actionpack 7.1.3 → 7.2.1.1

data/lib/action_controller/metal/params_wrapper.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/hash/slice"
 require "active_support/core_ext/hash/except"
 require "active_support/core_ext/module/anonymous"
 require "action_dispatch/http/mime_type"
 
 module ActionController
-  # = Action Controller Params Wrapper
+  # # Action Controller Params Wrapper
   #
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
@@ -24,8 +26,8 @@ module ActionController
   #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
   #     end
   #
-  # If you enable +ParamsWrapper+ for +:json+ format, instead of having to
-  # send JSON parameters like this:
+  # If you enable `ParamsWrapper` for `:json` format, instead of having to send
+  # JSON parameters like this:
   #
   #     {"user": {"name": "Konata"}}
   #
@@ -34,45 +36,44 @@ module ActionController
   #     {"name": "Konata"}
   #
   # And it will be wrapped into a nested hash with the key name matching the
-  # controller's name. For example, if you're posting to +UsersController+,
-  # your new +params+ hash will look like this:
+  # controller's name. For example, if you're posting to `UsersController`, your
+  # new `params` hash will look like this:
   #
   #     {"name" => "Konata", "user" => {"name" => "Konata"}}
   #
-  # You can also specify the key in which the parameters should be wrapped to,
-  # and also the list of attributes it should wrap by using either +:include+ or
-  # +:exclude+ options like this:
+  # You can also specify the key in which the parameters should be wrapped to, and
+  # also the list of attributes it should wrap by using either `:include` or
+  # `:exclude` options like this:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters :person, include: [:username, :password]
   #     end
   #
-  # On Active Record models with no +:include+ or +:exclude+ option set,
-  # it will only wrap the parameters returned by the class method
-  # <tt>attribute_names</tt>.
+  # On Active Record models with no `:include` or `:exclude` option set, it will
+  # only wrap the parameters returned by the class method `attribute_names`.
   #
-  # If you're going to pass the parameters to an +ActiveModel+ object (such as
-  # <tt>User.new(params[:user])</tt>), you might consider passing the model class to
-  # the method instead. The +ParamsWrapper+ will actually try to determine the
-  # list of attribute names from the model and only wrap those attributes:
+  # If you're going to pass the parameters to an `ActiveModel` object (such as
+  # `User.new(params[:user])`), you might consider passing the model class to the
+  # method instead. The `ParamsWrapper` will actually try to determine the list of
+  # attribute names from the model and only wrap those attributes:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters Person
   #     end
   #
-  # You still could pass +:include+ and +:exclude+ to set the list of attributes
+  # You still could pass `:include` and `:exclude` to set the list of attributes
   # you want to wrap.
   #
   # By default, if you don't specify the key in which the parameters would be
-  # wrapped to, +ParamsWrapper+ will actually try to determine if there's
-  # a model related to it or not. This controller, for example:
+  # wrapped to, `ParamsWrapper` will actually try to determine if there's a model
+  # related to it or not. This controller, for example:
   #
   #     class Admin::UsersController < ApplicationController
   #     end
   #
-  # will try to check if +Admin::User+ or +User+ model exists, and use it to
-  # determine the wrapper key respectively. If both models don't exist,
-  # it will then fall back to use +user+ as the key.
+  # will try to check if `Admin::User` or `User` model exists, and use it to
+  # determine the wrapper key respectively. If both models don't exist, it will
+  # then fall back to use `user` as the key.
   #
   # To disable this functionality for a controller:
   #
@@ -84,11 +85,7 @@ module ActionController
 
     EXCLUDE_PARAMETERS = %w(authenticity_token _method utf8)
 
-    require "mutex_m"
-
     class Options < Struct.new(:name, :format, :include, :exclude, :klass, :model) # :nodoc:
-      include Mutex_m
-
       def self.from_hash(hash)
         name    = hash[:name]
         format  = Array(hash[:format])
@@ -99,6 +96,7 @@ module ActionController
 
       def initialize(name, format, include, exclude, klass, model) # :nodoc:
         super
+        @mutex = Mutex.new
         @include_set = include
         @name_set    = name
       end
@@ -111,7 +109,7 @@ module ActionController
         return super if @include_set
 
         m = model
-        synchronize do
+        @mutex.synchronize do
           return super if @include_set
 
           @include_set = true
@@ -144,7 +142,7 @@ module ActionController
         return super if @name_set
 
         m = model
-        synchronize do
+        @mutex.synchronize do
           return super if @name_set
 
           @name_set = true
@@ -157,13 +155,13 @@ module ActionController
       end
 
       private
-        # Determine the wrapper model from the controller's name. By convention,
-        # this could be done by trying to find the defined model that has the
-        # same singular name as the controller. For example, +UsersController+
-        # will try to find if the +User+ model exists.
+        # Determine the wrapper model from the controller's name. By convention, this
+        # could be done by trying to find the defined model that has the same singular
+        # name as the controller. For example, `UsersController` will try to find if the
+        # `User` model exists.
         #
-        # This method also does namespace lookup. Foo::Bar::UsersController will
-        # try to find Foo::Bar::User, Foo::User and finally User.
+        # This method also does namespace lookup. Foo::Bar::UsersController will try to
+        # find Foo::Bar::User, Foo::User and finally User.
         def _default_wrap_model
           return nil if klass.anonymous?
           model_name = klass.name.delete_suffix("Controller").classify
@@ -192,33 +190,34 @@ module ActionController
         self._wrapper_options = Options.from_hash(options)
       end
 
-      # Sets the name of the wrapper key, or the model which +ParamsWrapper+
-      # would use to determine the attribute names from.
+      # Sets the name of the wrapper key, or the model which `ParamsWrapper` would use
+      # to determine the attribute names from.
+      #
+      # #### Examples
+      #     wrap_parameters format: :xml
+      #       # enables the parameter wrapper for XML format
       #
-      # ==== Examples
-      #   wrap_parameters format: :xml
-      #     # enables the parameter wrapper for XML format
+      #     wrap_parameters :person
+      #       # wraps parameters into +params[:person]+ hash
       #
-      #   wrap_parameters :person
-      #     # wraps parameters into +params[:person]+ hash
+      #     wrap_parameters Person
+      #       # wraps parameters by determining the wrapper key from Person class
+      #       # (+person+, in this case) and the list of attribute names
       #
-      #   wrap_parameters Person
-      #     # wraps parameters by determining the wrapper key from Person class
-      #     # (+person+, in this case) and the list of attribute names
+      #     wrap_parameters include: [:username, :title]
+      #       # wraps only +:username+ and +:title+ attributes from parameters.
       #
-      #   wrap_parameters include: [:username, :title]
-      #     # wraps only +:username+ and +:title+ attributes from parameters.
+      #     wrap_parameters false
+      #       # disables parameters wrapping for this controller altogether.
       #
-      #   wrap_parameters false
-      #     # disables parameters wrapping for this controller altogether.
+      # #### Options
+      # *   `:format` - The list of formats in which the parameters wrapper will be
+      #     enabled.
+      # *   `:include` - The list of attribute names which parameters wrapper will
+      #     wrap into a nested hash.
+      # *   `:exclude` - The list of attribute names which parameters wrapper will
+      #     exclude from a nested hash.
       #
-      # ==== Options
-      # * <tt>:format</tt> - The list of formats in which the parameters wrapper
-      #   will be enabled.
-      # * <tt>:include</tt> - The list of attribute names which parameters wrapper
-      #   will wrap into a nested hash.
-      # * <tt>:exclude</tt> - The list of attribute names which parameters wrapper
-      #   will exclude from a nested hash.
       def wrap_parameters(name_or_model_or_options, options = {})
         model = nil
 
@@ -240,9 +239,8 @@ module ActionController
         self._wrapper_options = opts
       end
 
-      # Sets the default wrapper key or model which will be used to determine
-      # wrapper key and attribute names. Called automatically when the
-      # module is inherited.
+      # Sets the default wrapper key or model which will be used to determine wrapper
+      # key and attribute names. Called automatically when the module is inherited.
       def inherited(klass)
         if klass._wrapper_options.format.any?
           params = klass._wrapper_options.dup
@@ -254,8 +252,8 @@ module ActionController
     end
 
     private
-      # Performs parameters wrapping upon the request. Called automatically
-      # by the metal call stack.
+      # Performs parameters wrapping upon the request. Called automatically by the
+      # metal call stack.
       def process_action(*)
         _perform_parameter_wrapping if _wrapper_enabled?
         super

data/lib/action_controller/metal/permissions_policy.rb

@@ -1,27 +1,28 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionController # :nodoc:
   module PermissionsPolicy
     extend ActiveSupport::Concern
 
     module ClassMethods
-      # Overrides parts of the globally configured +Feature-Policy+
-      # header:
+      # Overrides parts of the globally configured `Feature-Policy` header:
       #
-      #   class PagesController < ApplicationController
-      #     permissions_policy do |policy|
-      #       policy.geolocation "https://example.com"
+      #     class PagesController < ApplicationController
+      #       permissions_policy do |policy|
+      #         policy.geolocation "https://example.com"
+      #       end
       #     end
-      #   end
       #
-      # Options can be passed similar to +before_action+. For example, pass
-      # <tt>only: :index</tt> to override the header on the index action only:
+      # Options can be passed similar to `before_action`. For example, pass `only:
+      # :index` to override the header on the index action only:
       #
-      #   class PagesController < ApplicationController
-      #     permissions_policy(only: :index) do |policy|
-      #       policy.camera :self
+      #     class PagesController < ApplicationController
+      #       permissions_policy(only: :index) do |policy|
+      #         policy.camera :self
+      #       end
       #     end
-      #   end
       #
       def permissions_policy(**options, &block)
         before_action(options) do

data/lib/action_controller/metal/rate_limiting.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module RateLimiting
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Applies a rate limit to all actions or those specified by the normal
+      # `before_action` filters with `only:` and `except:`.
+      #
+      # The maximum number of requests allowed is specified `to:` and constrained to
+      # the window of time given by `within:`.
+      #
+      # Rate limits are by default unique to the ip address making the request, but
+      # you can provide your own identity function by passing a callable in the `by:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Requests that exceed the rate limit are refused with a `429 Too Many Requests`
+      # response. You can specialize this by passing a callable in the `with:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Rate limiting relies on a backing `ActiveSupport::Cache` store and defaults to
+      # `config.action_controller.cache_store`, which itself defaults to the global
+      # `config.cache_store`. If you don't want to store rate limits in the same
+      # datastore as your general caches, you can pass a custom store in the `store`
+      # parameter.
+      #
+      # Examples:
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 10, within: 3.minutes, only: :create
+      #     end
+      #
+      #     class SignupsController < ApplicationController
+      #       rate_limit to: 1000, within: 10.seconds,
+      #         by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
+      #     end
+      #
+      #     class APIController < ApplicationController
+      #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
+      #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      end
+    end
+
+    private
+      def rate_limiting(to:, within:, by:, with:, store:)
+        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+        if count && count > to
+          ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
+            instance_exec(&with)
+          end
+        end
+      end
+  end
+end

data/lib/action_controller/metal/redirecting.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionController
   module Redirecting
     extend ActiveSupport::Concern
@@ -9,78 +11,95 @@ module ActionController
 
     class UnsafeRedirectError < StandardError; end
 
-    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/.freeze
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/
 
     included do
       mattr_accessor :raise_on_open_redirects, default: false
     end
 
-    # Redirects the browser to the target specified in +options+. This parameter can be any one of:
+    # Redirects the browser to the target specified in `options`. This parameter can
+    # be any one of:
+    #
+    # *   `Hash` - The URL will be generated by calling url_for with the `options`.
+    # *   `Record` - The URL will be generated by calling url_for with the
+    #     `options`, which will reference a named URL for that record.
+    # *   `String` starting with `protocol://` (like `http://`) or a protocol
+    #     relative reference (like `//`) - Is passed straight through as the target
+    #     for redirection.
+    # *   `String` not containing a protocol - The current protocol and host is
+    #     prepended to the string.
+    # *   `Proc` - A block that will be executed in the controller's context. Should
+    #     return any option accepted by `redirect_to`.
     #
-    # * <tt>Hash</tt> - The URL will be generated by calling url_for with the +options+.
-    # * <tt>Record</tt> - The URL will be generated by calling url_for with the +options+, which will reference a named URL for that record.
-    # * <tt>String</tt> starting with <tt>protocol://</tt> (like <tt>http://</tt>) or a protocol relative reference (like <tt>//</tt>) - Is passed straight through as the target for redirection.
-    # * <tt>String</tt> not containing a protocol - The current protocol and host is prepended to the string.
-    # * <tt>Proc</tt> - A block that will be executed in the controller's context. Should return any option accepted by +redirect_to+.
     #
-    # === Examples
+    # ### Examples
     #
-    #   redirect_to action: "show", id: 5
-    #   redirect_to @post
-    #   redirect_to "http://www.rubyonrails.org"
-    #   redirect_to "/images/screenshot.jpg"
-    #   redirect_to posts_url
-    #   redirect_to proc { edit_post_url(@post) }
+    #     redirect_to action: "show", id: 5
+    #     redirect_to @post
+    #     redirect_to "http://www.rubyonrails.org"
+    #     redirect_to "/images/screenshot.jpg"
+    #     redirect_to posts_url
+    #     redirect_to proc { edit_post_url(@post) }
     #
-    # The redirection happens as a <tt>302 Found</tt> header unless otherwise specified using the <tt>:status</tt> option:
+    # The redirection happens as a `302 Found` header unless otherwise specified
+    # using the `:status` option:
     #
-    #   redirect_to post_url(@post), status: :found
-    #   redirect_to action: 'atom', status: :moved_permanently
-    #   redirect_to post_url(@post), status: 301
-    #   redirect_to action: 'atom', status: 302
+    #     redirect_to post_url(@post), status: :found
+    #     redirect_to action: 'atom', status: :moved_permanently
+    #     redirect_to post_url(@post), status: 301
+    #     redirect_to action: 'atom', status: 302
     #
-    # The status code can either be a standard {HTTP Status code}[https://www.iana.org/assignments/http-status-codes] as an
-    # integer, or a symbol representing the downcased, underscored and symbolized description.
-    # Note that the status code must be a 3xx HTTP code, or redirection will not occur.
+    # The status code can either be a standard [HTTP Status
+    # code](https://www.iana.org/assignments/http-status-codes) as an integer, or a
+    # symbol representing the downcased, underscored and symbolized description.
+    # Note that the status code must be a 3xx HTTP code, or redirection will not
+    # occur.
     #
     # If you are using XHR requests other than GET or POST and redirecting after the
     # request then some browsers will follow the redirect using the original request
     # method. This may lead to undesirable behavior such as a double DELETE. To work
-    # around this you can return a <tt>303 See Other</tt> status code which will be
+    # around this you can return a `303 See Other` status code which will be
     # followed using a GET request.
     #
-    #   redirect_to posts_url, status: :see_other
-    #   redirect_to action: 'index', status: 303
+    #     redirect_to posts_url, status: :see_other
+    #     redirect_to action: 'index', status: 303
     #
-    # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
-    # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
+    # It is also possible to assign a flash message as part of the redirection.
+    # There are two special accessors for the commonly used flash names `alert` and
+    # `notice` as well as a general purpose `flash` bucket.
     #
-    #   redirect_to post_url(@post), alert: "Watch it, mister!"
-    #   redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
-    #   redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
-    #   redirect_to({ action: 'atom' }, alert: "Something serious happened")
+    #     redirect_to post_url(@post), alert: "Watch it, mister!"
+    #     redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #     redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #     redirect_to({ action: 'atom' }, alert: "Something serious happened")
     #
-    # Statements after +redirect_to+ in our controller get executed, so +redirect_to+ doesn't stop the execution of the function.
-    # To terminate the execution of the function immediately after the +redirect_to+, use return.
+    # Statements after `redirect_to` in our controller get executed, so
+    # `redirect_to` doesn't stop the execution of the function. To terminate the
+    # execution of the function immediately after the `redirect_to`, use return.
     #
-    #   redirect_to post_url(@post) and return
+    #     redirect_to post_url(@post) and return
     #
-    # === Open Redirect protection
+    # ### Open Redirect protection
     #
-    # By default, \Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
-    # Note: this was a new default in \Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    # By default, Rails protects against redirecting to external hosts for your
+    # app's safety, so called open redirects. Note: this was a new default in Rails
+    # 7.0, after upgrading opt-in by uncommenting the line with
+    # `raise_on_open_redirects` in
+    # `config/initializers/new_framework_defaults_7_0.rb`
     #
     # Here #redirect_to automatically validates the potentially-unsafe URL:
     #
-    #   redirect_to params[:redirect_url]
+    #     redirect_to params[:redirect_url]
     #
     # Raises UnsafeRedirectError in the case of an unsafe redirect.
     #
-    # To allow any external redirects pass <tt>allow_other_host: true</tt>, though using a user-provided param in that case is unsafe.
+    # To allow any external redirects pass `allow_other_host: true`, though using a
+    # user-provided param in that case is unsafe.
     #
-    #   redirect_to "https://rubyonrails.org", allow_other_host: true
+    #     redirect_to "https://rubyonrails.org", allow_other_host: true
     #
-    # See #url_from for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
+    # See #url_from for more information on what an internal and safe URL is, or how
+    # to fall back to an alternate redirect URL in the unsafe case.
     def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
@@ -96,50 +115,53 @@ module ActionController
       self.response_body = ""
     end
 
-    # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead
-    # of the first positional argument.
+    # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`
+    # location is supplied as a keyword argument instead of the first positional
+    # argument.
     def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
       redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
     end
 
-    # Redirects the browser to the page that issued the request (the referrer)
-    # if possible, otherwise redirects to the provided default fallback
-    # location.
+    # Redirects the browser to the page that issued the request (the referrer) if
+    # possible, otherwise redirects to the provided default fallback location.
+    #
+    # The referrer information is pulled from the HTTP `Referer` (sic) header on the
+    # request. This is an optional header and its presence on the request is subject
+    # to browser security settings and user preferences. If the request is missing
+    # this header, the `fallback_location` will be used.
     #
-    # The referrer information is pulled from the HTTP +Referer+ (sic) header on
-    # the request. This is an optional header and its presence on the request is
-    # subject to browser security settings and user preferences. If the request
-    # is missing this header, the <tt>fallback_location</tt> will be used.
+    #     redirect_back_or_to({ action: "show", id: 5 })
+    #     redirect_back_or_to @post
+    #     redirect_back_or_to "http://www.rubyonrails.org"
+    #     redirect_back_or_to "/images/screenshot.jpg"
+    #     redirect_back_or_to posts_url
+    #     redirect_back_or_to proc { edit_post_url(@post) }
+    #     redirect_back_or_to '/', allow_other_host: false
     #
-    #   redirect_back_or_to({ action: "show", id: 5 })
-    #   redirect_back_or_to @post
-    #   redirect_back_or_to "http://www.rubyonrails.org"
-    #   redirect_back_or_to "/images/screenshot.jpg"
-    #   redirect_back_or_to posts_url
-    #   redirect_back_or_to proc { edit_post_url(@post) }
-    #   redirect_back_or_to '/', allow_other_host: false
+    # #### Options
+    # *   `:allow_other_host` - Allow or disallow redirection to the host that is
+    #     different to the current host, defaults to true.
     #
-    # ==== Options
-    # * <tt>:allow_other_host</tt> - Allow or disallow redirection to the host that is different to the current host, defaults to true.
     #
-    # All other options that can be passed to #redirect_to are accepted as
-    # options, and the behavior is identical.
+    # All other options that can be passed to #redirect_to are accepted as options,
+    # and the behavior is identical.
     def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
       if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
         redirect_to request.referer, allow_other_host: allow_other_host, **options
       else
-        # The method level `allow_other_host` doesn't apply in the fallback case, omit and let the `redirect_to` handling take over.
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit
+        # and let the `redirect_to` handling take over.
         redirect_to fallback_location, **options
       end
     end
 
     def _compute_redirect_to_location(request, options) # :nodoc:
       case options
-      # The scheme name consist of a letter followed by any combination of
-      # letters, digits, and the plus ("+"), period ("."), or hyphen ("-")
-      # characters; and is terminated by a colon (":").
-      # See https://tools.ietf.org/html/rfc3986#section-3.1
-      # The protocol relative scheme starts with a double slash "//".
+      # The scheme name consist of a letter followed by any combination of letters,
+      # digits, and the plus ("+"), period ("."), or hyphen ("-") characters; and is
+      # terminated by a colon (":"). See
+      # https://tools.ietf.org/html/rfc3986#section-3.1 The protocol relative scheme
+      # starts with a double slash "//".
       when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
         options.to_str
       when String
@@ -153,25 +175,30 @@ module ActionController
     module_function :_compute_redirect_to_location
     public :_compute_redirect_to_location
 
-    # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
-    # Useful to wrap a params provided redirect URL and fall back to an alternate URL to redirect to:
+    # Verifies the passed `location` is an internal URL that's safe to redirect to
+    # and returns it, or nil if not. Useful to wrap a params provided redirect URL
+    # and fall back to an alternate URL to redirect to:
     #
-    #   redirect_to url_from(params[:redirect_url]) || root_url
+    #     redirect_to url_from(params[:redirect_url]) || root_url
     #
-    # The +location+ is considered internal, and safe, if it's on the same host as <tt>request.host</tt>:
+    # The `location` is considered internal, and safe, if it's on the same host as
+    # `request.host`:
     #
-    #   # If request.host is example.com:
-    #   url_from("https://example.com/profile") # => "https://example.com/profile"
-    #   url_from("http://example.com/profile")  # => "http://example.com/profile"
-    #   url_from("http://evil.com/profile")     # => nil
+    #     # If request.host is example.com:
+    #     url_from("https://example.com/profile") # => "https://example.com/profile"
+    #     url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #     url_from("http://evil.com/profile")     # => nil
     #
     # Subdomains are considered part of the host:
     #
-    #   # If request.host is on https://example.com or https://app.example.com, you'd get:
-    #   url_from("https://dev.example.com/profile") # => nil
+    #     # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #     url_from("https://dev.example.com/profile") # => nil
     #
-    # NOTE: there's a similarity with {url_for}[rdoc-ref:ActionDispatch::Routing::UrlFor#url_for], which generates an internal URL from various options from within the app, e.g. <tt>url_for(@post)</tt>.
-    # However, #url_from is meant to take an external parameter to verify as in <tt>url_from(params[:redirect_url])</tt>.
+    # NOTE: there's a similarity with
+    # [url_for](rdoc-ref:ActionDispatch::Routing::UrlFor#url_for), which generates
+    # an internal URL from various options from within the app, e.g.
+    # `url_for(@post)`. However, #url_from is meant to take an external parameter to
+    # verify as in `url_from(params[:redirect_url])`.
     def url_from(location)
       location = location.presence
       location if location && _url_host_allowed?(location)
@@ -212,9 +239,8 @@ module ActionController
       end
 
       def _ensure_url_is_http_header_safe(url)
-        # Attempt to comply with the set of valid token characters
-        # defined for an HTTP header value in
-        # https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        # Attempt to comply with the set of valid token characters defined for an HTTP
+        # header value in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
         if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
           msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
             "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"