actionpack 8.0.3 → 8.1.0.rc1

data/lib/action_dispatch/http/param_builder.rb

@@ -16,15 +16,27 @@ module ActionDispatch
       @param_depth_limit = param_depth_limit
     end
 
-    cattr_accessor :ignore_leading_brackets
-
-    LEADING_BRACKETS_COMPAT = defined?(::Rack::RELEASE) && ::Rack::RELEASE.to_s.start_with?("2.")
-
     cattr_accessor :default
     self.default = make_default(100)
 
     class << self
       delegate :from_query_string, :from_pairs, :from_hash, to: :default
+
+      def ignore_leading_brackets
+        ActionDispatch.deprecator.warn <<~MSG
+          ActionDispatch::ParamBuilder.ignore_leading_brackets is deprecated and have no effect and will be removed in Rails 8.2.
+        MSG
+
+        @ignore_leading_brackets
+      end
+
+      def ignore_leading_brackets=(value)
+        ActionDispatch.deprecator.warn <<~MSG
+          ActionDispatch::ParamBuilder.ignore_leading_brackets is deprecated and have no effect and will be removed in Rails 8.2.
+        MSG
+
+        @ignore_leading_brackets = value
+      end
     end
 
     def from_query_string(qs, separator: nil, encoding_template: nil)
@@ -69,30 +81,15 @@ module ActionDispatch
           # nil name, treat same as empty string (required by tests)
           k = after = ""
         elsif depth == 0
-          if ignore_leading_brackets || (ignore_leading_brackets.nil? && LEADING_BRACKETS_COMPAT)
-            # Rack 2 compatible behavior, ignore leading brackets
-            if name =~ /\A[\[\]]*([^\[\]]+)\]*/
-              k = $1
-              after = $' || ""
-
-              if !ignore_leading_brackets && (k != $& || !after.empty? && !after.start_with?("["))
-                ActionDispatch.deprecator.warn("Skipping over leading brackets in parameter name #{name.inspect} is deprecated and will parse differently in Rails 8.1 or Rack 3.0.")
-              end
-            else
-              k = name
-              after = ""
-            end
+          # Start of parsing, don't treat [] or [ at start of string specially
+          if start = name.index("[", 1)
+            # Start of parameter nesting, use part before brackets as key
+            k = name[0, start]
+            after = name[start, name.length]
           else
-            # Start of parsing, don't treat [] or [ at start of string specially
-            if start = name.index("[", 1)
-              # Start of parameter nesting, use part before brackets as key
-              k = name[0, start]
-              after = name[start, name.length]
-            else
-              # Plain parameter with no nesting
-              k = name
-              after = ""
-            end
+            # Plain parameter with no nesting
+            k = name
+            after = ""
           end
         elsif name.start_with?("[]")
           # Array nesting
@@ -111,6 +108,10 @@ module ActionDispatch
 
         return if k.empty?
 
+        unless k.valid_encoding?
+          raise InvalidParameterError, "Invalid encoding for parameter: #{k}"
+        end
+
         if depth == 0 && String === v
           # We have to wait until we've found the top part of the name,
           # because that's what the encoding template is configured with

data/lib/action_dispatch/http/parameters.rb

@@ -65,14 +65,14 @@ module ActionDispatch
       alias :params :parameters
 
       def path_parameters=(parameters) # :nodoc:
-        delete_header("action_dispatch.request.parameters")
+        @env.delete("action_dispatch.request.parameters")
 
         parameters = Request::Utils.set_binary_encoding(self, parameters, parameters[:controller], parameters[:action])
         # If any of the path parameters has an invalid encoding then raise since it's
         # likely to trigger errors further on.
         Request::Utils.check_param_encoding(parameters)
 
-        set_header PARAMETERS_KEY, parameters
+        @env[PARAMETERS_KEY] = parameters
       rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
         raise ActionController::BadRequest.new("Invalid path parameters: #{e.message}")
       end
@@ -82,7 +82,7 @@ module ActionDispatch
       #
       #     { action: "my_action", controller: "my_controller" }
       def path_parameters
-        get_header(PARAMETERS_KEY) || set_header(PARAMETERS_KEY, {})
+        @env[PARAMETERS_KEY] ||= {}
       end
 
       private

data/lib/action_dispatch/http/permissions_policy.rb

@@ -186,4 +186,8 @@ module ActionDispatch # :nodoc:
         end
       end
   end
+
+  ActiveSupport.on_load(:action_dispatch_request) do
+    include ActionDispatch::PermissionsPolicy::Request
+  end
 end

data/lib/action_dispatch/http/query_parser.rb

@@ -6,12 +6,21 @@ require "rack"
 module ActionDispatch
   class QueryParser
     DEFAULT_SEP = /& */n
-    COMPAT_SEP = /[&;] */n
     COMMON_SEP = { ";" => /; */n, ";," => /[;,] */n, "&" => /& */n, "&;" => /[&;] */n }
 
-    cattr_accessor :strict_query_string_separator
+    def self.strict_query_string_separator
+      ActionDispatch.deprecator.warn <<~MSG
+        The `strict_query_string_separator` configuration is deprecated have no effect and will be removed in Rails 8.2.
+      MSG
+      @strict_query_string_separator
+    end
 
-    SEMICOLON_COMPAT = defined?(::Rack::QueryParser::DEFAULT_SEP) && ::Rack::QueryParser::DEFAULT_SEP.to_s.include?(";")
+    def self.strict_query_string_separator=(value)
+      ActionDispatch.deprecator.warn <<~MSG
+        The `strict_query_string_separator` configuration is deprecated have no effect and will be removed in Rails 8.2.
+      MSG
+      @strict_query_string_separator = value
+    end
 
     #--
     # Note this departs from WHATWG's specified parsing algorithm by
@@ -25,13 +34,6 @@ module ActionDispatch
       splitter =
         if separator
           COMMON_SEP[separator] || /[#{separator}] */n
-        elsif strict_query_string_separator
-          DEFAULT_SEP
-        elsif SEMICOLON_COMPAT && s.include?(";")
-          if strict_query_string_separator.nil?
-            ActionDispatch.deprecator.warn("Using semicolon as a query string separator is deprecated and will not be supported in Rails 8.1 or Rack 3.0. Use `&` instead.")
-          end
-          COMPAT_SEP
         else
           DEFAULT_SEP
         end

data/lib/action_dispatch/http/request.rb

@@ -25,7 +25,6 @@ module ActionDispatch
     include ActionDispatch::Http::FilterParameters
     include ActionDispatch::Http::URL
     include ActionDispatch::ContentSecurityPolicy::Request
-    include ActionDispatch::PermissionsPolicy::Request
     include Rack::Request::Env
 
     autoload :Session, "action_dispatch/request/session"
@@ -139,7 +138,7 @@ module ActionDispatch
 
     # Populate the HTTP method lookup cache.
     HTTP_METHODS.each { |method|
-      HTTP_METHOD_LOOKUP[method] = method.downcase.underscore.to_sym
+      HTTP_METHOD_LOOKUP[method] = method.downcase.tap { |m| m.tr!("-", "_") }.to_sym
     }
 
     alias raw_request_method request_method # :nodoc:
@@ -158,11 +157,17 @@ module ActionDispatch
     #
     #     request.route_uri_pattern # => "/:controller(/:action(/:id))(.:format)"
     def route_uri_pattern
-      get_header("action_dispatch.route_uri_pattern")
+      unless pattern = get_header("action_dispatch.route_uri_pattern")
+        route = get_header("action_dispatch.route")
+        return if route.nil?
+        pattern = route.path.spec.to_s
+        set_header("action_dispatch.route_uri_pattern", pattern)
+      end
+      pattern
     end
 
-    def route_uri_pattern=(pattern) # :nodoc:
-      set_header("action_dispatch.route_uri_pattern", pattern)
+    def route=(route) # :nodoc:
+      @env["action_dispatch.route"] = route
     end
 
     def routes # :nodoc:

data/lib/action_dispatch/http/response.rb

@@ -277,14 +277,27 @@ module ActionDispatch # :nodoc:
     # Sets the HTTP response's content MIME type. For example, in the controller you
     # could write this:
     #
-    #     response.content_type = "text/plain"
+    #     response.content_type = "text/html"
+    #
+    # This method also accepts a symbol with the extension of the MIME type:
+    #
+    #     response.content_type = :html
     #
     # If a character set has been defined for this response (see #charset=) then the
     # character set information will also be included in the content type
     # information.
     def content_type=(content_type)
-      return unless content_type
-      new_header_info = parse_content_type(content_type.to_s)
+      case content_type
+      when NilClass
+        return
+      when Symbol
+        mime_type = Mime[content_type]
+        raise ArgumentError, "Unknown MIME type #{content_type}" unless mime_type
+        new_header_info = ContentTypeHeader.new(mime_type.to_s)
+      else
+        new_header_info = parse_content_type(content_type.to_s)
+      end
+
       prev_header_info = parsed_content_type_header
       charset = new_header_info.charset || prev_header_info.charset
       charset ||= self.class.default_charset unless prev_header_info.mime_type

data/lib/action_dispatch/http/url.rb

@@ -11,8 +11,105 @@ module ActionDispatch
       HOST_REGEXP     = /(^[^:]+:\/\/)?(\[[^\]]+\]|[^:]+)(?::(\d+$))?/
       PROTOCOL_REGEXP = /^([^:]+)(:)?(\/\/)?$/
 
+      # DomainExtractor provides utility methods for extracting domain and subdomain
+      # information from host strings. This module is used internally by Action Dispatch
+      # to parse host names and separate the domain from subdomains based on the
+      # top-level domain (TLD) length.
+      #
+      # The module assumes a standard domain structure where domains consist of:
+      # - Subdomains (optional, can be multiple levels)
+      # - Domain name
+      # - Top-level domain (TLD, can be multiple levels like .co.uk)
+      #
+      # For example, in "api.staging.example.co.uk":
+      # - Subdomains: ["api", "staging"]
+      # - Domain: "example.co.uk" (with tld_length=2)
+      # - TLD: "co.uk"
+      module DomainExtractor
+        extend self
+
+        # Extracts the domain part from a host string, including the specified
+        # number of top-level domain components.
+        #
+        # The domain includes the main domain name plus the TLD components.
+        # The +tld_length+ parameter specifies how many components from the right
+        # should be considered part of the TLD.
+        #
+        # ==== Parameters
+        #
+        # [+host+]
+        #   The host string to extract the domain from.
+        #
+        # [+tld_length+]
+        #   The number of domain components that make up the TLD. For example,
+        #   use 1 for ".com" or 2 for ".co.uk".
+        #
+        # ==== Examples
+        #
+        #   # Standard TLD (tld_length = 1)
+        #   DomainExtractor.domain_from("www.example.com", 1)
+        #   # => "example.com"
+        #
+        #   # Country-code TLD (tld_length = 2)
+        #   DomainExtractor.domain_from("www.example.co.uk", 2)
+        #   # => "example.co.uk"
+        #
+        #   # Multiple subdomains
+        #   DomainExtractor.domain_from("api.staging.myapp.herokuapp.com", 1)
+        #   # => "herokuapp.com"
+        #
+        #   # Single component (returns the host itself)
+        #   DomainExtractor.domain_from("localhost", 1)
+        #   # => "localhost"
+        def domain_from(host, tld_length)
+          host.split(".").last(1 + tld_length).join(".")
+        end
+
+        # Extracts the subdomain components from a host string as an Array.
+        #
+        # Returns all the components that come before the domain and TLD parts.
+        # The +tld_length+ parameter is used to determine where the domain begins
+        # so that everything before it is considered a subdomain.
+        #
+        # ==== Parameters
+        #
+        # [+host+]
+        #   The host string to extract subdomains from.
+        #
+        # [+tld_length+]
+        #   The number of domain components that make up the TLD. This affects
+        #   where the domain boundary is calculated.
+        #
+        # ==== Examples
+        #
+        #   # Standard TLD (tld_length = 1)
+        #   DomainExtractor.subdomains_from("www.example.com", 1)
+        #   # => ["www"]
+        #
+        #   # Country-code TLD (tld_length = 2)
+        #   DomainExtractor.subdomains_from("api.staging.example.co.uk", 2)
+        #   # => ["api", "staging"]
+        #
+        #   # No subdomains
+        #   DomainExtractor.subdomains_from("example.com", 1)
+        #   # => []
+        #
+        #   # Single subdomain with complex TLD
+        #   DomainExtractor.subdomains_from("www.mysite.co.uk", 2)
+        #   # => ["www"]
+        #
+        #   # Multiple levels of subdomains
+        #   DomainExtractor.subdomains_from("dev.api.staging.example.com", 1)
+        #   # => ["dev", "api", "staging"]
+        def subdomains_from(host, tld_length)
+          parts = host.split(".")
+          parts[0..-(tld_length + 2)]
+        end
+      end
+
       mattr_accessor :secure_protocol, default: false
       mattr_accessor :tld_length, default: 1
+      mattr_accessor :domain_extractor, default: DomainExtractor
 
       class << self
         # Returns the domain part of a host given the domain level.
@@ -96,34 +193,33 @@ module ActionDispatch
           end
 
           def extract_domain_from(host, tld_length)
-            host.split(".").last(1 + tld_length).join(".")
+            domain_extractor.domain_from(host, tld_length)
           end
 
           def extract_subdomains_from(host, tld_length)
-            parts = host.split(".")
-            parts[0..-(tld_length + 2)]
+            domain_extractor.subdomains_from(host, tld_length)
           end
 
           def build_host_url(host, port, protocol, options, path)
             if match = host.match(HOST_REGEXP)
-              protocol ||= match[1] unless protocol == false
-              host       = match[2]
-              port       = match[3] unless options.key? :port
+              protocol_from_host = match[1] if protocol.nil?
+              host               = match[2]
+              port               = match[3] unless options.key? :port
             end
 
-            protocol = normalize_protocol protocol
+            protocol = protocol_from_host || normalize_protocol(protocol).dup
             host     = normalize_host(host, options)
+            port     = normalize_port(port, protocol)
 
-            result = protocol.dup
+            result = protocol
 
             if options[:user] && options[:password]
               result << "#{Rack::Utils.escape(options[:user])}:#{Rack::Utils.escape(options[:password])}@"
             end
 
             result << host
-            normalize_port(port, protocol) { |normalized_port|
-              result << ":#{normalized_port}"
-            }
+
+            result << ":" << port.to_s if port
 
             result.concat path
           end
@@ -169,11 +265,11 @@ module ActionDispatch
             return unless port
 
             case protocol
-            when "//" then yield port
+            when "//" then port
             when "https://"
-              yield port unless port.to_i == 443
+              port unless port.to_i == 443
             else
-              yield port unless port.to_i == 80
+              port unless port.to_i == 80
             end
           end
       end

data/lib/action_dispatch/journey/gtg/simulator.rb

@@ -2,8 +2,6 @@
 
 # :markup: markdown
 
-require "strscan"
-
 module ActionDispatch
   module Journey # :nodoc:
     module GTG # :nodoc:
@@ -16,7 +14,13 @@ module ActionDispatch
       end
 
       class Simulator # :nodoc:
-        INITIAL_STATE = [ [0, nil] ].freeze
+        STATIC_TOKENS = Array.new(64)
+        STATIC_TOKENS[".".ord] = "."
+        STATIC_TOKENS["/".ord] = "/"
+        STATIC_TOKENS["?".ord] = "?"
+        STATIC_TOKENS.freeze
+
+        INITIAL_STATE = [0, nil].freeze
 
         attr_reader :tt
 
@@ -25,21 +29,38 @@ module ActionDispatch
         end
 
         def memos(string)
-          input = StringScanner.new(string)
           state = INITIAL_STATE
-          start_index = 0
 
-          while sym = input.scan(%r([/.?]|[^/.?]+))
-            end_index = start_index + sym.length
+          pos = 0
+          eos = string.bytesize
+
+          while pos < eos
+            start_index = pos
+            pos += 1
 
-            state = tt.move(state, string, start_index, end_index)
+            if (token = STATIC_TOKENS[string.getbyte(start_index)])
+              state = tt.move(state, string, token, start_index, false)
+            else
+              while pos < eos && STATIC_TOKENS[string.getbyte(pos)].nil?
+                pos += 1
+              end
 
-            start_index = end_index
+              token = string.byteslice(start_index, pos - start_index)
+              state = tt.move(state, string, token, start_index, true)
+            end
           end
 
-          acceptance_states = state.each_with_object([]) do |s_d, memos|
-            s, idx = s_d
-            memos.concat(tt.memo(s)) if idx.nil? && tt.accepting?(s)
+          acceptance_states = []
+          states_count = state.size
+          i = 0
+          while i < states_count
+            if state[i + 1].nil?
+              s = state[i]
+              if tt.accepting?(s)
+                acceptance_states.concat(tt.memo(s))
+              end
+            end
+            i += 2
           end
 
           acceptance_states.empty? ? yield : acceptance_states

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -13,7 +13,6 @@ module ActionDispatch
         attr_reader :memos
 
         DEFAULT_EXP = /[^.\/?]+/
-        DEFAULT_EXP_ANCHORED = /\A#{DEFAULT_EXP}\Z/
 
         def initialize
           @stdparam_states = {}
@@ -47,25 +46,27 @@ module ActionDispatch
           Array(t)
         end
 
-        def move(t, full_string, start_index, end_index)
+        def move(t, full_string, token, start_index, token_matches_default)
           return [] if t.empty?
 
           next_states = []
 
-          tok = full_string.slice(start_index, end_index - start_index)
-          token_matches_default_component = DEFAULT_EXP_ANCHORED.match?(tok)
-
-          t.each { |s, previous_start|
+          transitions_count = t.size
+          i = 0
+          while i < transitions_count
+            s = t[i]
+            previous_start = t[i + 1]
             if previous_start.nil?
               # In the simple case of a "default" param regex do this fast-path and add all
               # next states.
-              if token_matches_default_component && states = @stdparam_states[s]
-                states.each { |re, v| next_states << [v, nil].freeze if !v.nil? }
+              if token_matches_default && std_state = @stdparam_states[s]
+                next_states << std_state << nil
               end
 
               # When we have a literal string, we can just pull the next state
               if states = @string_states[s]
-                next_states << [states[tok], nil].freeze unless states[tok].nil?
+                state = states[token]
+                next_states << state << nil unless state.nil?
               end
             end
 
@@ -80,19 +81,21 @@ module ActionDispatch
                 previous_start
               end
 
-              slice_length = end_index - slice_start
+              slice_length = start_index + token.length - slice_start
               curr_slice = full_string.slice(slice_start, slice_length)
 
               states.each { |re, v|
                 # if we match, we can try moving past this
-                next_states << [v, nil].freeze if !v.nil? && re.match?(curr_slice)
+                next_states << v << nil if !v.nil? && re.match?(curr_slice)
               }
 
               # and regardless, we must continue accepting tokens and retrying this regexp. we
               # need to remember where we started as well so we can take bigger slices.
-              next_states << [s, slice_start].freeze
+              next_states << s << slice_start
             end
-          }
+
+            i += 2
+          end
 
           next_states
         end
@@ -163,54 +166,43 @@ module ActionDispatch
         end
 
         def []=(from, to, sym)
-          to_mappings = states_hash_for(sym)[from] ||= {}
           case sym
+          when String, Symbol
+            to_mapping = @string_states[from] ||= {}
+            # account for symbols in the constraints the same as strings
+            to_mapping[sym.to_s] = to
           when Regexp
-            # we must match the whole string to a token boundary
             if sym == DEFAULT_EXP
-              sym = DEFAULT_EXP_ANCHORED
+              @stdparam_states[from] = to
             else
-              sym = /\A#{sym}\Z/
+              to_mapping = @regexp_states[from] ||= {}
+              # we must match the whole string to a token boundary
+              to_mapping[/\A#{sym}\Z/] = to
             end
-          when Symbol
-            # account for symbols in the constraints the same as strings
-            sym = sym.to_s
+          else
+            raise ArgumentError, "unknown symbol: %s" % sym.class
           end
-          to_mappings[sym] = to
         end
 
         def states
           ss = @string_states.keys + @string_states.values.flat_map(&:values)
-          ps = @stdparam_states.keys + @stdparam_states.values.flat_map(&:values)
+          ps = @stdparam_states.keys + @stdparam_states.values
           rs = @regexp_states.keys + @regexp_states.values.flat_map(&:values)
           (ss + ps + rs).uniq
         end
 
         def transitions
+          # double escaped because dot evaluates escapes
+          default_exp_anchored = "\\\\A#{DEFAULT_EXP.source}\\\\Z"
+
           @string_states.flat_map { |from, hash|
             hash.map { |s, to| [from, s, to] }
-          } + @stdparam_states.flat_map { |from, hash|
-            hash.map { |s, to| [from, s, to] }
+          } + @stdparam_states.map { |from, to|
+            [from, default_exp_anchored, to]
           } + @regexp_states.flat_map { |from, hash|
-            hash.map { |s, to| [from, s, to] }
+            hash.map { |r, to| [from, r.source.gsub("\\") { "\\\\" }, to] }
           }
         end
-
-        private
-          def states_hash_for(sym)
-            case sym
-            when String, Symbol
-              @string_states
-            when Regexp
-              if sym == DEFAULT_EXP
-                @stdparam_states
-              else
-                @regexp_states
-              end
-            else
-              raise ArgumentError, "unknown symbol: %s" % sym.class
-            end
-          end
       end
     end
   end

data/lib/action_dispatch/journey/nodes/node.rb

@@ -74,6 +74,7 @@ module ActionDispatch
         def initialize(left)
           @left = left
           @memo = nil
+          @to_s = nil
         end
 
         def each(&block)
@@ -81,7 +82,7 @@ module ActionDispatch
         end
 
         def to_s
-          Visitors::String::INSTANCE.accept(self, "")
+          @to_s ||= Visitors::String::INSTANCE.accept(self, "".dup).freeze
         end
 
         def to_dot