actionpack 5.1.0.rc1 → 5.1.0.rc2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e2d161d451c124876c1a7514f155780ba418d16e
-  data.tar.gz: f22881573e854eac0be7c4727d5f1289a7d849e9
+  metadata.gz: e39f685ae0790d0a921d6c8671f476b177f76b5c
+  data.tar.gz: a5df75af538dd2eddccbb78c9af25812095198bd
 SHA512:
-  metadata.gz: d5c053839dd73ab090207928e1a5635c31bf637425f2d875d1dd6d26366d3b23e66e0c7004b4577e38b9049a9b9511c0ca3aa8d679c24784db2e0452bcdc1667
-  data.tar.gz: 9dd0e7bc6a77d7f84ed680c0298ba3d6d890eb679a0b912a0206e286d536cdee8f1ac6ab53fb1b49e938180a0ff625a6e3189b623d79bdbb082404f683569b90
+  metadata.gz: dc81f45547b89eb5d37c9bb0ccf95440693d323634beaaec56797bbfe6e706dd4913a5c8ae0bc92c82af526c829d9632e767570060607a6d12861172e67ae0f5
+  data.tar.gz: a7d302843440b69b5596f99f5b1341697f577999599aca6563d7dc8a6d7f7f25beadc85928f4497eea8fac8f8da29101f8b0a6c699e9610ced9baf26d2a823fc

data/CHANGELOG.md

@@ -1,3 +1,70 @@
+## Rails 5.1.0.rc2 (April 20, 2017) ##
+
+*   Raise exception when calling `to_h` and `to_hash` in an unpermitted Parameters.
+
+    Before we returned either an empty hash or only the always permitted parameters
+    (`:controller` and `:action` by default).
+
+    The previous behavior was dangerous because in order to get the attributes users
+    usually fallback to use `to_unsafe_h that` could potentially introduce security issues.
+
+    *Rafael Mendonça França*
+
+*   Deprecate `config.action_controller.raise_on_unfiltered_parameters`.
+
+    This option has no effect in Rails 5.1.
+
+    *Rafael Mendonça França*
+
+*   Use more specific check for :format in route path
+
+    The current check for whether to add an optional format to the path is very lax
+    and will match things like `:format_id` where there are nested resources, e.g:
+
+    ``` ruby
+    resources :formats do
+      resources :items
+    end
+    ```
+
+    Fix this by using a more restrictive regex pattern that looks for the patterns
+    `(.:format)`, `.:format` or `/` at the end of the path. Note that we need to
+    allow for multiple closing parenthesis since the route may be of this form:
+
+    ``` ruby
+    get "/books(/:action(.:format))", controller: "books"
+    ```
+
+    This probably isn't what's intended since it means that the default index action
+    route doesn't support a format but we have a test for it so we need to allow it.
+
+    Fixes #28517.
+
+    *Andrew White*
+
+*   Add `action_controller_api` and `action_controller_base` load hooks to be called in `ActiveSupport.on_load`
+
+    `ActionController::Base` and `ActionController::API` have differing implementations. This means that
+    the one umbrella hook `action_controller` is not able to address certain situations where a method
+    may not exist in a certain implementation.
+
+    This is fixed by adding two new hooks so you can target `ActionController::Base` vs `ActionController::API`
+
+    Fixes #27013.
+
+    *Julian Nadeau*
+
+*   Don't include default headers in `ActionController::Metal` responses
+
+    The commit e16afe6 introduced an unintentional change of behavior where the default
+    headers were included in responses from `ActionController::Metai` based controllers.
+    This is now reverted to the previous behavior of having no default headers.
+
+    Fixes #25820.
+
+    *Jon Moss*
+
+
 ## Rails 5.1.0.rc1 (March 20, 2017) ##
 
 *   Fix `NameError` raised in `ActionController::Renderer#with_defaults`

data/lib/action_controller/api.rb

@@ -141,6 +141,7 @@ module ActionController
       include mod
     end
 
+    ActiveSupport.run_load_hooks(:action_controller_api, self)
     ActiveSupport.run_load_hooks(:action_controller, self)
   end
 end

data/lib/action_controller/base.rb

@@ -261,6 +261,13 @@ module ActionController
       PROTECTED_IVARS
     end
 
+    def self.make_response!(request)
+      ActionDispatch::Response.create.tap do |res|
+        res.request = request
+      end
+    end
+
+    ActiveSupport.run_load_hooks(:action_controller_base, self)
     ActiveSupport.run_load_hooks(:action_controller, self)
   end
 end

data/lib/action_controller/metal.rb

@@ -129,7 +129,7 @@ module ActionController
     end
 
     def self.make_response!(request)
-      ActionDispatch::Response.create.tap do |res|
+      ActionDispatch::Response.new.tap do |res|
         res.request = request
       end
     end

data/lib/action_controller/metal/params_wrapper.rb

@@ -105,7 +105,11 @@ module ActionController
 
           unless super || exclude
             if m.respond_to?(:attribute_names) && m.attribute_names.any?
-              self.include = m.attribute_names
+              if m.respond_to?(:stored_attributes) && !m.stored_attributes.empty?
+                self.include = m.attribute_names + m.stored_attributes.values.flatten.map(&:to_s)
+              else
+                self.include = m.attribute_names
+              end
             end
           end
         end

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -213,7 +213,11 @@ module ActionController #:nodoc:
 
         if !verified_request?
           if logger && log_warning_on_csrf_failure
-            logger.warn "Can't verify CSRF token authenticity."
+            if valid_request_origin?
+              logger.warn "Can't verify CSRF token authenticity."
+            else
+              logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})"
+            end
           end
           handle_unverified_request
         end

data/lib/action_controller/metal/strong_parameters.rb

@@ -43,6 +43,18 @@ module ActionController
     end
   end
 
+  # Raised when a Parameters instance is not marked as permitted and
+  # an operation to transform it to hash is called.
+  #
+  #   params = ActionController::Parameters.new(a: "123", b: "456")
+  #   params.to_h
+  #   # => ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash
+  class UnfilteredParameters < ArgumentError
+    def initialize # :nodoc:
+      super("unable to convert unpermitted parameters to hash")
+    end
+  end
+
   # == Action Controller \Parameters
   #
   # Allows you to choose which attributes should be whitelisted for mass updating
@@ -53,9 +65,9 @@ module ActionController
   #
   #   params = ActionController::Parameters.new({
   #     person: {
-  #       name: 'Francesco',
+  #       name: "Francesco",
   #       age:  22,
-  #       role: 'admin'
+  #       role: "admin"
   #     }
   #   })
   #
@@ -103,7 +115,7 @@ module ActionController
   # You can fetch values of <tt>ActionController::Parameters</tt> using either
   # <tt>:key</tt> or <tt>"key"</tt>.
   #
-  #   params = ActionController::Parameters.new(key: 'value')
+  #   params = ActionController::Parameters.new(key: "value")
   #   params[:key]  # => "value"
   #   params["key"] # => "value"
   class Parameters
@@ -203,13 +215,13 @@ module ActionController
     #   class Person < ActiveRecord::Base
     #   end
     #
-    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params = ActionController::Parameters.new(name: "Francesco")
     #   params.permitted?  # => false
     #   Person.new(params) # => ActiveModel::ForbiddenAttributesError
     #
     #   ActionController::Parameters.permit_all_parameters = true
     #
-    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params = ActionController::Parameters.new(name: "Francesco")
     #   params.permitted?  # => true
     #   Person.new(params) # => #<Person id: nil, name: "Francesco">
     def initialize(parameters = {})
@@ -228,13 +240,14 @@ module ActionController
     end
 
     # Returns a safe <tt>ActiveSupport::HashWithIndifferentAccess</tt>
-    # representation of this parameter with all unpermitted keys removed.
+    # representation of the parameters with all unpermitted keys removed.
     #
     #   params = ActionController::Parameters.new({
-    #     name: 'Senjougahara Hitagi',
-    #     oddity: 'Heavy stone crab'
+    #     name: "Senjougahara Hitagi",
+    #     oddity: "Heavy stone crab"
     #   })
-    #   params.to_h # => {}
+    #   params.to_h
+    #   # => ActionController::UnfilteredParameters: unable to convert unfiltered parameters to hash
     #
     #   safe_params = params.permit(:name)
     #   safe_params.to_h # => {"name"=>"Senjougahara Hitagi"}
@@ -242,17 +255,61 @@ module ActionController
       if permitted?
         convert_parameters_to_hashes(@parameters, :to_h)
       else
-        slice(*self.class.always_permitted_parameters).permit!.to_h
+        raise UnfilteredParameters
       end
     end
 
+    # Returns a safe <tt>Hash</tt> representation of the parameters
+    # with all unpermitted keys removed.
+    #
+    #   params = ActionController::Parameters.new({
+    #     name: "Senjougahara Hitagi",
+    #     oddity: "Heavy stone crab"
+    #   })
+    #   params.to_hash
+    #   # => ActionController::UnfilteredParameters: unable to convert unfiltered parameters to hash
+    #
+    #   safe_params = params.permit(:name)
+    #   safe_params.to_hash # => {"name"=>"Senjougahara Hitagi"}
+    def to_hash
+      to_h.to_hash
+    end
+
+    # Returns a string representation of the receiver suitable for use as a URL
+    # query string:
+    #
+    #   params = ActionController::Parameters.new({
+    #     name: "David",
+    #     nationality: "Danish"
+    #   })
+    #   params.to_query
+    #   # => "name=David&nationality=Danish"
+    #
+    # An optional namespace can be passed to enclose key names:
+    #
+    #   params = ActionController::Parameters.new({
+    #     name: "David",
+    #     nationality: "Danish"
+    #   })
+    #   params.to_query("user")
+    #   # => "user%5Bname%5D=David&user%5Bnationality%5D=Danish"
+    #
+    # The string pairs "key=value" that conform the query string
+    # are sorted lexicographically in ascending order.
+    #
+    # This method is also aliased as +to_param+.
+    def to_query(*args)
+      to_h.to_query(*args)
+    end
+    alias_method :to_param, :to_query
+
     # Returns an unsafe, unfiltered
-    # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of this
-    # parameter.
+    # <tt>ActiveSupport::HashWithIndifferentAccess</tt> representation of the
+    # parameters.
     #
     #   params = ActionController::Parameters.new({
-    #     name: 'Senjougahara Hitagi',
-    #     oddity: 'Heavy stone crab'
+    #     name: "Senjougahara Hitagi",
+    #     oddity: "Heavy stone crab"
     #   })
     #   params.to_unsafe_h
     #   # => {"name"=>"Senjougahara Hitagi", "oddity" => "Heavy stone crab"}
@@ -297,7 +354,7 @@ module ActionController
     #   class Person < ActiveRecord::Base
     #   end
     #
-    #   params = ActionController::Parameters.new(name: 'Francesco')
+    #   params = ActionController::Parameters.new(name: "Francesco")
     #   params.permitted?  # => false
     #   Person.new(params) # => ActiveModel::ForbiddenAttributesError
     #   params.permit!
@@ -319,7 +376,7 @@ module ActionController
     # When passed a single key, if it exists and its associated value is
     # either present or the singleton +false+, returns said value:
     #
-    #   ActionController::Parameters.new(person: { name: 'Francesco' }).require(:person)
+    #   ActionController::Parameters.new(person: { name: "Francesco" }).require(:person)
     #   # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #
     # Otherwise raises <tt>ActionController::ParameterMissing</tt>:
@@ -352,7 +409,7 @@ module ActionController
     # Technically this method can be used to fetch terminal values:
     #
     #   # CAREFUL
-    #   params = ActionController::Parameters.new(person: { name: 'Finn' })
+    #   params = ActionController::Parameters.new(person: { name: "Finn" })
     #   name = params.require(:person).require(:name) # CAREFUL
     #
     # but take into account that at some point those ones have to be permitted:
@@ -382,7 +439,7 @@ module ActionController
     # for the object to +true+. This is useful for limiting which attributes
     # should be allowed for mass updating.
     #
-    #   params = ActionController::Parameters.new(user: { name: 'Francesco', age: 22, role: 'admin' })
+    #   params = ActionController::Parameters.new(user: { name: "Francesco", age: 22, role: "admin" })
     #   permitted = params.require(:user).permit(:name, :age)
     #   permitted.permitted?      # => true
     #   permitted.has_key?(:name) # => true
@@ -402,7 +459,7 @@ module ActionController
     # You may declare that the parameter should be an array of permitted scalars
     # by mapping it to an empty array:
     #
-    #   params = ActionController::Parameters.new(tags: ['rails', 'parameters'])
+    #   params = ActionController::Parameters.new(tags: ["rails", "parameters"])
     #   params.permit(tags: [])
     #
     # Sometimes it is not possible or convenient to declare the valid keys of
@@ -418,11 +475,11 @@ module ActionController
     #
     #   params = ActionController::Parameters.new({
     #     person: {
-    #       name: 'Francesco',
+    #       name: "Francesco",
     #       age:  22,
     #       pets: [{
-    #         name: 'Purplish',
-    #         category: 'dogs'
+    #         name: "Purplish",
+    #         category: "dogs"
     #       }]
     #     }
     #   })
@@ -441,8 +498,8 @@ module ActionController
     #   params = ActionController::Parameters.new({
     #     person: {
     #       contact: {
-    #         email: 'none@test.com',
-    #         phone: '555-1234'
+    #         email: "none@test.com",
+    #         phone: "555-1234"
     #       }
     #     }
     #   })
@@ -475,7 +532,7 @@ module ActionController
     # Returns a parameter for the given +key+. If not found,
     # returns +nil+.
     #
-    #   params = ActionController::Parameters.new(person: { name: 'Francesco' })
+    #   params = ActionController::Parameters.new(person: { name: "Francesco" })
     #   params[:person] # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #   params[:none]   # => nil
     def [](key)
@@ -494,11 +551,11 @@ module ActionController
     # if more arguments are given, then that will be returned; if a block
     # is given, then that will be run and its result returned.
     #
-    #   params = ActionController::Parameters.new(person: { name: 'Francesco' })
+    #   params = ActionController::Parameters.new(person: { name: "Francesco" })
     #   params.fetch(:person)               # => <ActionController::Parameters {"name"=>"Francesco"} permitted: false>
     #   params.fetch(:none)                 # => ActionController::ParameterMissing: param is missing or the value is empty: none
-    #   params.fetch(:none, 'Francesco')    # => "Francesco"
-    #   params.fetch(:none) { 'Francesco' } # => "Francesco"
+    #   params.fetch(:none, "Francesco")    # => "Francesco"
+    #   params.fetch(:none) { "Francesco" } # => "Francesco"
     def fetch(key, *args)
       convert_value_to_parameters(
         @parameters.fetch(key) {
@@ -713,8 +770,6 @@ module ActionController
       end
     end
 
-    undef_method :to_param
-
     # Returns duplicate of object including all parameters.
     def deep_dup
       self.class.new(@parameters.deep_dup).tap do |duplicate|

data/lib/action_controller/railtie.rb

@@ -22,6 +22,10 @@ module ActionController
     initializer "action_controller.parameters_config" do |app|
       options = app.config.action_controller
 
+      if options.delete(:raise_on_unfiltered_parameters)
+        ActiveSupport::Deprecation.warn("raise_on_unfiltered_parameters is deprecated and has no effect in Rails 5.1.")
+      end
+
       ActionController::Parameters.permit_all_parameters = options.delete(:permit_all_parameters) { false }
       if app.config.action_controller[:always_permitted_parameters]
         ActionController::Parameters.always_permitted_parameters =

data/lib/action_controller/test_case.rb

@@ -534,7 +534,6 @@ module ActionController
             @request.delete_header "HTTP_ACCEPT"
           end
           @request.query_string = ""
-          @request.env.delete "PATH_INFO"
 
           @response.sent!
         end

data/lib/action_dispatch/http/parameters.rb

@@ -115,6 +115,7 @@ module ActionDispatch
   end
 
   module ParamsParser
-    ParseError = ActiveSupport::Deprecation::DeprecatedConstantProxy.new("ActionDispatch::ParamsParser::ParseError", "ActionDispatch::Http::Parameters::ParseError")
+    include ActiveSupport::Deprecation::DeprecatedConstantAccessor
+    deprecate_constant "ParseError", "ActionDispatch::Http::Parameters::ParseError"
   end
 end

data/lib/action_dispatch/routing.rb

@@ -254,14 +254,5 @@ module ActionDispatch
 
     SEPARATORS = %w( / . ? ) #:nodoc:
     HTTP_METHODS = [:get, :head, :post, :patch, :put, :delete, :options] #:nodoc:
-
-    #:stopdoc:
-    INSECURE_URL_PARAMETERS_MESSAGE = <<-MSG.squish
-      Attempting to generate a URL from non-sanitized request parameters!
-
-      An attacker can inject malicious data into the generated URL, such as
-      changing the host. Whitelist and sanitize passed parameters to be secure.
-    MSG
-    #:startdoc:
   end
 end

data/lib/action_dispatch/routing/mapper.rb

@@ -54,6 +54,7 @@ module ActionDispatch
 
       class Mapping #:nodoc:
         ANCHOR_CHARACTERS_REGEX = %r{\A(\\A|\^)|(\\Z|\\z|\$)\Z}
+        OPTIONAL_FORMAT_REGEX = %r{(?:\(\.:format\)+|\.:format|/)\Z}
 
         attr_reader :requirements, :defaults
         attr_reader :to, :default_controller, :default_action
@@ -93,7 +94,7 @@ module ActionDispatch
         end
 
         def self.optional_format?(path, format)
-          format != false && !path.include?(":format") && !path.end_with?("/")
+          format != false && path !~ OPTIONAL_FORMAT_REGEX
         end
 
         def initialize(set, ast, defaults, controller, default_action, modyoule, to, formatted, scope_constraints, blocks, via, options_constraints, anchor, options)

data/lib/action_dispatch/routing/route_set.rb

@@ -318,11 +318,7 @@ module ActionDispatch
                   when Hash
                     args.pop
                   when ActionController::Parameters
-                    if last.permitted?
-                      args.pop.to_h
-                    else
-                      raise ArgumentError, ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE
-                    end
+                    args.pop.to_h
                   end
                 helper.call self, args, options
               end

data/lib/action_dispatch/routing/url_for.rb

@@ -171,17 +171,10 @@ module ActionDispatch
         case options
         when nil
           _routes.url_for(url_options.symbolize_keys)
-        when Hash
+        when Hash, ActionController::Parameters
           route_name = options.delete :use_route
-          _routes.url_for(options.symbolize_keys.reverse_merge!(url_options),
-                         route_name)
-        when ActionController::Parameters
-          unless options.permitted?
-            raise ArgumentError.new(ActionDispatch::Routing::INSECURE_URL_PARAMETERS_MESSAGE)
-          end
-          route_name = options.delete :use_route
-          _routes.url_for(options.to_h.symbolize_keys.
-                          reverse_merge!(url_options), route_name)
+          merged_url_options = options.to_h.symbolize_keys.reverse_merge!(url_options)
+          _routes.url_for(merged_url_options, route_name)
         when String
           options
         when Symbol

data/lib/action_dispatch/system_test_case.rb

@@ -87,7 +87,7 @@ module ActionDispatch
 
     def initialize(*) # :nodoc:
       super
-      self.class.superclass.driver.use
+      self.class.driver.use
     end
 
     def self.start_application # :nodoc:
@@ -100,6 +100,8 @@ module ActionDispatch
       SystemTesting::Server.new.run
     end
 
+    class_attribute :driver, instance_accessor: false
+
     # System Test configuration options
     #
     # The default settings are Selenium, using Chrome, with a screen size
@@ -113,13 +115,10 @@ module ActionDispatch
     #
     #   driven_by :selenium, screen_size: [800, 800]
     def self.driven_by(driver, using: :chrome, screen_size: [1400, 1400], options: {})
-      @driver = SystemTesting::Driver.new(driver, using: using, screen_size: screen_size, options: options)
+      self.driver = SystemTesting::Driver.new(driver, using: using, screen_size: screen_size, options: options)
     end
 
-    # Returns the driver object for the initialized system test
-    def self.driver
-      @driver ||= SystemTestCase.driven_by(:selenium)
-    end
+    driven_by :selenium
   end
 
   SystemTestCase.start_application

data/lib/action_pack/gem_version.rb

@@ -8,7 +8,7 @@ module ActionPack
     MAJOR = 5
     MINOR = 1
     TINY  = 0
-    PRE   = "rc1"
+    PRE   = "rc2"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 5.1.0.rc1
+  version: 5.1.0.rc2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-20 00:00:00.000000000 Z
+date: 2017-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.1.0.rc1
+        version: 5.1.0.rc2
 description: Web apps on Rails. Simple, battle-tested conventions for building and
   testing MVC web applications. Works with any Rack-compatible server.
 email: david@loudthinking.com