actionpack 7.1.3 → 7.2.1.1

data/lib/action_dispatch/http/content_security_policy.rb

@@ -1,28 +1,31 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
-  # = Action Dispatch Content Security Policy
+  # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP
-  # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
-  # response header to help protect against XSS and injection attacks.
+  # Configures the HTTP [Content-Security-Policy]
+  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # response header to help protect against XSS and
+  # injection attacks.
   #
   # Example global policy:
   #
-  #   Rails.application.config.content_security_policy do |policy|
-  #     policy.default_src :self, :https
-  #     policy.font_src    :self, :https, :data
-  #     policy.img_src     :self, :https, :data
-  #     policy.object_src  :none
-  #     policy.script_src  :self, :https
-  #     policy.style_src   :self, :https
+  #     Rails.application.config.content_security_policy do |policy|
+  #       policy.default_src :self, :https
+  #       policy.font_src    :self, :https, :data
+  #       policy.img_src     :self, :https, :data
+  #       policy.object_src  :none
+  #       policy.script_src  :self, :https
+  #       policy.style_src   :self, :https
   #
-  #     # Specify URI for violation reports
-  #     policy.report_uri "/csp-violation-report-endpoint"
-  #   end
+  #       # Specify URI for violation reports
+  #       policy.report_uri "/csp-violation-report-endpoint"
+  #     end
   class ContentSecurityPolicy
     class Middleware
       def initialize(app)
@@ -32,8 +35,8 @@ module ActionDispatch # :nodoc:
       def call(env)
         status, headers, _ = response = @app.call(env)
 
-        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
-        # CSP headers might not match nonces in the cached HTML.
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
+        # new CSP headers might not match nonces in the cached HTML.
         return response if status == 304
 
         return response if policy_present?(headers)
@@ -190,14 +193,14 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether to prevent the user agent from loading any assets over
-    # HTTP when the page uses HTTPS:
+    # Specify whether to prevent the user agent from loading any assets over HTTP
+    # when the page uses HTTPS:
     #
-    #   policy.block_all_mixed_content
+    #     policy.block_all_mixed_content
     #
-    # Pass +false+ to allow it again:
+    # Pass `false` to allow it again:
     #
-    #   policy.block_all_mixed_content false
+    #     policy.block_all_mixed_content false
     #
     def block_all_mixed_content(enabled = true)
       if enabled
@@ -209,11 +212,11 @@ module ActionDispatch # :nodoc:
 
     # Restricts the set of plugins that can be embedded:
     #
-    #   policy.plugin_types "application/x-shockwave-flash"
+    #     policy.plugin_types "application/x-shockwave-flash"
     #
     # Leave empty to allow all plugins:
     #
-    #   policy.plugin_types
+    #     policy.plugin_types
     #
     def plugin_types(*types)
       if types.first
@@ -223,23 +226,25 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the {report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
-    # directive. Violation reports will be sent to the specified URI:
+    # Enable the [report-uri]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # directive. Violation reports will be sent to the
+    # specified URI:
     #
-    #   policy.report_uri "/csp-violation-report-endpoint"
+    #     policy.report_uri "/csp-violation-report-endpoint"
     #
     def report_uri(uri)
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which {Subresource Integrity}[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity]
-    # is required:
+    # Specify asset types for which [Subresource Integrity]
+    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
-    #   policy.require_sri_for :script, :style
+    #     policy.require_sri_for :script, :style
     #
     # Leave empty to not require Subresource Integrity:
     #
-    #   policy.require_sri_for
+    #     policy.require_sri_for
     #
     def require_sri_for(*types)
       if types.first
@@ -249,18 +254,19 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a {sandbox}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox]
+    # Specify whether a [sandbox]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
-    #   policy.sandbox
+    #     policy.sandbox
     #
     # Values can be passed as arguments:
     #
-    #   policy.sandbox "allow-scripts", "allow-modals"
+    #     policy.sandbox "allow-scripts", "allow-modals"
     #
-    # Pass +false+ to disable the sandbox:
+    # Pass `false` to disable the sandbox:
     #
-    #   policy.sandbox false
+    #     policy.sandbox false
     #
     def sandbox(*values)
       if values.empty?
@@ -274,11 +280,11 @@ module ActionDispatch # :nodoc:
 
     # Specify whether user agents should treat any assets over HTTP as HTTPS:
     #
-    #   policy.upgrade_insecure_requests
+    #     policy.upgrade_insecure_requests
     #
-    # Pass +false+ to disable it:
+    # Pass `false` to disable it:
     #
-    #   policy.upgrade_insecure_requests false
+    #     policy.upgrade_insecure_requests false
     #
     def upgrade_insecure_requests(enabled = true)
       if enabled

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,18 +1,21 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # = Action Dispatch HTTP Filter Parameters
+    # # Action Dispatch HTTP Filter Parameters
     #
     # Allows you to specify sensitive query string and POST parameters to filter
     # from the request log.
     #
-    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
-    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
+    #     # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
+    #     env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #
-    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
+    # For more information about filter behavior, see
+    # ActiveSupport::ParameterFilter.
     module FilterParameters
       ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
       NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
@@ -43,7 +46,8 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      # Returns the `ActiveSupport::ParameterFilter` object used to filter in this
+      # request.
       def parameter_filter
         @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
           parameter_filter_for get_header("action_dispatch.parameter_filter")
@@ -64,12 +68,17 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     module FilterRedirect
@@ -9,7 +11,7 @@ module ActionDispatch
         if location_filter_match?
           FILTERED
         else
-          location
+          parameter_filtered_location
         end
       end
 
@@ -31,6 +33,25 @@ module ActionDispatch
           end
         end
       end
+
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
+          end
+          uri.query = filtered_parts.join("")
+        end
+        uri.to_s
+      rescue URI::Error
+        FILTERED
+      end
     end
   end
 end

data/lib/action_dispatch/http/headers.rb

@@ -1,28 +1,30 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
-    # = Action Dispatch HTTP \Headers
+    # # Action Dispatch HTTP Headers
     #
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
-    #   headers = ActionDispatch::Http::Headers.from_hash(env)
-    #   headers["Content-Type"] # => "text/plain"
-    #   headers["User-Agent"] # => "curl/7.43.0"
+    #     env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #     headers = ActionDispatch::Http::Headers.from_hash(env)
+    #     headers["Content-Type"] # => "text/plain"
+    #     headers["User-Agent"] # => "curl/7.43.0"
     #
     # Also note that when headers are mapped to CGI-like variables by the Rack
     # server, both dashes and underscores are converted to underscores. This
     # ambiguity cannot be resolved at this stage anymore. Both underscores and
     # dashes have to be interpreted as if they were originally sent as dashes.
     #
-    #   # GET / HTTP/1.1
-    #   # ...
-    #   # User-Agent: curl/7.43.0
-    #   # X_Custom_Header: token
+    #     # GET / HTTP/1.1
+    #     # ...
+    #     # User-Agent: curl/7.43.0
+    #     # X_Custom_Header: token
     #
-    #   headers["X_Custom_Header"] # => nil
-    #   headers["X-Custom-Header"] # => "token"
+    #     headers["X_Custom_Header"] # => nil
+    #     headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -67,7 +69,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
+      # Add a value to a multivalued header like `Vary` or `Accept-Encoding`.
       def add(key, value)
         @req.add_header env_name(key), value
       end
@@ -81,11 +83,10 @@ module ActionDispatch
 
       # Returns the value for the given key mapped to @env.
       #
-      # If the key is not found and an optional code block is not provided,
-      # raises a <tt>KeyError</tt> exception.
+      # If the key is not found and an optional code block is not provided, raises a
+      # `KeyError` exception.
       #
-      # If the code block is provided, then it will be run and
-      # its result returned.
+      # If the code block is provided, then it will be run and its result returned.
       def fetch(key, default = DEFAULT)
         @req.fetch_header(env_name(key)) do
           return default unless default == DEFAULT
@@ -99,16 +100,15 @@ module ActionDispatch
       end
 
       # Returns a new Http::Headers instance containing the contents of
-      # <tt>headers_or_env</tt> and the original instance.
+      # `headers_or_env` and the original instance.
       def merge(headers_or_env)
         headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
 
-      # Adds the contents of <tt>headers_or_env</tt> to original instance
-      # entries; duplicate keys are overwritten with the values from
-      # <tt>headers_or_env</tt>.
+      # Adds the contents of `headers_or_env` to original instance entries; duplicate
+      # keys are overwritten with the values from `headers_or_env`.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
           @req.set_header env_name(key), value
@@ -118,8 +118,8 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-        # Converts an HTTP header name to an environment variable name if it is
-        # not contained within the headers hash.
+        # Converts an HTTP header name to an environment variable name if it is not
+        # contained within the headers hash.
         def env_name(key)
           key = key.to_s
           if HTTP_HEADER.match?(key)

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/module/attribute_accessors"
 
 module ActionDispatch
@@ -16,23 +18,9 @@ module ActionDispatch
 
       included do
         mattr_accessor :ignore_accept_header, default: false
-
-        def return_only_media_type_on_content_type=(value)
-          ActionDispatch.deprecator.warn(
-            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
-              " be removed in Rails 7.2."
-          )
-        end
-
-        def return_only_media_type_on_content_type
-          ActionDispatch.deprecator.warn(
-            "`config.action_dispatch.return_only_request_media_type_on_content_type` is deprecated and will" \
-            " be removed in Rails 7.2."
-          )
-        end
       end
 
-      # The MIME type of the HTTP request, such as Mime[:xml].
+      # The MIME type of the HTTP request, such as [Mime](:xml).
       def content_mime_type
         fetch_header("action_dispatch.request.content_type") do |k|
           v = if get_header("CONTENT_TYPE") =~ /^([^,;]*)/
@@ -66,11 +54,11 @@ module ActionDispatch
         end
       end
 
-      # Returns the MIME type for the \format used in the request.
+      # Returns the MIME type for the format used in the request.
       #
-      #   GET /posts/5.xml   | request.format => Mime[:xml]
-      #   GET /posts/5.xhtml | request.format => Mime[:html]
-      #   GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
+      #     GET /posts/5.xml   | request.format => Mime[:xml]
+      #     GET /posts/5.xhtml | request.format => Mime[:html]
+      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(_view_path = nil)
         formats.first || Mime::NullType.instance
@@ -98,7 +86,7 @@ module ActionDispatch
         end
       end
 
-      # Sets the \variant for template.
+      # Sets the variant for template.
       def variant=(variant)
         variant = Array(variant)
 
@@ -113,36 +101,37 @@ module ActionDispatch
         @variant ||= ActiveSupport::ArrayInquirer.new
       end
 
-      # Sets the \format by string extension, which can be used to force custom formats
+      # Sets the format by string extension, which can be used to force custom formats
       # that are not controlled by the extension.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone
       #
-      #     private
-      #       def adjust_format_for_iphone
-      #         request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone
+      #           request.format = :iphone if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def format=(extension)
         parameters[:format] = extension.to_s
         set_header "action_dispatch.request.formats", [Mime::Type.lookup_by_extension(parameters[:format])]
       end
 
-      # Sets the \formats by string extensions. This differs from #format= by allowing you
-      # to set multiple, ordered formats, which is useful when you want to have a fallback.
+      # Sets the formats by string extensions. This differs from #format= by allowing
+      # you to set multiple, ordered formats, which is useful when you want to have a
+      # fallback.
       #
-      # In this example, the +:iphone+ format will be used if it's available, otherwise it'll fall back
-      # to the +:html+ format.
+      # In this example, the `:iphone` format will be used if it's available,
+      # otherwise it'll fall back to the `:html` format.
       #
-      #   class ApplicationController < ActionController::Base
-      #     before_action :adjust_format_for_iphone_with_html_fallback
+      #     class ApplicationController < ActionController::Base
+      #       before_action :adjust_format_for_iphone_with_html_fallback
       #
-      #     private
-      #       def adjust_format_for_iphone_with_html_fallback
-      #         request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
-      #       end
-      #   end
+      #       private
+      #         def adjust_format_for_iphone_with_html_fallback
+      #           request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/]
+      #         end
+      #     end
       def formats=(extensions)
         parameters[:format] = extensions.first.to_s
         set_header "action_dispatch.request.formats", extensions.collect { |extension|
@@ -168,8 +157,8 @@ module ActionDispatch
       end
 
       private
-        # We use normal content negotiation unless you include */* in your list,
-        # in which case we assume you're a browser and send HTML.
+        # We use normal content negotiation unless you include **/** in your list, in
+        # which case we assume you're a browser and send HTML.
         BROWSER_LIKE_ACCEPTS = /,\s*\*\/\*|\*\/\*\s*,/
 
         def params_readable?

data/lib/action_dispatch/http/mime_type.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "singleton"
 
 module Mime
@@ -65,19 +67,20 @@ module Mime
     end
   end
 
-  # Encapsulates the notion of a MIME type. Can be used at render time, for example, with:
+  # Encapsulates the notion of a MIME type. Can be used at render time, for
+  # example, with:
   #
-  #   class PostsController < ActionController::Base
-  #     def show
-  #       @post = Post.find(params[:id])
+  #     class PostsController < ActionController::Base
+  #       def show
+  #         @post = Post.find(params[:id])
   #
-  #       respond_to do |format|
-  #         format.html
-  #         format.ics { render body: @post.to_ics, mime_type: Mime::Type.lookup("text/calendar")  }
-  #         format.xml { render xml: @post }
+  #         respond_to do |format|
+  #           format.html
+  #           format.ics { render body: @post.to_ics, mime_type: Mime::Type.lookup("text/calendar")  }
+  #           format.xml { render xml: @post }
+  #         end
   #       end
   #     end
-  #   end
   class Type
     attr_reader :symbol
 
@@ -154,7 +157,7 @@ module Mime
       TRAILING_STAR_REGEXP = /^(text|application)\/\*/
       # all media-type parameters need to be before the q-parameter
       # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2
-      PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/
+      PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/
       ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/
 
       def register_callback(&block)
@@ -162,16 +165,20 @@ module Mime
       end
 
       def lookup(string)
+        return LOOKUP[string] if LOOKUP.key?(string)
+
         # fallback to the media-type without parameters if it was not found
-        LOOKUP[string] || LOOKUP[string.split(";", 2)[0]&.rstrip] || Type.new(string)
+        string = string.split(";", 2)[0]&.rstrip
+        LOOKUP[string] || Type.new(string)
       end
 
       def lookup_by_extension(extension)
         EXTENSION_LOOKUP[extension.to_s]
       end
 
-      # Registers an alias that's not used on MIME type lookup, but can be referenced directly. Especially useful for
-      # rendering different HTML versions depending on the user agent, like an iPhone.
+      # Registers an alias that's not used on MIME type lookup, but can be referenced
+      # directly. Especially useful for rendering different HTML versions depending on
+      # the user agent, like an iPhone.
       def register_alias(string, symbol, extension_synonyms = [])
         register(string, symbol, [], extension_synonyms, true)
       end
@@ -193,7 +200,7 @@ module Mime
       def parse(accept_header)
         if !accept_header.include?(",")
           if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP))
-            accept_header = accept_header[0, index]
+            accept_header = accept_header[0, index].strip
           end
           return [] if accept_header.blank?
           parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
@@ -221,11 +228,11 @@ module Mime
         parse_data_with_trailing_star($1) if accept_header =~ TRAILING_STAR_REGEXP
       end
 
-      # For an input of <tt>'text'</tt>, returns <tt>[Mime[:json], Mime[:xml], Mime[:ics],
-      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]</tt>.
+      # For an input of `'text'`, returns `[Mime[:json], Mime[:xml], Mime[:ics],
+      # Mime[:html], Mime[:css], Mime[:csv], Mime[:js], Mime[:yaml], Mime[:text]]`.
       #
-      # For an input of <tt>'application'</tt>, returns <tt>[Mime[:html], Mime[:js],
-      # Mime[:xml], Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]</tt>.
+      # For an input of `'application'`, returns `[Mime[:html], Mime[:js], Mime[:xml],
+      # Mime[:yaml], Mime[:atom], Mime[:json], Mime[:rss], Mime[:url_encoded_form]]`.
       def parse_data_with_trailing_star(type)
         Mime::SET.select { |m| m.match?(type) }
       end
@@ -234,7 +241,7 @@ module Mime
       #
       # To unregister a MIME type:
       #
-      #   Mime::Type.unregister(:mobile)
+      #     Mime::Type.unregister(:mobile)
       def unregister(symbol)
         symbol = symbol.downcase
         if mime = Mime[symbol]
@@ -326,7 +333,7 @@ module Mime
       def to_ary; end
       def to_a; end
 
-      def method_missing(method, *args)
+      def method_missing(method, ...)
         if method.end_with?("?")
           method[0..-2].downcase.to_sym == to_sym
         else
@@ -350,9 +357,9 @@ module Mime
     def html?; true; end
   end
 
-  # ALL isn't a real MIME type, so we don't register it for lookup with the
-  # other concrete types. It's a wildcard match that we use for +respond_to+
-  # negotiation internals.
+  # ALL isn't a real MIME type, so we don't register it for lookup with the other
+  # concrete types. It's a wildcard match that we use for `respond_to` negotiation
+  # internals.
   ALL = AllType.instance
 
   class NullType
@@ -373,7 +380,7 @@ module Mime
         method.end_with?("?")
       end
 
-      def method_missing(method, *args)
+      def method_missing(method, ...)
         false if method.end_with?("?")
       end
   end

data/lib/action_dispatch/http/mime_types.rb

@@ -3,6 +3,8 @@
 # Build list of Mime types for HTTP responses
 # https://www.iana.org/assignments/media-types/
 
+# :markup: markdown
+
 Mime::Type.register "text/html", :html, %w( application/xhtml+xml ), %w( xhtml )
 Mime::Type.register "text/plain", :text, [], %w(txt)
 Mime::Type.register "text/javascript", :js, %w( application/javascript application/x-javascript )