actionpack 7.2.2.1 → 8.1.2

data/lib/action_controller/renderer.rb

@@ -96,7 +96,6 @@ module ActionController
     #     *   `:script_name` - The portion of the incoming request's URL path that
     #         corresponds to the application. Converts to Rack's `SCRIPT_NAME`.
     #     *   `:input` - The input stream. Converts to Rack's `rack.input`.
-    #
     # *   `defaults` - Default values for the Rack env. Entries are specified in the
     #     same format as `env`. `env` will be merged on top of these values.
     #     `defaults` will be retained when calling #new on a renderer instance.

data/lib/action_controller/structured_event_subscriber.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+module ActionController
+  class StructuredEventSubscriber < ActiveSupport::StructuredEventSubscriber # :nodoc:
+    INTERNAL_PARAMS = %w(controller action format _method only_path)
+
+    def start_processing(event)
+      payload = event.payload
+      params = {}
+      payload[:params].each_pair do |k, v|
+        params[k] = v unless INTERNAL_PARAMS.include?(k)
+      end
+      format = payload[:format]
+      format = format.to_s.upcase if format.is_a?(Symbol)
+      format = "*/*" if format.nil?
+
+      emit_event("action_controller.request_started",
+        controller: payload[:controller],
+        action: payload[:action],
+        format:,
+        params:,
+      )
+    end
+
+    def process_action(event)
+      payload = event.payload
+      status = payload[:status]
+
+      if status.nil? && (exception_class_name = payload[:exception]&.first)
+        status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+      end
+
+      emit_event("action_controller.request_completed", {
+        controller: payload[:controller],
+        action: payload[:action],
+        status: status,
+        **additions_for(payload),
+        duration_ms: event.duration.round(2),
+        gc_time_ms: event.gc_time.round(1),
+      }.compact)
+    end
+
+    def halted_callback(event)
+      emit_event("action_controller.callback_halted", filter: event.payload[:filter])
+    end
+
+    def rescue_from_callback(event)
+      exception = event.payload[:exception]
+
+      exception_backtrace = exception.backtrace&.first
+      exception_backtrace = exception_backtrace&.delete_prefix("#{Rails.root}/") if defined?(Rails.root) && Rails.root
+
+      emit_event("action_controller.rescue_from_handled",
+        exception_class: exception.class.name,
+        exception_message: exception.message,
+        exception_backtrace:
+      )
+    end
+
+    def send_file(event)
+      emit_event("action_controller.file_sent", path: event.payload[:path], duration_ms: event.duration.round(1))
+    end
+
+    def redirect_to(event)
+      emit_event("action_controller.redirected", location: event.payload[:location])
+    end
+
+    def send_data(event)
+      emit_event("action_controller.data_sent", filename: event.payload[:filename], duration_ms: event.duration.round(1))
+    end
+
+    def unpermitted_parameters(event)
+      unpermitted_keys = event.payload[:keys]
+      context = event.payload[:context]
+
+      emit_debug_event("action_controller.unpermitted_parameters",
+        unpermitted_keys:,
+        context: context.except(:request)
+      )
+    end
+    debug_only :unpermitted_parameters
+
+    def write_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    def read_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    def exist_fragment?(event)
+      fragment_cache(__method__, event)
+    end
+
+    def expire_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    private
+      def fragment_cache(method_name, event)
+        key = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
+
+        emit_event("action_controller.fragment_cache",
+          method: "#{method_name}",
+          key: key,
+          duration_ms: event.duration.round(1)
+        )
+      end
+
+      def additions_for(payload)
+        payload.slice(:view_runtime, :db_runtime, :queries_count, :cached_queries_count)
+      end
+  end
+end
+
+ActionController::StructuredEventSubscriber.attach_to :action_controller

data/lib/action_controller/test_case.rb

@@ -22,11 +22,21 @@ module ActionController
     # database on the main thread, so they could open a txn, then the controller
     # thread will open a new connection and try to access data that's only visible
     # to the main thread's txn. This is the problem in #23483.
+    alias_method :original_new_controller_thread, :new_controller_thread
+
     silence_redefinition_of_method :new_controller_thread
     def new_controller_thread # :nodoc:
       yield
     end
 
+    # Because of the above, we need to prevent the clearing of thread locals, since
+    # no new thread is actually spawned in the test environment.
+    alias_method :original_clean_up_thread_locals, :clean_up_thread_locals
+
+    silence_redefinition_of_method :clean_up_thread_locals
+    def clean_up_thread_locals(*args) # :nodoc:
+    end
+
     # Avoid a deadlock from the queue filling up
     Buffer.queue_size = nil
   end
@@ -106,7 +116,7 @@ module ActionController
             set_header k, "application/x-www-form-urlencoded"
           end
 
-          case content_mime_type.to_sym
+          case content_mime_type&.to_sym
           when nil
             raise "Unknown Content-Type: #{content_type}"
           when :json
@@ -121,7 +131,7 @@ module ActionController
           end
         end
 
-        data_stream = StringIO.new(data)
+        data_stream = StringIO.new(data.b)
         set_header "CONTENT_LENGTH", data_stream.length.to_s
         set_header "rack.input", data_stream
       end

data/lib/action_dispatch/constants.rb

@@ -30,5 +30,11 @@ module ActionDispatch
       SERVER_TIMING = "server-timing"
       STRICT_TRANSPORT_SECURITY = "strict-transport-security"
     end
+
+    if Gem::Version.new(Rack::RELEASE) < Gem::Version.new("3.1")
+      UNPROCESSABLE_CONTENT = :unprocessable_entity
+    else
+      UNPROCESSABLE_CONTENT = :unprocessable_content
+    end
   end
 end

data/lib/action_dispatch/http/cache.rb

@@ -9,6 +9,8 @@ module ActionDispatch
         HTTP_IF_MODIFIED_SINCE = "HTTP_IF_MODIFIED_SINCE"
         HTTP_IF_NONE_MATCH     = "HTTP_IF_NONE_MATCH"
 
+        mattr_accessor :strict_freshness, default: false
+
         def if_modified_since
           if since = get_header(HTTP_IF_MODIFIED_SINCE)
             Time.rfc2822(since) rescue nil
@@ -34,19 +36,140 @@ module ActionDispatch
           end
         end
 
-        # Check response freshness (`Last-Modified` and ETag) against request
-        # `If-Modified-Since` and `If-None-Match` conditions. If both headers are
-        # supplied, both must match, or the request is not considered fresh.
+        # Check response freshness (`Last-Modified` and `ETag`) against request
+        # `If-Modified-Since` and `If-None-Match` conditions.
+        # If both headers are supplied, based on configuration, either `ETag` is preferred over `Last-Modified`
+        # or both are considered equally. You can adjust the preference with
+        # `config.action_dispatch.strict_freshness`.
+        # Reference: http://tools.ietf.org/html/rfc7232#section-6
         def fresh?(response)
-          last_modified = if_modified_since
-          etag          = if_none_match
+          if Request.strict_freshness
+            if if_none_match
+              etag_matches?(response.etag)
+            elsif if_modified_since
+              not_modified?(response.last_modified)
+            else
+              false
+            end
+          else
+            last_modified = if_modified_since
+            etag          = if_none_match
+
+            return false unless last_modified || etag
+
+            success = true
+            success &&= not_modified?(response.last_modified) if last_modified
+            success &&= etag_matches?(response.etag) if etag
+            success
+          end
+        end
+
+        def cache_control_directives
+          @cache_control_directives ||= CacheControlDirectives.new(get_header("HTTP_CACHE_CONTROL"))
+        end
+
+        # Represents the HTTP Cache-Control header for requests,
+        # providing methods to access various cache control directives
+        # Reference: https://www.rfc-editor.org/rfc/rfc9111.html#name-request-directives
+        class CacheControlDirectives
+          def initialize(cache_control_header)
+            @only_if_cached = false
+            @no_cache = false
+            @no_store = false
+            @no_transform = false
+            @max_age = nil
+            @max_stale = nil
+            @min_fresh = nil
+            @stale_if_error = false
+            parse_directives(cache_control_header)
+          end
+
+          # Returns true if the only-if-cached directive is present.
+          # This directive indicates that the client only wishes to obtain a
+          # stored response. If a valid stored response is not available,
+          # the server should respond with a 504 (Gateway Timeout) status.
+          def only_if_cached?
+            @only_if_cached
+          end
+
+          # Returns true if the no-cache directive is present.
+          # This directive indicates that a cache must not use the response
+          # to satisfy subsequent requests without successful validation on the origin server.
+          def no_cache?
+            @no_cache
+          end
+
+          # Returns true if the no-store directive is present.
+          # This directive indicates that a cache must not store any part of the
+          # request or response.
+          def no_store?
+            @no_store
+          end
+
+          # Returns true if the no-transform directive is present.
+          # This directive indicates that a cache or proxy must not transform the payload.
+          def no_transform?
+            @no_transform
+          end
 
-          return false unless last_modified || etag
+          # Returns the value of the max-age directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose age is no greater than the specified number of seconds.
+          attr_reader :max_age
 
-          success = true
-          success &&= not_modified?(response.last_modified) if last_modified
-          success &&= etag_matches?(response.etag) if etag
-          success
+          # Returns the value of the max-stale directive.
+          # When max-stale is present with a value, returns that integer value.
+          # When max-stale is present without a value, returns true (unlimited staleness).
+          # When max-stale is not present, returns nil.
+          attr_reader :max_stale
+
+          # Returns true if max-stale directive is present (with or without a value)
+          def max_stale?
+            !@max_stale.nil?
+          end
+
+          # Returns true if max-stale directive is present without a value (unlimited staleness)
+          def max_stale_unlimited?
+            @max_stale == true
+          end
+
+          # Returns the value of the min-fresh directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose freshness lifetime is no less than its current age plus the specified time in seconds.
+          attr_reader :min_fresh
+
+          # Returns the value of the stale-if-error directive.
+          # This directive indicates that the client is willing to accept a stale response
+          # if the check for a fresh one fails with an error for the specified number of seconds.
+          attr_reader :stale_if_error
+
+          private
+            def parse_directives(header_value)
+              return unless header_value
+
+              header_value.delete(" ").downcase.split(",").each do |directive|
+                name, value = directive.split("=", 2)
+
+                case name
+                when "max-age"
+                  @max_age = value.to_i
+                when "min-fresh"
+                  @min_fresh = value.to_i
+                when "stale-if-error"
+                  @stale_if_error = value.to_i
+                when "no-cache"
+                  @no_cache = true
+                when "no-store"
+                  @no_store = true
+                when "no-transform"
+                  @no_transform = true
+                when "only-if-cached"
+                  @only_if_cached = true
+                when "max-stale"
+                  @max_stale = value ? value.to_i : true
+                end
+              end
+            end
         end
       end
 
@@ -127,7 +250,7 @@ module ActionDispatch
       private
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
-        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate must-understand])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -171,6 +294,8 @@ module ActionDispatch
         PUBLIC                = "public"
         PRIVATE               = "private"
         MUST_REVALIDATE       = "must-revalidate"
+        IMMUTABLE             = "immutable"
+        MUST_UNDERSTAND       = "must-understand"
 
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag middleware. But, if
@@ -205,6 +330,7 @@ module ActionDispatch
 
           if control[:no_store]
             options << PRIVATE if control[:private]
+            options << MUST_UNDERSTAND if control[:must_understand]
             options << NO_STORE
           elsif control[:no_cache]
             options << PUBLIC if control[:public]
@@ -221,6 +347,7 @@ module ActionDispatch
             options << MUST_REVALIDATE if control[:must_revalidate]
             options << "stale-while-revalidate=#{stale_while_revalidate.to_i}" if stale_while_revalidate
             options << "stale-if-error=#{stale_if_error.to_i}" if stale_if_error
+            options << IMMUTABLE if control[:immutable]
             options.concat(extras) if extras
           end
 

data/lib/action_dispatch/http/content_security_policy.rb

@@ -128,6 +128,7 @@ module ActionDispatch # :nodoc:
     MAPPINGS = {
       self:             "'self'",
       unsafe_eval:      "'unsafe-eval'",
+      wasm_unsafe_eval: "'wasm-unsafe-eval'",
       unsafe_hashes:    "'unsafe-hashes'",
       unsafe_inline:    "'unsafe-inline'",
       none:             "'none'",
@@ -170,6 +171,8 @@ module ActionDispatch # :nodoc:
       worker_src:                 "worker-src"
     }.freeze
 
+    HASH_SOURCE_ALGORITHM_PREFIXES = ["sha256-", "sha384-", "sha512-"].freeze
+
     DEFAULT_NONCE_DIRECTIVES = %w[script-src style-src].freeze
 
     private_constant :MAPPINGS, :DIRECTIVES, :DEFAULT_NONCE_DIRECTIVES
@@ -304,7 +307,13 @@ module ActionDispatch # :nodoc:
           case source
           when Symbol
             apply_mapping(source)
-          when String, Proc
+          when String
+            if hash_source?(source)
+              "'#{source}'"
+            else
+              source
+            end
+          when Proc
             source
           else
             raise ArgumentError, "Invalid content security policy source: #{source.inspect}"
@@ -373,5 +382,9 @@ module ActionDispatch # :nodoc:
       def nonce_directive?(directive, nonce_directives)
         nonce_directives.include?(directive)
       end
+
+      def hash_source?(source)
+        source.start_with?(*HASH_SOURCE_ALGORITHM_PREFIXES)
+      end
   end
 end

data/lib/action_dispatch/http/filter_parameters.rb

@@ -17,9 +17,11 @@ module ActionDispatch
     # For more information about filter behavior, see
     # ActiveSupport::ParameterFilter.
     module FilterParameters
-      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
+      # :stopdoc:
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"]
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH
+      # :startdoc:
 
       def initialize
         super

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -56,9 +56,14 @@ module ActionDispatch
 
       # Returns the MIME type for the format used in the request.
       #
-      #     GET /posts/5.xml   | request.format => Mime[:xml]
-      #     GET /posts/5.xhtml | request.format => Mime[:html]
-      #     GET /posts/5       | request.format => Mime[:html] or Mime[:js], or request.accepts.first
+      #     # GET /posts/5.xml
+      #     request.format # => Mime[:xml]
+      #
+      #     # GET /posts/5.xhtml
+      #     request.format # => Mime[:html]
+      #
+      #     # GET /posts/5
+      #     request.format # => Mime[:html] or Mime[:js], or request.accepts.first
       #
       def format(_view_path = nil)
         formats.first || Mime::NullType.instance
@@ -86,7 +91,49 @@ module ActionDispatch
         end
       end
 
-      # Sets the variant for template.
+      # Sets the \variant for the response template.
+      #
+      # When determining which template to render, Action View will incorporate
+      # all variants from the request. For example, if an
+      # `ArticlesController#index` action needs to respond to
+      # `request.variant = [:ios, :turbo_native]`, it will render the
+      # first template file it can find in the following list:
+      #
+      # - `app/views/articles/index.html+ios.erb`
+      # - `app/views/articles/index.html+turbo_native.erb`
+      # - `app/views/articles/index.html.erb`
+      #
+      # Variants add context to the requests that views render appropriately.
+      # Variant names are arbitrary, and can communicate anything from the
+      # request's platform (`:android`, `:ios`, `:linux`, `:macos`, `:windows`)
+      # to its browser (`:chrome`, `:edge`, `:firefox`, `:safari`), to the type
+      # of user (`:admin`, `:guest`, `:user`).
+      #
+      # Note: Adding many new variant templates with similarities to existing
+      # template files can make maintaining your view code more difficult.
+      #
+      # #### Parameters
+      #
+      # * `variant` - a symbol name or an array of symbol names for variants
+      #   used to render the response template
+      #
+      # #### Examples
+      #
+      #     class ApplicationController < ActionController::Base
+      #       before_action :determine_variants
+      #
+      #       private
+      #         def determine_variants
+      #           variants = []
+      #
+      #           # some code to determine the variant(s) to use
+      #
+      #           variants << :ios if request.user_agent.include?("iOS")
+      #           variants << :turbo_native if request.user_agent.include?("Turbo Native")
+      #
+      #           request.variant = variants
+      #         end
+      #     end
       def variant=(variant)
         variant = Array(variant)
 
@@ -97,6 +144,18 @@ module ActionDispatch
         end
       end
 
+      # Returns the \variant for the response template as an instance of
+      # ActiveSupport::ArrayInquirer.
+      #
+      #     request.variant = :phone
+      #     request.variant.phone?  # => true
+      #     request.variant.tablet? # => false
+      #
+      #     request.variant = [:phone, :tablet]
+      #     request.variant.phone?                  # => true
+      #     request.variant.desktop?                # => false
+      #     request.variant.any?(:phone, :desktop)  # => true
+      #     request.variant.any?(:desktop, :watch)  # => false
       def variant
         @variant ||= ActiveSupport::ArrayInquirer.new
       end

data/lib/action_dispatch/http/mime_types.rb

@@ -13,6 +13,7 @@ Mime::Type.register "text/calendar", :ics
 Mime::Type.register "text/csv", :csv
 Mime::Type.register "text/vcard", :vcf
 Mime::Type.register "text/vtt", :vtt, %w(vtt)
+Mime::Type.register "text/markdown", :md, [], %w(md markdown)
 
 Mime::Type.register "image/png", :png, [], %w(png)
 Mime::Type.register "image/jpeg", :jpeg, [], %w(jpg jpeg jpe pjpeg)