actionpack 7.1.3.4 → 7.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8322f0e0b03702b4d77eacd0f77ddc0d0578389b0f9ae056338c97ce3239aa8
-  data.tar.gz: 04614dea6d1bab93cb2a21289272b0ee1a2705355ad260ea9be1a8c069f3c92a
+  metadata.gz: b4d5f38e40fa62a9e501f3cb6f6f569af105e1e4a3690f6246890b50fada2595
+  data.tar.gz: e3d511f1c6de7e525c7512be7913f153f918de39dac5fd4c1a26aa99882d2d85
 SHA512:
-  metadata.gz: a36e9f99ced3f948578e34fc8f32fc1699e39c465374b875c4c987bbc27155bd1f57cb21a6cb92745125cb0bd0c0200ee0e8f2c5942cb008b302a054d1d65fc3
-  data.tar.gz: ed0ce501cbff0a1c315a583b369401d47b7cb2e36300d4a0470cad9366df85cf5dc449e5ef3472170dea52e7837e16d80d2b1ab80189a4818f3f28bdcf85233c
+  metadata.gz: 918629b0d717a17eaf28f523b56e292b1f98ec7ebf7fe635a53b1ba395e1411810c00fcd0754d4822736deceabccf37f17fa3a2349d31fef26a767df89591949
+  data.tar.gz: d5bbb185497884aed4bfc496680c5774e2838447ac306da5c41bf6c047ac916d6bb4ca6d373be43b16ca5ff8a8913961c248560fbef43fb1db27b23509c61bed

data/CHANGELOG.md

@@ -1,8 +1,73 @@
+## Rails 7.1.4 (August 22, 2024) ##
+
+*   Resolve deprecation warning in latest `selenium-webdriver`.
+
+    *Earlopain*
+
+*   Don't preload Selenium browser when remote.
+
+    *Noah Horton*
+
+*   Fix crash for invalid Content-Type in ShowExceptions middleware.
+
+    *Earlopain*
+
+*   Fix inconsistent results of `params.deep_transform_keys`.
+
+    *Iago Pimenta*
+
+*   Do not report rendered errors except 500.
+
+    *Nikita Vasilevsky*
+
+*   Improve routes source location detection.
+
+    *Jean Boussier*
+
+*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
+
+    *Hartley McGuire*
+
+*   Fix url generation in nested engine when script name is empty.
+
+    *zzak*
+
+*   Fix `Mime::Type.parse` handling type parameters for HTTP Accept headers.
+
+    *Taylor Chaparro*
+
+*   Fix the error page that is displayed when a view template is missing to account for nested controller paths in the
+    suggested correct location for the missing template.
+
+    *Joshua Young*
+
+*   Fix a regression in 7.1.3 passing a `to:` option without a controller when the controller is already defined by a scope.
+
+    ```ruby
+    Rails.application.routes.draw do
+      controller :home do
+        get "recent", to: "recent_posts"
+      end
+    end
+    ```
+
+    *Étienne Barrié*
+
+*   Fix `ActionDispatch::Executor` middleware to report errors handled by `ActionDispatch::ShowExceptions`
+
+    In the default production environment, `ShowExceptions` rescues uncaught errors
+    and returns a response. Because of this the executor wouldn't report production
+    errors with the default Rails configuration.
+
+    *Jean Boussier*
+
+
 ## Rails 7.1.3.4 (June 04, 2024) ##
 
 *   Include the HTTP Permissions-Policy on non-HTML Content-Types
     [CVE-2024-28103]
 
+    *Aaron Patterson*
 
 ## Rails 7.1.3.3 (May 16, 2024) ##
 
@@ -14,16 +79,22 @@
 *   Fix `raise_on_missing_translations` not working correctly with the
     `translate` method in controllers after the patch for CVE-2024-26143.
 
+    *John Hawthorn*
+
 ## Rails 7.1.3.1 (February 21, 2024) ##
 
 *   Fix possible XSS vulnerability with the `translate` method in controllers
 
     CVE-2024-26143
 
+    *ooooooo-q + Aaron Patterson*
+
 *   Fix ReDoS in Accept header parsing
 
     CVE-2024-26142
 
+    *Aaron Patterson*
+
 ## Rails 7.1.3 (January 16, 2024) ##
 
 *   Fix including `Rails.application.routes.url_helpers` directly in an
@@ -138,6 +209,11 @@
 
     *Mike Dalessio*
 
+*   Ensure an uncaught exception when rendering a Turbo Frame properly breaks
+    out of the Frame and shows the `DebugView` error page in development.
+
+    *Joé Dupuis*
+
 *   The `with_routing` helper can now be called at the class level. When called at the class level, the routes will
     be setup before each test, and reset after every test. For example:
 

data/lib/abstract_controller/translation.rb

@@ -21,10 +21,12 @@ module AbstractController
         key = "#{path}.#{action_name}#{key}"
       end
 
-      if options[:default]
-        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
-        options[:default] = options[:default].map do |value|
-          value.is_a?(String) ? ERB::Util.html_escape(value) : value
+      if ActiveSupport::HtmlSafeTranslation.html_safe_translation_key?(key)
+        if options[:default]
+          options[:default] = [options[:default]] unless options[:default].is_a?(Array)
+          options[:default] = options[:default].map do |value|
+            value.is_a?(String) ? ERB::Util.html_escape(value) : value
+          end
         end
       end
 

data/lib/action_controller/metal/strong_parameters.rb

@@ -792,7 +792,7 @@ module ActionController
     # from the root hash and from all nested hashes and arrays. The values are unchanged.
     def deep_transform_keys(&block)
       new_instance_with_inherited_permitted_status(
-        @parameters.deep_transform_keys(&block)
+        _deep_transform_keys_in_object(@parameters, &block).to_unsafe_h
       )
     end
 
@@ -800,7 +800,7 @@ module ActionController
     # changed keys. This includes the keys from the root hash and from all
     # nested hashes and arrays. The values are unchanged.
     def deep_transform_keys!(&block)
-      @parameters.deep_transform_keys!(&block)
+      @parameters = _deep_transform_keys_in_object(@parameters, &block).to_unsafe_h
       self
     end
 
@@ -972,7 +972,7 @@ module ActionController
     # the returned array will include empty strings.
     #
     #   params = ActionController::Parameters.new(tags: "ruby,rails,,web")
-    #   params.extract_value(:tags) # => ["ruby", "rails", "", "web"]
+    #   params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails", "", "web"]
     def extract_value(key, delimiter: "_")
       @parameters[key]&.split(delimiter, -1)
     end
@@ -1035,6 +1035,46 @@ module ActionController
         end
       end
 
+      def _deep_transform_keys_in_object(object, &block)
+        case object
+        when Hash
+          object.each_with_object(self.class.new) do |(key, value), result|
+            result[yield(key)] = _deep_transform_keys_in_object(value, &block)
+          end
+        when Parameters
+          if object.permitted?
+            object.to_h.deep_transform_keys(&block)
+          else
+            object.to_unsafe_h.deep_transform_keys(&block)
+          end
+        when Array
+          object.map { |e| _deep_transform_keys_in_object(e, &block) }
+        else
+          object
+        end
+      end
+
+      def _deep_transform_keys_in_object!(object, &block)
+        case object
+        when Hash
+          object.keys.each do |key|
+            value = object.delete(key)
+            object[yield(key)] = _deep_transform_keys_in_object!(value, &block)
+          end
+          object
+        when Parameters
+          if object.permitted?
+            object.to_h.deep_transform_keys!(&block)
+          else
+            object.to_unsafe_h.deep_transform_keys!(&block)
+          end
+        when Array
+          object.map! { |e| _deep_transform_keys_in_object!(e, &block) }
+        else
+          object
+        end
+      end
+
       def specify_numeric_keys?(filter)
         if filter.respond_to?(:keys)
           filter.keys.any? { |key| /\A-?\d+\z/.match?(key) }

data/lib/action_controller/test_case.rb

@@ -284,13 +284,13 @@ module ActionController
   # ActionController::TestCase will also automatically provide the following instance
   # variables for use in the tests:
   #
-  # <b>@controller</b>::
+  # @controller::
   #      The controller instance that will be tested.
-  # <b>@request</b>::
+  # @request::
   #      An ActionController::TestRequest, representing the current HTTP
   #      request. You can modify this object before sending the HTTP request. For example,
   #      you might want to set some session properties before sending a GET request.
-  # <b>@response</b>::
+  # @response::
   #      An ActionDispatch::TestResponse object, representing the response
   #      of the last HTTP response. In the above example, <tt>@response</tt> becomes valid
   #      after calling +post+. If the various assert methods are not sufficient, then you

data/lib/action_controller.rb

@@ -62,8 +62,11 @@ module ActionController
     autoload :ApiRendering
   end
 
-  autoload :TestCase,           "action_controller/test_case"
-  autoload :TemplateAssertions, "action_controller/test_case"
+  autoload_at "action_controller/test_case" do
+    autoload :TestCase
+    autoload :TestRequest
+    autoload :TemplateAssertions
+  end
 end
 
 # Common Active Support usage in Action Controller

data/lib/action_dispatch/http/mime_type.rb

@@ -162,8 +162,11 @@ module Mime
       end
 
       def lookup(string)
+        return LOOKUP[string] if LOOKUP.key?(string)
+
         # fallback to the media-type without parameters if it was not found
-        LOOKUP[string] || LOOKUP[string.split(";", 2)[0]&.rstrip] || Type.new(string)
+        string = string.split(";", 2)[0]&.rstrip
+        LOOKUP[string] || Type.new(string)
       end
 
       def lookup_by_extension(extension)

data/lib/action_dispatch/http/permissions_policy.rb

@@ -89,7 +89,7 @@ module ActionDispatch # :nodoc:
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
       hid:                  "hid",
-      idle_detection:       "idle_detection",
+      idle_detection:       "idle-detection",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",

data/lib/action_dispatch/http/request.rb

@@ -229,11 +229,12 @@ module ActionDispatch
     # Early Hints is an HTTP/2 status code that indicates hints to help a client start
     # making preparations for processing the final response.
     #
-    # If the env contains +rack.early_hints+ then the server accepts HTTP2 push for Link headers.
+    # If the env contains +rack.early_hints+ then the server accepts HTTP2 push for
+    # link headers.
     #
     # The +send_early_hints+ method accepts a hash of links as follows:
     #
-    #   send_early_hints("Link" => "</style.css>; rel=preload; as=style\n</script.js>; rel=preload")
+    #   send_early_hints("link" => "</style.css>; rel=preload; as=style,</script.js>; rel=preload")
     #
     # If you are using +javascript_include_tag+ or +stylesheet_link_tag+ the
     # Early Hints headers are included by default if supported.
@@ -339,7 +340,6 @@ module ActionDispatch
     def raw_post
       unless has_header? "RAW_POST_DATA"
         set_header("RAW_POST_DATA", read_body_stream)
-        body_stream.rewind if body_stream.respond_to?(:rewind)
       end
       get_header "RAW_POST_DATA"
     end
@@ -467,9 +467,29 @@ module ActionDispatch
       end
 
       def read_body_stream
-        body_stream.rewind if body_stream.respond_to?(:rewind)
-        return body_stream.read if headers.key?("Transfer-Encoding") # Read body stream until EOF if "Transfer-Encoding" is present
-        body_stream.read(content_length)
+        if body_stream
+          reset_stream(body_stream) do
+            if headers.key?("Transfer-Encoding")
+              body_stream.read # Read body stream until EOF if "Transfer-Encoding" is present
+            else
+              body_stream.read(content_length)
+            end
+          end
+        end
+      end
+
+      def reset_stream(body_stream)
+        if body_stream.respond_to?(:rewind)
+          body_stream.rewind
+
+          content = yield
+
+          body_stream.rewind
+
+          content
+        else
+          yield
+        end
       end
   end
 end

data/lib/action_dispatch/middleware/executor.rb

@@ -12,6 +12,12 @@ module ActionDispatch
       state = @executor.run!(reset: true)
       begin
         response = @app.call(env)
+
+        if env["action_dispatch.report_exception"]
+          error = env["action_dispatch.exception"]
+          @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")
+        end
+
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
       rescue => error
         @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")

data/lib/action_dispatch/middleware/show_exceptions.rb

@@ -33,8 +33,11 @@ module ActionDispatch
       request = ActionDispatch::Request.new env
       backtrace_cleaner = request.get_header("action_dispatch.backtrace_cleaner")
       wrapper = ExceptionWrapper.new(backtrace_cleaner, exception)
+      request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
+      request.set_header "action_dispatch.report_exception", !wrapper.rescue_response?
+
       if wrapper.show?(request)
-        render_exception(request, wrapper)
+        render_exception(request.dup, wrapper)
       else
         raise exception
       end
@@ -43,7 +46,6 @@ module ActionDispatch
     private
       def render_exception(request, wrapper)
         status = wrapper.status_code
-        request.set_header "action_dispatch.exception", wrapper.unwrapped_exception
         request.set_header "action_dispatch.original_path", request.path_info
         request.set_header "action_dispatch.original_request_method", request.raw_request_method
         fallback_to_html_format_if_invalid_mime_type(request)
@@ -65,9 +67,17 @@ module ActionDispatch
         # If the MIME type for the request is invalid then the
         # @exceptions_app may not be able to handle it. To make it
         # easier to handle, we switch to HTML.
-        request.formats
-      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
-        request.set_header "HTTP_ACCEPT", "text/html"
+        begin
+          request.content_mime_type
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "CONTENT_TYPE", "text/html"
+        end
+
+        begin
+          request.formats
+        rescue ActionDispatch::Http::MimeNegotiation::InvalidType
+          request.set_header "HTTP_ACCEPT", "text/html"
+        end
       end
 
       def pass_response(status)

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb

@@ -11,7 +11,7 @@
     </p>
     <p>
       For example, a <code><%= @exception.controller %>#<%= @exception.action_name %></code> action defined in <code>app/controllers/<%= @exception.controller.controller_path %>_controller.rb</code> should have a corresponding view template
-      in a file named <code>app/views/<%= @exception.controller.controller_name %>/<%= @exception.action_name %>.html.erb</code>.
+      in a file named <code>app/views/<%= @exception.controller.controller_path %>/<%= @exception.action_name %>.html.erb</code>.
     </p>
     <p>
       However, if this controller is an API endpoint responding with 204 (No Content), which does not require a view template because it doesn't serve an HTML response, then this error will occur when trying to access it with a browser. In this particular scenario, you can ignore this error.

data/lib/action_dispatch/railtie.rb

@@ -69,7 +69,6 @@ module ActionDispatch
       ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie
 
       ActionDispatch::Routing::Mapper.route_source_locations = Rails.env.development?
-      ActionDispatch::Routing::Mapper.backtrace_cleaner = Rails.backtrace_cleaner
 
       ActionDispatch.test_app = app
     end

data/lib/action_dispatch/routing/mapper.rb

@@ -10,10 +10,19 @@ require "action_dispatch/routing/endpoint"
 module ActionDispatch
   module Routing
     class Mapper
+      class BacktraceCleaner < ActiveSupport::BacktraceCleaner # :nodoc:
+        def initialize
+          super
+          remove_silencers!
+          add_core_silencer
+          add_stdlib_silencer
+        end
+      end
+
       URL_OPTIONS = [:protocol, :subdomain, :domain, :host, :port]
 
       cattr_accessor :route_source_locations, instance_accessor: false, default: false
-      cattr_accessor :backtrace_cleaner, instance_accessor: false, default: ActiveSupport::BacktraceCleaner.new
+      cattr_accessor :backtrace_cleaner, instance_accessor: false, default: BacktraceCleaner.new
 
       class Constraints < Routing::Endpoint # :nodoc:
         attr_reader :app, :constraints
@@ -220,12 +229,17 @@ module ActionDispatch
               if to.nil?
                 controller = default_controller
                 action = default_action
-              elsif to.is_a?(String) && to.include?("#")
-                to_endpoint = to.split("#").map!(&:-@)
-                controller  = to_endpoint[0]
-                action      = to_endpoint[1]
+              elsif to.is_a?(String)
+                if to.include?("#")
+                  to_endpoint = to.split("#").map!(&:-@)
+                  controller  = to_endpoint[0]
+                  action      = to_endpoint[1]
+                else
+                  controller = default_controller
+                  action = to
+                end
               else
-                raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#'"
+                raise ArgumentError, ":to must respond to `action` or `call`, or it must be a String that includes '#', or the controller should be implicit"
               end
 
               controller = add_controller_module(controller, modyoule)
@@ -359,12 +373,35 @@ module ActionDispatch
             Routing::RouteSet::Dispatcher.new raise_on_name_error
           end
 
-          def route_source_location
-            if Mapper.route_source_locations
-              action_dispatch_dir = File.expand_path("..", __dir__)
-              caller_location = caller_locations.find { |location| !location.path.include?(action_dispatch_dir) }
-              cleaned_path = Mapper.backtrace_cleaner.clean([caller_location.path]).first
-              "#{cleaned_path}:#{caller_location.lineno}" if cleaned_path
+          if Thread.respond_to?(:each_caller_location)
+            def route_source_location
+              if Mapper.route_source_locations
+                action_dispatch_dir = File.expand_path("..", __dir__)
+                Thread.each_caller_location do |location|
+                  next if location.path.start_with?(action_dispatch_dir)
+
+                  cleaned_path = Mapper.backtrace_cleaner.clean_frame(location.path)
+                  next if cleaned_path.nil?
+
+                  return "#{cleaned_path}:#{location.lineno}"
+                end
+                nil
+              end
+            end
+          else
+            def route_source_location
+              if Mapper.route_source_locations
+                action_dispatch_dir = File.expand_path("..", __dir__)
+                caller_locations.each do |location|
+                  next if location.path.start_with?(action_dispatch_dir)
+
+                  cleaned_path = Mapper.backtrace_cleaner.clean_frame(location.path)
+                  next if cleaned_path.nil?
+
+                  return "#{cleaned_path}:#{location.lineno}"
+                end
+                nil
+              end
             end
           end
       end
@@ -680,7 +717,7 @@ module ActionDispatch
               def optimize_routes_generation?; false; end
 
               define_method :find_script_name do |options|
-                if options.key? :script_name
+                if options.key?(:script_name) && options[:script_name].present?
                   super(options)
                 else
                   script_namer.call(options)

data/lib/action_dispatch/system_testing/browser.rb

@@ -70,7 +70,12 @@ module ActionDispatch
         end
 
         def resolve_driver_path(namespace)
-          namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
+          # The path method has been deprecated in 4.20.0
+          if Gem::Version.new(::Selenium::WebDriver::VERSION) >= Gem::Version.new("4.20.0")
+            namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.new(options, namespace::Service.new).driver_path
+          else
+            namespace::Service.driver_path = ::Selenium::WebDriver::DriverFinder.path(options, namespace::Service)
+          end
         end
     end
   end

data/lib/action_dispatch/system_testing/driver.rb

@@ -16,7 +16,7 @@ module ActionDispatch
           gem "selenium-webdriver", ">= 4.0.0"
           require "selenium/webdriver"
           @browser = Browser.new(options[:using])
-          @browser.preload
+          @browser.preload unless @options[:browser] == :remote
         else
           @browser = nil
         end

data/lib/action_pack/gem_version.rb

@@ -9,8 +9,8 @@ module ActionPack
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 3
-    PRE   = "4"
+    TINY  = 4
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 7.1.3.4
+  version: 7.1.4
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-04 00:00:00.000000000 Z
+date: 2024-08-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -128,28 +128,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.3.4
+        version: 7.1.4
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com
@@ -346,10 +346,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.3.4/actionpack/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.3.4/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.4/actionpack/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.4/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.3.4/actionpack
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.4/actionpack
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -367,7 +367,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements:
 - none
-rubygems_version: 3.3.27
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Web-flow and rendering framework putting the VC in MVC (part of Rails).