actionpack 7.2.3 → 8.1.3

data/lib/action_dispatch/middleware/public_exceptions.rb

@@ -25,11 +25,7 @@ module ActionDispatch
     def call(env)
       request      = ActionDispatch::Request.new(env)
       status       = request.path_info[1..-1].to_i
-      begin
-        content_type = request.formats.first
-      rescue ActionDispatch::Http::MimeNegotiation::InvalidType
-        content_type = Mime[:text]
-      end
+      content_type = request.formats.first
       body = { status: status, error: Rack::Utils::HTTP_STATUS_CODES.fetch(status, Rack::Utils::HTTP_STATUS_CODES[500]) }
 
       if env["action_dispatch.original_request_method"] == "HEAD"

data/lib/action_dispatch/middleware/remote_ip.rb

@@ -44,6 +44,8 @@ module ActionDispatch
       "10.0.0.0/8",     # private IPv4 range 10.x.x.x
       "172.16.0.0/12",  # private IPv4 range 172.16.0.0 .. 172.31.255.255
       "192.168.0.0/16", # private IPv4 range 192.168.x.x
+      "169.254.0.0/16", # link-local IPv4 range 169.254.x.x
+      "fe80::/10",      # link-local IPv6 range fe80::/10
     ].map { |proxy| IPAddr.new(proxy) }
 
     attr_reader :check_ip, :proxies
@@ -126,11 +128,11 @@ module ActionDispatch
       # left, which was presumably set by one of those proxies.
       def calculate_ip
         # Set by the Rack web server, this is a single value.
-        remote_addr = ips_from(@req.remote_addr).last
+        remote_addr = sanitize_ips(ips_from(@req.remote_addr)).last
 
         # Could be a CSV list and/or repeated headers that were concatenated.
-        client_ips    = ips_from(@req.client_ip).reverse!
-        forwarded_ips = ips_from(@req.x_forwarded_for).reverse!
+        client_ips    = sanitize_ips(ips_from(@req.client_ip)).reverse!
+        forwarded_ips = sanitize_ips(@req.forwarded_for || []).reverse!
 
         # `Client-Ip` and `X-Forwarded-For` should not, generally, both be set. If they
         # are both set, it means that either:
@@ -150,7 +152,8 @@ module ActionDispatch
           # We don't know which came from the proxy, and which from the user
           raise IpSpoofAttackError, "IP spoofing attack?! " \
             "HTTP_CLIENT_IP=#{@req.client_ip.inspect} " \
-            "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}"
+            "HTTP_X_FORWARDED_FOR=#{@req.x_forwarded_for.inspect}" \
+            " HTTP_FORWARDED=" + @req.forwarded_for.map { "for=#{_1}" }.join(", ").inspect if @req.forwarded_for.any?
         end
 
         # We assume these things about the IP headers:
@@ -176,7 +179,10 @@ module ActionDispatch
       def ips_from(header) # :doc:
         return [] unless header
         # Split the comma-separated list into an array of strings.
-        ips = header.strip.split(/[,\s]+/)
+        header.strip.split(/[,\s]+/)
+      end
+
+      def sanitize_ips(ips) # :doc:
         ips.select! do |ip|
           # Only return IPs that are valid according to the IPAddr#new method.
           range = IPAddr.new(ip).to_range

data/lib/action_dispatch/middleware/request_id.rb

@@ -25,11 +25,12 @@ module ActionDispatch
     def initialize(app, header:)
       @app = app
       @header = header
+      @env_header = "HTTP_#{header.upcase.tr("-", "_")}"
     end
 
     def call(env)
       req = ActionDispatch::Request.new env
-      req.request_id = make_request_id(req.headers[@header])
+      req.request_id = make_request_id(req.get_header(@env_header))
       @app.call(env).tap { |_status, headers, _body| headers[@header] = req.request_id }
     end
 

data/lib/action_dispatch/middleware/session/cache_store.rb

@@ -18,11 +18,16 @@ module ActionDispatch
     # *   `expire_after`  - The length of time a session will be stored before
     #     automatically expiring. By default, the `:expires_in` option of the cache
     #     is used.
+    # *   `check_collisions`  - Check if newly generated session ids aren't already in use.
+    #     If for some reason 128 bits of randomness aren't considered secure enough to avoid
+    #     collisions, this option can be enabled to ensure newly generated ids aren't in use.
+    #     By default, it is set to `false` to avoid additional cache write operations.
     #
     class CacheStore < AbstractSecureStore
       def initialize(app, options = {})
         @cache = options[:cache] || Rails.cache
         options[:expire_after] ||= @cache.options[:expires_in]
+        @check_collisions = options[:check_collisions] || false
         super
       end
 
@@ -61,6 +66,18 @@ module ActionDispatch
         def get_session_with_fallback(sid)
           @cache.read(cache_key(sid.private_id)) || @cache.read(cache_key(sid.public_id))
         end
+
+        def generate_sid
+          if @check_collisions
+            loop do
+              sid = super
+              key = cache_key(sid.private_id)
+              break sid if @cache.write(key, {}, unless_exist: true, expires_in: default_options[:expire_after])
+            end
+          else
+            super
+          end
+        end
     end
   end
 end

data/lib/action_dispatch/middleware/ssl.rb

@@ -11,9 +11,11 @@ module ActionDispatch
   #
   # 1.  **TLS redirect**: Permanently redirects `http://` requests to `https://`
   #     with the same URL host, path, etc. Enabled by default. Set
-  #     `config.ssl_options` to modify the destination URL (e.g. `redirect: {
-  #     host: "secure.widgets.com", port: 8080 }`), or set `redirect: false` to
-  #     disable this feature.
+  #     `config.ssl_options` to modify the destination URL:
+  #
+  #         config.ssl_options = { redirect: { host: "secure.widgets.com", port: 8080 }`
+  #
+  #     Or set `redirect: false` to disable redirection.
   #
   #     Requests can opt-out of redirection with `exclude`:
   #
@@ -21,6 +23,14 @@ module ActionDispatch
   #
   #     Cookies will not be flagged as secure for excluded requests.
   #
+  #     When proxying through a load balancer that terminates SSL, the forwarded
+  #     request will appear as though it's HTTP instead of HTTPS to the application.
+  #     This makes redirects and cookie security target HTTP instead of HTTPS.
+  #     To make the server assume that the proxy already terminated SSL, and
+  #     that the request really is HTTPS, set `config.assume_ssl` to `true`:
+  #
+  #         config.assume_ssl = true
+  #
   # 2.  **Secure cookies**: Sets the `secure` flag on cookies to tell browsers
   #     they must not be sent along with `http://` requests. Enabled by default.
   #     Set `config.ssl_options` with `secure_cookies: false` to disable this

data/lib/action_dispatch/middleware/templates/rescues/_copy_button.html.erb

@@ -0,0 +1 @@
+<button onclick="copyAsText.bind(this)()">Copy as text</button>

data/lib/action_dispatch/middleware/templates/rescues/_source.html.erb

@@ -11,8 +11,9 @@
           <tr>
             <td>
               <pre class="line_numbers">
-                <% source_extract[:code].each_key do |line_number| %>
-<span><%= line_number -%></span>
+                <% source_extract[:code].each_key do |line| %>
+                  <% file_url = editor_url(source_extract[:trace], line: line) %>
+<span><%= link_to_if file_url, line, file_url -%></span>
                 <% end %>
               </pre>
             </td>
@@ -28,9 +29,6 @@
           </tr>
         </table>
       </div>
-      <%- unless self.error_highlight_available? -%>
-        <p class="error_highlight_tip">Tip: You may want to add <code>gem "error_highlight", "&gt;= 0.4.0"</code> into your Gemfile, which will display the fine-grained error location.</p>
-      <%- end -%>
     </div>
   <% end %>
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb

@@ -13,13 +13,17 @@
   <% end %>
 
   <% traces.each do |name, trace| %>
-    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
+    <div id="<%= "#{name.gsub(/\s/, '-')}-#{error_index}" %>" class="trace-container" style="display: <%= (name == trace_to_show) ? 'block' : 'none' %>;">
       <code class="traces">
         <% trace.each do |frame| %>
-          <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
-            <%= frame[:trace] %>
-          </a>
-          <br>
+          <div class="trace">
+            <% file_url = editor_url(frame[:trace]) %>
+            <%= file_url && link_to("✏️", file_url, class: "edit-icon") %>
+            <a class="trace-frames trace-frames-<%= error_index %>" data-exception-object-id="<%= frame[:exception_object_id] %>" data-frame-id="<%= frame[:id] %>" href="#">
+              <%= frame[:trace] %>
+            </a>
+            <br>
+          </div>
         <% end %>
       </code>
     </div>

data/lib/action_dispatch/middleware/templates/rescues/blocked_host.html.erb

@@ -1,4 +1,5 @@
 <header>
+  <%= render "rescues/copy_button" %>
   <h1>Blocked hosts: <%= @hosts.join(", ") %></h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/middleware/templates/rescues/diagnostics.html.erb

@@ -1,4 +1,5 @@
 <header>
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception_wrapper.exception_class_name %>
     <% if params_valid? && @request.parameters['controller'] %>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception.class.to_s %>
     <% if @request.parameters['controller'] %>
@@ -10,6 +11,9 @@
 <main role="main" id="container">
   <h2>
     <%= h @exception.message %>
+    <% if defined?(ActionText) && @exception.message.match?(%r{#{ActionText::RichText.table_name}}) %>
+      <br />To resolve this issue run: bin/rails action_text:install
+    <% end %>
     <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
       <br />To resolve this issue run: bin/rails active_storage:install
     <% end %>

data/lib/action_dispatch/middleware/templates/rescues/invalid_statement.text.erb

@@ -4,6 +4,9 @@
 <% end %>
 
 <%= @exception.message %>
+<% if defined?(ActionText) && @exception.message.match?(%r{#{ActionText::RichText.table_name}}) %>
+To resolve this issue run: bin/rails action_text:install
+<% end %>
 <% if defined?(ActiveStorage) && @exception.message.match?(%r{#{ActiveStorage::Blob.table_name}|#{ActiveStorage::Attachment.table_name}}) %>
 To resolve this issue run: bin/rails active_storage:install
 <% end %>

data/lib/action_dispatch/middleware/templates/rescues/layout.erb

@@ -38,6 +38,22 @@
       padding: 0.5em 1.5em;
     }
 
+    header button {
+      appearance: none;
+      background-color: hsl(0 0% 0% / 0.2);
+      border: 0;
+      border-radius: 14px;
+      color: white;
+      float: right;
+      font-weight: 500;
+      height: 28px;
+      padding-inline: 14px;
+      margin: 0.35em 0;
+    }
+    header button:active {
+      background-color: hsl(0 0% 0% / 0.25);
+    }
+
     h1 {
       overflow-wrap: break-word;
       margin: 0.2em 0;
@@ -54,6 +70,30 @@
       font-size: 11px;
     }
 
+    .trace-container {
+      margin-top: 10px;
+    }
+
+    code.traces .trace {
+      display: flex;
+      align-items: center;
+      gap: 2px;
+    }
+
+    .edit-icon {
+      width: 16px;
+      height: 16px;
+      display: flex;
+      font-size: 13px;
+      align-items: center;
+      justify-content: center;
+      text-decoration: none;
+    }
+
+    .edit-icon:hover {
+      scale: 1.05;
+    }
+
     .response-heading, .request-heading {
       margin-top: 30px;
     }
@@ -274,11 +314,21 @@
     var toggleEnvDump = function() {
       return toggle('env_dump');
     }
+    var copyAsText = function() {
+      const text = document.getElementById("exception-message-for-copy").textContent;
+
+      navigator.clipboard.writeText(text).then(() => {
+        const beforeText = this.innerText;
+        this.innerText = "Copied!"
+        setTimeout(() => this.innerText = beforeText, 1000)
+      })
+    }
   </script>
 </head>
 <body>
 
   <%= yield %>
+  <script type="text/plain" id="exception-message-for-copy"><%= @exception_message_for_copy %></script>
 
 </body>
 </html>

data/lib/action_dispatch/middleware/templates/rescues/missing_exact_template.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>No view template for interactive request</h1>
 </header>
 

data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Template is missing</h1>
 </header>
 

data/lib/action_dispatch/middleware/templates/rescues/routing_error.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Routing Error</h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>
     <%= @exception_wrapper.exception_name %> in
     <%= @request.parameters["controller"].camelize if @request.parameters["controller"] %>#<%= @request.parameters["action"] %>

data/lib/action_dispatch/middleware/templates/rescues/unknown_action.html.erb

@@ -1,4 +1,5 @@
 <header role="banner">
+  <%= render "rescues/copy_button" %>
   <h1>Unknown action</h1>
 </header>
 <main role="main" id="container">

data/lib/action_dispatch/railtie.rb

@@ -4,7 +4,9 @@
 
 require "action_dispatch"
 require "action_dispatch/log_subscriber"
+require "action_dispatch/structured_event_subscriber"
 require "active_support/messages/rotation_configuration"
+require "rails/railtie"
 
 module ActionDispatch
   class Railtie < Rails::Railtie # :nodoc:
@@ -29,6 +31,11 @@ module ActionDispatch
     config.action_dispatch.request_id_header = ActionDispatch::Constants::X_REQUEST_ID
     config.action_dispatch.log_rescued_responses = true
     config.action_dispatch.debug_exception_log_level = :fatal
+    config.action_dispatch.strict_freshness = false
+
+    config.action_dispatch.ignore_leading_brackets = nil
+    config.action_dispatch.strict_query_string_separator = nil
+    config.action_dispatch.verbose_redirect_logs = false
 
     config.action_dispatch.default_headers = {
       "X-Frame-Options" => "SAMEORIGIN",
@@ -51,6 +58,19 @@ module ActionDispatch
       ActionDispatch::Http::URL.secure_protocol = app.config.force_ssl
       ActionDispatch::Http::URL.tld_length = app.config.action_dispatch.tld_length
 
+      unless app.config.action_dispatch.domain_extractor.nil?
+        ActionDispatch::Http::URL.domain_extractor = app.config.action_dispatch.domain_extractor
+      end
+
+      unless app.config.action_dispatch.ignore_leading_brackets.nil?
+        ActionDispatch::ParamBuilder.ignore_leading_brackets = app.config.action_dispatch.ignore_leading_brackets
+      end
+      unless app.config.action_dispatch.strict_query_string_separator.nil?
+        ActionDispatch::QueryParser.strict_query_string_separator = app.config.action_dispatch.strict_query_string_separator
+      end
+
+      ActionDispatch.verbose_redirect_logs = app.config.action_dispatch.verbose_redirect_logs
+
       ActiveSupport.on_load(:action_dispatch_request) do
         self.ignore_accept_header = app.config.action_dispatch.ignore_accept_header
         ActionDispatch::Request::Utils.perform_deep_munge = app.config.action_dispatch.perform_deep_munge
@@ -69,6 +89,7 @@ module ActionDispatch
 
       ActionDispatch::Routing::Mapper.route_source_locations = Rails.env.development?
 
+      ActionDispatch::Http::Cache::Request.strict_freshness = app.config.action_dispatch.strict_freshness
       ActionDispatch.test_app = app
     end
   end

data/lib/action_dispatch/request/session.rb

@@ -155,6 +155,7 @@ module ActionDispatch
         load_for_write!
         @delegate[key.to_s] = value
       end
+      alias store []=
 
       # Clears the session.
       def clear

data/lib/action_dispatch/request/utils.rb

@@ -83,8 +83,8 @@ module ActionDispatch
       end
 
       class CustomParamEncoder # :nodoc:
-        def self.encode(request, params, controller, action)
-          return params unless controller && controller.valid_encoding? && encoding_template = action_encoding_template(request, controller, action)
+        def self.encode_for_template(params, encoding_template)
+          return params unless encoding_template
           params.except(:controller, :action).each do |key, value|
             ActionDispatch::Request::Utils.each_param_value(value) do |param|
               # If `param` is frozen, it comes from the router defaults
@@ -98,8 +98,14 @@ module ActionDispatch
           params
         end
 
+        def self.encode(request, params, controller, action)
+          encoding_template = action_encoding_template(request, controller, action)
+          encode_for_template(params, encoding_template)
+        end
+
         def self.action_encoding_template(request, controller, action) # :nodoc:
-          request.controller_class_for(controller).action_encoding_template(action)
+          controller && controller.valid_encoding? &&
+            request.controller_class_for(controller).action_encoding_template(action)
         rescue MissingController
           nil
         end

data/lib/action_dispatch/routing/inspector.rb

@@ -64,6 +64,14 @@ module ActionDispatch
       def engine?
         app.engine?
       end
+
+      def to_h
+        { name: name,
+          verb: verb,
+          path: path,
+          reqs: reqs,
+          source_location: source_location }
+      end
     end
 
     ##
@@ -72,36 +80,57 @@ module ActionDispatch
     # not use this class.
     class RoutesInspector # :nodoc:
       def initialize(routes)
-        @engines = {}
-        @routes = routes
+        @routes = wrap_routes(routes)
+        @engines = load_engines_routes
       end
 
       def format(formatter, filter = {})
-        routes_to_display = filter_routes(normalize_filter(filter))
-        routes = collect_routes(routes_to_display)
-        if routes.none?
-          formatter.no_routes(collect_routes(@routes), filter)
-          return formatter.result
-        end
+        all_routes = { nil => @routes }.merge(@engines)
 
-        formatter.header routes
-        formatter.section routes
-
-        @engines.each do |name, engine_routes|
-          formatter.section_title "Routes for #{name}"
-          formatter.section engine_routes
+        all_routes.each do |engine_name, routes|
+          format_routes(formatter, filter, engine_name, routes)
         end
 
         formatter.result
       end
 
       private
+        def format_routes(formatter, filter, engine_name, routes)
+          routes = filter_routes(routes, normalize_filter(filter)).map(&:to_h)
+
+          formatter.section_title "Routes for #{engine_name || "application"}" if @engines.any?
+          if routes.any?
+            formatter.header routes
+            formatter.section routes
+          else
+            formatter.no_routes engine_name, routes, filter
+          end
+          formatter.footer routes
+        end
+
+        def wrap_routes(routes)
+          routes.routes.map { |route| RouteWrapper.new(route) }.reject(&:internal?)
+        end
+
+        def load_engines_routes
+          engine_routes = @routes.select(&:engine?)
+
+          engines = engine_routes.to_h do |engine_route|
+            engine_app_routes = engine_route.rack_app.routes
+            engine_app_routes = engine_app_routes.routes if engine_app_routes.is_a?(ActionDispatch::Routing::RouteSet)
+
+            [engine_route.endpoint, wrap_routes(engine_app_routes)]
+          end
+
+          engines
+        end
+
         def normalize_filter(filter)
           if filter[:controller]
             { controller: /#{filter[:controller].underscore.sub(/_?controller\z/, "")}/ }
           elsif filter[:grep]
             grep_pattern = Regexp.new(filter[:grep])
-            path = RFC2396_PARSER.escape(filter[:grep])
+            path = URI::RFC2396_PARSER.escape(filter[:grep])
             normalized_path = ("/" + path).squeeze("/")
 
             {
@@ -115,39 +144,13 @@ module ActionDispatch
           end
         end
 
-        def filter_routes(filter)
+        def filter_routes(routes, filter)
           if filter
-            @routes.select do |route|
-              route_wrapper = RouteWrapper.new(route)
-              filter.any? { |filter_type, value| route_wrapper.matches_filter?(filter_type, value) }
+            routes.select do |route|
+              filter.any? { |filter_type, value| route.matches_filter?(filter_type, value) }
             end
           else
-            @routes
-          end
-        end
-
-        def collect_routes(routes)
-          routes.collect do |route|
-            RouteWrapper.new(route)
-          end.reject(&:internal?).collect do |route|
-            collect_engine_routes(route)
-
-            { name: route.name,
-              verb: route.verb,
-              path: route.path,
-              reqs: route.reqs,
-              source_location: route.source_location }
-          end
-        end
-
-        def collect_engine_routes(route)
-          name = route.endpoint
-          return unless route.engine?
-          return if @engines[name]
-
-          routes = route.rack_app.routes
-          if routes.is_a?(ActionDispatch::Routing::RouteSet)
-            @engines[name] = collect_routes(routes.routes)
+            routes
           end
         end
     end
@@ -171,27 +174,36 @@ module ActionDispatch
         def header(routes)
         end
 
-        def no_routes(routes, filter)
-          @buffer <<
-            if routes.none?
-              <<~MESSAGE
-                You don't have any routes defined!
+        def footer(routes)
+        end
 
-                Please add some routes in config/routes.rb.
-              MESSAGE
-            elsif filter.key?(:controller)
+        def no_routes(engine, routes, filter)
+          @buffer <<
+            if filter.key?(:controller)
               "No routes were found for this controller."
             elsif filter.key?(:grep)
               "No routes were found for this grep pattern."
+            elsif routes.none?
+              if engine
+                "No routes defined."
+              else
+                <<~MESSAGE
+                  You don't have any routes defined!
+
+                  Please add some routes in config/routes.rb.
+                MESSAGE
+              end
             end
 
-          @buffer << "For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html."
+          unless engine
+            @buffer << "For more information about routes, see the Rails guide: https://guides.rubyonrails.org/routing.html."
+          end
         end
       end
 
       class Sheet < Base
         def section_title(title)
-          @buffer << "\n#{title}:"
+          @buffer << "#{title}:"
         end
 
         def section(routes)
@@ -202,6 +214,10 @@ module ActionDispatch
           @buffer << draw_header(routes)
         end
 
+        def footer(routes)
+          @buffer << ""
+        end
+
         private
           def draw_section(routes)
             header_lengths = ["Prefix", "Verb", "URI Pattern"].map(&:length)
@@ -232,13 +248,17 @@ module ActionDispatch
         end
 
         def section_title(title)
-          @buffer << "\n#{"[ #{title} ]"}"
+          @buffer << "#{"[ #{title} ]"}"
         end
 
         def section(routes)
           @buffer << draw_expanded_section(routes)
         end
 
+        def footer(routes)
+          @buffer << ""
+        end
+
         private
           def draw_expanded_section(routes)
             routes.map.each_with_index do |r, i|
@@ -269,7 +289,7 @@ module ActionDispatch
           super
         end
 
-        def no_routes(routes, filter)
+        def no_routes(engine, routes, filter)
           @buffer <<
             if filter.none?
               "No unused routes found."
@@ -300,6 +320,9 @@ module ActionDispatch
       def header(routes)
       end
 
+      def footer(routes)
+      end
+
       def no_routes(*)
         @buffer << <<~MESSAGE
           <p>You don't have any routes defined!</p>