actionpack 7.2.3 → 8.1.3

data/lib/action_controller/metal/rate_limiting.rb

@@ -18,8 +18,13 @@ module ActionController # :nodoc:
       # parameter. It's evaluated within the context of the controller processing the
       # request.
       #
-      # Requests that exceed the rate limit are refused with a `429 Too Many Requests`
-      # response. You can specialize this by passing a callable in the `with:`
+      # By default, rate limits are scoped to the controller's path. If you want to
+      # share rate limits across multiple controllers, you can provide your own scope,
+      # by passing value in the `scope:` parameter.
+      #
+      # Requests that exceed the rate limit will raise an `ActionController::TooManyRequests`
+      # error. By default, Action Dispatch will rescue from the error and refuse the request
+      # with a `429 Too Many Requests` response. You can specialize this by passing a callable in the `with:`
       # parameter. It's evaluated within the context of the controller processing the
       # request.
       #
@@ -29,6 +34,9 @@ module ActionController # :nodoc:
       # datastore as your general caches, you can pass a custom store in the `store`
       # parameter.
       #
+      # If you want to use multiple rate limits per controller, you need to give each of
+      # them an explicit name via the `name:` option.
+      #
       # Examples:
       #
       #     class SessionsController < ApplicationController
@@ -37,24 +45,46 @@ module ActionController # :nodoc:
       #
       #     class SignupsController < ApplicationController
       #       rate_limit to: 1000, within: 10.seconds,
-      #         by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
+      #         by: -> { request.domain }, with: :redirect_to_busy, only: :new
+      #
+      #       private
+      #         def redirect_to_busy
+      #           redirect_to busy_controller_url, alert: "Too many signups on domain!"
+      #         end
       #     end
       #
       #     class APIController < ApplicationController
       #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
       #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
+      #       rate_limit to: 100, within: 5.minutes, scope: :api_global
       #     end
-      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
-        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 3, within: 2.seconds, name: "short-term"
+      #       rate_limit to: 10, within: 5.minutes, name: "long-term"
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { raise TooManyRequests }, store: cache_store, name: nil, scope: nil, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name, scope: scope || controller_path) }, **options
       end
     end
 
     private
-      def rate_limiting(to:, within:, by:, with:, store:)
-        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+      def rate_limiting(to:, within:, by:, with:, store:, name:, scope:)
+        by = by.is_a?(Symbol) ? send(by) : instance_exec(&by)
+
+        cache_key = ["rate-limit", scope, name, by].compact.join(":")
+        count = store.increment(cache_key, 1, expires_in: within)
         if count && count > to
-          ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
-            instance_exec(&with)
+          ActiveSupport::Notifications.instrument("rate_limit.action_controller",
+              request: request,
+              count: count,
+              to: to,
+              within: within,
+              by: by,
+              name: name,
+              scope: scope,
+              cache_key: cache_key) do
+            with.is_a?(Symbol) ? send(with) : instance_exec(&with)
           end
         end
       end

data/lib/action_controller/metal/redirecting.rb

@@ -11,10 +11,36 @@ module ActionController
 
     class UnsafeRedirectError < StandardError; end
 
+    class OpenRedirectError < UnsafeRedirectError
+      def initialize(location)
+        super("Unsafe redirect to #{location.to_s.truncate(100).inspect}, pass allow_other_host: true to redirect anyway.")
+      end
+    end
+
+    class PathRelativeRedirectError < UnsafeRedirectError
+      def initialize(url)
+        super("Path relative URL redirect detected: #{url.inspect}")
+      end
+    end
+
     ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/
 
     included do
       mattr_accessor :raise_on_open_redirects, default: false
+      mattr_accessor :action_on_open_redirect, default: :log
+      mattr_accessor :action_on_path_relative_redirect, default: :log
+      class_attribute :_allowed_redirect_hosts, :allowed_redirect_hosts_permissions, instance_accessor: false, instance_predicate: false
+      singleton_class.alias_method :allowed_redirect_hosts, :_allowed_redirect_hosts
+    end
+
+    module ClassMethods # :nodoc:
+      def allowed_redirect_hosts=(hosts)
+        hosts = hosts.dup.freeze
+        self._allowed_redirect_hosts = hosts
+        self.allowed_redirect_hosts_permissions = if hosts.present?
+          ActionDispatch::HostAuthorization::Permissions.new(hosts)
+        end
+      end
     end
 
     # Redirects the browser to the target specified in `options`. This parameter can
@@ -82,16 +108,17 @@ module ActionController
     # ### Open Redirect protection
     #
     # By default, Rails protects against redirecting to external hosts for your
-    # app's safety, so called open redirects. Note: this was a new default in Rails
-    # 7.0, after upgrading opt-in by uncommenting the line with
-    # `raise_on_open_redirects` in
-    # `config/initializers/new_framework_defaults_7_0.rb`
+    # app's safety, so called open redirects.
     #
     # Here #redirect_to automatically validates the potentially-unsafe URL:
     #
     #     redirect_to params[:redirect_url]
     #
-    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    # The `action_on_open_redirect` configuration option controls the behavior when an unsafe
+    # redirect is detected:
+    # * `:log` - Logs a warning but allows the redirect
+    # * `:notify` - Sends an Active Support notification for monitoring
+    # * `:raise` - Raises an UnsafeRedirectError
     #
     # To allow any external redirects pass `allow_other_host: true`, though using a
     # user-provided param in that case is unsafe.
@@ -100,11 +127,31 @@ module ActionController
     #
     # See #url_from for more information on what an internal and safe URL is, or how
     # to fall back to an alternate redirect URL in the unsafe case.
+    #
+    # ### Path Relative URL Redirect Protection
+    #
+    # Rails also protects against potentially unsafe path relative URL redirects that don't
+    # start with a leading slash. These can create security vulnerabilities:
+    #
+    #     redirect_to "example.com"     # Creates http://yourdomain.comexample.com
+    #     redirect_to "@attacker.com"   # Creates http://yourdomain.com@attacker.com
+    #                                   # which browsers interpret as user@host
+    #
+    # You can configure how Rails handles these cases using:
+    #
+    #     config.action_controller.action_on_path_relative_redirect = :log    # default
+    #     config.action_controller.action_on_path_relative_redirect = :notify
+    #     config.action_controller.action_on_path_relative_redirect = :raise
+    #
+    # * `:log` - Logs a warning but allows the redirect
+    # * `:notify` - Sends an Active Support notification but allows the redirect
+    #   (includes stack trace to help identify the source)
+    # * `:raise` - Raises an UnsafeRedirectError
     def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
-      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+      allow_other_host = response_options.delete(:allow_other_host)
 
       proposed_status = _extract_redirect_to_status(options, response_options)
 
@@ -166,6 +213,10 @@ module ActionController
       when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
         options.to_str
       when String
+        if !options.start_with?("/", "?") && !options.empty?
+          _handle_path_relative_redirect(options)
+        end
+
         request.protocol + request.host_with_port + options
       when Proc
         _compute_redirect_to_location request, instance_eval(&options)
@@ -207,7 +258,9 @@ module ActionController
 
     private
       def _allow_other_host
-        !raise_on_open_redirects
+        return false if raise_on_open_redirects
+
+        action_on_open_redirect != :raise
       end
 
       def _extract_redirect_to_status(options, response_options)
@@ -221,20 +274,42 @@ module ActionController
       end
 
       def _enforce_open_redirect_protection(location, allow_other_host:)
+        # Explictly allowed other host or host is in allow list allow redirect
         if allow_other_host || _url_host_allowed?(location)
           location
+        # Explicitly disallowed other host
+        elsif allow_other_host == false
+          raise OpenRedirectError.new(location)
+        # Configuration disallows other hosts
+        elsif !_allow_other_host
+          raise OpenRedirectError.new(location)
+        # Log but allow redirect
+        elsif action_on_open_redirect == :log
+          logger.warn "Open redirect to #{location.inspect} detected" if logger
+          location
+        # Notify but allow redirect
+        elsif action_on_open_redirect == :notify
+          ActiveSupport::Notifications.instrument("open_redirect.action_controller",
+            location: location,
+            request: request,
+            stack_trace: caller,
+          )
+          location
+        # Fall through, should not happen but raise for safety
         else
-          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+          raise OpenRedirectError.new(location)
         end
       end
 
       def _url_host_allowed?(url)
-        host = URI(url.to_s).host
+        url_to_s = url.to_s
+        host = URI(url_to_s).host
 
-        return true if host == request.host
-        return false unless host.nil?
-        return false unless url.to_s.start_with?("/")
-        !url.to_s.start_with?("//")
+        if host.nil?
+          url_to_s.start_with?("/") && !url_to_s.start_with?("//")
+        else
+          host == request.host || self.class.allowed_redirect_hosts_permissions&.allows?(host)
+        end
       rescue ArgumentError, URI::Error
         false
       end
@@ -248,5 +323,22 @@ module ActionController
           raise UnsafeRedirectError, msg
         end
       end
+
+      def _handle_path_relative_redirect(url)
+        message = "Path relative URL redirect detected: #{url.inspect}"
+
+        case action_on_path_relative_redirect
+        when :log
+          logger&.warn message
+        when :notify
+          ActiveSupport::Notifications.instrument("unsafe_redirect.action_controller",
+            url: url,
+            message: message,
+            stack_trace: caller
+          )
+        when :raise
+          raise PathRelativeRedirectError.new(url)
+        end
+      end
   end
 end

data/lib/action_controller/metal/renderers.rb

@@ -2,8 +2,6 @@
 
 # :markup: markdown
 
-require "set"
-
 module ActionController
   # See Renderers.add
   def self.add_renderer(key, &block)
@@ -29,8 +27,23 @@ module ActionController
     # Default values are `:json`, `:js`, `:xml`.
     RENDERERS = Set.new
 
+    module DeprecatedEscapeJsonResponses # :nodoc:
+      def escape_json_responses=(value)
+        if value
+          ActionController.deprecator.warn(<<~MSG.squish)
+            Setting action_controller.escape_json_responses = true is deprecated and will have no effect in Rails 8.2.
+            Set it to `false`, or remove the config.
+          MSG
+        end
+        super
+      end
+    end
+
     included do
       class_attribute :_renderers, default: Set.new.freeze
+      class_attribute :escape_json_responses, instance_writer: false, instance_accessor: false, default: true
+
+      singleton_class.prepend DeprecatedEscapeJsonResponses
     end
 
     # Used in ActionController::Base and ActionController::API to include all
@@ -88,7 +101,7 @@ module ActionController
       remove_possible_method(method_name)
     end
 
-    def self._render_with_renderer_method_name(key)
+    def self._render_with_renderer_method_name(key) # :nodoc:
       "_render_with_renderer_#{key}"
     end
 
@@ -142,7 +155,7 @@ module ActionController
       _render_to_body_with_renderer(options) || super
     end
 
-    def _render_to_body_with_renderer(options)
+    def _render_to_body_with_renderer(options) # :nodoc:
       _renderers.each do |name|
         if options.key?(name)
           _process_options(options)
@@ -154,28 +167,35 @@ module ActionController
     end
 
     add :json do |json, options|
-      json = json.to_json(options) unless json.kind_of?(String)
+      json_options = options.except(:callback, :content_type, :status)
+      json_options[:escape] ||= false if !self.class.escape_json_responses? && options[:callback].blank?
+      json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?
         if media_type.nil? || media_type == Mime[:json]
-          self.content_type = Mime[:js]
+          self.content_type = :js
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type = Mime[:json] if media_type.nil?
+        self.content_type = :json if media_type.nil?
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type = Mime[:js] if media_type.nil?
+      self.content_type = :js if media_type.nil?
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type = Mime[:xml] if media_type.nil?
+      self.content_type = :xml if media_type.nil?
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
+
+    add :markdown do |md, options|
+      self.content_type = :md if media_type.nil?
+      md.respond_to?(:to_markdown) ? md.to_markdown : md
+    end
   end
 end

data/lib/action_controller/metal/rendering.rb

@@ -160,6 +160,12 @@ module ActionController
     #         render "posts/new", status: :unprocessable_entity
     #         # => renders app/views/posts/new.html.erb with HTTP status code 422
     #
+    # `:variants`
+    # :  This tells Rails to look for the first template matching any of the variations.
+    #
+    #         render "posts/index", variants: [:mobile]
+    #         # => renders app/views/posts/index.html+mobile.erb
+    #
     #--
     # Check for double render errors and set the content_type after rendering.
     def render(*args)
@@ -208,7 +214,7 @@ module ActionController
       end
 
       def _set_html_content_type
-        self.content_type = Mime[:html].to_s
+        self.content_type = :html
       end
 
       def _set_rendered_content_type(format)

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -71,32 +71,39 @@ module ActionController # :nodoc:
     included do
       # Sets the token parameter name for RequestForgery. Calling
       # `protect_from_forgery` sets it to `:authenticity_token` by default.
-      config_accessor :request_forgery_protection_token
+      singleton_class.delegate :request_forgery_protection_token, :request_forgery_protection_token=, to: :config
+      delegate :request_forgery_protection_token, :request_forgery_protection_token=, to: :config
       self.request_forgery_protection_token ||= :authenticity_token
 
       # Holds the class which implements the request forgery protection.
-      config_accessor :forgery_protection_strategy
+      singleton_class.delegate :forgery_protection_strategy, :forgery_protection_strategy=, to: :config
+      delegate :forgery_protection_strategy, :forgery_protection_strategy=, to: :config
       self.forgery_protection_strategy = nil
 
       # Controls whether request forgery protection is turned on or not. Turned off by
       # default only in test mode.
-      config_accessor :allow_forgery_protection
+      singleton_class.delegate :allow_forgery_protection, :allow_forgery_protection=, to: :config
+      delegate :allow_forgery_protection, :allow_forgery_protection=, to: :config
       self.allow_forgery_protection = true if allow_forgery_protection.nil?
 
       # Controls whether a CSRF failure logs a warning. On by default.
-      config_accessor :log_warning_on_csrf_failure
+      singleton_class.delegate :log_warning_on_csrf_failure, :log_warning_on_csrf_failure=, to: :config
+      delegate :log_warning_on_csrf_failure, :log_warning_on_csrf_failure=, to: :config
       self.log_warning_on_csrf_failure = true
 
       # Controls whether the Origin header is checked in addition to the CSRF token.
-      config_accessor :forgery_protection_origin_check
+      singleton_class.delegate :forgery_protection_origin_check, :forgery_protection_origin_check=, to: :config
+      delegate :forgery_protection_origin_check, :forgery_protection_origin_check=, to: :config
       self.forgery_protection_origin_check = false
 
       # Controls whether form-action/method specific CSRF tokens are used.
-      config_accessor :per_form_csrf_tokens
+      singleton_class.delegate :per_form_csrf_tokens, :per_form_csrf_tokens=, to: :config
+      delegate :per_form_csrf_tokens, :per_form_csrf_tokens=, to: :config
       self.per_form_csrf_tokens = false
 
       # The strategy to use for storing and retrieving CSRF tokens.
-      config_accessor :csrf_token_storage_strategy
+      singleton_class.delegate :csrf_token_storage_strategy, :csrf_token_storage_strategy=, to: :config
+      delegate :csrf_token_storage_strategy, :csrf_token_storage_strategy=, to: :config
       self.csrf_token_storage_strategy = SessionStore.new
 
       helper_method :form_authenticity_token
@@ -461,7 +468,7 @@ module ActionController # :nodoc:
       # *   Does the `X-CSRF-Token` header match the form_authenticity_token?
       #
       def verified_request? # :doc:
-        !protect_against_forgery? || request.get? || request.head? ||
+        request.get? || request.head? || !protect_against_forgery? ||
           (valid_request_origin? && any_authenticity_token_valid?)
       end
 
@@ -621,6 +628,7 @@ module ActionController # :nodoc:
         If you cannot change the referrer policy, you can disable origin checking with the
         Rails.application.config.action_controller.forgery_protection_origin_check setting.
       MSG
+      private_constant :NULL_ORIGIN_MESSAGE
 
       # Checks if the request originated from the same origin by looking at the Origin
       # header.
@@ -634,7 +642,7 @@ module ActionController # :nodoc:
         end
       end
 
-      def normalize_action_path(action_path) # :doc:
+      def normalize_action_path(action_path)
         uri = URI.parse(action_path)
 
         if uri.relative? && (action_path.blank? || !action_path.start_with?("/"))
@@ -644,7 +652,7 @@ module ActionController # :nodoc:
         end
       end
 
-      def normalize_relative_action_path(rel_action_path) # :doc:
+      def normalize_relative_action_path(rel_action_path)
         uri = URI.parse(request.path)
         # add the action path to the request.path
         uri.path += "/#{rel_action_path}"

data/lib/action_controller/metal/rescue.rb

@@ -13,6 +13,15 @@ module ActionController # :nodoc:
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable
 
+    module ClassMethods
+      def handler_for_rescue(exception, ...) # :nodoc:
+        if handler = super
+          ActiveSupport::Notifications.instrument("rescue_from_callback.action_controller", exception: exception)
+          handler
+        end
+      end
+    end
+
     # Override this method if you want to customize when detailed exceptions must be
     # shown. This method is only called when `consider_all_requests_local` is
     # `false`. By default, it returns `false`, but someone may set it to

data/lib/action_controller/metal/streaming.rb

@@ -165,95 +165,16 @@ module ActionController # :nodoc:
   #
   # ## Web server support
   #
-  # Not all web servers support streaming out-of-the-box. You need to check the
-  # instructions for each of them.
-  #
-  # #### Unicorn
-  #
-  # Unicorn supports streaming but it needs to be configured. For this, you need
-  # to create a config file as follow:
-  #
-  #     # unicorn.config.rb
-  #     listen 3000, tcp_nopush: false
-  #
-  # And use it on initialization:
-  #
-  #     unicorn_rails --config-file unicorn.config.rb
-  #
-  # You may also want to configure other parameters like `:tcp_nodelay`.
-  #
-  # For more information, please check the
-  # [documentation](https://bogomips.org/unicorn/Unicorn/Configurator.html#method-
-  # i-listen).
-  #
-  # If you are using Unicorn with NGINX, you may need to tweak NGINX. Streaming
-  # should work out of the box on Rainbows.
-  #
-  # #### Passenger
-  #
-  # Phusion Passenger with NGINX, offers two streaming mechanisms out of the box.
-  #
-  # 1.  NGINX response buffering mechanism which is dependent on the value of
-  #     `passenger_buffer_response` option (default is "off").
-  # 2.  Passenger buffering system which is always 'on' irrespective of the value
-  #     of `passenger_buffer_response`.
-  #
-  #
-  # When `passenger_buffer_response` is turned "on", then streaming would be done
-  # at the NGINX level which waits until the application is done sending the
-  # response back to the client.
-  #
-  # For more information, please check the [documentation]
-  # (https://www.phusionpassenger.com/docs/references/config_reference/nginx/#passenger_buffer_response).
+  # Rack 3+ compatible servers all support streaming.
   module Streaming
-    class Body # :nodoc:
-      TERM = "\r\n"
-      TAIL = "0#{TERM}"
-
-      # Store the response body to be chunked.
-      def initialize(body)
-        @body = body
-      end
-
-      # For each element yielded by the response body, yield the element in chunked
-      # encoding.
-      def each(&block)
-        term = TERM
-        @body.each do |chunk|
-          size = chunk.bytesize
-          next if size == 0
-
-          yield [size.to_s(16), term, chunk.b, term].join
-        end
-        yield TAIL
-        yield term
-      end
-
-      # Close the response body if the response body supports it.
-      def close
-        @body.close if @body.respond_to?(:close)
-      end
-    end
-
     private
-      # Set proper cache control and transfer encoding when streaming
-      def _process_options(options)
-        super
-        if options[:stream]
-          if request.version == "HTTP/1.0"
-            options.delete(:stream)
-          else
-            headers["Cache-Control"] ||= "no-cache"
-            headers["Transfer-Encoding"] = "chunked"
-            headers.delete("Content-Length")
-          end
-        end
-      end
-
       # Call render_body if we are streaming instead of usual `render`.
       def _render_template(options)
         if options.delete(:stream)
-          Body.new view_renderer.render_body(view_context, options)
+          # It shouldn't be necessary to set this.
+          headers["cache-control"] ||= "no-cache"
+
+          view_renderer.render_body(view_context, options)
         else
           super
         end