actionpack 8.0.3 → 8.1.0.rc1

data/lib/abstract_controller/base.rb

@@ -3,7 +3,6 @@
 # :markup: markdown
 
 require "abstract_controller/error"
-require "active_support/configurable"
 require "active_support/descendants_tracker"
 require "active_support/core_ext/module/anonymous"
 require "active_support/core_ext/module/attr_internal"
@@ -47,7 +46,7 @@ module AbstractController
     # Returns the formats that can be processed by the controller.
     attr_internal :formats
 
-    include ActiveSupport::Configurable
+    class_attribute :config, instance_predicate: false, default: ActiveSupport::OrderedOptions.new
     extend ActiveSupport::DescendantsTracker
 
     class << self
@@ -65,6 +64,7 @@ module AbstractController
         unless klass.instance_variable_defined?(:@abstract)
           klass.instance_variable_set(:@abstract, false)
         end
+        klass.config = ActiveSupport::InheritableOptions.new(config)
         super
       end
 
@@ -97,7 +97,8 @@ module AbstractController
           methods = public_instance_methods(true) - internal_methods
           # Be sure to include shadowed public instance methods of this class.
           methods.concat(public_instance_methods(false))
-          methods.map!(&:to_s)
+          methods.reject! { |m| m.start_with?("_") }
+          methods.map!(&:name)
           methods.to_set
         end
       end
@@ -121,6 +122,10 @@ module AbstractController
         @controller_path ||= name.delete_suffix("Controller").underscore unless anonymous?
       end
 
+      def configure # :nodoc:
+        yield config
+      end
+
       # Refresh the cached action_methods when a new action_method is added.
       def method_added(name)
         super
@@ -190,6 +195,10 @@ module AbstractController
       true
     end
 
+    def config # :nodoc:
+      @_config ||= self.class.config.inheritable_copy
+    end
+
     def inspect # :nodoc:
       "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
     end

data/lib/abstract_controller/caching.rb

@@ -32,13 +32,16 @@ module AbstractController
     included do
       extend ConfigMethods
 
-      config_accessor :default_static_extension
+      singleton_class.delegate :default_static_extension, :default_static_extension=, to: :config
+      delegate :default_static_extension, :default_static_extension=, to: :config
       self.default_static_extension ||= ".html"
 
-      config_accessor :perform_caching
+      singleton_class.delegate :perform_caching, :perform_caching=, to: :config
+      delegate :perform_caching, :perform_caching=, to: :config
       self.perform_caching = true if perform_caching.nil?
 
-      config_accessor :enable_fragment_cache_logging
+      singleton_class.delegate :enable_fragment_cache_logging, :enable_fragment_cache_logging=, to: :config
+      delegate :enable_fragment_cache_logging, :enable_fragment_cache_logging=, to: :config
       self.enable_fragment_cache_logging = false
 
       class_attribute :_view_cache_dependencies, default: []

data/lib/abstract_controller/logger.rb

@@ -9,7 +9,8 @@ module AbstractController
     extend ActiveSupport::Concern
 
     included do
-      config_accessor :logger
+      singleton_class.delegate :logger, :logger=, to: :config
+      delegate :logger, :logger=, to: :config
       include ActiveSupport::Benchmarkable
     end
   end

data/lib/action_controller/api.rb

@@ -5,6 +5,7 @@
 require "action_view"
 require "action_controller"
 require "action_controller/log_subscriber"
+require "action_controller/structured_event_subscriber"
 
 module ActionController
   # # Action Controller API

data/lib/action_controller/base.rb

@@ -4,6 +4,7 @@
 
 require "action_view"
 require "action_controller/log_subscriber"
+require "action_controller/structured_event_subscriber"
 require "action_controller/metal/params_wrapper"
 
 module ActionController
@@ -128,7 +129,7 @@ module ActionController
   #
   # Action Controller sends content to the user by using one of five rendering
   # methods. The most versatile and common is the rendering of a template.
-  # Included in the Action Pack is the Action View, which enables rendering of ERB
+  # Also included with \Rails is Action View, which enables rendering of ERB
   # templates. It's automatically configured. The controller passes objects to the
   # view by assigning instance variables:
   #

data/lib/action_controller/caching.rb

@@ -9,9 +9,8 @@ module ActionController
   # of calculations, renderings, and database calls around for subsequent
   # requests.
   #
-  # You can read more about each approach by clicking the modules below.
-  #
   # Note: To turn off all caching provided by Action Controller, set
+  #
   #     config.action_controller.perform_caching = false
   #
   # ## Caching stores

data/lib/action_controller/form_builder.rb

@@ -40,7 +40,7 @@ module ActionController
       # rendered by this controller and its subclasses.
       #
       # #### Parameters
-      # *   `builder` - Default form builder, an instance of
+      # *   `builder` - Default form builder. Accepts a subclass of
       #     ActionView::Helpers::FormBuilder
       def default_form_builder(builder)
         self._default_form_builder = builder

data/lib/action_controller/log_subscriber.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
-# :markup: markdown
-
 module ActionController
-  class LogSubscriber < ActiveSupport::LogSubscriber
+  class LogSubscriber < ActiveSupport::LogSubscriber # :nodoc:
     INTERNAL_PARAMS = %w(controller action format _method only_path)
 
+    class_attribute :backtrace_cleaner, default: ActiveSupport::BacktraceCleaner.new
+
     def start_processing(event)
       return unless logger.info?
 
@@ -49,6 +49,13 @@ module ActionController
     end
     subscribe_log_level :halted_callback, :info
 
+    # Manually subscribed below
+    def rescue_from_callback(event)
+      exception = event.payload[:exception]
+      info { "rescue_from handled #{exception.class} (#{exception.message}) - #{exception.backtrace.first.delete_prefix("#{Rails.root}/")}" }
+    end
+    subscribe_log_level :rescue_from_callback, :info
+
     def send_file(event)
       info { "Sent file #{event.payload[:path]} (#{event.duration.round(1)}ms)" }
     end
@@ -56,6 +63,10 @@ module ActionController
 
     def redirect_to(event)
       info { "Redirected to #{event.payload[:location]}" }
+
+      if ActionDispatch.verbose_redirect_logs && (source = redirect_source_location)
+        info { "↳ #{source}" }
+      end
     end
     subscribe_log_level :redirect_to, :info
 
@@ -90,6 +101,10 @@ module ActionController
     def logger
       ActionController::Base.logger
     end
+
+    def redirect_source_location
+      backtrace_cleaner.first_clean_frame
+    end
   end
 end
 

data/lib/action_controller/metal/allow_browser.rb

@@ -14,7 +14,7 @@ module ActionController # :nodoc:
       # aren't reporting a user-agent header, will be allowed access.
       #
       # A browser that's blocked will by default be served the file in
-      # public/406-unsupported-browser.html with a HTTP status code of "406 Not
+      # public/406-unsupported-browser.html with an HTTP status code of "406 Not
       # Acceptable".
       #
       # In addition to specifically named browser versions, you can also pass

data/lib/action_controller/metal/conditional_get.rb

@@ -332,6 +332,31 @@ module ActionController
       response.cache_control.replace(no_store: true)
     end
 
+    # Adds the `must-understand` directive to the `Cache-Control` header, which indicates
+    # that a cache MUST understand the semantics of the response status code that has been
+    # received, or discard the response.
+    #
+    # This is particularly useful when returning responses with new or uncommon
+    # status codes that might not be properly interpreted by older caches.
+    #
+    # #### Example
+    #
+    #     def show
+    #       @article = Article.find(params[:id])
+    #
+    #       if @article.early_access?
+    #         must_understand
+    #         render status: 203 # Non-Authoritative Information
+    #       else
+    #         fresh_when @article
+    #       end
+    #     end
+    #
+    def must_understand
+      response.cache_control[:must_understand] = true
+      response.cache_control[:no_store] = true
+    end
+
     private
       def combine_etags(validator, options)
         [validator, *etaggers.map { |etagger| instance_exec(options, &etagger) }].compact

data/lib/action_controller/metal/data_streaming.rb

@@ -134,9 +134,7 @@ module ActionController # :nodoc:
         raise ArgumentError, ":type option required" if content_type.nil?
 
         if content_type.is_a?(Symbol)
-          extension = Mime[content_type]
-          raise ArgumentError, "Unknown MIME type #{options[:type]}" unless extension
-          self.content_type = extension
+          self.content_type = content_type
         else
           if !type_provided && options[:filename]
             # If type wasn't provided, try guessing from file extension.

data/lib/action_controller/metal/exceptions.rb

@@ -103,4 +103,9 @@ module ActionController
       super(message)
     end
   end
+
+  # Raised when a Rate Limit is exceeded by too many requests within a period of
+  # time.
+  class TooManyRequests < ActionControllerError
+  end
 end

data/lib/action_controller/metal/flash.rb

@@ -38,15 +38,12 @@ module ActionController # :nodoc:
           define_method(type) do
             request.flash[type]
           end
+          private type
           helper_method(type) if respond_to?(:helper_method)
 
           self._flash_types += [type]
         end
       end
-
-      def action_methods # :nodoc:
-        @action_methods ||= super - _flash_types.map(&:to_s).to_set
-      end
     end
 
     private

data/lib/action_controller/metal/head.rb

@@ -25,6 +25,8 @@ module ActionController
         raise ArgumentError, "#{status.inspect} is not a valid value for `status`."
       end
 
+      raise ::AbstractController::DoubleRenderError if response_body
+
       status ||= :ok
 
       if options
@@ -41,7 +43,7 @@ module ActionController
 
       if include_content?(response_code)
         unless self.media_type
-          self.content_type = content_type || ((f = formats) && Mime[f.first]) || Mime[:html]
+          self.content_type = content_type || ((f = formats) && Mime[f.first]) || :html
         end
 
         response.charset = false

data/lib/action_controller/metal/live.rb

@@ -133,15 +133,16 @@ module ActionController
       private
         def perform_write(json, options)
           current_options = @options.merge(options).stringify_keys
-
+          event = +""
           PERMITTED_OPTIONS.each do |option_name|
             if (option_value = current_options[option_name])
-              @stream.write "#{option_name}: #{option_value}\n"
+              event << "#{option_name}: #{option_value}\n"
             end
           end
 
           message = json.gsub("\n", "\ndata: ")
-          @stream.write "data: #{message}\n\n"
+          event << "data: #{message}\n\n"
+          @stream.write event
         end
     end
 
@@ -236,12 +237,7 @@ module ActionController
 
       private
         def each_chunk(&block)
-          loop do
-            str = nil
-            ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-              str = @buf.pop
-            end
-            break unless str
+          while str = @buf.pop
             yield str
           end
         end
@@ -275,16 +271,14 @@ module ActionController
       # This processes the action in a child thread. It lets us return the response
       # code and headers back up the Rack stack, and still process the body in
       # parallel with sending data to the client.
-      new_controller_thread {
+      new_controller_thread do
         ActiveSupport::Dependencies.interlock.running do
           t2 = Thread.current
 
           # Since we're processing the view in a different thread, copy the thread locals
           # from the main thread to the child thread. :'(
           locals.each { |k, v| t2[k] = v }
-          ActiveSupport::IsolatedExecutionState.share_with(t1)
-
-          begin
+          ActiveSupport::IsolatedExecutionState.share_with(t1) do
             super(name)
           rescue => e
             if @_response.committed?
@@ -301,18 +295,15 @@ module ActionController
               error = e
             end
           ensure
-            ActiveSupport::IsolatedExecutionState.clear
             clean_up_thread_locals(locals, t2)
 
             @_response.commit!
           end
         end
-      }
-
-      ActiveSupport::Dependencies.interlock.permit_concurrent_loads do
-        @_response.await_commit
       end
 
+      @_response.await_commit
+
       raise error if error
     end
 

data/lib/action_controller/metal/permissions_policy.rb

@@ -24,8 +24,17 @@ module ActionController # :nodoc:
       #       end
       #     end
       #
+      # Requires a global policy defined in an initializer, which can be
+      # empty:
+      #
+      #     Rails.application.config.permissions_policy do |policy|
+      #       # policy.gyroscope :none
+      #     end
       def permissions_policy(**options, &block)
         before_action(options) do
+          unless request.respond_to?(:permissions_policy)
+            raise "Cannot override permissions_policy if no global permissions_policy configured."
+          end
           if block_given?
             policy = request.permissions_policy.clone
             instance_exec(policy, &block)

data/lib/action_controller/metal/rate_limiting.rb

@@ -18,8 +18,13 @@ module ActionController # :nodoc:
       # parameter. It's evaluated within the context of the controller processing the
       # request.
       #
-      # Requests that exceed the rate limit are refused with a `429 Too Many Requests`
-      # response. You can specialize this by passing a callable in the `with:`
+      # By default, rate limits are scoped to the controller's path. If you want to
+      # share rate limits across multiple controllers, you can provide your own scope,
+      # by passing value in the `scope:` parameter.
+      #
+      # Requests that exceed the rate limit will raise an `ActionController::TooManyRequests`
+      # error. By default, Action Dispatch will rescue from the error and refuse the request
+      # with a `429 Too Many Requests` response. You can specialize this by passing a callable in the `with:`
       # parameter. It's evaluated within the context of the controller processing the
       # request.
       #
@@ -40,30 +45,46 @@ module ActionController # :nodoc:
       #
       #     class SignupsController < ApplicationController
       #       rate_limit to: 1000, within: 10.seconds,
-      #         by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
+      #         by: -> { request.domain }, with: :redirect_to_busy, only: :new
+      #
+      #       private
+      #         def redirect_to_busy
+      #           redirect_to busy_controller_url, alert: "Too many signups on domain!"
+      #         end
       #     end
       #
       #     class APIController < ApplicationController
       #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
       #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
+      #       rate_limit to: 100, within: 5.minutes, scope: :api_global
       #     end
       #
       #     class SessionsController < ApplicationController
       #       rate_limit to: 3, within: 2.seconds, name: "short-term"
       #       rate_limit to: 10, within: 5.minutes, name: "long-term"
       #     end
-      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, name: nil, **options)
-        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name) }, **options
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { raise TooManyRequests }, store: cache_store, name: nil, scope: nil, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name, scope: scope || controller_path) }, **options
       end
     end
 
     private
-      def rate_limiting(to:, within:, by:, with:, store:, name:)
-        cache_key = ["rate-limit", controller_path, name, instance_exec(&by)].compact.join(":")
+      def rate_limiting(to:, within:, by:, with:, store:, name:, scope:)
+        by = by.is_a?(Symbol) ? send(by) : instance_exec(&by)
+
+        cache_key = ["rate-limit", scope, name, by].compact.join(":")
         count = store.increment(cache_key, 1, expires_in: within)
         if count && count > to
-          ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
-            instance_exec(&with)
+          ActiveSupport::Notifications.instrument("rate_limit.action_controller",
+              request: request,
+              count: count,
+              to: to,
+              within: within,
+              by: by,
+              name: name,
+              scope: scope,
+              cache_key: cache_key) do
+            with.is_a?(Symbol) ? send(with) : instance_exec(&with)
           end
         end
       end

data/lib/action_controller/metal/redirecting.rb

@@ -11,10 +11,36 @@ module ActionController
 
     class UnsafeRedirectError < StandardError; end
 
+    class OpenRedirectError < UnsafeRedirectError
+      def initialize(location)
+        super("Unsafe redirect to #{location.to_s.truncate(100).inspect}, pass allow_other_host: true to redirect anyway.")
+      end
+    end
+
+    class PathRelativeRedirectError < UnsafeRedirectError
+      def initialize(url)
+        super("Path relative URL redirect detected: #{url.inspect}")
+      end
+    end
+
     ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/
 
     included do
       mattr_accessor :raise_on_open_redirects, default: false
+      mattr_accessor :action_on_open_redirect, default: :log
+      mattr_accessor :action_on_path_relative_redirect, default: :log
+      class_attribute :_allowed_redirect_hosts, :allowed_redirect_hosts_permissions, instance_accessor: false, instance_predicate: false
+      singleton_class.alias_method :allowed_redirect_hosts, :_allowed_redirect_hosts
+    end
+
+    module ClassMethods # :nodoc:
+      def allowed_redirect_hosts=(hosts)
+        hosts = hosts.dup.freeze
+        self._allowed_redirect_hosts = hosts
+        self.allowed_redirect_hosts_permissions = if hosts.present?
+          ActionDispatch::HostAuthorization::Permissions.new(hosts)
+        end
+      end
     end
 
     # Redirects the browser to the target specified in `options`. This parameter can
@@ -91,7 +117,11 @@ module ActionController
     #
     #     redirect_to params[:redirect_url]
     #
-    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    # The `action_on_open_redirect` configuration option controls the behavior when an unsafe
+    # redirect is detected:
+    # * `:log` - Logs a warning but allows the redirect
+    # * `:notify` - Sends an ActiveSupport notification for monitoring
+    # * `:raise` - Raises an UnsafeRedirectError
     #
     # To allow any external redirects pass `allow_other_host: true`, though using a
     # user-provided param in that case is unsafe.
@@ -100,11 +130,31 @@ module ActionController
     #
     # See #url_from for more information on what an internal and safe URL is, or how
     # to fall back to an alternate redirect URL in the unsafe case.
+    #
+    # ### Path Relative URL Redirect Protection
+    #
+    # Rails also protects against potentially unsafe path relative URL redirects that don't
+    # start with a leading slash. These can create security vulnerabilities:
+    #
+    #     redirect_to "example.com"     # Creates http://yourdomain.comexample.com
+    #     redirect_to "@attacker.com"   # Creates http://yourdomain.com@attacker.com
+    #                                   # which browsers interpret as user@host
+    #
+    # You can configure how Rails handles these cases using:
+    #
+    #     config.action_controller.action_on_path_relative_redirect = :log    # default
+    #     config.action_controller.action_on_path_relative_redirect = :notify
+    #     config.action_controller.action_on_path_relative_redirect = :raise
+    #
+    # * `:log` - Logs a warning but allows the redirect
+    # * `:notify` - Sends an ActiveSupport notification but allows the redirect
+    #   (includes stack trace to help identify the source)
+    # * `:raise` - Raises an UnsafeRedirectError
     def redirect_to(options = {}, response_options = {})
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
-      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+      allow_other_host = response_options.delete(:allow_other_host)
 
       proposed_status = _extract_redirect_to_status(options, response_options)
 
@@ -166,6 +216,10 @@ module ActionController
       when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
         options.to_str
       when String
+        if !options.start_with?("/", "?") && !options.empty?
+          _handle_path_relative_redirect(options)
+        end
+
         request.protocol + request.host_with_port + options
       when Proc
         _compute_redirect_to_location request, instance_eval(&options)
@@ -207,7 +261,9 @@ module ActionController
 
     private
       def _allow_other_host
-        !raise_on_open_redirects
+        return false if raise_on_open_redirects
+
+        action_on_open_redirect != :raise
       end
 
       def _extract_redirect_to_status(options, response_options)
@@ -221,20 +277,42 @@ module ActionController
       end
 
       def _enforce_open_redirect_protection(location, allow_other_host:)
+        # Explictly allowed other host or host is in allow list allow redirect
         if allow_other_host || _url_host_allowed?(location)
           location
+        # Explicitly disallowed other host
+        elsif allow_other_host == false
+          raise OpenRedirectError.new(location)
+        # Configuration disallows other hosts
+        elsif !_allow_other_host
+          raise OpenRedirectError.new(location)
+        # Log but allow redirect
+        elsif action_on_open_redirect == :log
+          logger.warn "Open redirect to #{location.inspect} detected" if logger
+          location
+        # Notify but allow redirect
+        elsif action_on_open_redirect == :notify
+          ActiveSupport::Notifications.instrument("open_redirect.action_controller",
+            location: location,
+            request: request,
+            stack_trace: caller,
+          )
+          location
+        # Fall through, should not happen but raise for safety
         else
-          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+          raise OpenRedirectError.new(location)
         end
       end
 
       def _url_host_allowed?(url)
-        host = URI(url.to_s).host
+        url_to_s = url.to_s
+        host = URI(url_to_s).host
 
-        return true if host == request.host
-        return false unless host.nil?
-        return false unless url.to_s.start_with?("/")
-        !url.to_s.start_with?("//")
+        if host.nil?
+          url_to_s.start_with?("/") && !url_to_s.start_with?("//")
+        else
+          host == request.host || self.class.allowed_redirect_hosts_permissions&.allows?(host)
+        end
       rescue ArgumentError, URI::Error
         false
       end
@@ -248,5 +326,22 @@ module ActionController
           raise UnsafeRedirectError, msg
         end
       end
+
+      def _handle_path_relative_redirect(url)
+        message = "Path relative URL redirect detected: #{url.inspect}"
+
+        case action_on_path_relative_redirect
+        when :log
+          logger&.warn message
+        when :notify
+          ActiveSupport::Notifications.instrument("unsafe_redirect.action_controller",
+            url: url,
+            message: message,
+            stack_trace: caller
+          )
+        when :raise
+          raise PathRelativeRedirectError.new(url)
+        end
+      end
   end
 end