actionpack 7.1.5.1 → 8.1.2

data/lib/action_dispatch/middleware/ssl.rb

@@ -1,57 +1,70 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionDispatch
-  # = Action Dispatch \SSL
+  # # Action Dispatch SSL
+  #
+  # This middleware is added to the stack when `config.force_ssl = true`, and is
+  # passed the options set in `config.ssl_options`. It does three jobs to enforce
+  # secure HTTP requests:
+  #
+  # 1.  **TLS redirect**: Permanently redirects `http://` requests to `https://`
+  #     with the same URL host, path, etc. Enabled by default. Set
+  #     `config.ssl_options` to modify the destination URL:
+  #
+  #         config.ssl_options = { redirect: { host: "secure.widgets.com", port: 8080 }`
   #
-  # This middleware is added to the stack when <tt>config.force_ssl = true</tt>, and is passed
-  # the options set in +config.ssl_options+. It does three jobs to enforce secure HTTP
-  # requests:
+  #     Or set `redirect: false` to disable redirection.
   #
-  # 1. <b>TLS redirect</b>: Permanently redirects +http://+ requests to +https://+
-  #    with the same URL host, path, etc. Enabled by default. Set +config.ssl_options+
-  #    to modify the destination URL
-  #    (e.g. <tt>redirect: { host: "secure.widgets.com", port: 8080 }</tt>), or set
-  #    <tt>redirect: false</tt> to disable this feature.
+  #     Requests can opt-out of redirection with `exclude`:
   #
-  #    Requests can opt-out of redirection with +exclude+:
+  #         config.ssl_options = { redirect: { exclude: -> request { request.path == "/up" } } }
   #
-  #      config.ssl_options = { redirect: { exclude: -> request { /healthcheck/.match?(request.path) } } }
+  #     Cookies will not be flagged as secure for excluded requests.
   #
-  #    Cookies will not be flagged as secure for excluded requests.
+  #     When proxying through a load balancer that terminates SSL, the forwarded
+  #     request will appear as though it's HTTP instead of HTTPS to the application.
+  #     This makes redirects and cookie security target HTTP instead of HTTPS.
+  #     To make the server assume that the proxy already terminated SSL, and
+  #     that the request really is HTTPS, set `config.assume_ssl` to `true`:
   #
-  # 2. <b>Secure cookies</b>: Sets the +secure+ flag on cookies to tell browsers they
-  #    must not be sent along with +http://+ requests. Enabled by default. Set
-  #    +config.ssl_options+ with <tt>secure_cookies: false</tt> to disable this feature.
+  #         config.assume_ssl = true
   #
-  # 3. <b>HTTP Strict Transport Security (HSTS)</b>: Tells the browser to remember
-  #    this site as TLS-only and automatically redirect non-TLS requests.
-  #    Enabled by default. Configure +config.ssl_options+ with <tt>hsts: false</tt> to disable.
+  # 2.  **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
+  #     they must not be sent along with `http://` requests. Enabled by default.
+  #     Set `config.ssl_options` with `secure_cookies: false` to disable this
+  #     feature.
   #
-  #    Set +config.ssl_options+ with <tt>hsts: { ... }</tt> to configure HSTS:
+  # 3.  **HTTP Strict Transport Security (HSTS)**: Tells the browser to remember
+  #     this site as TLS-only and automatically redirect non-TLS requests. Enabled
+  #     by default. Configure `config.ssl_options` with `hsts: false` to disable.
   #
-  #    * +expires+: How long, in seconds, these settings will stick. The minimum
-  #      required to qualify for browser preload lists is 1 year. Defaults to
-  #      2 years (recommended).
+  #     Set `config.ssl_options` with `hsts: { ... }` to configure HSTS:
   #
-  #    * +subdomains+: Set to +true+ to tell the browser to apply these settings
-  #      to all subdomains. This protects your cookies from interception by a
-  #      vulnerable site on a subdomain. Defaults to +true+.
+  #     *   `expires`: How long, in seconds, these settings will stick. The
+  #         minimum required to qualify for browser preload lists is 1 year.
+  #         Defaults to 2 years (recommended).
   #
-  #    * +preload+: Advertise that this site may be included in browsers'
-  #      preloaded HSTS lists. HSTS protects your site on every visit <i>except the
-  #      first visit</i> since it hasn't seen your HSTS header yet. To close this
-  #      gap, browser vendors include a baked-in list of HSTS-enabled sites.
-  #      Go to https://hstspreload.org to submit your site for inclusion.
-  #      Defaults to +false+.
+  #     *   `subdomains`: Set to `true` to tell the browser to apply these
+  #         settings to all subdomains. This protects your cookies from
+  #         interception by a vulnerable site on a subdomain. Defaults to `true`.
+  #
+  #     *   `preload`: Advertise that this site may be included in browsers'
+  #         preloaded HSTS lists. HSTS protects your site on every visit *except
+  #         the first visit* since it hasn't seen your HSTS header yet. To close
+  #         this gap, browser vendors include a baked-in list of HSTS-enabled
+  #         sites. Go to https://hstspreload.org to submit your site for
+  #         inclusion. Defaults to `false`.
+  #
+  #
+  #     To turn off HSTS, omitting the header is not enough. Browsers will
+  #     remember the original HSTS directive until it expires. Instead, use the
+  #     header to tell browsers to expire HSTS immediately. Setting `hsts: false`
+  #     is a shortcut for `hsts: { expires: 0 }`.
   #
-  #    To turn off HSTS, omitting the header is not enough. Browsers will remember the
-  #    original HSTS directive until it expires. Instead, use the header to tell browsers to
-  #    expire HSTS immediately. Setting <tt>hsts: false</tt> is a shortcut for
-  #    <tt>hsts: { expires: 0 }</tt>.
   class SSL
-    # :stopdoc:
-
-    # Default to 2 years as recommended on hstspreload.org.
+    # :stopdoc: Default to 2 years as recommended on hstspreload.org.
     HSTS_EXPIRES_IN = 63072000
 
     PERMANENT_REDIRECT_REQUEST_METHODS = %w[GET HEAD] # :nodoc:
@@ -93,8 +106,8 @@ module ActionDispatch
 
       def normalize_hsts_options(options)
         case options
-        # Explicitly disabling HSTS clears the existing setting from browsers
-        # by setting expiry to 0.
+        # Explicitly disabling HSTS clears the existing setting from browsers by setting
+        # expiry to 0.
         when false
           self.class.default_hsts_options.merge(expires: 0)
         # Default to enabled, with default options.

data/lib/action_dispatch/middleware/stack.rb

@@ -1,13 +1,15 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/inflector/methods"
 require "active_support/dependencies"
 
 module ActionDispatch
-  # = Action Dispatch \MiddlewareStack
+  # # Action Dispatch MiddlewareStack
   #
-  # Read more about {Rails middleware
-  # stack}[https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack]
+  # Read more about [Rails middleware
+  # stack](https://guides.rubyonrails.org/rails_on_rack.html#action-dispatcher-middleware-stack)
   # in the guides.
   class MiddlewareStack
     class Middleware
@@ -47,9 +49,8 @@ module ActionDispatch
       end
     end
 
-    # This class is used to instrument the execution of a single middleware.
-    # It proxies the +call+ method transparently and instruments the method
-    # call.
+    # This class is used to instrument the execution of a single middleware. It
+    # proxies the `call` method transparently and instruments the method call.
     class InstrumentationProxy
       EVENT_NAME = "process_middleware.action_dispatch"
 
@@ -125,16 +126,16 @@ module ActionDispatch
 
     # Deletes a middleware from the middleware stack.
     #
-    # Returns the array of middlewares not including the deleted item, or
-    # returns nil if the target is not found.
+    # Returns the array of middlewares not including the deleted item, or returns
+    # nil if the target is not found.
     def delete(target)
       middlewares.reject! { |m| m.name == target.name }
     end
 
     # Deletes a middleware from the middleware stack.
     #
-    # Returns the array of middlewares not including the deleted item, or
-    # raises +RuntimeError+ if the target is not found.
+    # Returns the array of middlewares not including the deleted item, or raises
+    # `RuntimeError` if the target is not found.
     def delete!(target)
       delete(target) || (raise "No such middleware to remove: #{target.inspect}")
     end

data/lib/action_dispatch/middleware/static.rb

@@ -1,18 +1,20 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "rack/utils"
 
 module ActionDispatch
-  # = Action Dispatch \Static
+  # # Action Dispatch Static
   #
-  # This middleware serves static files from disk, if available.
-  # If no file is found, it hands off to the main app.
+  # This middleware serves static files from disk, if available. If no file is
+  # found, it hands off to the main app.
   #
-  # In \Rails apps, this middleware is configured to serve assets from
-  # the +public/+ directory.
+  # In Rails apps, this middleware is configured to serve assets from the
+  # `public/` directory.
   #
-  # Only GET and HEAD requests are served. POST and other HTTP methods
-  # are handed off to the main app.
+  # Only GET and HEAD requests are served. POST and other HTTP methods are handed
+  # off to the main app.
   #
   # Only files in the root directory are served; path traversal is denied.
   class Static
@@ -26,31 +28,31 @@ module ActionDispatch
     end
   end
 
-  # = Action Dispatch \FileHandler
+  # # Action Dispatch FileHandler
   #
-  # This endpoint serves static files from disk using +Rack::Files+.
+  # This endpoint serves static files from disk using `Rack::Files`.
   #
-  # URL paths are matched with static files according to expected
-  # conventions: +path+, +path+.html, +path+/index.html.
+  # URL paths are matched with static files according to expected conventions:
+  # `path`, `path`.html, `path`/index.html.
   #
-  # Precompressed versions of these files are checked first. Brotli (.br)
-  # and gzip (.gz) files are supported. If +path+.br exists, this
-  # endpoint returns that file with a <tt>content-encoding: br</tt> header.
+  # Precompressed versions of these files are checked first. Brotli (.br) and gzip
+  # (.gz) files are supported. If `path`.br exists, this endpoint returns that
+  # file with a `content-encoding: br` header.
   #
-  # If no matching file is found, this endpoint responds <tt>404 Not Found</tt>.
+  # If no matching file is found, this endpoint responds `404 Not Found`.
   #
-  # Pass the +root+ directory to search for matching files, an optional
-  # <tt>index: "index"</tt> to change the default +path+/index.html, and optional
-  # additional response headers.
+  # Pass the `root` directory to search for matching files, an optional `index:
+  # "index"` to change the default `path`/index.html, and optional additional
+  # response headers.
   class FileHandler
-    # +Accept-Encoding+ value -> file extension
+    # `Accept-Encoding` value -> file extension
     PRECOMPRESSED = {
       "br" => ".br",
       "gzip" => ".gz",
       "identity" => nil
     }
 
-    def initialize(root, index: "index", headers: {}, precompressed: %i[ br gzip ], compressible_content_types: /\A(?:text\/|application\/javascript)/)
+    def initialize(root, index: "index", headers: {}, precompressed: %i[ br gzip ], compressible_content_types: /\A(?:text\/|application\/javascript|image\/svg\+xml)/)
       @root = root.chomp("/").b
       @index = index
 
@@ -91,11 +93,11 @@ module ActionDispatch
 
       # Match a URI path to a static file to be served.
       #
-      # Used by the +Static+ class to negotiate a servable file in the
-      # +public/+ directory (see Static#call).
+      # Used by the `Static` class to negotiate a servable file in the `public/`
+      # directory (see Static#call).
       #
-      # Checks for +path+, +path+.html, and +path+/index.html files,
-      # in that order, including .br and .gzip compressed extensions.
+      # Checks for `path`, `path`.html, and `path`/index.html files, in that order,
+      # including .br and .gzip compressed extensions.
       #
       # If a matching file is found, the path and necessary response headers
       # (Content-Type, Content-Encoding) are returned.
@@ -120,11 +122,11 @@ module ActionDispatch
       def try_precompressed_files(filepath, headers, accept_encoding:)
         each_precompressed_filepath(filepath) do |content_encoding, precompressed_filepath|
           if file_readable? precompressed_filepath
-            # Identity encoding is default, so we skip Accept-Encoding
-            # negotiation and needn't set Content-Encoding.
+            # Identity encoding is default, so we skip Accept-Encoding negotiation and
+            # needn't set Content-Encoding.
             #
-            # Vary header is expected when we've found other available
-            # encodings that Accept-Encoding ruled out.
+            # Vary header is expected when we've found other available encodings that
+            # Accept-Encoding ruled out.
             if content_encoding == "identity"
               return precompressed_filepath, headers
             else
@@ -164,9 +166,9 @@ module ActionDispatch
         content_type = ::Rack::Mime.mime_type(ext, nil)
         yield path, content_type || "text/plain"
 
-        # Tack on .html and /index.html only for paths that don't have
-        # an explicit, resolvable file extension. No need to check
-        # for foo.js.html and foo.js/index.html.
+        # Tack on .html and /index.html only for paths that don't have an explicit,
+        # resolvable file extension. No need to check for foo.js.html and
+        # foo.js/index.html.
         unless content_type
           default_ext = ::ActionController::Base.default_static_extension
           if ext != default_ext

data/lib/action_dispatch/middleware/templates/rescues/_copy_button.html.erb

@@ -0,0 +1 @@
+<button onclick="copyAsText.bind(this)()">Copy as text</button>

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -11,8 +11,9 @@
           <tr>
             <td>
               <pre class="line_numbers">
-                <% source_extract[:code].each_key do |line_number| %>
-<span><%= line_number -%></span>
+                <% source_extract[:code].each_key do |line| %>
+                  <% file_url = editor_url(source_extract[:trace], line: line) %>
+<span><%= link_to_if file_url, line, file_url -%></span>
                 <% end %>
               </pre>
             </td>
@@ -28,9 +29,6 @@
           </tr>
         </table>
       </div>
-      <%- unless self.error_highlight_available? -%>
-        <p class="error_highlight_tip">Tip: You may want to add <code>gem 'error_highlight', '&gt;= 0.4.0'</code> into your Gemfile, which will display the fine-grained error location.</p>
-      <%- end -%>
     </div>
   <% end %>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -13,13 +13,17 @@
   <% end %>
 
   <% traces.each do |name, trace| %>
-    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
+    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" class="trace-container" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
       <code class="traces">
         <% trace.each do |frame| %>
-          <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
-            <%= frame[:trace] %>
-          </a>
-          <br>
+          <div class="trace">
+            <% file_url = editor_url(frame[:trace]) %>
+            <%= file_url && link_to("✏️", file_url, class: "edit-icon") %>
+            <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
+              <%= frame[:trace] %>
+            </a>
+            <br>
+          </div>
         <% end %>
       </code>
     </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -1,4 +1,5 @@
 <header>
+  <%= render "rescues/copy_button" %>
   <h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -1,4 +1,5 @@
 <header>
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception_wrapper.exception_class_name %>
     <% if params_valid? && @request.parameters['controller'] %>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception.class.to_s %>
     <% if @request.parameters['controller'] %>
@@ -10,6 +11,9 @@
 <main role="main" id="container">
   <h2>
     <%= h @exception.message %>
+    <% if defined?(ActionText) && @exception.message.match?(%r{#{ActionText::RichText.table_name}}) %>
+      <br />To resolve this issue run: bin/rails action_text:install
+    <% end %>
     <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
       <br />To resolve this issue run: bin/rails active_storage:install
     <% end %>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -4,6 +4,9 @@
 <% end %>
 
 <%= @exception.message %>
+<% if defined?(ActionText) && @exception.message.match?(%r{#{ActionText::RichText.table_name}}) %>
+To resolve this issue run: bin/rails action_text:install
+<% end %>
 <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
 To resolve this issue run: bin/rails active_storage:install
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -38,6 +38,22 @@
       padding: 0.5em 1.5em;
     }
 
+    header button {
+      appearance: none;
+      background-color: hsl(0 0% 0% / 0.2);
+      border: 0;
+      border-radius: 14px;
+      color: white;
+      float: right;
+      font-weight: 500;
+      height: 28px;
+      padding-inline: 14px;
+      margin: 0.35em 0;
+    }
+    header button:active {
+      background-color: hsl(0 0% 0% / 0.25);
+    }
+
     h1 {
       overflow-wrap: break-word;
       margin: 0.2em 0;
@@ -54,6 +70,30 @@
       font-size: 11px;
     }
 
+    .trace-container {
+      margin-top: 10px;
+    }
+
+    code.traces .trace {
+      display: flex;
+      align-items: center;
+      gap: 2px;
+    }
+
+    .edit-icon {
+      width: 16px;
+      height: 16px;
+      display: flex;
+      font-size: 13px;
+      align-items: center;
+      justify-content: center;
+      text-decoration: none;
+    }
+
+    .edit-icon:hover {
+      scale: 1.05;
+    }
+
     .response-heading, .request-heading {
       margin-top: 30px;
     }
@@ -274,11 +314,21 @@
     var toggleEnvDump = function() {
       return toggle('env_dump');
     }
+    var copyAsText = function() {
+      const text = document.getElementById("exception-message-for-copy").textContent;
+
+      navigator.clipboard.writeText(text).then(() => {
+        const beforeText = this.innerText;
+        this.innerText = "Copied!"
+        setTimeout(() => this.innerText = beforeText, 1000)
+      })
+    }
   </script>
 </head>
 <body>
 
   <%= yield %>
+  <script type="text/plain" id="exception-message-for-copy"><%= raw @exception_message_for_copy %></script>
 
 </body>
 </html>

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>No view template for interactive request</h1>
 </header>
 

data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Template is missing</h1>
 </header>
 

data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Routing Error</h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception_wrapper.exception_name %> in
     <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>

data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Unknown action</h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/middleware/templates/routes/_table.html.erb

@@ -158,7 +158,7 @@
     function buildTr(string) {
       var tr = document.createElement('tr');
       var th = document.createElement('th');
-      th.setAttribute('colspan', 4);
+      th.setAttribute('colspan', 5);
       tr.appendChild(th);
       th.innerText = string;
       return tr;

data/lib/action_dispatch/railtie.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "action_dispatch"
 require "action_dispatch/log_subscriber"
+require "action_dispatch/structured_event_subscriber"
 require "active_support/messages/rotation_configuration"
+require "rails/railtie"
 
 module ActionDispatch
   class Railtie < Rails::Railtie # :nodoc:
@@ -27,6 +31,11 @@ module ActionDispatch
     config.action_dispatch.request_id_header = ActionDispatch::Constants::X_REQUEST_ID
     config.action_dispatch.log_rescued_responses = true
     config.action_dispatch.debug_exception_log_level = :fatal
+    config.action_dispatch.strict_freshness = false
+
+    config.action_dispatch.ignore_leading_brackets = nil
+    config.action_dispatch.strict_query_string_separator = nil
+    config.action_dispatch.verbose_redirect_logs = false
 
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
@@ -49,11 +58,21 @@ module ActionDispatch
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+      unless app.config.action_dispatch.domain_extractor.nil?
+        ActionDispatch::Http::URL.domain_extractor = app.config.action_dispatch.domain_extractor
+      end
+
+      unless app.config.action_dispatch.ignore_leading_brackets.nil?
+        ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+      end
+      unless app.config.action_dispatch.strict_query_string_separator.nil?
+        ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+      end
+
+      ActionDispatch.verbose_redirect_logs = app.config.action_dispatch.verbose_redirect_logs
+
       ActiveSupport.on_load(:action_dispatch_request) do
         self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
-        unless app.config.action_dispatch.respond_to?(:return_only_request_media_type_on_content_type)
-          self.return_only_media_type_on_content_type = app.config.action_dispatch.return_only_request_media_type_on_content_type
-        end
         ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
       end
 
@@ -70,6 +89,7 @@ module ActionDispatch
 
       ActionDispatch::Routing::Mapper.route_source_locations = Rails.env.development?
 
+      ActionDispatch::Http::Cache::Request.strict_freshness = app.config.action_dispatch.strict_freshness
       ActionDispatch.test_app = app
     end
   end

data/lib/action_dispatch/request/session.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "rack/session/abstract/id"
 
 module ActionDispatch
@@ -107,8 +109,8 @@ module ActionDispatch
         end
       end
 
-      # Returns value of the key stored in the session or
-      # +nil+ if the given key is not found in the session.
+      # Returns value of the key stored in the session or `nil` if the given key is
+      # not found in the session.
       def [](key)
         load_for_read!
         key = key.to_s
@@ -120,8 +122,8 @@ module ActionDispatch
         end
       end
 
-      # Returns the nested value specified by the sequence of keys, returning
-      # +nil+ if any intermediate step is +nil+.
+      # Returns the nested value specified by the sequence of keys, returning `nil` if
+      # any intermediate step is `nil`.
       def dig(*keys)
         load_for_read!
         keys = keys.map.with_index { |key, i| i.zero? ? key.to_s : key }
@@ -153,6 +155,7 @@ module ActionDispatch
         load_for_write!
         @delegate[key.to_s] = value
       end
+      alias store []=
 
       # Clears the session.
       def clear
@@ -169,14 +172,14 @@ module ActionDispatch
 
       # Updates the session with given Hash.
       #
-      #   session.to_hash
-      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2"}
+      #     session.to_hash
+      #     # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2"}
       #
-      #   session.update({ "foo" => "bar" })
-      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
+      #     session.update({ "foo" => "bar" })
+      #     # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
       #
-      #   session.to_hash
-      #   # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
+      #     session.to_hash
+      #     # => {"session_id"=>"e29b9ea315edf98aad94cc78c34cc9b2", "foo" => "bar"}
       def update(hash)
         unless hash.respond_to?(:to_hash)
           raise TypeError, "no implicit conversion of #{hash.class.name} into Hash"
@@ -193,20 +196,20 @@ module ActionDispatch
         @delegate.delete key.to_s
       end
 
-      # Returns value of the given key from the session, or raises +KeyError+
-      # if can't find the given key and no default value is set.
-      # Returns default value if specified.
+      # Returns value of the given key from the session, or raises `KeyError` if can't
+      # find the given key and no default value is set. Returns default value if
+      # specified.
       #
-      #   session.fetch(:foo)
-      #   # => KeyError: key not found: "foo"
+      #     session.fetch(:foo)
+      #     # => KeyError: key not found: "foo"
       #
-      #   session.fetch(:foo, :bar)
-      #   # => :bar
+      #     session.fetch(:foo, :bar)
+      #     # => :bar
       #
-      #   session.fetch(:foo) do
-      #     :bar
-      #   end
-      #   # => :bar
+      #     session.fetch(:foo) do
+      #       :bar
+      #     end
+      #     # => :bar
       def fetch(key, default = Unspecified, &block)
         load_for_read!
         if default == Unspecified