actionpack 7.1.3.4 → 7.2.0.beta1

data/lib/action_dispatch/middleware/exception_wrapper.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/syntax_error_proxy"
 require "active_support/core_ext/thread/backtrace/location"
@@ -175,23 +177,15 @@ module ActionDispatch
     end
 
     def show?(request)
-      # We're treating `nil` as "unset", and we want the default setting to be
-      # `:all`. This logic should be extracted to `env_config` and calculated
-      # once.
+      # We're treating `nil` as "unset", and we want the default setting to be `:all`.
+      # This logic should be extracted to `env_config` and calculated once.
       config = request.get_header("action_dispatch.show_exceptions")
 
-      # Include true and false for backwards compatibility.
       case config
       when :none
         false
       when :rescuable
         rescue_response?
-      when true
-        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to true is deprecated. Set to :all instead.")
-        true
-      when false
-        ActionDispatch.deprecator.warn("Setting action_dispatch.show_exceptions to false is deprecated. Set to :none instead.")
-        false
       else
         true
       end
@@ -208,7 +202,8 @@ module ActionDispatch
     end
 
     def error_highlight_available?
-      # ErrorHighlight.spot with backtrace_location keyword is available since error_highlight 0.4.0
+      # ErrorHighlight.spot with backtrace_location keyword is available since
+      # error_highlight 0.4.0
       defined?(ErrorHighlight) && Gem::Version.new(ErrorHighlight::VERSION) >= Gem::Version.new("0.4.0")
     end
 

data/lib/action_dispatch/middleware/executor.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "rack/body_proxy"
 
 module ActionDispatch
@@ -12,6 +14,12 @@ module ActionDispatch
       state = @executor.run!(reset: true)
       begin
         response = @app.call(env)
+
+        if env["action_dispatch.report_exception"]
+          error = env["action_dispatch.exception"]
+          @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")
+        end
+
         returned = response << ::Rack::BodyProxy.new(response.pop) { state.complete! }
       rescue => error
         @executor.error_reporter.report(error, handled: false, source: "application.action_dispatch")

data/lib/action_dispatch/middleware/flash.rb

@@ -1,41 +1,48 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/hash/keys"
 
 module ActionDispatch
-  # = Action Dispatch \Flash
+  # # Action Dispatch Flash
   #
-  # The flash provides a way to pass temporary primitive-types (String, Array, Hash) between actions. Anything you place in the flash will be exposed
-  # to the very next action and then cleared out. This is a great way of doing notices and alerts, such as a create
-  # action that sets <tt>flash[:notice] = "Post successfully created"</tt> before redirecting to a display action that can
-  # then expose the flash to its template. Actually, that exposure is automatically done.
+  # The flash provides a way to pass temporary primitive-types (String, Array,
+  # Hash) between actions. Anything you place in the flash will be exposed to the
+  # very next action and then cleared out. This is a great way of doing notices
+  # and alerts, such as a create action that sets `flash[:notice] = "Post
+  # successfully created"` before redirecting to a display action that can then
+  # expose the flash to its template. Actually, that exposure is automatically
+  # done.
   #
-  #   class PostsController < ActionController::Base
-  #     def create
-  #       # save post
-  #       flash[:notice] = "Post successfully created"
-  #       redirect_to @post
-  #     end
+  #     class PostsController < ActionController::Base
+  #       def create
+  #         # save post
+  #         flash[:notice] = "Post successfully created"
+  #         redirect_to @post
+  #       end
   #
-  #     def show
-  #       # doesn't need to assign the flash notice to the template, that's done automatically
+  #       def show
+  #         # doesn't need to assign the flash notice to the template, that's done automatically
+  #       end
   #     end
-  #   end
   #
-  # Then in +show.html.erb+:
+  # Then in `show.html.erb`:
   #
-  #   <% if flash[:notice] %>
-  #     <div class="notice"><%= flash[:notice] %></div>
-  #   <% end %>
+  #     <% if flash[:notice] %>
+  #       <div class="notice"><%= flash[:notice] %></div>
+  #     <% end %>
   #
-  # Since the +notice+ and +alert+ keys are a common idiom, convenience accessors are available:
+  # Since the `notice` and `alert` keys are a common idiom, convenience accessors
+  # are available:
   #
-  #   flash.alert = "You must be logged in"
-  #   flash.notice = "Post successfully created"
+  #     flash.alert = "You must be logged in"
+  #     flash.notice = "Post successfully created"
   #
-  # This example places a string in the flash. And of course, you can put as many as you like at a time too. If you want to pass
-  # non-primitive types, you will have to handle that in your application. Example: To show messages with links, you will have to
-  # use sanitize helper.
+  # This example places a string in the flash. And of course, you can put as many
+  # as you like at a time too. If you want to pass non-primitive types, you will
+  # have to handle that in your application. Example: To show messages with links,
+  # you will have to use sanitize helper.
   #
   # Just remember: They'll be gone by the time the next action has been performed.
   #
@@ -98,12 +105,12 @@ module ActionDispatch
         @flash[k.to_s]
       end
 
-      # Convenience accessor for <tt>flash.now[:alert]=</tt>.
+      # Convenience accessor for `flash.now[:alert]=`.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for <tt>flash.now[:notice]=</tt>.
+      # Convenience accessor for `flash.now[:notice]=`.
       def notice=(message)
         self[:notice] = message
       end
@@ -131,8 +138,8 @@ module ActionDispatch
         end
       end
 
-      # Builds a hash containing the flashes to keep for the next request.
-      # If there are none to keep, returns +nil+.
+      # Builds a hash containing the flashes to keep for the next request. If there
+      # are none to keep, returns `nil`.
       def to_session_value # :nodoc:
         flashes_to_keep = @flashes.except(*@discard)
         return nil if flashes_to_keep.empty?
@@ -177,8 +184,8 @@ module ActionDispatch
         @flashes.key? name.to_s
       end
 
-      # Immediately deletes the single flash entry. Use this method when you
-      # want remove the message within the current action. See also #discard.
+      # Immediately deletes the single flash entry. Use this method when you want
+      # remove the message within the current action. See also #discard.
       def delete(key)
         key = key.to_s
         @discard.delete key
@@ -211,45 +218,49 @@ module ActionDispatch
         self
       end
 
-      # Sets a flash that will not be available to the next action, only to the current.
+      # Sets a flash that will not be available to the next action, only to the
+      # current.
       #
       #     flash.now[:message] = "Hello current action"
       #
-      # This method enables you to use the flash as a central messaging system in your app.
-      # When you need to pass an object to the next action, you use the standard flash assign (<tt>[]=</tt>).
-      # When you need to pass an object to the current action, you use <tt>now</tt>, and your object will
-      # vanish when the current action is done.
+      # This method enables you to use the flash as a central messaging system in your
+      # app. When you need to pass an object to the next action, you use the standard
+      # flash assign (`[]=`). When you need to pass an object to the current action,
+      # you use `now`, and your object will vanish when the current action is done.
       #
-      # Entries set via <tt>now</tt> are accessed the same way as standard entries: <tt>flash['my-key']</tt>.
+      # Entries set via `now` are accessed the same way as standard entries:
+      # `flash['my-key']`.
       #
       # Also, brings two convenience accessors:
       #
-      #   flash.now.alert = "Beware now!"
-      #   # Equivalent to flash.now[:alert] = "Beware now!"
+      #     flash.now.alert = "Beware now!"
+      #     # Equivalent to flash.now[:alert] = "Beware now!"
       #
-      #   flash.now.notice = "Good luck now!"
-      #   # Equivalent to flash.now[:notice] = "Good luck now!"
+      #     flash.now.notice = "Good luck now!"
+      #     # Equivalent to flash.now[:notice] = "Good luck now!"
       def now
         @now ||= FlashNow.new(self)
       end
 
-      # Keeps either the entire current flash or a specific flash entry available for the next action:
+      # Keeps either the entire current flash or a specific flash entry available for
+      # the next action:
       #
-      #    flash.keep            # keeps the entire flash
-      #    flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
+      #     flash.keep            # keeps the entire flash
+      #     flash.keep(:notice)   # keeps only the "notice" entry, the rest of the flash is discarded
       def keep(k = nil)
         k = k.to_s if k
         @discard.subtract Array(k || keys)
         k ? self[k] : self
       end
 
-      # Marks the entire flash or a single flash entry to be discarded by the end of the current action:
+      # Marks the entire flash or a single flash entry to be discarded by the end of
+      # the current action:
       #
       #     flash.discard              # discard the entire flash at the end of the current action
       #     flash.discard(:warning)    # discard only the "warning" entry at the end of the current action
       #
-      # Use this method when you want to display the message in the current
-      # action but not in the next one. See also #delete.
+      # Use this method when you want to display the message in the current action but
+      # not in the next one. See also #delete.
       def discard(k = nil)
         k = k.to_s if k
         @discard.merge Array(k || keys)
@@ -258,28 +269,29 @@ module ActionDispatch
 
       # Mark for removal entries that were kept, and delete unkept ones.
       #
-      # This method is called automatically by filters, so you generally don't need to care about it.
+      # This method is called automatically by filters, so you generally don't need to
+      # care about it.
       def sweep # :nodoc:
         @discard.each { |k| @flashes.delete k }
         @discard.replace @flashes.keys
       end
 
-      # Convenience accessor for <tt>flash[:alert]</tt>.
+      # Convenience accessor for `flash[:alert]`.
       def alert
         self[:alert]
       end
 
-      # Convenience accessor for <tt>flash[:alert]=</tt>.
+      # Convenience accessor for `flash[:alert]=`.
       def alert=(message)
         self[:alert] = message
       end
 
-      # Convenience accessor for <tt>flash[:notice]</tt>.
+      # Convenience accessor for `flash[:notice]`.
       def notice
         self[:notice]
       end
 
-      # Convenience accessor for <tt>flash[:notice]=</tt>.
+      # Convenience accessor for `flash[:notice]=`.
       def notice=(message)
         self[:notice] = message
       end

data/lib/action_dispatch/middleware/host_authorization.rb

@@ -1,24 +1,26 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # = Action Dispatch \HostAuthorization
+  # # Action Dispatch HostAuthorization
   #
-  # This middleware guards from DNS rebinding attacks by explicitly permitting
-  # the hosts a request can be sent to, and is passed the options set in
-  # +config.host_authorization+.
+  # This middleware guards from DNS rebinding attacks by explicitly permitting the
+  # hosts a request can be sent to, and is passed the options set in
+  # `config.host_authorization`.
   #
-  # Requests can opt-out of Host Authorization with +exclude+:
+  # Requests can opt-out of Host Authorization with `exclude`:
   #
-  #    config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
+  #     config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
   #
-  # When a request comes to an unauthorized host, the +response_app+
-  # application will be executed and rendered. If no +response_app+ is given, a
-  # default one will run.
-  # The default response app logs blocked host info with level 'error' and
-  # responds with <tt>403 Forbidden</tt>. The body of the response contains debug info
-  # if +config.consider_all_requests_local+ is set to true, otherwise the body is empty.
+  # When a request comes to an unauthorized host, the `response_app` application
+  # will be executed and rendered. If no `response_app` is given, a default one
+  # will run. The default response app logs blocked host info with level 'error'
+  # and responds with `403 Forbidden`. The body of the response contains debug
+  # info if `config.consider_all_requests_local` is set to true, otherwise the
+  # body is empty.
   class HostAuthorization
-    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
+    ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
     PORT_REGEX = /(?::\d+)/ # :nodoc:
     SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i # :nodoc:
     IPV4_HOSTNAME = /(?<host>\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/ # :nodoc:
@@ -45,8 +47,8 @@ module ActionDispatch
             begin
               allowed === extract_hostname(host)
             rescue
-              # IPAddr#=== raises an error if you give it a hostname instead of
-              # IP. Treat similar errors as blocked access.
+              # IPAddr#=== raises an error if you give it a hostname instead of IP. Treat
+              # similar errors as blocked access.
               false
             end
           else

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -1,15 +1,17 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # = Action Dispatch \PublicExceptions
+  # # Action Dispatch PublicExceptions
   #
   # When called, this middleware renders an error page. By default if an HTML
-  # response is expected it will render static error pages from the <tt>/public</tt>
+  # response is expected it will render static error pages from the `/public`
   # directory. For example when this middleware receives a 500 response it will
-  # render the template found in <tt>/public/500.html</tt>.
-  # If an internationalized locale is set, this middleware will attempt to render
-  # the template in <tt>/public/500.<locale>.html</tt>. If an internationalized template
-  # is not found it will fall back on <tt>/public/500.html</tt>.
+  # render the template found in `/public/500.html`. If an internationalized
+  # locale is set, this middleware will attempt to render the template in
+  # `/public/500.<locale>.html`. If an internationalized template is not found it
+  # will fall back on `/public/500.html`.
   #
   # When a request with a content type other than HTML is made, this middleware
   # will attempt to convert error information into the appropriate response type.

data/lib/action_dispatch/middleware/reloader.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # = Action Dispatch \Reloader
+  # # Action Dispatch Reloader
   #
   # ActionDispatch::Reloader wraps the request with callbacks provided by
   # ActiveSupport::Reloader, intended to assist with code reloading during
   # development.
   #
-  # ActionDispatch::Reloader is included in the middleware stack only if
-  # reloading is enabled, which it is by the default in +development+ mode.
+  # ActionDispatch::Reloader is included in the middleware stack only if reloading
+  # is enabled, which it is by the default in `development` mode.
   class Reloader < Executor
   end
 end

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -1,37 +1,41 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "ipaddr"
 
 module ActionDispatch
-  # = Action Dispatch \RemoteIp
+  # # Action Dispatch RemoteIp
   #
-  # This middleware calculates the IP address of the remote client that is
-  # making the request. It does this by checking various headers that could
-  # contain the address, and then picking the last-set address that is not
-  # on the list of trusted IPs. This follows the precedent set by e.g.
-  # {the Tomcat server}[https://issues.apache.org/bugzilla/show_bug.cgi?id=50453].
-  # A more detailed explanation of the algorithm is given at GetIp#calculate_ip.
+  # This middleware calculates the IP address of the remote client that is making
+  # the request. It does this by checking various headers that could contain the
+  # address, and then picking the last-set address that is not on the list of
+  # trusted IPs. This follows the precedent set by e.g. [the Tomcat
+  # server](https://issues.apache.org/bugzilla/show_bug.cgi?id=50453). A more
+  # detailed explanation of the algorithm is given at GetIp#calculate_ip.
   #
-  # Some Rack servers concatenate repeated headers, like {HTTP RFC 2616}[https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2]
-  # requires. Some Rack servers simply drop preceding headers, and only report
-  # the value that was {given in the last header}[https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-servers].
-  # If you are behind multiple proxy servers (like NGINX to HAProxy to Unicorn)
-  # then you should test your Rack server to make sure your data is good.
+  # Some Rack servers concatenate repeated headers, like [HTTP RFC
+  # 2616](https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2) requires.
+  # Some Rack servers simply drop preceding headers, and only report the value
+  # that was [given in the last
+  # header](https://andre.arko.net/2011/12/26/repeated-headers-and-ruby-web-server
+  # s). If you are behind multiple proxy servers (like NGINX to HAProxy to
+  # Unicorn) then you should test your Rack server to make sure your data is good.
   #
-  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING.
-  # This middleware assumes that there is at least one proxy sitting around
-  # and setting headers with the client's remote IP address. If you don't use
-  # a proxy, because you are hosted on e.g. Heroku without SSL, any client can
-  # claim to have any IP address by setting the +X-Forwarded-For+ header. If you
-  # care about that, then you need to explicitly drop or ignore those headers
-  # sometime before this middleware runs. Alternatively, remove this middleware
-  # to avoid inadvertently relying on it.
+  # IF YOU DON'T USE A PROXY, THIS MAKES YOU VULNERABLE TO IP SPOOFING. This
+  # middleware assumes that there is at least one proxy sitting around and setting
+  # headers with the client's remote IP address. If you don't use a proxy, because
+  # you are hosted on e.g. Heroku without SSL, any client can claim to have any IP
+  # address by setting the `X-Forwarded-For` header. If you care about that, then
+  # you need to explicitly drop or ignore those headers sometime before this
+  # middleware runs. Alternatively, remove this middleware to avoid inadvertently
+  # relying on it.
   class RemoteIp
     class IpSpoofAttackError < StandardError; end
 
-    # The default trusted IPs list simply includes IP addresses that are
-    # guaranteed by the IP specification to be private addresses. Those will
-    # not be the ultimate client IP in production, and so are discarded. See
+    # The default trusted IPs list simply includes IP addresses that are guaranteed
+    # by the IP specification to be private addresses. Those will not be the
+    # ultimate client IP in production, and so are discarded. See
     # https://en.wikipedia.org/wiki/Private_network for details.
     TRUSTED_PROXIES = [
       "127.0.0.0/8",    # localhost IPv4 range, per RFC-3330
@@ -44,20 +48,20 @@ module ActionDispatch
 
     attr_reader :check_ip, :proxies
 
-    # Create a new +RemoteIp+ middleware instance.
+    # Create a new `RemoteIp` middleware instance.
     #
-    # The +ip_spoofing_check+ option is on by default. When on, an exception
-    # is raised if it looks like the client is trying to lie about its own IP
-    # address. It makes sense to turn off this check on sites aimed at non-IP
-    # clients (like WAP devices), or behind proxies that set headers in an
-    # incorrect or confusing way (like AWS ELB).
+    # The `ip_spoofing_check` option is on by default. When on, an exception is
+    # raised if it looks like the client is trying to lie about its own IP address.
+    # It makes sense to turn off this check on sites aimed at non-IP clients (like
+    # WAP devices), or behind proxies that set headers in an incorrect or confusing
+    # way (like AWS ELB).
     #
-    # The +custom_proxies+ argument can take an enumerable which will be used
-    # instead of +TRUSTED_PROXIES+. Any proxy setup will put the value you
-    # want in the middle (or at the beginning) of the +X-Forwarded-For+ list,
-    # with your proxy servers after it. If your proxies aren't removed, pass
-    # them in via the +custom_proxies+ parameter. That way, the middleware will
-    # ignore those IP addresses, and return the one that you want.
+    # The `custom_proxies` argument can take an enumerable which will be used
+    # instead of `TRUSTED_PROXIES`. Any proxy setup will put the value you want in
+    # the middle (or at the beginning) of the `X-Forwarded-For` list, with your
+    # proxy servers after it. If your proxies aren't removed, pass them in via the
+    # `custom_proxies` parameter. That way, the middleware will ignore those IP
+    # addresses, and return the one that you want.
     def initialize(app, ip_spoofing_check = true, custom_proxies = nil)
       @app = app
       @check_ip = ip_spoofing_check
@@ -82,19 +86,19 @@ module ActionDispatch
       end
     end
 
-    # Since the IP address may not be needed, we store the object here
-    # without calculating the IP to keep from slowing down the majority of
-    # requests. For those requests that do need to know the IP, the
-    # GetIp#calculate_ip method will calculate the memoized client IP address.
+    # Since the IP address may not be needed, we store the object here without
+    # calculating the IP to keep from slowing down the majority of requests. For
+    # those requests that do need to know the IP, the GetIp#calculate_ip method will
+    # calculate the memoized client IP address.
     def call(env)
       req = ActionDispatch::Request.new env
       req.remote_ip = GetIp.new(req, check_ip, proxies)
       @app.call(req.env)
     end
 
-    # The GetIp class exists as a way to defer processing of the request data
-    # into an actual IP address. If the ActionDispatch::Request#remote_ip method
-    # is called, this class will calculate the value and then memoize it.
+    # The GetIp class exists as a way to defer processing of the request data into
+    # an actual IP address. If the ActionDispatch::Request#remote_ip method is
+    # called, this class will calculate the value and then memoize it.
     class GetIp
       def initialize(req, check_ip, proxies)
         @req      = req
@@ -102,24 +106,25 @@ module ActionDispatch
         @proxies  = proxies
       end
 
-      # Sort through the various IP address headers, looking for the IP most
-      # likely to be the address of the actual remote client making this
-      # request.
+      # Sort through the various IP address headers, looking for the IP most likely to
+      # be the address of the actual remote client making this request.
       #
-      # REMOTE_ADDR will be correct if the request is made directly against the
-      # Ruby process, on e.g. Heroku. When the request is proxied by another
-      # server like HAProxy or NGINX, the IP address that made the original
-      # request will be put in an +X-Forwarded-For+ header. If there are multiple
-      # proxies, that header may contain a list of IPs. Other proxy services
-      # set the +Client-Ip+ header instead, so we check that too.
+      # REMOTE_ADDR will be correct if the request is made directly against the Ruby
+      # process, on e.g. Heroku. When the request is proxied by another server like
+      # HAProxy or NGINX, the IP address that made the original request will be put in
+      # an `X-Forwarded-For` header. If there are multiple proxies, that header may
+      # contain a list of IPs. Other proxy services set the `Client-Ip` header
+      # instead, so we check that too.
       #
-      # As discussed in {this post about Rails IP Spoofing}[https://web.archive.org/web/20170626095448/https://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/],
-      # while the first IP in the list is likely to be the "originating" IP,
-      # it could also have been set by the client maliciously.
+      # As discussed in [this post about Rails IP
+      # Spoofing](https://web.archive.org/web/20170626095448/https://blog.gingerlime.c
+      # om/2012/rails-ip-spoofing-vulnerabilities-and-protection/), while the first IP
+      # in the list is likely to be the "originating" IP, it could also have been set
+      # by the client maliciously.
       #
-      # In order to find the first address that is (probably) accurate, we
-      # take the list of IPs, remove known and trusted proxies, and then take
-      # the last address left, which was presumably set by one of those proxies.
+      # In order to find the first address that is (probably) accurate, we take the
+      # list of IPs, remove known and trusted proxies, and then take the last address
+      # left, which was presumably set by one of those proxies.
       def calculate_ip
         # Set by the Rack web server, this is a single value.
         remote_addr = ips_from(@req.remote_addr).last
@@ -128,19 +133,19 @@ module ActionDispatch
         client_ips    = ips_from(@req.client_ip).reverse!
         forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
 
-        # +Client-Ip+ and +X-Forwarded-For+ should not, generally, both be set.
-        # If they are both set, it means that either:
+        # `Client-Ip` and `X-Forwarded-For` should not, generally, both be set. If they
+        # are both set, it means that either:
         #
         # 1) This request passed through two proxies with incompatible IP header
-        #    conventions.
-        # 2) The client passed one of +Client-Ip+ or +X-Forwarded-For+
-        #    (whichever the proxy servers weren't using) themselves.
+        #     conventions.
+        #
+        # 2) The client passed one of `Client-Ip` or `X-Forwarded-For`
+        #     (whichever the proxy servers weren't using) themselves.
         #
-        # Either way, there is no way for us to determine which header is the
-        # right one after the fact. Since we have no idea, if we are concerned
-        # about IP spoofing we need to give up and explode. (If you're not
-        # concerned about IP spoofing you can turn the +ip_spoofing_check+
-        # option off.)
+        # Either way, there is no way for us to determine which header is the right one
+        # after the fact. Since we have no idea, if we are concerned about IP spoofing
+        # we need to give up and explode. (If you're not concerned about IP spoofing you
+        # can turn the `ip_spoofing_check` option off.)
         should_check_ip = @check_ip && client_ips.last && forwarded_ips.last
         if should_check_ip && !forwarded_ips.include?(client_ips.last)
           # We don't know which came from the proxy, and which from the user
@@ -151,14 +156,14 @@ module ActionDispatch
 
         # We assume these things about the IP headers:
         #
-        #   - X-Forwarded-For will be a list of IPs, one per proxy, or blank
-        #   - Client-Ip is propagated from the outermost proxy, or is blank
-        #   - REMOTE_ADDR will be the IP that made the request to Rack
+        #     - X-Forwarded-For will be a list of IPs, one per proxy, or blank
+        #     - Client-Ip is propagated from the outermost proxy, or is blank
+        #     - REMOTE_ADDR will be the IP that made the request to Rack
         ips = forwarded_ips + client_ips
         ips.compact!
 
-        # If every single IP option is in the trusted list, return the IP
-        # that's furthest away
+        # If every single IP option is in the trusted list, return the IP that's
+        # furthest away
         filter_proxies(ips + [remote_addr]).first || ips.last || remote_addr
       end
 

data/lib/action_dispatch/middleware/request_id.rb

@@ -1,21 +1,26 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "securerandom"
 require "active_support/core_ext/string/access"
 
 module ActionDispatch
-  # = Action Dispatch \RequestId
+  # # Action Dispatch RequestId
   #
-  # Makes a unique request id available to the +action_dispatch.request_id+ env variable (which is then accessible
-  # through ActionDispatch::Request#request_id or the alias ActionDispatch::Request#uuid) and sends
-  # the same id to the client via the +X-Request-Id+ header.
+  # Makes a unique request id available to the `action_dispatch.request_id` env
+  # variable (which is then accessible through ActionDispatch::Request#request_id
+  # or the alias ActionDispatch::Request#uuid) and sends the same id to the client
+  # via the `X-Request-Id` header.
   #
-  # The unique request id is either based on the +X-Request-Id+ header in the request, which would typically be generated
-  # by a firewall, load balancer, or the web server, or, if this header is not available, a random uuid. If the
-  # header is accepted from the outside world, we sanitize it to a max of 255 chars and alphanumeric and dashes only.
+  # The unique request id is either based on the `X-Request-Id` header in the
+  # request, which would typically be generated by a firewall, load balancer, or
+  # the web server, or, if this header is not available, a random uuid. If the
+  # header is accepted from the outside world, we sanitize it to a max of 255
+  # chars and alphanumeric and dashes only.
   #
-  # The unique request id can be used to trace a request end-to-end and would typically end up being part of log files
-  # from multiple pieces of the stack.
+  # The unique request id can be used to trace a request end-to-end and would
+  # typically end up being part of log files from multiple pieces of the stack.
   class RequestId
     def initialize(app, header:)
       @app = app