RubyGems - actionpack - Versions diffs - 7.1.3.4 → 7.2.0.beta1 - Mend

actionpack 7.1.3.4 → 7.2.0.beta1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (158) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +70 -541
data/lib/abstract_controller/asset_paths.rb +2 -0
data/lib/abstract_controller/base.rb +102 -98
data/lib/abstract_controller/caching/fragments.rb +50 -53
data/lib/abstract_controller/caching.rb +2 -0
data/lib/abstract_controller/callbacks.rb +66 -64
data/lib/abstract_controller/collector.rb +6 -6
data/lib/abstract_controller/deprecator.rb +2 -0
data/lib/abstract_controller/error.rb +2 -0
data/lib/abstract_controller/helpers.rb +70 -85
data/lib/abstract_controller/logger.rb +2 -0
data/lib/abstract_controller/railties/routes_helpers.rb +2 -0
data/lib/abstract_controller/rendering.rb +13 -12
data/lib/abstract_controller/translation.rb +11 -10
data/lib/abstract_controller/url_for.rb +8 -6
data/lib/abstract_controller.rb +2 -0
data/lib/action_controller/api/api_rendering.rb +2 -0
data/lib/action_controller/api.rb +74 -72
data/lib/action_controller/base.rb +155 -117
data/lib/action_controller/caching.rb +15 -12
data/lib/action_controller/deprecator.rb +2 -0
data/lib/action_controller/form_builder.rb +20 -17
data/lib/action_controller/log_subscriber.rb +3 -1
data/lib/action_controller/metal/allow_browser.rb +119 -0
data/lib/action_controller/metal/basic_implicit_render.rb +2 -0
data/lib/action_controller/metal/conditional_get.rb +188 -174
data/lib/action_controller/metal/content_security_policy.rb +25 -24
data/lib/action_controller/metal/cookies.rb +4 -2
data/lib/action_controller/metal/data_streaming.rb +64 -55
data/lib/action_controller/metal/default_headers.rb +5 -3
data/lib/action_controller/metal/etag_with_flash.rb +3 -1
data/lib/action_controller/metal/etag_with_template_digest.rb +17 -15
data/lib/action_controller/metal/exceptions.rb +11 -9
data/lib/action_controller/metal/flash.rb +12 -10
data/lib/action_controller/metal/head.rb +12 -10
data/lib/action_controller/metal/helpers.rb +63 -55
data/lib/action_controller/metal/http_authentication.rb +209 -201
data/lib/action_controller/metal/implicit_render.rb +17 -15
data/lib/action_controller/metal/instrumentation.rb +15 -12
data/lib/action_controller/metal/live.rb +113 -107
data/lib/action_controller/metal/logging.rb +6 -4
data/lib/action_controller/metal/mime_responds.rb +151 -142
data/lib/action_controller/metal/parameter_encoding.rb +34 -32
data/lib/action_controller/metal/params_wrapper.rb +57 -59
data/lib/action_controller/metal/permissions_policy.rb +13 -12
data/lib/action_controller/metal/rate_limiting.rb +62 -0
data/lib/action_controller/metal/redirecting.rb +108 -82
data/lib/action_controller/metal/renderers.rb +50 -49
data/lib/action_controller/metal/rendering.rb +103 -75
data/lib/action_controller/metal/request_forgery_protection.rb +162 -133
data/lib/action_controller/metal/rescue.rb +11 -9
data/lib/action_controller/metal/streaming.rb +138 -136
data/lib/action_controller/metal/strong_parameters.rb +525 -480
data/lib/action_controller/metal/testing.rb +2 -0
data/lib/action_controller/metal/url_for.rb +17 -15
data/lib/action_controller/metal.rb +58 -57
data/lib/action_controller/railtie.rb +3 -0
data/lib/action_controller/railties/helpers.rb +2 -0
data/lib/action_controller/renderer.rb +42 -36
data/lib/action_controller/template_assertions.rb +4 -2
data/lib/action_controller/test_case.rb +146 -126
data/lib/action_controller.rb +10 -3
data/lib/action_dispatch/constants.rb +2 -0
data/lib/action_dispatch/deprecator.rb +2 -0
data/lib/action_dispatch/http/cache.rb +27 -26
data/lib/action_dispatch/http/content_disposition.rb +2 -0
data/lib/action_dispatch/http/content_security_policy.rb +44 -38
data/lib/action_dispatch/http/filter_parameters.rb +9 -5
data/lib/action_dispatch/http/filter_redirect.rb +15 -1
data/lib/action_dispatch/http/headers.rb +22 -22
data/lib/action_dispatch/http/mime_negotiation.rb +30 -41
data/lib/action_dispatch/http/mime_type.rb +29 -22
data/lib/action_dispatch/http/mime_types.rb +2 -0
data/lib/action_dispatch/http/parameters.rb +11 -9
data/lib/action_dispatch/http/permissions_policy.rb +27 -37
data/lib/action_dispatch/http/rack_cache.rb +2 -0
data/lib/action_dispatch/http/request.rb +71 -71
data/lib/action_dispatch/http/response.rb +61 -61
data/lib/action_dispatch/http/upload.rb +18 -16
data/lib/action_dispatch/http/url.rb +75 -73
data/lib/action_dispatch/journey/formatter.rb +13 -6
data/lib/action_dispatch/journey/gtg/builder.rb +4 -3
data/lib/action_dispatch/journey/gtg/simulator.rb +2 -0
data/lib/action_dispatch/journey/gtg/transition_table.rb +10 -8
data/lib/action_dispatch/journey/nfa/dot.rb +2 -0
data/lib/action_dispatch/journey/nodes/node.rb +6 -5
data/lib/action_dispatch/journey/parser.rb +4 -3
data/lib/action_dispatch/journey/parser_extras.rb +2 -0
data/lib/action_dispatch/journey/path/pattern.rb +4 -1
data/lib/action_dispatch/journey/route.rb +9 -7
data/lib/action_dispatch/journey/router/utils.rb +16 -15
data/lib/action_dispatch/journey/router.rb +4 -2
data/lib/action_dispatch/journey/routes.rb +4 -2
data/lib/action_dispatch/journey/scanner.rb +4 -2
data/lib/action_dispatch/journey/visitors.rb +2 -0
data/lib/action_dispatch/journey.rb +2 -0
data/lib/action_dispatch/log_subscriber.rb +2 -0
data/lib/action_dispatch/middleware/actionable_exceptions.rb +2 -0
data/lib/action_dispatch/middleware/assume_ssl.rb +8 -5
data/lib/action_dispatch/middleware/callbacks.rb +3 -1
data/lib/action_dispatch/middleware/cookies.rb +119 -104
data/lib/action_dispatch/middleware/debug_exceptions.rb +13 -5
data/lib/action_dispatch/middleware/debug_locks.rb +15 -13
data/lib/action_dispatch/middleware/debug_view.rb +2 -0
data/lib/action_dispatch/middleware/exception_wrapper.rb +6 -11
data/lib/action_dispatch/middleware/executor.rb +8 -0
data/lib/action_dispatch/middleware/flash.rb +63 -51
data/lib/action_dispatch/middleware/host_authorization.rb +17 -15
data/lib/action_dispatch/middleware/public_exceptions.rb +8 -6
data/lib/action_dispatch/middleware/reloader.rb +5 -3
data/lib/action_dispatch/middleware/remote_ip.rb +77 -72
data/lib/action_dispatch/middleware/request_id.rb +14 -9
data/lib/action_dispatch/middleware/server_timing.rb +4 -2
data/lib/action_dispatch/middleware/session/abstract_store.rb +2 -0
data/lib/action_dispatch/middleware/session/cache_store.rb +13 -8
data/lib/action_dispatch/middleware/session/cookie_store.rb +27 -26
data/lib/action_dispatch/middleware/session/mem_cache_store.rb +7 -3
data/lib/action_dispatch/middleware/show_exceptions.rb +31 -21
data/lib/action_dispatch/middleware/ssl.rb +43 -40
data/lib/action_dispatch/middleware/stack.rb +11 -10
data/lib/action_dispatch/middleware/static.rb +33 -31
data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb +1 -1
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +1 -1
data/lib/action_dispatch/railtie.rb +2 -4
data/lib/action_dispatch/request/session.rb +23 -21
data/lib/action_dispatch/request/utils.rb +2 -0
data/lib/action_dispatch/routing/endpoint.rb +2 -0
data/lib/action_dispatch/routing/inspector.rb +5 -3
data/lib/action_dispatch/routing/mapper.rb +670 -635
data/lib/action_dispatch/routing/polymorphic_routes.rb +69 -62
data/lib/action_dispatch/routing/redirection.rb +37 -32
data/lib/action_dispatch/routing/route_set.rb +59 -45
data/lib/action_dispatch/routing/routes_proxy.rb +6 -4
data/lib/action_dispatch/routing/url_for.rb +130 -125
data/lib/action_dispatch/routing.rb +150 -148
data/lib/action_dispatch/system_test_case.rb +91 -81
data/lib/action_dispatch/system_testing/browser.rb +10 -3
data/lib/action_dispatch/system_testing/driver.rb +3 -1
data/lib/action_dispatch/system_testing/server.rb +2 -0
data/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb +32 -21
data/lib/action_dispatch/system_testing/test_helpers/setup_and_teardown.rb +2 -0
data/lib/action_dispatch/testing/assertion_response.rb +8 -6
data/lib/action_dispatch/testing/assertions/response.rb +26 -23
data/lib/action_dispatch/testing/assertions/routing.rb +153 -84
data/lib/action_dispatch/testing/assertions.rb +2 -0
data/lib/action_dispatch/testing/integration.rb +223 -222
data/lib/action_dispatch/testing/request_encoder.rb +2 -0
data/lib/action_dispatch/testing/test_helpers/page_dump_helper.rb +35 -0
data/lib/action_dispatch/testing/test_process.rb +12 -8
data/lib/action_dispatch/testing/test_request.rb +3 -1
data/lib/action_dispatch/testing/test_response.rb +27 -26
data/lib/action_dispatch.rb +22 -28
data/lib/action_pack/gem_version.rb +6 -4
data/lib/action_pack/version.rb +3 -1
data/lib/action_pack.rb +17 -16
metadata +30 -13

data/lib/action_controller/caching.rb CHANGED Viewed

@@ -1,28 +1,31 @@
 # frozen_string_literal: true
+# :markup: markdown
 module ActionController
-  # = Action Controller \Caching
+  # # Action Controller Caching
   #
-  # \Caching is a cheap way of speeding up slow applications by keeping the result of
-  # calculations, renderings, and database calls around for subsequent requests.
+  # Caching is a cheap way of speeding up slow applications by keeping the result
+  # of calculations, renderings, and database calls around for subsequent
+  # requests.
   #
   # You can read more about each approach by clicking the modules below.
   #
   # Note: To turn off all caching provided by Action Controller, set
-  #   config.action_controller.perform_caching = false
+  #     config.action_controller.perform_caching = false
   #
-  # == \Caching stores
+  # ## Caching stores
   #
-  # All the caching stores from ActiveSupport::Cache are available to be used as backends
-  # for Action Controller caching.
+  # All the caching stores from ActiveSupport::Cache are available to be used as
+  # backends for Action Controller caching.
   #
   # Configuration examples (FileStore is the default):
   #
-  #   config.action_controller.cache_store = :memory_store
-  #   config.action_controller.cache_store = :file_store, '/path/to/cache/directory'
-  #   config.action_controller.cache_store = :mem_cache_store, 'localhost'
-  #   config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
-  #   config.action_controller.cache_store = MyOwnStore.new('parameter')
+  #     config.action_controller.cache_store = :memory_store
+  #     config.action_controller.cache_store = :file_store, '/path/to/cache/directory'
+  #     config.action_controller.cache_store = :mem_cache_store, 'localhost'
+  #     config.action_controller.cache_store = :mem_cache_store, Memcached::Rails.new('localhost:11211')
+  #     config.action_controller.cache_store = MyOwnStore.new('parameter')
   module Caching
     extend ActiveSupport::Concern

data/lib/action_controller/deprecator.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+# :markup: markdown
 module ActionController
   def self.deprecator # :nodoc:
     AbstractController.deprecator

data/lib/action_controller/form_builder.rb CHANGED Viewed

@@ -1,31 +1,33 @@
 # frozen_string_literal: true
+# :markup: markdown
 module ActionController
-  # = Action Controller Form Builder
+  # # Action Controller Form Builder
   #
-  # Override the default form builder for all views rendered by this
-  # controller and any of its descendants. Accepts a subclass of
+  # Override the default form builder for all views rendered by this controller
+  # and any of its descendants. Accepts a subclass of
   # ActionView::Helpers::FormBuilder.
   #
   # For example, given a form builder:
   #
-  #   class AdminFormBuilder < ActionView::Helpers::FormBuilder
-  #     def special_field(name)
+  #     class AdminFormBuilder < ActionView::Helpers::FormBuilder
+  #       def special_field(name)
+  #       end
   #     end
-  #   end
   #
   # The controller specifies a form builder as its default:
   #
-  #   class AdminAreaController < ApplicationController
-  #     default_form_builder AdminFormBuilder
-  #   end
+  #     class AdminAreaController < ApplicationController
+  #       default_form_builder AdminFormBuilder
+  #     end
   #
-  # Then in the view any form using +form_for+ will be an instance of the
+  # Then in the view any form using `form_for` will be an instance of the
   # specified form builder:
   #
-  #   <%= form_for(@instance) do |builder| %>
-  #     <%= builder.special_field(:name) %>
-  #   <% end %>
+  #     <%= form_for(@instance) do |builder| %>
+  #       <%= builder.special_field(:name) %>
+  #     <% end %>
   module FormBuilder
     extend ActiveSupport::Concern
@@ -34,11 +36,12 @@ module ActionController
     end
     module ClassMethods
-      # Set the form builder to be used as the default for all forms
-      # in the views rendered by this controller and its subclasses.
+      # Set the form builder to be used as the default for all forms in the views
+      # rendered by this controller and its subclasses.
       #
-      # ==== Parameters
-      # * <tt>builder</tt> - Default form builder, an instance of ActionView::Helpers::FormBuilder
+      # #### Parameters
+      # *   `builder` - Default form builder, an instance of
+      #     ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder
       end

data/lib/action_controller/log_subscriber.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+# :markup: markdown
 module ActionController
   class LogSubscriber < ActiveSupport::LogSubscriber
     INTERNAL_PARAMS = %w(controller action format _method only_path)
@@ -31,7 +33,7 @@ module ActionController
           status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
         end
-        additions << "Allocations: #{event.allocations}"
+        additions << "GC: #{event.gc_time.round(1)}ms"
         message = +"Completed #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]} in #{event.duration.round}ms" \
                    " (#{additions.join(" | ")})"

data/lib/action_controller/metal/allow_browser.rb ADDED Viewed

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+# :markup: markdown
+module ActionController # :nodoc:
+  module AllowBrowser
+    extend ActiveSupport::Concern
+    module ClassMethods
+      # Specify the browser versions that will be allowed to access all actions (or
+      # some, as limited by `only:` or `except:`). Only browsers matched in the hash
+      # or named set passed to `versions:` will be blocked if they're below the
+      # versions specified. This means that all other browsers, as well as agents that
+      # aren't reporting a user-agent header, will be allowed access.
+      #
+      # A browser that's blocked will by default be served the file in
+      # public/406-unsupported-browser.html with a HTTP status code of "406 Not
+      # Acceptable".
+      #
+      # In addition to specifically named browser versions, you can also pass
+      # `:modern` as the set to restrict support to browsers natively supporting webp
+      # images, web push, badges, import maps, CSS nesting, and CSS :has. This
+      # includes Safari 17.2+, Chrome 120+, Firefox 121+, Opera 106+.
+      #
+      # You can use https://caniuse.com to check for browser versions supporting the
+      # features you use.
+      #
+      # You can use `ActiveSupport::Notifications` to subscribe to events of browsers
+      # being blocked using the `browser_block.action_controller` event name.
+      #
+      # Examples:
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
+      #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
+      #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
+      #     end
+      #
+      #     class MessagesController < ApplicationController
+      #       # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
+      #       allow_browser versions: { opera: 104, chrome: 119 }, only: :show
+      #     end
+      def allow_browser(versions:, block: -> { render file: Rails.root.join("public/406-unsupported-browser.html"), layout: false, status: :not_acceptable }, **options)
+        before_action -> { allow_browser(versions: versions, block: block) }, **options
+      end
+    end
+    private
+      def allow_browser(versions:, block:)
+        require "useragent"
+        if BrowserBlocker.new(request, versions: versions).blocked?
+          ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
+            instance_exec(&block)
+          end
+        end
+      end
+      class BrowserBlocker
+        SETS = {
+          modern: { safari: 17.2, chrome: 120, firefox: 121, opera: 106, ie: false }
+        }
+        attr_reader :request, :versions
+        def initialize(request, versions:)
+          @request, @versions = request, versions
+        end
+        def blocked?
+          user_agent_version_reported? && unsupported_browser?
+        end
+        private
+          def parsed_user_agent
+            @parsed_user_agent ||= UserAgent.parse(request.user_agent)
+          end
+          def user_agent_version_reported?
+            request.user_agent.present? && parsed_user_agent.version.to_s.present?
+          end
+          def unsupported_browser?
+            version_guarded_browser? && version_below_minimum_required?
+          end
+          def version_guarded_browser?
+            minimum_browser_version_for_browser != nil
+          end
+          def version_below_minimum_required?
+            if minimum_browser_version_for_browser
+              parsed_user_agent.version < UserAgent::Version.new(minimum_browser_version_for_browser.to_s)
+            else
+              true
+            end
+          end
+          def minimum_browser_version_for_browser
+            expanded_versions[normalized_browser_name]
+          end
+          def expanded_versions
+            @expanded_versions ||= (SETS[versions] || versions).with_indifferent_access
+          end
+          def normalized_browser_name
+            case name = parsed_user_agent.browser.downcase
+            when "internet explorer" then "ie"
+            else name
+            end
+          end
+      end
+  end
+end

data/lib/action_controller/metal/basic_implicit_render.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+# :markup: markdown
 module ActionController
   module BasicImplicitRender # :nodoc:
     def send_action(method, *args)