actionpack 8.0.3 → 8.1.0

data/lib/action_controller/metal/renderers.rb

@@ -27,8 +27,23 @@ module ActionController
     # Default values are `:json`, `:js`, `:xml`.
     RENDERERS = Set.new
 
+    module DeprecatedEscapeJsonResponses # :nodoc:
+      def escape_json_responses=(value)
+        if value
+          ActionController.deprecator.warn(<<~MSG.squish)
+            Setting action_controller.escape_json_responses = true is deprecated and will have no effect in Rails 8.2.
+            Set it to `false`, or remove the config.
+          MSG
+        end
+        super
+      end
+    end
+
     included do
       class_attribute :_renderers, default: Set.new.freeze
+      class_attribute :escape_json_responses, instance_writer: false, instance_accessor: false, default: true
+
+      singleton_class.prepend DeprecatedEscapeJsonResponses
     end
 
     # Used in ActionController::Base and ActionController::API to include all
@@ -86,7 +101,7 @@ module ActionController
       remove_possible_method(method_name)
     end
 
-    def self._render_with_renderer_method_name(key)
+    def self._render_with_renderer_method_name(key) # :nodoc:
       "_render_with_renderer_#{key}"
     end
 
@@ -140,7 +155,7 @@ module ActionController
       _render_to_body_with_renderer(options) || super
     end
 
-    def _render_to_body_with_renderer(options)
+    def _render_to_body_with_renderer(options) # :nodoc:
       _renderers.each do |name|
         if options.key?(name)
           _process_options(options)
@@ -153,28 +168,34 @@ module ActionController
 
     add :json do |json, options|
       json_options = options.except(:callback, :content_type, :status)
+      json_options[:escape] ||= false if !self.class.escape_json_responses? && options[:callback].blank?
       json = json.to_json(json_options) unless json.kind_of?(String)
 
       if options[:callback].present?
         if media_type.nil? || media_type == Mime[:json]
-          self.content_type = Mime[:js]
+          self.content_type = :js
         end
 
         "/**/#{options[:callback]}(#{json})"
       else
-        self.content_type = Mime[:json] if media_type.nil?
+        self.content_type = :json if media_type.nil?
         json
       end
     end
 
     add :js do |js, options|
-      self.content_type = Mime[:js] if media_type.nil?
+      self.content_type = :js if media_type.nil?
       js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
-      self.content_type = Mime[:xml] if media_type.nil?
+      self.content_type = :xml if media_type.nil?
       xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
+
+    add :markdown do |md, options|
+      self.content_type = :md if media_type.nil?
+      md.respond_to?(:to_markdown) ? md.to_markdown : md
+    end
   end
 end

data/lib/action_controller/metal/rendering.rb

@@ -160,6 +160,12 @@ module ActionController
     #         render "posts/new", status: :unprocessable_entity
     #         # => renders app/views/posts/new.html.erb with HTTP status code 422
     #
+    # `:variants`
+    # :  This tells Rails to look for the first template matching any of the variations.
+    #
+    #         render "posts/index", variants: [:mobile]
+    #         # => renders app/views/posts/index.html+mobile.erb
+    #
     #--
     # Check for double render errors and set the content_type after rendering.
     def render(*args)
@@ -208,7 +214,7 @@ module ActionController
       end
 
       def _set_html_content_type
-        self.content_type = Mime[:html].to_s
+        self.content_type = :html
       end
 
       def _set_rendered_content_type(format)

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -71,32 +71,39 @@ module ActionController # :nodoc:
     included do
       # Sets the token parameter name for RequestForgery. Calling
       # `protect_from_forgery` sets it to `:authenticity_token` by default.
-      config_accessor :request_forgery_protection_token
+      singleton_class.delegate :request_forgery_protection_token, :request_forgery_protection_token=, to: :config
+      delegate :request_forgery_protection_token, :request_forgery_protection_token=, to: :config
       self.request_forgery_protection_token ||= :authenticity_token
 
       # Holds the class which implements the request forgery protection.
-      config_accessor :forgery_protection_strategy
+      singleton_class.delegate :forgery_protection_strategy, :forgery_protection_strategy=, to: :config
+      delegate :forgery_protection_strategy, :forgery_protection_strategy=, to: :config
       self.forgery_protection_strategy = nil
 
       # Controls whether request forgery protection is turned on or not. Turned off by
       # default only in test mode.
-      config_accessor :allow_forgery_protection
+      singleton_class.delegate :allow_forgery_protection, :allow_forgery_protection=, to: :config
+      delegate :allow_forgery_protection, :allow_forgery_protection=, to: :config
       self.allow_forgery_protection = true if allow_forgery_protection.nil?
 
       # Controls whether a CSRF failure logs a warning. On by default.
-      config_accessor :log_warning_on_csrf_failure
+      singleton_class.delegate :log_warning_on_csrf_failure, :log_warning_on_csrf_failure=, to: :config
+      delegate :log_warning_on_csrf_failure, :log_warning_on_csrf_failure=, to: :config
       self.log_warning_on_csrf_failure = true
 
       # Controls whether the Origin header is checked in addition to the CSRF token.
-      config_accessor :forgery_protection_origin_check
+      singleton_class.delegate :forgery_protection_origin_check, :forgery_protection_origin_check=, to: :config
+      delegate :forgery_protection_origin_check, :forgery_protection_origin_check=, to: :config
       self.forgery_protection_origin_check = false
 
       # Controls whether form-action/method specific CSRF tokens are used.
-      config_accessor :per_form_csrf_tokens
+      singleton_class.delegate :per_form_csrf_tokens, :per_form_csrf_tokens=, to: :config
+      delegate :per_form_csrf_tokens, :per_form_csrf_tokens=, to: :config
       self.per_form_csrf_tokens = false
 
       # The strategy to use for storing and retrieving CSRF tokens.
-      config_accessor :csrf_token_storage_strategy
+      singleton_class.delegate :csrf_token_storage_strategy, :csrf_token_storage_strategy=, to: :config
+      delegate :csrf_token_storage_strategy, :csrf_token_storage_strategy=, to: :config
       self.csrf_token_storage_strategy = SessionStore.new
 
       helper_method :form_authenticity_token
@@ -461,7 +468,7 @@ module ActionController # :nodoc:
       # *   Does the `X-CSRF-Token` header match the form_authenticity_token?
       #
       def verified_request? # :doc:
-        !protect_against_forgery? || request.get? || request.head? ||
+        request.get? || request.head? || !protect_against_forgery? ||
           (valid_request_origin? && any_authenticity_token_valid?)
       end
 
@@ -621,6 +628,7 @@ module ActionController # :nodoc:
         If you cannot change the referrer policy, you can disable origin checking with the
         Rails.application.config.action_controller.forgery_protection_origin_check setting.
       MSG
+      private_constant :NULL_ORIGIN_MESSAGE
 
       # Checks if the request originated from the same origin by looking at the Origin
       # header.
@@ -634,7 +642,7 @@ module ActionController # :nodoc:
         end
       end
 
-      def normalize_action_path(action_path) # :doc:
+      def normalize_action_path(action_path)
         uri = URI.parse(action_path)
 
         if uri.relative? && (action_path.blank? || !action_path.start_with?("/"))
@@ -644,7 +652,7 @@ module ActionController # :nodoc:
         end
       end
 
-      def normalize_relative_action_path(rel_action_path) # :doc:
+      def normalize_relative_action_path(rel_action_path)
         uri = URI.parse(request.path)
         # add the action path to the request.path
         uri.path += "/#{rel_action_path}"

data/lib/action_controller/metal/rescue.rb

@@ -13,6 +13,15 @@ module ActionController # :nodoc:
     extend ActiveSupport::Concern
     include ActiveSupport::Rescuable
 
+    module ClassMethods
+      def handler_for_rescue(exception, ...) # :nodoc:
+        if handler = super
+          ActiveSupport::Notifications.instrument("rescue_from_callback.action_controller", exception: exception)
+          handler
+        end
+      end
+    end
+
     # Override this method if you want to customize when detailed exceptions must be
     # shown. This method is only called when `consider_all_requests_local` is
     # `false`. By default, it returns `false`, but someone may set it to

data/lib/action_controller/railtie.rb

@@ -12,9 +12,11 @@ require "action_view/railtie"
 module ActionController
   class Railtie < Rails::Railtie # :nodoc:
     config.action_controller = ActiveSupport::OrderedOptions.new
-    config.action_controller.raise_on_open_redirects = false
+    config.action_controller.action_on_open_redirect = :log
+    config.action_controller.action_on_path_relative_redirect = :log
     config.action_controller.log_query_tags_around_actions = true
     config.action_controller.wrap_parameters_by_default = false
+    config.action_controller.allowed_redirect_hosts = []
 
     config.eager_load_namespaces << AbstractController
     config.eager_load_namespaces << ActionController
@@ -55,7 +57,8 @@ module ActionController
       paths   = app.config.paths
       options = app.config.action_controller
 
-      options.logger      ||= Rails.logger
+      options.logger = options.fetch(:logger, Rails.logger)
+
       options.cache_store ||= Rails.cache
 
       options.javascripts_dir ||= paths["public/javascripts"].first
@@ -93,12 +96,6 @@ module ActionController
       end
     end
 
-    initializer "action_controller.compile_config_methods" do
-      ActiveSupport.on_load(:action_controller) do
-        config.compile_methods! if config.respond_to?(:compile_methods!)
-      end
-    end
-
     initializer "action_controller.request_forgery_protection" do |app|
       ActiveSupport.on_load(:action_controller_base) do
         if app.config.action_controller.default_protect_from_forgery
@@ -107,6 +104,22 @@ module ActionController
       end
     end
 
+    initializer "action_controller.open_redirects" do |app|
+      ActiveSupport.on_load(:action_controller, run_once: true) do
+        if app.config.action_controller.has_key?(:raise_on_open_redirects)
+          ActiveSupport.deprecator.warn(<<~MSG.squish)
+            `raise_on_open_redirects` is deprecated and will be removed in a future Rails version.
+            Use `config.action_controller.action_on_open_redirect = :raise` instead.
+          MSG
+
+          # Fallback to the default behavior in case of `load_default` set `action_on_open_redirect`, but apps set `raise_on_open_redirects`.
+          if app.config.action_controller.raise_on_open_redirects == false && app.config.action_controller.action_on_open_redirect == :raise
+            self.action_on_open_redirect = :log
+          end
+        end
+      end
+    end
+
     initializer "action_controller.query_log_tags" do |app|
       query_logs_tags_enabled = app.config.respond_to?(:active_record) &&
         app.config.active_record.query_log_tags_enabled &&
@@ -139,5 +152,11 @@ module ActionController
         ActionController::TestCase.executor_around_each_request = app.config.active_support.executor_around_test_case
       end
     end
+
+    initializer "action_controller.backtrace_cleaner" do
+      ActiveSupport.on_load(:action_controller) do
+        ActionController::LogSubscriber.backtrace_cleaner = Rails.backtrace_cleaner
+      end
+    end
   end
 end

data/lib/action_controller/structured_event_subscriber.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module ActionController
+  class StructuredEventSubscriber < ActiveSupport::StructuredEventSubscriber # :nodoc:
+    INTERNAL_PARAMS = %w(controller action format _method only_path)
+
+    def start_processing(event)
+      payload = event.payload
+      params = {}
+      payload[:params].each_pair do |k, v|
+        params[k] = v unless INTERNAL_PARAMS.include?(k)
+      end
+      format = payload[:format]
+      format = format.to_s.upcase if format.is_a?(Symbol)
+      format = "*/*" if format.nil?
+
+      emit_event("action_controller.request_started",
+        controller: payload[:controller],
+        action: payload[:action],
+        format:,
+        params:,
+      )
+    end
+
+    def process_action(event)
+      payload = event.payload
+      status = payload[:status]
+
+      if status.nil? && (exception_class_name = payload[:exception]&.first)
+        status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
+      end
+
+      emit_event("action_controller.request_completed", {
+        controller: payload[:controller],
+        action: payload[:action],
+        status: status,
+        **additions_for(payload),
+        duration_ms: event.duration.round(2),
+        gc_time_ms: event.gc_time.round(1),
+      }.compact)
+    end
+
+    def halted_callback(event)
+      emit_event("action_controller.callback_halted", filter: event.payload[:filter])
+    end
+
+    def rescue_from_callback(event)
+      exception = event.payload[:exception]
+      emit_event("action_controller.rescue_from_handled",
+        exception_class: exception.class.name,
+        exception_message: exception.message,
+        exception_backtrace: exception.backtrace&.first&.delete_prefix("#{Rails.root}/")
+      )
+    end
+
+    def send_file(event)
+      emit_event("action_controller.file_sent", path: event.payload[:path], duration_ms: event.duration.round(1))
+    end
+
+    def redirect_to(event)
+      emit_event("action_controller.redirected", location: event.payload[:location])
+    end
+
+    def send_data(event)
+      emit_event("action_controller.data_sent", filename: event.payload[:filename], duration_ms: event.duration.round(1))
+    end
+
+    def unpermitted_parameters(event)
+      unpermitted_keys = event.payload[:keys]
+      context = event.payload[:context]
+
+      emit_debug_event("action_controller.unpermitted_parameters",
+        unpermitted_keys:,
+        context: context.except(:request)
+      )
+    end
+    debug_only :unpermitted_parameters
+
+    def write_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    def read_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    def exist_fragment?(event)
+      fragment_cache(__method__, event)
+    end
+
+    def expire_fragment(event)
+      fragment_cache(__method__, event)
+    end
+
+    private
+      def fragment_cache(method_name, event)
+        key = ActiveSupport::Cache.expand_cache_key(event.payload[:key] || event.payload[:path])
+
+        emit_event("action_controller.fragment_cache",
+          method: "#{method_name}",
+          key: key,
+          duration_ms: event.duration.round(1)
+        )
+      end
+
+      def additions_for(payload)
+        payload.slice(:view_runtime, :db_runtime, :queries_count, :cached_queries_count)
+      end
+  end
+end
+
+ActionController::StructuredEventSubscriber.attach_to :action_controller

data/lib/action_dispatch/http/cache.rb

@@ -63,6 +63,114 @@ module ActionDispatch
             success
           end
         end
+
+        def cache_control_directives
+          @cache_control_directives ||= CacheControlDirectives.new(get_header("HTTP_CACHE_CONTROL"))
+        end
+
+        # Represents the HTTP Cache-Control header for requests,
+        # providing methods to access various cache control directives
+        # Reference: https://www.rfc-editor.org/rfc/rfc9111.html#name-request-directives
+        class CacheControlDirectives
+          def initialize(cache_control_header)
+            @only_if_cached = false
+            @no_cache = false
+            @no_store = false
+            @no_transform = false
+            @max_age = nil
+            @max_stale = nil
+            @min_fresh = nil
+            @stale_if_error = false
+            parse_directives(cache_control_header)
+          end
+
+          # Returns true if the only-if-cached directive is present.
+          # This directive indicates that the client only wishes to obtain a
+          # stored response. If a valid stored response is not available,
+          # the server should respond with a 504 (Gateway Timeout) status.
+          def only_if_cached?
+            @only_if_cached
+          end
+
+          # Returns true if the no-cache directive is present.
+          # This directive indicates that a cache must not use the response
+          # to satisfy subsequent requests without successful validation on the origin server.
+          def no_cache?
+            @no_cache
+          end
+
+          # Returns true if the no-store directive is present.
+          # This directive indicates that a cache must not store any part of the
+          # request or response.
+          def no_store?
+            @no_store
+          end
+
+          # Returns true if the no-transform directive is present.
+          # This directive indicates that a cache or proxy must not transform the payload.
+          def no_transform?
+            @no_transform
+          end
+
+          # Returns the value of the max-age directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose age is no greater than the specified number of seconds.
+          attr_reader :max_age
+
+          # Returns the value of the max-stale directive.
+          # When max-stale is present with a value, returns that integer value.
+          # When max-stale is present without a value, returns true (unlimited staleness).
+          # When max-stale is not present, returns nil.
+          attr_reader :max_stale
+
+          # Returns true if max-stale directive is present (with or without a value)
+          def max_stale?
+            !@max_stale.nil?
+          end
+
+          # Returns true if max-stale directive is present without a value (unlimited staleness)
+          def max_stale_unlimited?
+            @max_stale == true
+          end
+
+          # Returns the value of the min-fresh directive.
+          # This directive indicates that the client is willing to accept a response
+          # whose freshness lifetime is no less than its current age plus the specified time in seconds.
+          attr_reader :min_fresh
+
+          # Returns the value of the stale-if-error directive.
+          # This directive indicates that the client is willing to accept a stale response
+          # if the check for a fresh one fails with an error for the specified number of seconds.
+          attr_reader :stale_if_error
+
+          private
+            def parse_directives(header_value)
+              return unless header_value
+
+              header_value.delete(" ").downcase.split(",").each do |directive|
+                name, value = directive.split("=", 2)
+
+                case name
+                when "max-age"
+                  @max_age = value.to_i
+                when "min-fresh"
+                  @min_fresh = value.to_i
+                when "stale-if-error"
+                  @stale_if_error = value.to_i
+                when "no-cache"
+                  @no_cache = true
+                when "no-store"
+                  @no_store = true
+                when "no-transform"
+                  @no_transform = true
+                when "only-if-cached"
+                  @only_if_cached = true
+                when "max-stale"
+                  @max_stale = value ? value.to_i : true
+                end
+              end
+            end
+        end
       end
 
       module Response
@@ -142,7 +250,7 @@ module ActionDispatch
       private
         DATE          = "Date"
         LAST_MODIFIED = "Last-Modified"
-        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate])
+        SPECIAL_KEYS  = Set.new(%w[extras no-store no-cache max-age public private must-revalidate must-understand])
 
         def generate_weak_etag(validators)
           "W/#{generate_strong_etag(validators)}"
@@ -187,6 +295,7 @@ module ActionDispatch
         PRIVATE               = "private"
         MUST_REVALIDATE       = "must-revalidate"
         IMMUTABLE             = "immutable"
+        MUST_UNDERSTAND       = "must-understand"
 
         def handle_conditional_get!
           # Normally default cache control setting is handled by ETag middleware. But, if
@@ -221,6 +330,7 @@ module ActionDispatch
 
           if control[:no_store]
             options << PRIVATE if control[:private]
+            options << MUST_UNDERSTAND if control[:must_understand]
             options << NO_STORE
           elsif control[:no_cache]
             options << PUBLIC if control[:public]

data/lib/action_dispatch/http/filter_parameters.rb

@@ -17,9 +17,11 @@ module ActionDispatch
     # For more information about filter behavior, see
     # ActiveSupport::ParameterFilter.
     module FilterParameters
-      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"] # :nodoc:
-      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new # :nodoc:
-      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH # :nodoc:
+      # :stopdoc:
+      ENV_MATCH = [/RAW_POST_DATA/, "rack.request.form_vars"]
+      NULL_PARAM_FILTER = ActiveSupport::ParameterFilter.new
+      NULL_ENV_FILTER   = ActiveSupport::ParameterFilter.new ENV_MATCH
+      # :startdoc:
 
       def initialize
         super

data/lib/action_dispatch/http/mime_negotiation.rb

@@ -91,7 +91,49 @@ module ActionDispatch
         end
       end
 
-      # Sets the variant for template.
+      # Sets the \variant for the response template.
+      #
+      # When determining which template to render, Action View will incorporate
+      # all variants from the request. For example, if an
+      # `ArticlesController#index` action needs to respond to
+      # `request.variant = [:ios, :turbo_native]`, it will render the
+      # first template file it can find in the following list:
+      #
+      # - `app/views/articles/index.html+ios.erb`
+      # - `app/views/articles/index.html+turbo_native.erb`
+      # - `app/views/articles/index.html.erb`
+      #
+      # Variants add context to the requests that views render appropriately.
+      # Variant names are arbitrary, and can communicate anything from the
+      # request's platform (`:android`, `:ios`, `:linux`, `:macos`, `:windows`)
+      # to its browser (`:chrome`, `:edge`, `:firefox`, `:safari`), to the type
+      # of user (`:admin`, `:guest`, `:user`).
+      #
+      # Note: Adding many new variant templates with similarities to existing
+      # template files can make maintaining your view code more difficult.
+      #
+      # #### Parameters
+      #
+      # * `variant` - a symbol name or an array of symbol names for variants
+      #   used to render the response template
+      #
+      # #### Examples
+      #
+      #     class ApplicationController < ActionController::Base
+      #       before_action :determine_variants
+      #
+      #       private
+      #         def determine_variants
+      #           variants = []
+      #
+      #           # some code to determine the variant(s) to use
+      #
+      #           variants << :ios if request.user_agent.include?("iOS")
+      #           variants << :turbo_native if request.user_agent.include?("Turbo Native")
+      #
+      #           request.variant = variants
+      #         end
+      #     end
       def variant=(variant)
         variant = Array(variant)
 
@@ -102,6 +144,18 @@ module ActionDispatch
         end
       end
 
+      # Returns the \variant for the response template as an instance of
+      # ActiveSupport::ArrayInquirer.
+      #
+      #     request.variant = :phone
+      #     request.variant.phone?  # => true
+      #     request.variant.tablet? # => false
+      #
+      #     request.variant = [:phone, :tablet]
+      #     request.variant.phone?                  # => true
+      #     request.variant.desktop?                # => false
+      #     request.variant.any?(:phone, :desktop)  # => true
+      #     request.variant.any?(:desktop, :watch)  # => false
       def variant
         @variant ||= ActiveSupport::ArrayInquirer.new
       end

data/lib/action_dispatch/http/mime_types.rb

@@ -13,6 +13,7 @@ Mime::Type.register "text/calendar", :ics
 Mime::Type.register "text/csv", :csv
 Mime::Type.register "text/vcard", :vcf
 Mime::Type.register "text/vtt", :vtt, %w(vtt)
+Mime::Type.register "text/markdown", :md, [], %w(md markdown)
 
 Mime::Type.register "image/png", :png, [], %w(png)
 Mime::Type.register "image/jpeg", :jpeg, [], %w(jpg jpeg jpe pjpeg)