actionpack 7.1.2 → 7.1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 27b3fee0fa041bb5e11a19926a50910131e2a8e9f52678491f97626d28272f08
-  data.tar.gz: 6e7c091c13209ba730de05b35472f5f5af601506ed0a8c27b43ca9a64ee2a73a
+  metadata.gz: 1b62aeaa57b9cd75f878c9fc01bfb6ea6212efb204b11333d90f612e1c00bfda
+  data.tar.gz: 0b92927142cc52e79ba1e16d8b8ba3dbceb9906978ff0d9292835110c08f6637
 SHA512:
-  metadata.gz: 57adb80fbb5071d15c3a89d9086ca18fe353168e5f06e8341815f124a1aaca6e6206443de95c3391ce9b5992313e20517c52bf44450dd03884e6ab084e33ec30
-  data.tar.gz: 309e1889aa0d61b31caf0f9aff3262480c5cca3b2b08bae86c6632b6cf500fabd9618768326594fffc52fa1ebab93aa1ad8629bc9ce8ca449780f35ca842fcb7
+  metadata.gz: abcb6dd57c8fea664f4a8c8f9124e48188e4d9042620096a877b9b55d7f20c64ee38a4c9b18435add3c81929884f666651befd678aa109760c42d8f03605888a
+  data.tar.gz: 715bbae4ea354077bd17c50ffcab9916278d245861e34913b8ee457eccb6aefd685474720accc4413b5b7eabb7e62e1b0c8abb336e93854fc244abef2b2833f3

data/CHANGELOG.md

@@ -1,3 +1,26 @@
+## Rails 7.1.3.1 (February 21, 2024) ##
+
+*   Fix possible XSS vulnerability with the `translate` method in controllers
+
+    CVE-2024-26143
+
+*   Fix ReDoS in Accept header parsing
+
+    CVE-2024-26142
+
+## Rails 7.1.3 (January 16, 2024) ##
+
+*   Fix including `Rails.application.routes.url_helpers` directly in an
+    `ActiveSupport::Concern.`
+
+    *Jonathan Hefner*
+
+*   Fix system tests when using a Chrome binary that has been downloaded by
+    Selenium.
+
+    *Jonathan Hefner*
+
+
 ## Rails 7.1.2 (November 10, 2023) ##
 
 *   Fix a race condition that could cause a `Text file busy - chromedriver`

data/lib/abstract_controller/translation.rb

@@ -21,7 +21,25 @@ module AbstractController
         key = "#{path}.#{action_name}#{key}"
       end
 
-      ActiveSupport::HtmlSafeTranslation.translate(key, **options)
+      if options[:default]
+        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+        options[:default] = options[:default].map do |value|
+          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+        end
+      end
+
+      if options[:raise].nil?
+        options[:default] = [] unless options[:default]
+        options[:default] << MISSING_TRANSLATION
+      end
+
+      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options)
+
+      if result == MISSING_TRANSLATION
+        +"translation missing: #{key}"
+      else
+        result
+      end
     end
     alias :t :translate
 
@@ -30,5 +48,9 @@ module AbstractController
       I18n.localize(object, **options)
     end
     alias :l :localize
+
+    private
+      MISSING_TRANSLATION = -(2**60)
+      private_constant :MISSING_TRANSLATION
   end
 end

data/lib/action_controller/metal/params_wrapper.rb

@@ -72,7 +72,7 @@ module ActionController
   #
   # will try to check if +Admin::User+ or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
-  # it will then fallback to use +user+ as the key.
+  # it will then fall back to use +user+ as the key.
   #
   # To disable this functionality for a controller:
   #

data/lib/action_controller/metal/redirecting.rb

@@ -154,7 +154,7 @@ module ActionController
     public :_compute_redirect_to_location
 
     # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
-    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
     #
     #   redirect_to url_from(params[:redirect_url]) || root_url
     #

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -132,7 +132,7 @@ module ActionDispatch
       # Sets the \formats by string extensions. This differs from #format= by allowing you
       # to set multiple, ordered formats, which is useful when you want to have a fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fallback
+      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
       # to the +:html+ format.
       #
       #   class ApplicationController < ActionController::Base

data/lib/action_dispatch/http/mime_type.rb

@@ -154,7 +154,7 @@ module Mime
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -193,7 +193,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))

data/lib/action_dispatch/http/permissions_policy.rb

@@ -85,7 +85,7 @@ module ActionDispatch # :nodoc:
     }.freeze
 
     # List of available permissions can be found at
-    # https://github.com/w3c/webappsec-permissions-policy/blob/master/features.md#policy-controlled-features
+    # https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md#policy-controlled-features
     DIRECTIVES = {
       accelerometer:        "accelerometer",
       ambient_light_sensor: "ambient-light-sensor",

data/lib/action_dispatch/http/request.rb

@@ -201,7 +201,7 @@ module ActionDispatch
     # more information.
     #
     # For debugging purposes, when called with arguments this method will
-    # fallback to Object#method
+    # fall back to Object#method
     def method(*args)
       if args.empty?
         @method ||= check_method(

data/lib/action_dispatch/middleware/assume_ssl.rb

@@ -4,7 +4,7 @@ module ActionDispatch
   # = Action Dispatch \AssumeSSL
   #
   # When proxying through a load balancer that terminates SSL, the forwarded request will appear
-  # as though its HTTP instead of HTTPS to the application. This makes redirects and cookie
+  # as though it's HTTP instead of HTTPS to the application. This makes redirects and cookie
   # security target HTTP instead of HTTPS. This middleware makes the server assume that the
   # proxy already terminated SSL, and that the request really is HTTPS.
   class AssumeSSL

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -248,7 +248,7 @@ module ActionDispatch
         end
 
         def spot(exc)
-          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location)
+          if RubyVM::AbstractSyntaxTree.respond_to?(:node_id_for_backtrace_location) && __getobj__.is_a?(Thread::Backtrace::Location)
             location = @template.spot(__getobj__)
           else
             location = super
@@ -273,7 +273,12 @@ module ActionDispatch
 
         (@exception.backtrace_locations || []).map do |loc|
           if built_methods.key?(loc.label.to_s)
-            SourceMapLocation.new(loc, built_methods[loc.label.to_s])
+            thread_backtrace_location = if loc.respond_to?(:__getobj__)
+              loc.__getobj__
+            else
+              loc
+            end
+            SourceMapLocation.new(thread_backtrace_location, built_methods[loc.label.to_s])
           else
             loc
           end

data/lib/action_dispatch/routing/mapper.rb

@@ -217,9 +217,16 @@ module ActionDispatch
             if to.respond_to?(:action) || to.respond_to?(:call)
               options
             else
-              to_endpoint = split_to to
-              controller  = to_endpoint[0] || default_controller
-              action      = to_endpoint[1] || default_action
+              if to.nil?
+                controller = default_controller
+                action = default_action
+              elsif to.is_a?(String) && to.include?("#")
+                to_endpoint = to.split("#").map!(&:-@)
+                controller  = to_endpoint[0]
+                action      = to_endpoint[1]
+              else
+                raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#'"
+              end
 
               controller = add_controller_module(controller, modyoule)
 
@@ -308,14 +315,6 @@ module ActionDispatch
             hash
           end
 
-          def split_to(to)
-            if to&.include?("#")
-              to.split("#").map!(&:-@)
-            else
-              []
-            end
-          end
-
           def add_controller_module(controller, modyoule)
             if modyoule && !controller.is_a?(Regexp)
               if controller&.start_with?("/")

data/lib/action_dispatch/routing/route_set.rb

@@ -603,7 +603,7 @@ module ActionDispatch
           # `included` block is run only for the initial inclusion of each copy.
           def self.included(base)
             super
-            if !base._routes.equal?(@_proxy._routes)
+            if base.respond_to?(:_routes) && !base._routes.equal?(@_proxy._routes)
               @dup_for_reinclude ||= self.dup
               base.include @dup_for_reinclude
             end

data/lib/action_dispatch/routing/routes_proxy.rb

@@ -29,23 +29,18 @@ module ActionDispatch
 
       def method_missing(method, *args)
         if @helpers.respond_to?(method)
-          instance_eval <<-RUBY, __FILE__, __LINE__ + 1
-            def #{method}(*args)
-              options = args.extract_options!
-              options = url_options.merge((options || {}).symbolize_keys)
+          options = args.extract_options!
+          options = url_options.merge((options || {}).symbolize_keys)
 
-              if @script_namer
-                options[:script_name] = merge_script_names(
-                  options[:script_name],
-                  @script_namer.call(options)
-                )
-              end
+          if @script_namer
+            options[:script_name] = merge_script_names(
+              options[:script_name],
+              @script_namer.call(options)
+            )
+          end
 
-              args << options
-              @helpers.#{method}(*args)
-            end
-          RUBY
-          public_send(method, *args)
+          args << options
+          @helpers.public_send(method, *args)
         else
           super
         end

data/lib/action_dispatch/routing.rb

@@ -117,9 +117,9 @@ module ActionDispatch
   #
   #   # In config/routes.rb
   #   controller :blog do
-  #     get 'blog/show',    to: :list
-  #     get 'blog/delete',  to: :delete
-  #     get 'blog/edit',    to: :edit
+  #     get 'blog/show'    => :list
+  #     get 'blog/delete'  => :delete
+  #     get 'blog/edit'    => :edit
   #   end
   #
   #   # provides named routes for show, delete, and edit
@@ -238,7 +238,7 @@ module ActionDispatch
   #
   # == View a list of all your routes
   #
-  #   bin/rails routes
+  #   $ bin/rails routes
   #
   # Target a specific controller with <tt>-c</tt>, or grep routes
   # using <tt>-g</tt>. Useful in conjunction with <tt>--expanded</tt>

data/lib/action_dispatch/system_testing/browser.rb

@@ -3,7 +3,7 @@
 module ActionDispatch
   module SystemTesting
     class Browser # :nodoc:
-      attr_reader :name, :options
+      attr_reader :name
 
       def initialize(name)
         @name = name
@@ -21,9 +21,18 @@ module ActionDispatch
         end
       end
 
+      def options
+        @options ||=
+          case type
+          when :chrome
+            ::Selenium::WebDriver::Chrome::Options.new
+          when :firefox
+            ::Selenium::WebDriver::Firefox::Options.new
+          end
+      end
+
       def configure
-        initialize_options
-        yield options if block_given? && options
+        yield options if block_given?
       end
 
       # driver_path is lazily initialized by default. Eagerly set it to
@@ -38,16 +47,6 @@ module ActionDispatch
       end
 
       private
-        def initialize_options
-          @options ||=
-            case type
-            when :chrome
-              ::Selenium::WebDriver::Chrome::Options.new
-            when :firefox
-              ::Selenium::WebDriver::Firefox::Options.new
-            end
-        end
-
         def set_default_options
           case name
           when :headless_chrome
@@ -71,10 +70,7 @@ module ActionDispatch
         end
 
         def resolve_driver_path(namespace)
-          namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(
-            options || namespace::Options.new,
-            namespace::Service
-          )
+          namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
         end
     end
   end

data/lib/action_dispatch/testing/assertion_response.rb

@@ -36,7 +36,7 @@ module ActionDispatch
 
     private
       def code_from_name(name)
-        GENERIC_RESPONSE_CODES[name] || Rack::Utils::SYMBOL_TO_STATUS_CODE[name]
+        GENERIC_RESPONSE_CODES[name] || Rack::Utils.status_code(name)
       end
 
       def name_from_code(code)

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 2
-    PRE   = nil
+    TINY  = 3
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.2
+  version: 7.1.3.1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-10 00:00:00.000000000 Z
+date: 2024-02-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.2
+        version: 7.1.3.1
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.2/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.2/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.1/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.3.1/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.2/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.1/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.4.18
+rubygems_version: 3.4.10
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).