actionpack 7.1.5.1 → 8.1.2

data/lib/action_dispatch/http/cache.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     module Cache
@@ -7,6 +9,8 @@ module ActionDispatch
         HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
         HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
 
+        mattr_accessor :strict_freshness, default: false
+
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
             Time.rfc2822(since) rescue nil
@@ -32,19 +36,140 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (+Last-Modified+ and ETag) against request
-        # +If-Modified-Since+ and +If-None-Match+ conditions. If both headers are
-        # supplied, both must match, or the request is not considered fresh.
+        # Check response freshness (`Last-Modified` and `ETag`) against request
+        # `If-Modified-Since` and `If-None-Match` conditions.
+        # If both headers are supplied, based on configuration, either `ETag` is preferred over `Last-Modified`
+        # or both are considered equally. You can adjust the preference with
+        # `config.action_dispatch.strict_freshness`.
+        # Reference: http://tools.ietf.org/html/rfc7232#section-6
         def fresh?(response)
-          last_modified = if_modified_since
-          etag          = if_none_match
+          if Request.strict_freshness
+            if if_none_match
+              etag_matches?(response.etag)
+            elsif if_modified_since
+              not_modified?(response.last_modified)
+            else
+              false
+            end
+          else
+            last_modified = if_modified_since
+            etag          = if_none_match
+
+            return false unless last_modified || etag
+
+            success = true
+            success &&= not_modified?(response.last_modified) if last_modified
+            success &&= etag_matches?(response.etag) if etag
+            success
+          end
+        end
+
+        def cache_control_directives
+          @cache_control_directives ||= CacheControlDirectives.new(get_header("HTTP_CACHE_CONTROL"))
+        end
 
-          return false unless last_modified || etag
+        # Represents the HTTP Cache-Control header for requests,
+        # providing methods to access various cache control directives
+        # Reference: https://www.rfc-editor.org/rfc/rfc9111.html#name-request-directives
+        class CacheControlDirectives
+          def initialize(cache_control_header)
+            @only_if_cached = false
+            @no_cache = false
+            @no_store = false
+            @no_transform = false
+            @max_age = nil
+            @max_stale = nil
+            @min_fresh = nil
+            @stale_if_error = false
+            parse_directives(cache_control_header)
+          end
+
+          # Returns true if the only-if-cached directive is present.
+          # This directive indicates that the client only wishes to obtain a
+          # stored response. If a valid stored response is not available,
+          # the server should respond with a 504 (Gateway Timeout) status.
+          def only_if_cached?
+            @only_if_cached
+          end
 
-          success = true
-          success &&= not_modified?(response.last_modified) if last_modified
-          success &&= etag_matches?(response.etag) if etag
-          success
+          # Returns true if the no-cache directive is present.
+          # This directive indicates that a cache must not use the response
+          # to satisfy subsequent requests without successful validation on the origin server.
+          def no_cache?
+            @no_cache
+          end
+
+          # Returns true if the no-store directive is present.
+          # This directive indicates that a cache must not store any part of the
+          # request or response.
+          def no_store?
+            @no_store
+          end
+
+          # Returns true if the no-transform directive is present.
+          # This directive indicates that a cache or proxy must not transform the payload.
+          def no_transform?
+            @no_transform
+          end
+
+          # Returns the value of the max-age directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose age is no greater than the specified number of seconds.
+          attr_reader :max_age
+
+          # Returns the value of the max-stale directive.
+          # When max-stale is present with a value, returns that integer value.
+          # When max-stale is present without a value, returns true (unlimited staleness).
+          # When max-stale is not present, returns nil.
+          attr_reader :max_stale
+
+          # Returns true if max-stale directive is present (with or without a value)
+          def max_stale?
+            !@max_stale.nil?
+          end
+
+          # Returns true if max-stale directive is present without a value (unlimited staleness)
+          def max_stale_unlimited?
+            @max_stale == true
+          end
+
+          # Returns the value of the min-fresh directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose freshness lifetime is no less than its current age plus the specified time in seconds.
+          attr_reader :min_fresh
+
+          # Returns the value of the stale-if-error directive.
+          # This directive indicates that the client is willing to accept a stale response
+          # if the check for a fresh one fails with an error for the specified number of seconds.
+          attr_reader :stale_if_error
+
+          private
+            def parse_directives(header_value)
+              return unless header_value
+
+              header_value.delete(" ").downcase.split(",").each do |directive|
+                name, value = directive.split("=", 2)
+
+                case name
+                when "max-age"
+                  @max_age = value.to_i
+                when "min-fresh"
+                  @min_fresh = value.to_i
+                when "stale-if-error"
+                  @stale_if_error = value.to_i
+                when "no-cache"
+                  @no_cache = true
+                when "no-store"
+                  @no_store = true
+                when "no-transform"
+                  @no_transform = true
+                when "only-if-cached"
+                  @only_if_cached = true
+                when "max-stale"
+                  @max_stale = value ? value.to_i : true
+                end
+              end
+            end
         end
       end
 
@@ -79,25 +204,24 @@ module ActionDispatch
           set_header DATE, utc_time.httpdate
         end
 
-        # This method sets a weak ETag validator on the response so browsers
-        # and proxies may cache the response, keyed on the ETag. On subsequent
-        # requests, the +If-None-Match+ header is set to the cached ETag. If it
-        # matches the current ETag, we can return a <tt>304 Not Modified</tt> response
-        # with no body, letting the browser or proxy know that their cache is
-        # current. Big savings in request time and network bandwidth.
+        # This method sets a weak ETag validator on the response so browsers and proxies
+        # may cache the response, keyed on the ETag. On subsequent requests, the
+        # `If-None-Match` header is set to the cached ETag. If it matches the current
+        # ETag, we can return a `304 Not Modified` response with no body, letting the
+        # browser or proxy know that their cache is current. Big savings in request time
+        # and network bandwidth.
         #
-        # Weak ETags are considered to be semantically equivalent but not
-        # byte-for-byte identical. This is perfect for browser caching of HTML
-        # pages where we don't care about exact equality, just what the user
-        # is viewing.
+        # Weak ETags are considered to be semantically equivalent but not byte-for-byte
+        # identical. This is perfect for browser caching of HTML pages where we don't
+        # care about exact equality, just what the user is viewing.
         #
-        # Strong ETags are considered byte-for-byte identical. They allow a
-        # browser or proxy cache to support +Range+ requests, useful for paging
-        # through a PDF file or scrubbing through a video. Some CDNs only
-        # support strong ETags and will ignore weak ETags entirely.
+        # Strong ETags are considered byte-for-byte identical. They allow a browser or
+        # proxy cache to support `Range` requests, useful for paging through a PDF file
+        # or scrubbing through a video. Some CDNs only support strong ETags and will
+        # ignore weak ETags entirely.
         #
-        # Weak ETags are what we almost always need, so they're the default.
-        # Check out #strong_etag= to provide a strong ETag validator.
+        # Weak ETags are what we almost always need, so they're the default. Check out
+        # #strong_etag= to provide a strong ETag validator.
         def etag=(weak_validators)
           self.weak_etag = weak_validators
         end
@@ -112,12 +236,13 @@ module ActionDispatch
 
         def etag?; etag; end
 
-        # True if an ETag is set, and it's a weak validator (preceded with <tt>W/</tt>).
+        # True if an ETag is set, and it's a weak validator (preceded with `W/`).
         def weak_etag?
           etag? && etag.start_with?('W/"')
         end
 
-        # True if an ETag is set, and it isn't a weak validator (not preceded with <tt>W/</tt>).
+        # True if an ETag is set, and it isn't a weak validator (not preceded with
+        # `W/`).
         def strong_etag?
           etag? && !weak_etag?
         end
@@ -125,7 +250,7 @@ module ActionDispatch
       private
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
-        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate must-understand])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -169,12 +294,13 @@ module ActionDispatch
         PUBLIC                = "public"
         PRIVATE               = "private"
         MUST_REVALIDATE       = "must-revalidate"
+        IMMUTABLE             = "immutable"
+        MUST_UNDERSTAND       = "must-understand"
 
         def handle_conditional_get!
-          # Normally default cache control setting is handled by ETag
-          # middleware. But, if an etag is already set, the middleware
-          # defaults to `no-cache` unless a default `Cache-Control` value is
-          # previously set. So, set a default one here.
+          # Normally default cache control setting is handled by ETag middleware. But, if
+          # an etag is already set, the middleware defaults to `no-cache` unless a default
+          # `Cache-Control` value is previously set. So, set a default one here.
           if (etag? || last_modified?) && !self._cache_control
             self._cache_control = DEFAULT_CACHE_CONTROL
           end
@@ -186,8 +312,8 @@ module ActionDispatch
           return if control.empty? && cache_control.empty?  # Let middleware handle default behavior
 
           if cache_control.any?
-            # Any caching directive coming from a controller overrides
-            # no-cache/no-store in the default Cache-Control header.
+            # Any caching directive coming from a controller overrides no-cache/no-store in
+            # the default Cache-Control header.
             control.delete(:no_cache)
             control.delete(:no_store)
 
@@ -204,6 +330,7 @@ module ActionDispatch
 
           if control[:no_store]
             options << PRIVATE if control[:private]
+            options << MUST_UNDERSTAND if control[:must_understand]
             options << NO_STORE
           elsif control[:no_cache]
             options << PUBLIC if control[:public]
@@ -220,6 +347,7 @@ module ActionDispatch
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
+            options << IMMUTABLE if control[:immutable]
             options.concat(extras) if extras
           end
 

data/lib/action_dispatch/http/content_disposition.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     class ContentDisposition # :nodoc:

data/lib/action_dispatch/http/content_security_policy.rb

@@ -1,28 +1,30 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/object/deep_dup"
 require "active_support/core_ext/array/wrap"
 
 module ActionDispatch # :nodoc:
-  # = Action Dispatch Content Security Policy
+  # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP
-  # {Content-Security-Policy}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy]
-  # response header to help protect against XSS and injection attacks.
+  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # response header to help protect against XSS and
+  # injection attacks.
   #
   # Example global policy:
   #
-  #   Rails.application.config.content_security_policy do |policy|
-  #     policy.default_src :self, :https
-  #     policy.font_src    :self, :https, :data
-  #     policy.img_src     :self, :https, :data
-  #     policy.object_src  :none
-  #     policy.script_src  :self, :https
-  #     policy.style_src   :self, :https
+  #     Rails.application.config.content_security_policy do |policy|
+  #       policy.default_src :self, :https
+  #       policy.font_src    :self, :https, :data
+  #       policy.img_src     :self, :https, :data
+  #       policy.object_src  :none
+  #       policy.script_src  :self, :https
+  #       policy.style_src   :self, :https
   #
-  #     # Specify URI for violation reports
-  #     policy.report_uri "/csp-violation-report-endpoint"
-  #   end
+  #       # Specify URI for violation reports
+  #       policy.report_uri "/csp-violation-report-endpoint"
+  #     end
   class ContentSecurityPolicy
     class InvalidDirectiveError < StandardError
     end
@@ -35,8 +37,8 @@ module ActionDispatch # :nodoc:
       def call(env)
         status, headers, _ = response = @app.call(env)
 
-        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the new
-        # CSP headers might not match nonces in the cached HTML.
+        # Returning CSP headers with a 304 Not Modified is harmful, since nonces in the
+        # new CSP headers might not match nonces in the cached HTML.
         return response if status == 304
 
         return response if policy_present?(headers)
@@ -126,6 +128,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      wasm_unsafe_eval: "'wasm-unsafe-eval'",
       unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
@@ -168,6 +171,8 @@ module ActionDispatch # :nodoc:
       worker_src:                 "worker-src"
     }.freeze
 
+    HASH_SOURCE_ALGORITHM_PREFIXES = ["sha256-", "sha384-", "sha512-"].freeze
+
     DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
     private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
@@ -193,14 +198,14 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether to prevent the user agent from loading any assets over
-    # HTTP when the page uses HTTPS:
+    # Specify whether to prevent the user agent from loading any assets over HTTP
+    # when the page uses HTTPS:
     #
-    #   policy.block_all_mixed_content
+    #     policy.block_all_mixed_content
     #
-    # Pass +false+ to allow it again:
+    # Pass `false` to allow it again:
     #
-    #   policy.block_all_mixed_content false
+    #     policy.block_all_mixed_content false
     #
     def block_all_mixed_content(enabled = true)
       if enabled
@@ -212,11 +217,11 @@ module ActionDispatch # :nodoc:
 
     # Restricts the set of plugins that can be embedded:
     #
-    #   policy.plugin_types "application/x-shockwave-flash"
+    #     policy.plugin_types "application/x-shockwave-flash"
     #
     # Leave empty to allow all plugins:
     #
-    #   policy.plugin_types
+    #     policy.plugin_types
     #
     def plugin_types(*types)
       if types.first
@@ -226,23 +231,23 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the {report-uri}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri]
-    # directive. Violation reports will be sent to the specified URI:
+    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # directive. Violation reports will be sent to the
+    # specified URI:
     #
-    #   policy.report_uri "/csp-violation-report-endpoint"
+    #     policy.report_uri "/csp-violation-report-endpoint"
     #
     def report_uri(uri)
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which {Subresource Integrity}[https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity]
-    # is required:
+    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
-    #   policy.require_sri_for :script, :style
+    #     policy.require_sri_for :script, :style
     #
     # Leave empty to not require Subresource Integrity:
     #
-    #   policy.require_sri_for
+    #     policy.require_sri_for
     #
     def require_sri_for(*types)
       if types.first
@@ -252,18 +257,18 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a {sandbox}[https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox]
+    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
-    #   policy.sandbox
+    #     policy.sandbox
     #
     # Values can be passed as arguments:
     #
-    #   policy.sandbox "allow-scripts", "allow-modals"
+    #     policy.sandbox "allow-scripts", "allow-modals"
     #
-    # Pass +false+ to disable the sandbox:
+    # Pass `false` to disable the sandbox:
     #
-    #   policy.sandbox false
+    #     policy.sandbox false
     #
     def sandbox(*values)
       if values.empty?
@@ -277,11 +282,11 @@ module ActionDispatch # :nodoc:
 
     # Specify whether user agents should treat any assets over HTTP as HTTPS:
     #
-    #   policy.upgrade_insecure_requests
+    #     policy.upgrade_insecure_requests
     #
-    # Pass +false+ to disable it:
+    # Pass `false` to disable it:
     #
-    #   policy.upgrade_insecure_requests false
+    #     policy.upgrade_insecure_requests false
     #
     def upgrade_insecure_requests(enabled = true)
       if enabled
@@ -302,7 +307,13 @@ module ActionDispatch # :nodoc:
           case source
           when Symbol
             apply_mapping(source)
-          when String, Proc
+          when String
+            if hash_source?(source)
+              "'#{source}'"
+            else
+              source
+            end
+          when Proc
             source
           else
             raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
@@ -371,5 +382,9 @@ module ActionDispatch # :nodoc:
       def nonce_directive?(directive, nonce_directives)
         nonce_directives.include?(directive)
       end
+
+      def hash_source?(source)
+        source.start_with?(*HASH_SOURCE_ALGORITHM_PREFIXES)
+      end
   end
 end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -1,22 +1,27 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/parameter_filter"
 
 module ActionDispatch
   module Http
-    # = Action Dispatch HTTP Filter Parameters
+    # # Action Dispatch HTTP Filter Parameters
     #
     # Allows you to specify sensitive query string and POST parameters to filter
     # from the request log.
     #
-    #   # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
-    #   env["action_dispatch.parameter_filter"] = [:foo, "bar"]
+    #     # Replaces values with "[FILTERED]" for keys that match /foo|bar/i.
+    #     env["action_dispatch.parameter_filter"] = [:foo, "bar"]
     #
-    # For more information about filter behavior, see ActiveSupport::ParameterFilter.
+    # For more information about filter behavior, see
+    # ActiveSupport::ParameterFilter.
     module FilterParameters
-      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
+      # :stopdoc:
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"]
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH
+      # :startdoc:
 
       def initialize
         super
@@ -43,7 +48,8 @@ module ActionDispatch
         @filtered_path ||= query_string.empty? ? path : "#{path}?#{filtered_query_string}"
       end
 
-      # Returns the +ActiveSupport::ParameterFilter+ object used to filter in this request.
+      # Returns the `ActiveSupport::ParameterFilter` object used to filter in this
+      # request.
       def parameter_filter
         @parameter_filter ||= if has_header?("action_dispatch.parameter_filter")
           parameter_filter_for get_header("action_dispatch.parameter_filter")

data/lib/action_dispatch/http/filter_redirect.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
     module FilterRedirect
@@ -9,7 +11,7 @@ module ActionDispatch
         if location_filter_match?
           FILTERED
         else
-          location
+          parameter_filtered_location
         end
       end
 
@@ -31,6 +33,25 @@ module ActionDispatch
           end
         end
       end
+
+      def parameter_filtered_location
+        uri = URI.parse(location)
+        unless uri.query.nil? || uri.query.empty?
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
+          end
+          uri.query = filtered_parts.join("")
+        end
+        uri.to_s
+      rescue URI::Error
+        FILTERED
+      end
     end
   end
 end

data/lib/action_dispatch/http/headers.rb

@@ -1,28 +1,30 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
   module Http
-    # = Action Dispatch HTTP \Headers
+    # # Action Dispatch HTTP Headers
     #
     # Provides access to the request's HTTP headers from the environment.
     #
-    #   env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
-    #   headers = ActionDispatch::Http::Headers.from_hash(env)
-    #   headers["Content-Type"] # => "text/plain"
-    #   headers["User-Agent"] # => "curl/7.43.0"
+    #     env     = { "CONTENT_TYPE" => "text/plain", "HTTP_USER_AGENT" => "curl/7.43.0" }
+    #     headers = ActionDispatch::Http::Headers.from_hash(env)
+    #     headers["Content-Type"] # => "text/plain"
+    #     headers["User-Agent"] # => "curl/7.43.0"
     #
     # Also note that when headers are mapped to CGI-like variables by the Rack
     # server, both dashes and underscores are converted to underscores. This
     # ambiguity cannot be resolved at this stage anymore. Both underscores and
     # dashes have to be interpreted as if they were originally sent as dashes.
     #
-    #   # GET / HTTP/1.1
-    #   # ...
-    #   # User-Agent: curl/7.43.0
-    #   # X_Custom_Header: token
+    #     # GET / HTTP/1.1
+    #     # ...
+    #     # User-Agent: curl/7.43.0
+    #     # X_Custom_Header: token
     #
-    #   headers["X_Custom_Header"] # => nil
-    #   headers["X-Custom-Header"] # => "token"
+    #     headers["X_Custom_Header"] # => nil
+    #     headers["X-Custom-Header"] # => "token"
     class Headers
       CGI_VARIABLES = Set.new(%W[
         AUTH_TYPE
@@ -67,7 +69,7 @@ module ActionDispatch
         @req.set_header env_name(key), value
       end
 
-      # Add a value to a multivalued header like +Vary+ or +Accept-Encoding+.
+      # Add a value to a multivalued header like `Vary` or `Accept-Encoding`.
       def add(key, value)
         @req.add_header env_name(key), value
       end
@@ -81,11 +83,10 @@ module ActionDispatch
 
       # Returns the value for the given key mapped to @env.
       #
-      # If the key is not found and an optional code block is not provided,
-      # raises a <tt>KeyError</tt> exception.
+      # If the key is not found and an optional code block is not provided, raises a
+      # `KeyError` exception.
       #
-      # If the code block is provided, then it will be run and
-      # its result returned.
+      # If the code block is provided, then it will be run and its result returned.
       def fetch(key, default = DEFAULT)
         @req.fetch_header(env_name(key)) do
           return default unless default == DEFAULT
@@ -99,16 +100,15 @@ module ActionDispatch
       end
 
       # Returns a new Http::Headers instance containing the contents of
-      # <tt>headers_or_env</tt> and the original instance.
+      # `headers_or_env` and the original instance.
       def merge(headers_or_env)
         headers = @req.dup.headers
         headers.merge!(headers_or_env)
         headers
       end
 
-      # Adds the contents of <tt>headers_or_env</tt> to original instance
-      # entries; duplicate keys are overwritten with the values from
-      # <tt>headers_or_env</tt>.
+      # Adds the contents of `headers_or_env` to original instance entries; duplicate
+      # keys are overwritten with the values from `headers_or_env`.
       def merge!(headers_or_env)
         headers_or_env.each do |key, value|
           @req.set_header env_name(key), value
@@ -118,8 +118,8 @@ module ActionDispatch
       def env; @req.env.dup; end
 
       private
-        # Converts an HTTP header name to an environment variable name if it is
-        # not contained within the headers hash.
+        # Converts an HTTP header name to an environment variable name if it is not
+        # contained within the headers hash.
         def env_name(key)
           key = key.to_s
           if HTTP_HEADER.match?(key)