actionpack 7.2.1.1 → 8.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa5e422c3ae8a04f0fac4410c72203218277a1b813047ad3ce5aa3274eac5a0e
-  data.tar.gz: 19620a0b88f940ae2a3183dbf20828228ae3f8fb567d32e715ba92fd9ea29db8
+  metadata.gz: 4392b60cf6c4af7ed943daf2c4e438440689b8f869a859510b1e0e5808204cf2
+  data.tar.gz: ee9993b25b397af527f1730dc439a0425a81d4b03afb148e310dac8862003261
 SHA512:
-  metadata.gz: 27b3549782fe4594a04571356362c11a03a1bf9e368fbf49662a1514cc170ec01f85be5085ffe77e62e57435702637db27f0502c118b7084d90d05f00e0d7a1a
-  data.tar.gz: d8ba844e9b95cf76ebcbc899678b2752f5f3ddbf3cb81a4ac94c86ed1f4bb5d3fd471f701e69779f9aee99bbd0612f5aa2ddf79e75d32735aab436f58ef99cb7
+  metadata.gz: 2063ad6ca3243b066226af6a1d1ad616d808c48a18f80df374d02b064ad4839a971e4eff804321621d910111829b0c1130b5a05f5a44afabb380ec9f7d5985b7
+  data.tar.gz: f3f1e1ce84c47654f69cf3f3ada2afa48e412dac1b7a5abd10c4d0fc34b66b7574f2454410c323cfa26a000005da585815db8a27dc3f1e9c2a71a504b0f3021d

data/CHANGELOG.md

@@ -1,164 +1,135 @@
-## Rails 7.2.1.1 (October 15, 2024) ##
+## Rails 8.0.0.beta1 (September 26, 2024) ##
 
-*   Avoid regex backtracking in HTTP Token authentication
+*   Fix non-GET requests not updating cookies in `ActionController::TestCase`.
 
-    [CVE-2024-47887]
+    *Jon Moss*, *Hartley McGuire*
 
-*   Avoid regex backtracking in query parameter filtering
+*   Update `ActionController::Live` to use a thread-pool to reuse threads across requests.
 
-    [CVE-2024-41128]
+    *Adam Renberg Tamm*
 
-## Rails 7.2.1 (August 22, 2024) ##
+*   Introduce safer, more explicit params handling method with `params#expect` such that
+    `params.expect(table: [ :attr ])` replaces `params.require(:table).permit(:attr)`
 
-*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
-
-    *Hartley McGuire*
-
-
-## Rails 7.2.0 (August 09, 2024) ##
-
-*   Allow bots to ignore `allow_browser`.
-
-    *Matthew Nguyen*
-
-*   Include the HTTP Permissions-Policy on non-HTML Content-Types
-    [CVE-2024-28103]
-
-    *Aaron Patterson*, *Zack Deveau*
-
-*   Fix `Mime::Type.parse` handling type parameters for HTTP Accept headers.
-
-    *Taylor Chaparro*
-
-*   Fix the error page that is displayed when a view template is missing to account for nested controller paths in the
-    suggested correct location for the missing template.
-
-    *Joshua Young*
-
-*   Add `save_and_open_page` helper to `IntegrationTest`.
-
-    `save_and_open_page` is a helpful helper to keep a short feedback loop when working on system tests.
-    A similar helper with matching signature has been added to integration tests.
-
-    *Joé Dupuis*
-
-*   Fix a regression in 7.1.3 passing a `to:` option without a controller when the controller is already defined by a scope.
+    Ensures params are filtered with consideration for the expected
+    types of values, improving handling of params and avoiding ignorable
+    errors caused by params tampering.
 
     ```ruby
-    Rails.application.routes.draw do
-      controller :home do
-        get "recent", to: "recent_posts"
-      end
-    end
+    # If the url is altered to ?person=hacked
+    # Before
+    params.require(:person).permit(:name, :age, pets: [:name])
+    # raises NoMethodError, causing a 500 and potential error reporting
+
+    # After
+    params.expect(person: [ :name, :age, pets: [[:name]] ])
+    # raises ActionController::ParameterMissing, correctly returning a 400 error
     ```
 
-    *Étienne Barrié*
-
-*   Request Forgery takes relative paths into account.
-
-    *Stefan Wienert*
+    You may also notice the new double array `[[:name]]`. In order to
+    declare when a param is expected to be an array of parameter hashes,
+    this new double array syntax is used to explicitly declare an array.
+    `expect` requires you to declare expected arrays in this way, and will
+    ignore arrays that are passed when, for example, `pet: [:name]` is used.
 
-*   Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.
+    In order to preserve compatibility, `permit` does not adopt the new
+    double array syntax and is therefore more permissive about unexpected
+    types. Using `expect` everywhere is recommended.
 
-    *DHH*
+    We suggest replacing `params.require(:person).permit(:name, :age)`
+    with the direct replacement `params.expect(person: [:name, :age])`
+    to prevent external users from manipulating params to trigger 500
+    errors. A 400 error will be returned instead, using public/400.html
 
-*   Add `allow_browser` to set minimum browser versions for the application.
-
-    A browser that's blocked will by default be served the file in `public/406-unsupported-browser.html` with a HTTP status code of "406 Not Acceptable".
+    Usage of `params.require(:id)` should likewise be replaced with
+    `params.expect(:id)` which is designed to ensure that `params[:id]`
+    is a scalar and not an array or hash, also requiring the param.
 
     ```ruby
-    class ApplicationController < ActionController::Base
-      # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
-      allow_browser versions: :modern
-    end
-
-    class ApplicationController < ActionController::Base
-      # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
-      allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
-    end
-
-    class MessagesController < ApplicationController
-      # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
-      allow_browser versions: { opera: 104, chrome: 119 }, only: :show
-    end
-    ```
-
-    *DHH*
+    # Before
+    User.find(params.require(:id)) # allows an array, altering behavior
 
-*   Add rate limiting API.
-
-    ```ruby
-    class SessionsController < ApplicationController
-      rate_limit to: 10, within: 3.minutes, only: :create
-    end
-
-    class SignupsController < ApplicationController
-      rate_limit to: 1000, within: 10.seconds,
-        by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new
-    end
+    # After
+    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
     ```
 
-    *DHH*, *Jean Boussier*
+    *Martin Emde*
 
-*   Add `image/svg+xml` to the compressible content types of `ActionDispatch::Static`.
+*   System Testing: Disable Chrome's search engine choice by default in system tests.
 
-    *Georg Ledermann*
+    *glaszig*
 
-*   Add instrumentation for `ActionController::Live#send_stream`.
+*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
 
-    Allows subscribing to `send_stream` events. The event payload contains the filename, disposition, and type.
+    *Hartley McGuire*
 
-    *Hannah Ramadan*
+*   Remove `racc` dependency by manually writing `ActionDispatch::Journey::Scanner`.
 
-*   Add support for `with_routing` test helper in `ActionDispatch::IntegrationTest`.
+    *Gannon McGibbon*
+
+*   Speed up `ActionDispatch::Routing::Mapper::Scope#[]` by merging frame hashes.
 
     *Gannon McGibbon*
 
-*   Remove deprecated support to set `Rails.application.config.action_dispatch.show_exceptions` to `true` and `false`.
+*   Allow bots to ignore `allow_browser`.
+
+    *Matthew Nguyen*
 
-    *Rafael Mendonça França*
+*   Deprecate drawing routes with multiple paths to make routing faster.
+    You may use `with_options` or a loop to make drawing multiple paths easier.
 
-*   Remove deprecated `speaker`, `vibrate`, and `vr` permissions policy directives.
+    ```ruby
+    # Before
+    get "/users", "/other_path", to: "users#index"
 
-    *Rafael Mendonça França*
+    # After
+    get "/users", to: "users#index"
+    get "/other_path", to: "users#index"
+    ```
 
-*   Remove deprecated `Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type`.
+    *Gannon McGibbon*
 
-    *Rafael Mendonça França*
+*   Make `http_cache_forever` use `immutable: true`
 
-*   Deprecate `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
+    *Nate Matykiewicz*
 
-    *Rafael Mendonça França*
+*   Add `config.action_dispatch.strict_freshness`.
 
-*   Remove deprecated comparison between `ActionController::Parameters` and `Hash`.
+    When set to `true`, the `ETag` header takes precedence over the `Last-Modified` header when both are present,
+    as specified by RFC 7232, Section 6.
 
-    *Rafael Mendonça França*
+    Defaults to `false` to maintain compatibility with previous versions of Rails, but is enabled as part of
+    Rails 8.0 defaults.
 
-*   Remove deprecated constant `AbstractController::Helpers::MissingHelperError`.
+    *heka1024*
 
-    *Rafael Mendonça França*
+*   Support `immutable` directive in Cache-Control
 
-*   Fix a race condition that could cause a `Text file busy - chromedriver`
-    error with parallel system tests.
+    ```ruby
+    expires_in 1.minute, public: true, immutable: true
+    # Cache-Control: public, max-age=60, immutable
+    ```
 
-    *Matt Brictson*
+    *heka1024*
 
-*   Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
+*   Add `:wasm_unsafe_eval` mapping for `content_security_policy`
 
-    *Hartley McGuire*
-*   Remove deprecated constant `ActionDispatch::IllegalStateError`.
+    ```ruby
+    # Before
+    policy.script_src "'wasm-unsafe-eval'"
 
-    *Rafael Mendonça França*
+    # After
+    policy.script_src :wasm_unsafe_eval
+    ```
 
-*   Add parameter filter capability for redirect locations.
+    *Joe Haig*
 
-    It uses the `config.filter_parameters` to match what needs to be filtered.
-    The result would be like this:
+*   Add `display_capture` and `keyboard_map` in `permissions_policy`
 
-        Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
+    *Cyril Blaecke*
 
-    Fixes #14055.
+*   Add `connect` route helper.
 
-    *Roque Pinel*, *Trevor Turk*, *tonytonyjan*
+    *Samuel Williams*
 
-Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionpack/CHANGELOG.md) for previous changes.

data/lib/action_controller/api.rb

@@ -123,6 +123,7 @@ module ActionController
       BasicImplicitRender,
       StrongParameters,
       RateLimiting,
+      Caching,
 
       DataStreaming,
       DefaultHeaders,

data/lib/action_controller/metal/conditional_get.rb

@@ -76,8 +76,7 @@ module ActionController
     # `:cache_control`
     # :   When given, will overwrite an existing `Cache-Control` header. For a list
     #     of `Cache-Control` directives, see the [article on
-    #     MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Contr
-    #     ol).
+    #     MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control).
     #
     # `:template`
     # :   By default, the template digest for the current controller/action is
@@ -260,6 +259,9 @@ module ActionController
     # `:stale_if_error`
     # :   Sets the value of the `stale-if-error` directive.
     #
+    # `:immutable`
+    # :   If true, adds the `immutable` directive.
+    #
     #
     # Any additional key-value pairs are concatenated as directives. For a list of
     # supported `Cache-Control` directives, see the [article on
@@ -293,6 +295,7 @@ module ActionController
         must_revalidate: options.delete(:must_revalidate),
         stale_while_revalidate: options.delete(:stale_while_revalidate),
         stale_if_error: options.delete(:stale_if_error),
+        immutable: options.delete(:immutable),
       )
       options.delete(:private)
 
@@ -316,7 +319,7 @@ module ActionController
     #     user's web browser. To allow proxies to cache the response, set `true` to
     #     indicate that they can serve the cached response to all users.
     def http_cache_forever(public: false)
-      expires_in 100.years, public: public
+      expires_in 100.years, public: public, immutable: true
 
       yield if stale?(etag: request.fullpath,
                       last_modified: Time.new(2011, 1, 1).utc,

data/lib/action_controller/metal/http_authentication.rb

@@ -211,7 +211,7 @@ module ActionController
         end
       end
 
-      # Returns false on a valid response, true otherwise.
+      # Returns true on a valid response, false otherwise.
       def authenticate(request, realm, &password_procedure)
         request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
@@ -431,7 +431,7 @@ module ActionController
       module ControllerMethods
         # Authenticate using an HTTP Bearer token, or otherwise render an HTTP header
         # requesting the client to send a Bearer token. For the authentication to be
-        # considered successful, `login_procedure` should return a non-nil value.
+        # considered successful, `login_procedure` must not return a false value.
         # Typically, the authenticated user is returned.
         #
         # See ActionController::HttpAuthentication::Token for example usage.
@@ -513,11 +513,14 @@ module ActionController
         array_params.each { |param| (param[1] || +"").gsub! %r/^"|"$/, "" }
       end
 
+      WHITESPACED_AUTHN_PAIR_DELIMITERS = /\s*#{AUTHN_PAIR_DELIMITERS}\s*/
+      private_constant :WHITESPACED_AUTHN_PAIR_DELIMITERS
+
       # This method takes an authorization body and splits up the key-value pairs by
       # the standardized `:`, `;`, or `\t` delimiters defined in
       # `AUTHN_PAIR_DELIMITERS`.
       def raw_params(auth)
-        _raw_params = auth.sub(TOKEN_REGEX, "").split(AUTHN_PAIR_DELIMITERS).map(&:strip)
+        _raw_params = auth.sub(TOKEN_REGEX, "").split(WHITESPACED_AUTHN_PAIR_DELIMITERS)
         _raw_params.reject!(&:empty?)
 
         if !_raw_params.first&.start_with?(TOKEN_KEY)

data/lib/action_controller/metal/instrumentation.rb

@@ -2,7 +2,6 @@
 
 # :markup: markdown
 
-require "benchmark"
 require "abstract_controller/logger"
 
 module ActionController
@@ -29,7 +28,7 @@ module ActionController
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
-        Benchmark.ms { render_output = super }
+        ActiveSupport::Benchmark.realtime(:float_millisecond) { render_output = super }
       end
       render_output
     end

data/lib/action_controller/metal/live.rb

@@ -77,12 +77,15 @@ module ActionController
     # Writing an object will convert it into standard SSE format with whatever
     # options you have configured. You may choose to set the following options:
     #
-    #     1) Event. If specified, an event with this name will be dispatched on
-    #     the browser.
-    #     2) Retry. The reconnection time in milliseconds used when attempting
-    #     to send the event.
-    #     3) Id. If the connection dies while sending an SSE to the browser, then
-    #     the server will receive a +Last-Event-ID+ header with value equal to +id+.
+    # `:event`
+    # :   If specified, an event with this name will be dispatched on the browser.
+    #
+    # `:retry`
+    # :   The reconnection time in milliseconds used when attempting to send the event.
+    #
+    # `:id`
+    # :   If the connection dies while sending an SSE to the browser, then the
+    #     server will receive a `Last-Event-ID` header with value equal to `id`.
     #
     # After setting an option in the constructor of the SSE object, all future SSEs
     # sent across the stream will use those options unless overridden.
@@ -304,6 +307,10 @@ module ActionController
               error = e
             end
           ensure
+            # Ensure we clean up any thread locals we copied so that the thread can reused.
+            ActiveSupport::IsolatedExecutionState.clear
+            locals.each { |k, _| t2[k] = nil }
+
             @_response.commit!
           end
         end
@@ -368,11 +375,15 @@ module ActionController
       # data from the response bodies. Nobody should call this method except in Rails
       # internals. Seriously!
       def new_controller_thread # :nodoc:
-        Thread.new {
+        ActionController::Live.live_thread_pool_executor.post do
           t2 = Thread.current
           t2.abort_on_exception = true
           yield
-        }
+        end
+      end
+
+      def self.live_thread_pool_executor
+        @live_thread_pool_executor ||= Concurrent::CachedThreadPool.new(name: "action_controller.live")
       end
 
       def log_error(exception)

data/lib/action_controller/metal/rate_limiting.rb

@@ -29,6 +29,9 @@ module ActionController # :nodoc:
       # datastore as your general caches, you can pass a custom store in the `store`
       # parameter.
       #
+      # If you want to use multiple rate limits per controller, you need to give each of
+      # them and explicit name via the `name:` option.
+      #
       # Examples:
       #
       #     class SessionsController < ApplicationController
@@ -44,14 +47,20 @@ module ActionController # :nodoc:
       #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
       #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
       #     end
-      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
-        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 3, within: 2.seconds, name: "short-term"
+      #       rate_limit to: 10, within: 5.minutes, name: "long-term"
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, name: nil, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name) }, **options
       end
     end
 
     private
-      def rate_limiting(to:, within:, by:, with:, store:)
-        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+      def rate_limiting(to:, within:, by:, with:, store:, name:)
+        cache_key = ["rate-limit", controller_path, name, instance_exec(&by)].compact.join(":")
+        count = store.increment(cache_key, 1, expires_in: within)
         if count && count > to
           ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
             instance_exec(&with)

data/lib/action_controller/metal/renderers.rb

@@ -154,7 +154,8 @@ module ActionController
     end
 
     add :json do |json, options|
-      json = json.to_json(options) unless json.kind_of?(String)
+      json_options = options.except(:callback, :content_type, :status)
+      json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?
         if media_type.nil? || media_type == Mime[:json]

data/lib/action_controller/metal/streaming.rb

@@ -165,95 +165,16 @@ module ActionController # :nodoc:
   #
   # ## Web server support
   #
-  # Not all web servers support streaming out-of-the-box. You need to check the
-  # instructions for each of them.
-  #
-  # #### Unicorn
-  #
-  # Unicorn supports streaming but it needs to be configured. For this, you need
-  # to create a config file as follow:
-  #
-  #     # unicorn.config.rb
-  #     listen 3000, tcp_nopush: false
-  #
-  # And use it on initialization:
-  #
-  #     unicorn_rails --config-file unicorn.config.rb
-  #
-  # You may also want to configure other parameters like `:tcp_nodelay`.
-  #
-  # For more information, please check the
-  # [documentation](https://bogomips.org/unicorn/Unicorn/Configurator.html#method-
-  # i-listen).
-  #
-  # If you are using Unicorn with NGINX, you may need to tweak NGINX. Streaming
-  # should work out of the box on Rainbows.
-  #
-  # #### Passenger
-  #
-  # Phusion Passenger with NGINX, offers two streaming mechanisms out of the box.
-  #
-  # 1.  NGINX response buffering mechanism which is dependent on the value of
-  #     `passenger_buffer_response` option (default is "off").
-  # 2.  Passenger buffering system which is always 'on' irrespective of the value
-  #     of `passenger_buffer_response`.
-  #
-  #
-  # When `passenger_buffer_response` is turned "on", then streaming would be done
-  # at the NGINX level which waits until the application is done sending the
-  # response back to the client.
-  #
-  # For more information, please check the [documentation]
-  # (https://www.phusionpassenger.com/docs/references/config_reference/nginx/#passenger_buffer_response).
+  # Rack 3+ compatible servers all support streaming.
   module Streaming
-    class Body # :nodoc:
-      TERM = "\r\n"
-      TAIL = "0#{TERM}"
-
-      # Store the response body to be chunked.
-      def initialize(body)
-        @body = body
-      end
-
-      # For each element yielded by the response body, yield the element in chunked
-      # encoding.
-      def each(&block)
-        term = TERM
-        @body.each do |chunk|
-          size = chunk.bytesize
-          next if size == 0
-
-          yield [size.to_s(16), term, chunk.b, term].join
-        end
-        yield TAIL
-        yield term
-      end
-
-      # Close the response body if the response body supports it.
-      def close
-        @body.close if @body.respond_to?(:close)
-      end
-    end
-
     private
-      # Set proper cache control and transfer encoding when streaming
-      def _process_options(options)
-        super
-        if options[:stream]
-          if request.version == "HTTP/1.0"
-            options.delete(:stream)
-          else
-            headers["Cache-Control"] ||= "no-cache"
-            headers["Transfer-Encoding"] = "chunked"
-            headers.delete("Content-Length")
-          end
-        end
-      end
-
       # Call render_body if we are streaming instead of usual `render`.
       def _render_template(options)
         if options.delete(:stream)
-          Body.new view_renderer.render_body(view_context, options)
+          # It shoudn't be necessary to set this.
+          headers["cache-control"] ||= "no-cache"
+
+          view_renderer.render_body(view_context, options)
         else
           super
         end