actionpack 7.2.2.1 → 8.0.0.beta1

data/lib/action_dispatch/http/content_security_policy.rb

@@ -8,7 +8,8 @@ require "active_support/core_ext/array/wrap"
 module ActionDispatch # :nodoc:
   # # Action Dispatch Content Security Policy
   #
-  # Configures the HTTP [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  # Configures the HTTP [Content-Security-Policy]
+  # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
   # response header to help protect against XSS and
   # injection attacks.
   #
@@ -26,9 +27,6 @@ module ActionDispatch # :nodoc:
   #       policy.report_uri "/csp-violation-report-endpoint"
   #     end
   class ContentSecurityPolicy
-    class InvalidDirectiveError < StandardError
-    end
-
     class Middleware
       def initialize(app)
         @app = app
@@ -128,6 +126,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      wasm_unsafe_eval: "'wasm-unsafe-eval'",
       unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
@@ -228,7 +227,8 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Enable the [report-uri](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
+    # Enable the [report-uri]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri)
     # directive. Violation reports will be sent to the
     # specified URI:
     #
@@ -238,7 +238,8 @@ module ActionDispatch # :nodoc:
       @directives["report-uri"] = [uri]
     end
 
-    # Specify asset types for which [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
+    # Specify asset types for which [Subresource Integrity]
+    # (https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) is required:
     #
     #     policy.require_sri_for :script, :style
     #
@@ -254,7 +255,8 @@ module ActionDispatch # :nodoc:
       end
     end
 
-    # Specify whether a [sandbox](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
+    # Specify whether a [sandbox]
+    # (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox)
     # should be enabled for the requested resource:
     #
     #     policy.sandbox
@@ -322,9 +324,9 @@ module ActionDispatch # :nodoc:
         @directives.map do |directive, sources|
           if sources.is_a?(Array)
             if nonce && nonce_directive?(directive, nonce_directives)
-              "#{directive} #{build_directive(directive, sources, context).join(' ')} 'nonce-#{nonce}'"
+              "#{directive} #{build_directive(sources, context).join(' ')} 'nonce-#{nonce}'"
             else
-              "#{directive} #{build_directive(directive, sources, context).join(' ')}"
+              "#{directive} #{build_directive(sources, context).join(' ')}"
             end
           elsif sources
             directive
@@ -334,22 +336,8 @@ module ActionDispatch # :nodoc:
         end
       end
 
-      def validate(directive, sources)
-        sources.flatten.each do |source|
-          if source.include?(";") || source != source.gsub(/[[:space:]]/, "")
-            raise InvalidDirectiveError, <<~MSG.squish
-              Invalid Content Security Policy #{directive}: "#{source}".
-              Directive values must not contain whitespace or semicolons.
-              Please use multiple arguments or other directive methods instead.
-            MSG
-          end
-        end
-      end
-
-      def build_directive(directive, sources, context)
-        resolved_sources = sources.map { |source| resolve_source(source, context) }
-
-        validate(directive, resolved_sources)
+      def build_directive(sources, context)
+        sources.map { |source| resolve_source(source, context) }
       end
 
       def resolve_source(source, context)

data/lib/action_dispatch/http/filter_parameters.rb

@@ -68,17 +68,12 @@ module ActionDispatch
         ActiveSupport::ParameterFilter.new(filters)
       end
 
+      KV_RE   = "[^&;=]+"
+      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        parts = query_string.split(/([&;])/)
-        filtered_parts = parts.map do |part|
-          if part.include?("=")
-            key, value = part.split("=", 2)
-            parameter_filter.filter(key => value).first.join("=")
-          else
-            part
-          end
+        query_string.gsub(PAIR_RE) do |_|
+          parameter_filter.filter($1 => $2).first.join("=")
         end
-        filtered_parts.join("")
       end
     end
   end

data/lib/action_dispatch/http/filter_redirect.rb

@@ -37,16 +37,9 @@ module ActionDispatch
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          parts = uri.query.split(/([&;])/)
-          filtered_parts = parts.map do |part|
-            if part.include?("=")
-              key, value = part.split("=", 2)
-              request.parameter_filter.filter(key => value).first.join("=")
-            else
-              part
-            end
+          uri.query.gsub!(FilterParameters::PAIR_RE) do
+            request.parameter_filter.filter($1 => $2).first.join("=")
           end
-          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error

data/lib/action_dispatch/http/permissions_policy.rb

@@ -86,12 +86,14 @@ module ActionDispatch # :nodoc:
       ambient_light_sensor: "ambient-light-sensor",
       autoplay:             "autoplay",
       camera:               "camera",
+      display_capture:      "display-capture",
       encrypted_media:      "encrypted-media",
       fullscreen:           "fullscreen",
       geolocation:          "geolocation",
       gyroscope:            "gyroscope",
       hid:                  "hid",
       idle_detection:       "idle-detection",
+      keyboard_map:         "keyboard-map",
       magnetometer:         "magnetometer",
       microphone:           "microphone",
       midi:                 "midi",

data/lib/action_dispatch/http/request.rb

@@ -55,6 +55,8 @@ module ActionDispatch
       METHOD
     end
 
+    TRANSFER_ENCODING = "HTTP_TRANSFER_ENCODING" # :nodoc:
+
     def self.empty
       new({})
     end
@@ -282,7 +284,7 @@ module ActionDispatch
 
     # Returns the content length of the request as an integer.
     def content_length
-      return raw_post.bytesize if headers.key?("Transfer-Encoding")
+      return raw_post.bytesize if has_header?(TRANSFER_ENCODING)
       super.to_i
     end
 
@@ -468,7 +470,7 @@ module ActionDispatch
       def read_body_stream
         if body_stream
           reset_stream(body_stream) do
-            if headers.key?("Transfer-Encoding")
+            if has_header?(TRANSFER_ENCODING)
               body_stream.read # Read body stream until EOF if "Transfer-Encoding" is present
             else
               body_stream.read(content_length)

data/lib/action_dispatch/journey/parser.rb

@@ -1,200 +1,103 @@
-#
-# DO NOT MODIFY!!!!
-# This file is automatically generated by Racc 1.4.16 from
-# Racc grammar file "".
+# frozen_string_literal: true
 
-# :markup: markdown
+require "action_dispatch/journey/scanner"
+require "action_dispatch/journey/nodes/node"
 
-require 'racc/parser.rb'
-
-# :stopdoc:
-
-require "action_dispatch/journey/parser_extras"
 module ActionDispatch
-  module Journey
-    class Parser < Racc::Parser
-##### State transition tables begin ###
-
-racc_action_table = [
-    13,    15,    14,     7,    19,    16,     8,    19,    13,    15,
-    14,     7,    17,    16,     8,    13,    15,    14,     7,    21,
-    16,     8,    13,    15,    14,     7,    24,    16,     8 ]
-
-racc_action_check = [
-     2,     2,     2,     2,    22,     2,     2,     2,    19,    19,
-    19,    19,     1,    19,    19,     7,     7,     7,     7,    17,
-     7,     7,     0,     0,     0,     0,    20,     0,     0 ]
-
-racc_action_pointer = [
-    20,    12,    -2,   nil,   nil,   nil,   nil,    13,   nil,   nil,
-   nil,   nil,   nil,   nil,   nil,   nil,   nil,    19,   nil,     6,
-    20,   nil,    -5,   nil,   nil ]
-
-racc_action_default = [
-   -19,   -19,    -2,    -3,    -4,    -5,    -6,   -19,   -10,   -11,
-   -12,   -13,   -14,   -15,   -16,   -17,   -18,   -19,    -1,   -19,
-   -19,    25,    -8,    -9,    -7 ]
-
-racc_goto_table = [
-     1,    22,    18,    23,   nil,   nil,   nil,    20 ]
-
-racc_goto_check = [
-     1,     2,     1,     3,   nil,   nil,   nil,     1 ]
-
-racc_goto_pointer = [
-   nil,     0,   -18,   -16,   nil,   nil,   nil,   nil,   nil,   nil,
-   nil ]
-
-racc_goto_default = [
-   nil,   nil,     2,     3,     4,     5,     6,     9,    10,    11,
-    12 ]
-
-racc_reduce_table = [
-  0, 0, :racc_error,
-  2, 11, :_reduce_1,
-  1, 11, :_reduce_2,
-  1, 11, :_reduce_none,
-  1, 12, :_reduce_none,
-  1, 12, :_reduce_none,
-  1, 12, :_reduce_none,
-  3, 15, :_reduce_7,
-  3, 13, :_reduce_8,
-  3, 13, :_reduce_9,
-  1, 16, :_reduce_10,
-  1, 14, :_reduce_none,
-  1, 14, :_reduce_none,
-  1, 14, :_reduce_none,
-  1, 14, :_reduce_none,
-  1, 19, :_reduce_15,
-  1, 17, :_reduce_16,
-  1, 18, :_reduce_17,
-  1, 20, :_reduce_18 ]
-
-racc_reduce_n = 19
-
-racc_shift_n = 25
-
-racc_token_table = {
-  false => 0,
-  :error => 1,
-  :SLASH => 2,
-  :LITERAL => 3,
-  :SYMBOL => 4,
-  :LPAREN => 5,
-  :RPAREN => 6,
-  :DOT => 7,
-  :STAR => 8,
-  :OR => 9 }
-
-racc_nt_base = 10
-
-racc_use_result_var = false
-
-Racc_arg = [
-  racc_action_table,
-  racc_action_check,
-  racc_action_default,
-  racc_action_pointer,
-  racc_goto_table,
-  racc_goto_check,
-  racc_goto_default,
-  racc_goto_pointer,
-  racc_nt_base,
-  racc_reduce_table,
-  racc_token_table,
-  racc_shift_n,
-  racc_reduce_n,
-  racc_use_result_var ]
-
-Racc_token_to_s_table = [
-  "$end",
-  "error",
-  "SLASH",
-  "LITERAL",
-  "SYMBOL",
-  "LPAREN",
-  "RPAREN",
-  "DOT",
-  "STAR",
-  "OR",
-  "$start",
-  "expressions",
-  "expression",
-  "or",
-  "terminal",
-  "group",
-  "star",
-  "symbol",
-  "literal",
-  "slash",
-  "dot" ]
-
-Racc_debug_parser = false
-
-##### State transition tables end #####
-
-# reduce 0 omitted
-
-def _reduce_1(val, _values)
- Cat.new(val.first, val.last)
-end
-
-def _reduce_2(val, _values)
- val.first
-end
-
-# reduce 3 omitted
-
-# reduce 4 omitted
-
-# reduce 5 omitted
-
-# reduce 6 omitted
-
-def _reduce_7(val, _values)
- Group.new(val[1])
-end
-
-def _reduce_8(val, _values)
- Or.new([val.first, val.last])
-end
-
-def _reduce_9(val, _values)
- Or.new([val.first, val.last])
-end
-
-def _reduce_10(val, _values)
- Star.new(Symbol.new(val.last, Symbol::GREEDY_EXP))
+  module Journey # :nodoc:
+    class Parser # :nodoc:
+      include Journey::Nodes
+
+      def self.parse(string)
+        new.parse string
+      end
+
+      def initialize
+        @scanner = Scanner.new
+        @next_token = nil
+      end
+
+      def parse(string)
+        @scanner.scan_setup(string)
+        advance_token
+        do_parse
+      end
+
+      private
+        def advance_token
+          @next_token = @scanner.next_token
+        end
+
+        def do_parse
+          parse_expressions
+        end
+
+        def parse_expressions
+          node = parse_expression
+
+          while @next_token
+            case @next_token
+            when :RPAREN
+              break
+            when :OR
+              node = parse_or(node)
+            else
+              node = Cat.new(node, parse_expressions)
+            end
+          end
+
+          node
+        end
+
+        def parse_or(lhs)
+          advance_token
+          node = parse_expression
+          Or.new([lhs, node])
+        end
+
+        def parse_expression
+          if @next_token == :STAR
+            parse_star
+          elsif @next_token == :LPAREN
+            parse_group
+          else
+            parse_terminal
+          end
+        end
+
+        def parse_star
+          node = Star.new(Symbol.new(@scanner.last_string, Symbol::GREEDY_EXP))
+          advance_token
+          node
+        end
+
+        def parse_group
+          advance_token
+          node = parse_expressions
+          if @next_token == :RPAREN
+            node = Group.new(node)
+            advance_token
+            node
+          else
+            raise ArgumentError, "missing right parenthesis."
+          end
+        end
+
+        def parse_terminal
+          node = case @next_token
+          when :SYMBOL
+            Symbol.new(@scanner.last_string)
+          when :LITERAL
+            Literal.new(@scanner.last_literal)
+          when :SLASH
+            Slash.new("/")
+          when :DOT
+            Dot.new(".")
+          end
+
+          advance_token
+          node
+        end
+    end
+  end
 end
-
-# reduce 11 omitted
-
-# reduce 12 omitted
-
-# reduce 13 omitted
-
-# reduce 14 omitted
-
-def _reduce_15(val, _values)
- Slash.new(val.first)
-end
-
-def _reduce_16(val, _values)
- Symbol.new(val.first)
-end
-
-def _reduce_17(val, _values)
- Literal.new(val.first)
-end
-
-def _reduce_18(val, _values)
- Dot.new(val.first)
-end
-
-def _reduce_none(val, _values)
-  val[0]
-end
-
-    end   # class Parser
-  end   # module Journey
-end   # module ActionDispatch

data/lib/action_dispatch/journey/scanner.rb

@@ -7,64 +7,62 @@ require "strscan"
 module ActionDispatch
   module Journey # :nodoc:
     class Scanner # :nodoc:
+      STATIC_TOKENS = Array.new(150)
+      STATIC_TOKENS[".".ord] = :DOT
+      STATIC_TOKENS["/".ord] = :SLASH
+      STATIC_TOKENS["(".ord] = :LPAREN
+      STATIC_TOKENS[")".ord] = :RPAREN
+      STATIC_TOKENS["|".ord] = :OR
+      STATIC_TOKENS[":".ord] = :SYMBOL
+      STATIC_TOKENS["*".ord] = :STAR
+      STATIC_TOKENS.freeze
+
+      class Scanner < StringScanner
+        unless method_defined?(:peek_byte) # https://github.com/ruby/strscan/pull/89
+          def peek_byte
+            string.getbyte(pos)
+          end
+        end
+      end
+
       def initialize
-        @ss = nil
+        @scanner = nil
+        @length = nil
       end
 
       def scan_setup(str)
-        @ss = StringScanner.new(str)
+        @scanner = Scanner.new(str)
       end
 
-      def eos?
-        @ss.eos?
-      end
+      def next_token
+        return if @scanner.eos?
 
-      def pos
-        @ss.pos
+        until token = scan || @scanner.eos?; end
+        token
       end
 
-      def pre_match
-        @ss.pre_match
+      def last_string
+        -@scanner.string.byteslice(@scanner.pos - @length, @length)
       end
 
-      def next_token
-        return if @ss.eos?
-
-        until token = scan || @ss.eos?; end
-        token
+      def last_literal
+        last_str = @scanner.string.byteslice(@scanner.pos - @length, @length)
+        last_str.tr! "\\", ""
+        -last_str
       end
 
       private
-        # takes advantage of String @- deduping capabilities in Ruby 2.5 upwards see:
-        # https://bugs.ruby-lang.org/issues/13077
-        def dedup_scan(regex)
-          r = @ss.scan(regex)
-          r ? -r : nil
-        end
-
         def scan
+          next_byte = @scanner.peek_byte
           case
-            # /
-          when @ss.skip(/\//)
-            [:SLASH, "/"]
-          when @ss.skip(/\(/)
-            [:LPAREN, "("]
-          when @ss.skip(/\)/)
-            [:RPAREN, ")"]
-          when @ss.skip(/\|/)
-            [:OR, "|"]
-          when @ss.skip(/\./)
-            [:DOT, "."]
-          when text = dedup_scan(/:\w+/)
-            [:SYMBOL, text]
-          when text = dedup_scan(/\*\w+/)
-            [:STAR, text]
-          when text = @ss.scan(/(?:[\w%\-~!$&'*+,;=@]|\\[:()])+/)
-            text.tr! "\\", ""
-            [:LITERAL, -text]
-            # any char
-          when text = dedup_scan(/./)
-            [:LITERAL, text]
+          when (token = STATIC_TOKENS[next_byte])
+            @scanner.pos += 1
+            @length = @scanner.skip(/\w+/).to_i + 1 if token == :SYMBOL || token == :STAR
+            token
+          when @length = @scanner.skip(/(?:[\w%\-~!$&'*+,;=@]|\\[:()])+/)
+            :LITERAL
+          when @length = @scanner.skip(/./)
+            :LITERAL
           end
         end
     end

data/lib/action_dispatch/middleware/cookies.rb

@@ -116,13 +116,15 @@ module ActionDispatch
   #     cookies[:login] = { value: "XJ-122", expires: Time.utc(2020, 10, 15, 5) }
   #
   #     # Sets a signed cookie, which prevents users from tampering with its value.
-  #     # It can be read using the signed method `cookies.signed[:name]`
   #     cookies.signed[:user_id] = current_user.id
+  #     # It can be read using the signed method.
+  #     cookies.signed[:user_id] # => 123
   #
   #     # Sets an encrypted cookie value before sending it to the client which
   #     # prevent users from reading and tampering with its value.
-  #     # It can be read using the encrypted method `cookies.encrypted[:name]`
   #     cookies.encrypted[:discount] = 45
+  #     # It can be read using the encrypted method.
+  #     cookies.encrypted[:discount] # => 45
   #
   #     # Sets a "permanent" cookie (which expires in 20 years from now).
   #     cookies.permanent[:login] = "XJ-122"

data/lib/action_dispatch/middleware/debug_exceptions.rb

@@ -142,17 +142,30 @@ module ActionDispatch
 
         message = []
         message << "  "
-        message << "#{wrapper.exception_class_name} (#{wrapper.message}):"
         if wrapper.has_cause?
-          message << "\nCauses:"
+          message << "#{wrapper.exception_class_name} (#{wrapper.message})"
           wrapper.wrapped_causes.each do |wrapped_cause|
-            message << "#{wrapped_cause.exception_class_name} (#{wrapped_cause.message})"
+            message << "Caused by: #{wrapped_cause.exception_class_name} (#{wrapped_cause.message})"
           end
+
+          message << "\nInformation for: #{wrapper.exception_class_name} (#{wrapper.message}):"
+        else
+          message << "#{wrapper.exception_class_name} (#{wrapper.message}):"
         end
+
         message.concat(wrapper.annotated_source_code)
         message << "  "
         message.concat(trace)
 
+        if wrapper.has_cause?
+          wrapper.wrapped_causes.each do |wrapped_cause|
+            message << "\nInformation for cause: #{wrapped_cause.exception_class_name} (#{wrapped_cause.message}):"
+            message.concat(wrapped_cause.annotated_source_code)
+            message << "  "
+            message.concat(wrapped_cause.exception_trace)
+          end
+        end
+
         log_array(logger, message, request)
       end
 

data/lib/action_dispatch/middleware/request_id.rb

@@ -25,11 +25,12 @@ module ActionDispatch
     def initialize(app, header:)
       @app = app
       @header = header
+      @env_header = "HTTP_#{header.upcase.tr("-", "_")}"
     end
 
     def call(env)
       req = ActionDispatch::Request.new env
-      req.request_id = make_request_id(req.headers[@header])
+      req.request_id = make_request_id(req.get_header(@env_header))
       @app.call(env).tap { |_status, headers, _body| headers[@header] = req.request_id }
     end