actionpack 7.0.0.alpha2 → 7.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 54388e4a1ef9b5042049784e3866619467e79e5c3944de4e7f46bc7b4484b9fc
-  data.tar.gz: c09a1504b3deaa3f14b5f169ca2a9df9c8d174ed4ba463e5f275f8ab6e803aa1
+  metadata.gz: a040a28754f07052c56e9ef1c1c940413642486fc047c3c844ed8beb37493f5d
+  data.tar.gz: 559e290b6f39a7bc50d3b1791dbb7fc48500ff38642e6ae28d4804dcb8429a33
 SHA512:
-  metadata.gz: 1057c5a7b53bd81075c061b0235ba399f04976fd58df7de676539911a258f5ad32ab26c0576a7b33ae34084e80b17a778c349f26b6a3e83797f14d729cba6c89
-  data.tar.gz: 443b33703639b2382762d5752c00d37e29f07ff258a5bd38f325e3d6e7ffe1e4755053695fcdbb56844b36bb3c06ac0bde558a5690b368ffa44efc5bc64ee39e
+  metadata.gz: 0ab82978fa296a09c177352859e3f8b39938250339ff4d67473ae174799f5a4fd102e545c83615f3ca83eaf00c01f3ab34c654a63e2872161a0758ab9fd8bd2a
+  data.tar.gz: e8b8ae155bd7c6ea6516bc3d980a40eec92b710057b8a461ca91541e4ce488105d09d47f72fb20a328845874420c7f576a0125c3ad92fe0ec444f78e79417927

data/CHANGELOG.md

@@ -1,3 +1,142 @@
+*   `Rails.application.executor` hooks can now be called around every request in a `ActionController::TestCase`
+
+    This helps to better simulate request or job local state being reset between requests and prevent state
+    leaking from one request to another.
+
+    To enable this, set `config.active_support.executor_around_test_case = true` (this is the default in Rails 7).
+
+    *Alex Ghiculescu*
+
+*   Consider onion services secure for cookies.
+
+    *Justin Tracey*
+
+*   Remove deprecated `Rails.config.action_view.raise_on_missing_translations`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated support to passing a path to `fixture_file_upload` relative to `fixture_path`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `ActionDispatch::SystemTestCase#host!`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `Rails.config.action_dispatch.hosts_response_app`.
+
+    *Rafael Mendonça França*
+
+*   Remove deprecated `ActionDispatch::Response.return_only_media_type_on_content_type`.
+
+    *Rafael Mendonça França*
+
+*   Raise `ActionController::Redirecting::UnsafeRedirectError` for unsafe `redirect_to` redirects.
+
+    This allows `rescue_from` to be used to add a default fallback route:
+
+    ```ruby
+    rescue_from ActionController::Redirecting::UnsafeRedirectError do
+      redirect_to root_url
+    end
+    ```
+
+    *Kasper Timm Hansen*, *Chris Oliver*
+
+*   Add `url_from` to verify a redirect location is internal.
+
+    Takes the open redirect protection from `redirect_to` so users can wrap a
+    param, and fall back to an alternate redirect URL when the param provided
+    one is unsafe.
+
+    ```ruby
+    def create
+      redirect_to url_from(params[:redirect_url]) || root_url
+    end
+    ```
+
+    *dmcge*, *Kasper Timm Hansen*
+
+*   Allow Capybara driver name overrides in `SystemTestCase::driven_by`
+
+    Allow users to prevent conflicts among drivers that use the same driver
+    type (selenium, poltergeist, webkit, rack test).
+
+    Fixes #42502
+
+    *Chris LaRose*
+
+*   Allow multiline to be passed in routes when using wildcard segments.
+
+    Previously routes with newlines weren't detected when using wildcard segments, returning
+    a `No route matches` error.
+    After this change, routes with newlines are detected on wildcard segments. Example
+
+    ```ruby
+      draw do
+        get "/wildcard/*wildcard_segment", to: SimpleApp.new("foo#index"), as: :wildcard
+      end
+
+      # After the change, the path matches.
+      assert_equal "/wildcard/a%0Anewline", url_helpers.wildcard_path(wildcard_segment: "a\nnewline")
+    ```
+
+    Fixes #39103
+
+    *Ignacio Chiazzo*
+
+*   Treat html suffix in controller translation.
+
+    *Rui Onodera*, *Gavin Miller*
+
+*   Allow permitting numeric params.
+
+    Previously it was impossible to permit different fields on numeric parameters.
+    After this change you can specify different fields for each numbered parameter.
+    For example params like,
+    ```ruby
+    book: {
+            authors_attributes: {
+              '0': { name: "William Shakespeare", age_of_death: "52" },
+              '1': { name: "Unattributed Assistant" },
+              '2': "Not a hash",
+              'new_record': { name: "Some name" }
+            }
+          }
+    ```
+
+    Before you could permit name on each author with,
+    `permit book: { authors_attributes: [ :name ] }`
+
+    After this change you can permit different keys on each numbered element,
+    `permit book: { authors_attributes: { '1': [ :name ], '0': [ :name, :age_of_death ] } }`
+
+    Fixes #41625
+
+    *Adam Hess*
+
+*   Update `HostAuthorization` middleware to render debug info only
+    when `config.consider_all_requests_local` is set to true.
+
+    Also, blocked host info is always logged with level `error`.
+
+    Fixes #42813
+
+    *Nikita Vyrko*
+
+*  Add Server-Timing middleware
+
+   Server-Timing specification defines how the server can communicate to browsers performance metrics
+   about the request it is responding to.
+
+   The ServerTiming middleware is enabled by default on `development` environment by default using the
+   `config.server_timing` setting and set the relevant duration metrics in the `Server-Timing` header
+
+   The full specification for Server-Timing header can be found in: https://www.w3.org/TR/server-timing/#dfn-server-timing-header-field
+
+   *Sebastian Sogamoso*, *Guillermo Iguaran*
+
+
 ## Rails 7.0.0.alpha2 (September 15, 2021) ##
 
 *   No changes.

data/lib/abstract_controller/callbacks.rb

@@ -35,6 +35,20 @@ module AbstractController
                        skip_after_callbacks_if_terminated: true
     end
 
+    class ActionFilter # :nodoc:
+      def initialize(actions)
+        @actions = Array(actions).map(&:to_s).to_set
+      end
+
+      def match?(controller)
+        @actions.include?(controller.action_name)
+      end
+
+      alias after  match?
+      alias before match?
+      alias around match?
+    end
+
     module ClassMethods
       # If +:only+ or +:except+ are used, convert the options into the
       # +:if+ and +:unless+ options of ActiveSupport::Callbacks.
@@ -62,8 +76,7 @@ module AbstractController
 
       def _normalize_callback_option(options, from, to) # :nodoc:
         if from = options.delete(from)
-          _from = Array(from).map(&:to_s).to_set
-          from = proc { |c| _from.include? c.action_name }
+          from = ActionFilter.new(from)
           options[to] = Array(options[to]).unshift(from)
         end
       end

data/lib/abstract_controller/translation.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support/html_safe_translation"
+
 module AbstractController
   module Translation
     mattr_accessor :raise_on_missing_translations, default: false
@@ -22,7 +24,8 @@ module AbstractController
       end
 
       i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
-      I18n.translate(key, **options, raise: i18n_raise)
+
+      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
     end
     alias :t :translate
 

data/lib/action_controller/log_subscriber.rb

@@ -62,8 +62,7 @@ module ActionController
       end
     end
 
-    %w(write_fragment read_fragment exist_fragment?
-       expire_fragment expire_page write_page).each do |method|
+    %w(write_fragment read_fragment exist_fragment? expire_fragment).each do |method|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{method}(event)
           return unless logger.info? && ActionController::Base.enable_fragment_cache_logging

data/lib/action_controller/metal/helpers.rb

@@ -26,7 +26,7 @@ module ActionController
   #
   #   module FormattedTimeHelper
   #     def format_time(time, format=:long, blank_message=" ")
-  #       time.blank? ? blank_message : time.to_s(format)
+  #       time.blank? ? blank_message : time.to_formatted_s(format)
   #     end
   #   end
   #

data/lib/action_controller/metal/http_authentication.rb

@@ -2,6 +2,7 @@
 
 require "base64"
 require "active_support/security_utils"
+require "active_support/core_ext/array/access"
 
 module ActionController
   # HTTP Basic, Digest and Token authentication.
@@ -103,7 +104,7 @@ module ActionController
       end
 
       def has_basic_credentials?(request)
-        request.authorization.present? && (auth_scheme(request).downcase == "basic")
+        request.authorization.present? && (auth_scheme(request).downcase == "basic") && user_name_and_password(request).length == 2
       end
 
       def user_name_and_password(request)

data/lib/action_controller/metal/instrumentation.rb

@@ -48,6 +48,8 @@ module ActionController
 
     private
       def process_action(*)
+        ActiveSupport::ExecutionContext[:controller] = self
+
         raw_payload = {
           controller: self.class.name,
           action: action_name,

data/lib/action_controller/metal/params_wrapper.rb

@@ -9,11 +9,14 @@ module ActionController
   # Wraps the parameters hash into a nested hash. This will allow clients to
   # submit requests without having to specify any root elements.
   #
-  # This functionality is enabled in +config/initializers/wrap_parameters.rb+
-  # and can be customized.
+  # This functionality is enabled by default for JSON, and can be customized by
+  # setting the format array:
   #
-  # You could also turn it on per controller by setting the format array to
-  # a non-empty array:
+  #     class ApplicationController < ActionController::Base
+  #       wrap_parameters format: [:json, :xml]
+  #     end
+  #
+  # You could also turn it on per controller:
   #
   #     class UsersController < ApplicationController
   #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
@@ -68,6 +71,12 @@ module ActionController
   # will try to check if <tt>Admin::User</tt> or +User+ model exists, and use it to
   # determine the wrapper key respectively. If both models don't exist,
   # it will then fallback to use +user+ as the key.
+  #
+  # To disable this functionality for a controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters false
+  #     end
   module ParamsWrapper
     extend ActiveSupport::Concern
 

data/lib/action_controller/metal/redirecting.rb

@@ -7,6 +7,8 @@ module ActionController
     include AbstractController::Logger
     include ActionController::UrlFor
 
+    class UnsafeRedirectError < StandardError; end
+
     included do
       mattr_accessor :raise_on_open_redirects, default: false
     end
@@ -61,20 +63,34 @@ module ActionController
     #
     #   redirect_to post_url(@post) and return
     #
-    # Passing user input directly into +redirect_to+ is considered dangerous (e.g. `redirect_to(params[:location])`).
-    # Always use regular expressions or a permitted list when redirecting to a user specified location.
+    # === Open Redirect protection
+    #
+    # By default, Rails protects against redirecting to external hosts for your app's safety, so called open redirects.
+    # Note: this was a new default in Rails 7.0, after upgrading opt-in by uncommenting the line with +raise_on_open_redirects+ in <tt>config/initializers/new_framework_defaults_7_0.rb</tt>
+    #
+    # Here #redirect_to automatically validates the potentially-unsafe URL:
+    #
+    #   redirect_to params[:redirect_url]
+    #
+    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    #
+    # To allow any external redirects pass `allow_other_host: true`, though using a user-provided param in that case is unsafe.
+    #
+    #   redirect_to "https://rubyonrails.org", allow_other_host: true
+    #
+    # See #url_from for more information on what an internal and safe URL is, or how to fall back to an alternate redirect URL in the unsafe case.
     def redirect_to(options = {}, response_options = {})
-      response_options[:allow_other_host] ||= _allow_other_host unless response_options.key?(:allow_other_host)
-
       raise ActionControllerError.new("Cannot redirect to nil!") unless options
       raise AbstractController::DoubleRenderError if response_body
 
+      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+
       self.status        = _extract_redirect_to_status(options, response_options)
-      self.location      = _compute_safe_redirect_to_location(request, options, response_options)
+      self.location      = _enforce_open_redirect_protection(_compute_redirect_to_location(request, options), allow_other_host: allow_other_host)
       self.response_body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(response.location)}\">redirected</a>.</body></html>"
     end
 
-    # Soft deprecated alias for <tt>redirect_back_or_to</tt> where the fallback_location location is supplied as a keyword argument instead
+    # Soft deprecated alias for #redirect_back_or_to where the +fallback_location+ location is supplied as a keyword argument instead
     # of the first positional argument.
     def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
       redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
@@ -103,23 +119,11 @@ module ActionController
     # All other options that can be passed to #redirect_to are accepted as
     # options and the behavior is identical.
     def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
-      location = request.referer || fallback_location
-      location = fallback_location unless allow_other_host || _url_host_allowed?(request.referer)
-      allow_other_host = true if _allow_other_host && !allow_other_host # if the fallback is an open redirect
-
-      redirect_to location, allow_other_host: allow_other_host, **options
-    end
-
-    def _compute_safe_redirect_to_location(request, options, response_options)
-      location = _compute_redirect_to_location(request, options)
-
-      if response_options[:allow_other_host] || _url_host_allowed?(location)
-        location
+      if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
+        redirect_to request.referer, allow_other_host: allow_other_host, **options
       else
-        raise(ArgumentError, <<~MSG.squish)
-          Unsafe redirect #{location.truncate(100).inspect},
-          use :allow_other_host to redirect anyway.
-        MSG
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit and let the `redirect_to` handling take over.
+        redirect_to fallback_location, **options
       end
     end
 
@@ -143,6 +147,30 @@ module ActionController
     module_function :_compute_redirect_to_location
     public :_compute_redirect_to_location
 
+    # Verifies the passed +location+ is an internal URL that's safe to redirect to and returns it, or nil if not.
+    # Useful to wrap a params provided redirect URL and fallback to an alternate URL to redirect to:
+    #
+    #   redirect_to url_from(params[:redirect_url]) || root_url
+    #
+    # The +location+ is considered internal, and safe, if it's on the same host as <tt>request.host</tt>:
+    #
+    #   # If request.host is example.com:
+    #   url_from("https://example.com/profile") # => "https://example.com/profile"
+    #   url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #   url_from("http://evil.com/profile")     # => nil
+    #
+    # Subdomains are considered part of the host:
+    #
+    #   # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #   url_from("https://dev.example.com/profile") # => nil
+    #
+    # NOTE: there's a similarity with {url_for}[rdoc-ref:ActionDispatch::Routing::UrlFor#url_for], which generates an internal URL from various options from within the app, e.g. <tt>url_for(@post)</tt>.
+    # However, #url_from is meant to take an external parameter to verify as in <tt>url_from(params[:redirect_url])</tt>.
+    def url_from(location)
+      location = location.presence
+      location if location && _url_host_allowed?(location)
+    end
+
     private
       def _allow_other_host
         !raise_on_open_redirects
@@ -158,6 +186,14 @@ module ActionController
         end
       end
 
+      def _enforce_open_redirect_protection(location, allow_other_host:)
+        if allow_other_host || _url_host_allowed?(location)
+          location
+        else
+          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+        end
+      end
+
       def _url_host_allowed?(url)
         URI(url.to_s).host == request.host
       rescue ArgumentError, URI::Error

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -57,17 +57,6 @@ module ActionController # :nodoc:
   module RequestForgeryProtection
     extend ActiveSupport::Concern
 
-    class DisabledSessionError < StandardError
-      MESSAGE = <<~EOS.squish
-        Request forgery protection requires a working session store but your application has sessions disabled.
-        You need to either disable request forgery protection, or configure a working session store.
-      EOS
-
-      def initialize(message = MESSAGE)
-        super
-      end
-    end
-
     include AbstractController::Helpers
     include AbstractController::Callbacks
 
@@ -101,11 +90,6 @@ module ActionController # :nodoc:
       config_accessor :default_protect_from_forgery
       self.default_protect_from_forgery = false
 
-      # Controls whether trying to use forgery protection without a working session store
-      # issues a warning or raises an error.
-      config_accessor :silence_disabled_session_errors
-      self.silence_disabled_session_errors = true
-
       # Controls whether URL-safe CSRF tokens are generated.
       config_accessor :urlsafe_csrf_tokens, instance_writer: false
       self.urlsafe_csrf_tokens = false
@@ -140,10 +124,26 @@ module ActionController # :nodoc:
       #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
       #
-      # Valid unverified request handling methods are:
+      # Built-in unverified request handling methods are:
       # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
+      #
+      # You can also implement custom strategy classes for unverified request handling:
+      #
+      #    class CustomStrategy
+      #      def initialize(controller)
+      #        @controller = controller
+      #      end
+      #
+      #      def handle_unverified_request
+      #        # Custom behaviour for unverfied request
+      #      end
+      #    end
+      #
+      #    class ApplicationController < ActionController:x:Base
+      #      protect_from_forgery with: CustomStrategy
+      #    end
       def protect_from_forgery(options = {})
         options = options.reverse_merge(prepend: false)
 
@@ -164,9 +164,18 @@ module ActionController # :nodoc:
 
       private
         def protection_method_class(name)
-          ActionController::RequestForgeryProtection::ProtectionMethods.const_get(name.to_s.classify)
-        rescue NameError
-          raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, or :reset_session"
+          case name
+          when :null_session
+            ProtectionMethods::NullSession
+          when :reset_session
+            ProtectionMethods::ResetSession
+          when :exception
+            ProtectionMethods::Exception
+          when Class
+            name
+          else
+            raise ArgumentError, "Invalid request forgery protection method, use :null_session, :exception, :reset_session, or a custom forgery protection class."
+          end
         end
     end
 
@@ -469,20 +478,7 @@ module ActionController # :nodoc:
 
       # Checks if the controller allows forgery protection.
       def protect_against_forgery? # :doc:
-        allow_forgery_protection && ensure_session_is_enabled!
-      end
-
-      def ensure_session_is_enabled!
-        if !session.respond_to?(:enabled?) || session.enabled?
-          true
-        else
-          if silence_disabled_session_errors
-            ActiveSupport::Deprecation.warn(DisabledSessionError::MESSAGE)
-            false
-          else
-            raise DisabledSessionError
-          end
-        end
+        allow_forgery_protection && (!session.respond_to?(:enabled?) || session.enabled?)
       end
 
       NULL_ORIGIN_MESSAGE = <<~MSG