format}; charset=#{Response.default_charset}",
+             Rack::CONTENT_LENGTH => body.bytesize.to_s },
            [body]]
         end
 

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 module ActionDispatch
+  # = Action Dispatch \PublicExceptions
+  #
   # When called, this middleware renders an error page. By default if an HTML
   # response is expected it will render static error pages from the <tt>/public</tt>
   # directory. For example when this middleware receives a 500 response it will
@@ -42,8 +44,8 @@ module ActionDispatch
       end
 
       def render_format(status, content_type, body)
-        [status, { "Content-Type" => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
-                  "Content-Length" => body.bytesize.to_s }, [body]]
+        [status, { Rack::CONTENT_TYPE => "#{content_type}; charset=#{ActionDispatch::Response.default_charset}",
+                  Rack::CONTENT_LENGTH => body.bytesize.to_s }, [body]]
       end
 
       def render_html(status)
@@ -53,7 +55,7 @@ module ActionDispatch
         if found || File.exist?(path)
           render_format(status, "text/html", File.read(path))
         else
-          [404, { "X-Cascade" => "pass" }, []]
+          [404, { Constants::X_CASCADE => "pass" }, []]
         end
       end
   end

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 module ActionDispatch
-  # ActionDispatch::Reloader wraps the request with callbacks provided by ActiveSupport::Reloader
-  # callbacks, intended to assist with code reloading during development.
+  # = Action Dispatch \Reloader
   #
-  # By default, ActionDispatch::Reloader is included in the middleware stack
-  # only in the development environment; specifically, when +config.cache_classes+
-  # is false.
+  # ActionDispatch::Reloader wraps the request with callbacks provided by
+  # ActiveSupport::Reloader, intended to assist with code reloading during
+  # development.
+  #
+  # ActionDispatch::Reloader is included in the middleware stack only if
+  # reloading is enabled, which it is by the default in +development+ mode.
   class Reloader < Executor
   end
 end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -3,14 +3,14 @@
 require "ipaddr"
 
 module ActionDispatch
+  # = Action Dispatch \RemoteIp
+  #
   # This middleware calculates the IP address of the remote client that is
   # making the request. It does this by checking various headers that could
   # contain the address, and then picking the last-set address that is not
   # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453],
-  # with {reasoning explained at length}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection]
-  # by @gingerlime. A more detailed explanation of the algorithm is given
-  # at GetIp#calculate_ip.
+  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453].
+  # A more detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
   # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
   # requires. Some Rack servers simply drop preceding headers, and only report
@@ -24,7 +24,8 @@ module ActionDispatch
   # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
   # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
   # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs.
+  # sometime before this middleware runs. Alternatively, remove this middleware
+  # to avoid inadvertently relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
@@ -65,9 +66,9 @@ module ActionDispatch
       elsif custom_proxies.respond_to?(:any?)
         custom_proxies
       else
-        ActiveSupport::Deprecation.warn(<<~EOM)
-          Setting config.action_dispatch.trusted_proxies to a single value has
-          been deprecated. Please set this to an enumerable instead. For
+        raise(ArgumentError, <<~EOM)
+          Setting config.action_dispatch.trusted_proxies to a single value isn't
+          supported. Please set this to an enumerable instead. For
           example, instead of:
 
           config.action_dispatch.trusted_proxies = IPAddr.new("10.0.0.0/8")
@@ -76,10 +77,8 @@ module ActionDispatch
 
           config.action_dispatch.trusted_proxies = [IPAddr.new("10.0.0.0/8")]
 
-          Note that unlike passing a single argument, passing an enumerable
-          will *replace* the default set of trusted proxies.
+          Note that passing an enumerable will *replace* the default set of trusted proxies.
         EOM
-        Array(custom_proxies) + TRUSTED_PROXIES
       end
     end
 
@@ -114,7 +113,7 @@ module ActionDispatch
       # proxies, that header may contain a list of IPs. Other proxy services
       # set the +Client-Ip+ header instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
+      # As discussed in {this post about Rails IP Spoofing}[https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
       # while the first IP in the list is likely to be the "originating" IP,
       # it could also have been set by the client maliciously.
       #
@@ -126,8 +125,8 @@ module ActionDispatch
         remote_addr = ips_from(@req.remote_addr).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse
+        client_ips    = ips_from(@req.client_ip).reverse!
+        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
         # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
         # If they are both set, it means that either:
@@ -155,7 +154,8 @@ module ActionDispatch
         #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
         #   - Client-Ip is propagated from the outermost proxy, or is blank
         #   - REMOTE_ADDR will be the IP that made the request to Rack
-        ips = [forwarded_ips, client_ips].flatten.compact
+        ips = forwarded_ips + client_ips
+        ips.compact!
 
         # If every single IP option is in the trusted list, return the IP
         # that's furthest away
@@ -173,7 +173,7 @@ module ActionDispatch
         return [] unless header
         # Split the comma-separated list into an array of strings.
         ips = header.strip.split(/[,\s]+/)
-        ips.select do |ip|
+        ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range
           # We want to make sure nobody is sneaking a netmask in.
@@ -181,6 +181,7 @@ module ActionDispatch
         rescue ArgumentError
           nil
         end
+        ips
       end
 
       def filter_proxies(ips) # :doc:

data/lib/action_dispatch/middleware/request_id.rb

@@ -4,6 +4,8 @@ require "securerandom"
 require "active_support/core_ext/string/access"
 
 module ActionDispatch
+  # = Action Dispatch \RequestId
+  #
   # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
   # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
   # the same id to the client via the +X-Request-Id+ header.

data/lib/action_dispatch/middleware/server_timing.rb

@@ -4,8 +4,6 @@ require "active_support/notifications"
 
 module ActionDispatch
   class ServerTiming
-    SERVER_TIMING_HEADER = "Server-Timing"
-
     class Subscriber # :nodoc:
       include Singleton
       KEY = :action_dispatch_server_timing_events
@@ -67,8 +65,10 @@ module ActionDispatch
         "%s;dur=%.2f" % [event_name, events_collection.sum(&:duration)]
       end
 
-      header_info.prepend(headers[SERVER_TIMING_HEADER]) if headers[SERVER_TIMING_HEADER].present?
-      headers[SERVER_TIMING_HEADER] = header_info.join(", ")
+      if headers[ActionDispatch::Constants::SERVER_TIMING].present?
+        header_info.prepend(headers[ActionDispatch::Constants::SERVER_TIMING])
+      end
+      headers[ActionDispatch::Constants::SERVER_TIMING] = header_info.join(", ")
 
       response
     end

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -67,6 +67,11 @@ module ActionDispatch
     end
 
     module SessionObject # :nodoc:
+      def commit_session(req, res)
+        req.commit_csrf_token
+        super(req, res)
+      end
+
       def prepare_session(req)
         Request::Session.create(self, req, @default_options)
       end

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -4,6 +4,8 @@ require "action_dispatch/middleware/session/abstract_store"
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \CacheStore
+    #
     # A session store that uses an ActiveSupport::Cache::Store to store the sessions. This store is most useful
     # if you don't store critical data in your sessions and you don't need them to live for extended periods
     # of time.

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -6,7 +6,9 @@ require "rack/session/cookie"
 
 module ActionDispatch
   module Session
-    # This cookie-based session store is the Rails default. It is
+    # = Action Dispatch Session \CookieStore
+    #
+    # This cookie-based session store is the \Rails default. It is
     # dramatically faster than the alternatives.
     #
     # Sessions typically contain at most a user ID and flash message; both fit
@@ -18,18 +20,18 @@ module ActionDispatch
     #
     # Your cookies will be encrypted using your application's +secret_key_base+. This
     # goes a step further than signed cookies in that encrypted cookies cannot
-    # be altered or read by users. This is the default starting in Rails 4.
+    # be altered or read by users. This is the default starting in \Rails 4.
     #
     # Configure your session store in an initializer:
     #
     #   Rails.application.config.session_store :cookie_store, key: '_your_app_session'
     #
     # In the development and test environments your application's +secret_key_base+ is
-    # generated by Rails and stored in a temporary file in <tt>tmp/development_secret.txt</tt>.
+    # generated by \Rails and stored in a temporary file in <tt>tmp/local_secret.txt</tt>.
     # In all other environments, it is stored encrypted in the
     # <tt>config/credentials.yml.enc</tt> file.
     #
-    # If your application was not updated to Rails 5.2 defaults, the +secret_key_base+
+    # If your application was not updated to \Rails 5.2 defaults, the +secret_key_base+
     # will be found in the old <tt>config/secrets.yml</tt> file.
     #
     # Note that changing your +secret_key_base+ will invalidate all existing session.
@@ -56,8 +58,12 @@ module ActionDispatch
         end
       end
 
+      DEFAULT_SAME_SITE = proc { |request| request.cookies_same_site_protection } # :nodoc:
+
       def initialize(app, options = {})
-        super(app, options.merge!(cookie_only: true))
+        options[:cookie_only] = true
+        options[:same_site] = DEFAULT_SAME_SITE if !options.key?(:same_site)
+        super
       end
 
       def delete_session(req, session_id, options)

data/lib/action_dispatch/middleware/session/mem_cache_store.rb

@@ -4,12 +4,14 @@ require "action_dispatch/middleware/session/abstract_store"
 begin
   require "rack/session/dalli"
 rescue LoadError => e
-  $stderr.puts "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
+  warn "You don't have dalli installed in your application. Please add it to your Gemfile and run bundle install"
   raise e
 end
 
 module ActionDispatch
   module Session
+    # = Action Dispatch Session \MemCacheStore
+    #
     # A session store that uses MemCache to implement storage.
     #
     # ==== Options