activesupport 3.1.0 → 5.0.0

data/lib/active_support/json/decoding.rb

@@ -1,15 +1,25 @@
 require 'active_support/core_ext/module/attribute_accessors'
 require 'active_support/core_ext/module/delegation'
-require 'multi_json'
+require 'json'
 
 module ActiveSupport
   # Look for and parse json strings that look like ISO 8601 times.
   mattr_accessor :parse_json_times
 
   module JSON
+    # matches YAML-formatted dates
+    DATE_REGEX = /^\d{4}-\d{2}-\d{2}$/
+    DATETIME_REGEX = /^(?:\d{4}-\d{2}-\d{2}|\d{4}-\d{1,2}-\d{1,2}[T \t]+\d{1,2}:\d{2}:\d{2}(\.[0-9]*)?(([ \t]*)Z|[-+]\d{2}?(:\d{2})?)?)$/
+
     class << self
-      def decode(json, options ={})
-        data = MultiJson.decode(json, options)
+      # Parses a JSON string (JavaScript Object Notation) into a hash.
+      # See http://www.json.org for more info.
+      #
+      #   ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
+      #   => {"team" => "rails", "players" => "36"}
+      def decode(json)
+        data = ::JSON.parse(json, quirks_mode: true)
+
         if ActiveSupport.parse_json_times
           convert_dates_from(data)
         else
@@ -17,25 +27,18 @@ module ActiveSupport
         end
       end
 
-      def engine
-        MultiJson.engine
-      end
-      alias :backend :engine
-
-      def engine=(name)
-        MultiJson.engine = name
-      end
-      alias :backend= :engine=
-
-      def with_backend(name)
-        old_backend, self.backend = backend, name
-        yield
-      ensure
-        self.backend = old_backend
-      end
-
+      # Returns the class of the error that will be raised when there is an
+      # error in decoding JSON. Using this method means you won't directly
+      # depend on the ActiveSupport's JSON implementation, in case it changes
+      # in the future.
+      #
+      #   begin
+      #     obj = ActiveSupport::JSON.decode(some_string)
+      #   rescue ActiveSupport::JSON.parse_error
+      #     Rails.logger.warn("Attempted to decode invalid JSON: #{some_string}")
+      #   end
       def parse_error
-        MultiJson::DecodeError
+        ::JSON::ParserError
       end
 
       private
@@ -46,7 +49,13 @@ module ActiveSupport
           nil
         when DATE_REGEX
           begin
-            DateTime.parse(data)
+            Date.parse(data)
+          rescue ArgumentError
+            data
+          end
+        when DATETIME_REGEX
+          begin
+            Time.zone.parse(data)
           rescue ArgumentError
             data
           end

data/lib/active_support/json/encoding.rb

@@ -1,287 +1,127 @@
-require 'active_support/core_ext/object/to_json'
+require 'active_support/core_ext/object/json'
 require 'active_support/core_ext/module/delegation'
-require 'active_support/deprecation'
-require 'active_support/json/variable'
-require 'active_support/ordered_hash'
-
-require 'bigdecimal'
-require 'active_support/core_ext/big_decimal/conversions' # for #to_s
-require 'active_support/core_ext/array/wrap'
-require 'active_support/core_ext/hash/except'
-require 'active_support/core_ext/hash/slice'
-require 'active_support/core_ext/object/instance_variables'
-require 'time'
-require 'active_support/core_ext/time/conversions'
-require 'active_support/core_ext/date_time/conversions'
-require 'active_support/core_ext/date/conversions'
 
 module ActiveSupport
   class << self
     delegate :use_standard_json_time_format, :use_standard_json_time_format=,
+      :time_precision, :time_precision=,
       :escape_html_entities_in_json, :escape_html_entities_in_json=,
+      :json_encoder, :json_encoder=,
       :to => :'ActiveSupport::JSON::Encoding'
   end
 
   module JSON
-    # matches YAML-formatted dates
-    DATE_REGEX = /^(?:\d{4}-\d{2}-\d{2}|\d{4}-\d{1,2}-\d{1,2}[T \t]+\d{1,2}:\d{2}:\d{2}(\.[0-9]*)?(([ \t]*)Z|[-+]\d{2}?(:\d{2})?))$/
-
-    # Dumps object in JSON (JavaScript Object Notation). See www.json.org for more info.
+    # Dumps objects in JSON (JavaScript Object Notation).
+    # See http://www.json.org for more info.
+    #
+    #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
+    #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
     def self.encode(value, options = nil)
-      Encoding::Encoder.new(options).encode(value)
+      Encoding.json_encoder.new(options).encode(value)
     end
 
     module Encoding #:nodoc:
-      class CircularReferenceError < StandardError; end
-
-      class Encoder
+      class JSONGemEncoder #:nodoc:
         attr_reader :options
 
         def initialize(options = nil)
-          @options = options
-          @seen = []
-        end
-
-        def encode(value, use_options = true)
-          check_for_circular_references(value) do
-            jsonified = use_options ? value.as_json(options_for(value)) : value.as_json
-            jsonified.encode_json(self)
-          end
-        end
-
-        # like encode, but only calls as_json, without encoding to string
-        def as_json(value)
-          check_for_circular_references(value) do
-            value.as_json(options_for(value))
-          end
-        end
-
-        def options_for(value)
-          if value.is_a?(Array) || value.is_a?(Hash)
-            # hashes and arrays need to get encoder in the options, so that they can detect circular references
-            (options || {}).merge(:encoder => self)
-          else
-            options
-          end
+          @options = options || {}
         end
 
-        def escape(string)
-          Encoding.escape(string)
+        # Encode the given object into a JSON string
+        def encode(value)
+          stringify jsonify value.as_json(options.dup)
         end
 
         private
-          def check_for_circular_references(value)
-            if @seen.any? { |object| object.equal?(value) }
-              raise CircularReferenceError, 'object references itself'
+          # Rails does more escaping than the JSON gem natively does (we
+          # escape \u2028 and \u2029 and optionally >, <, & to work around
+          # certain browser problems).
+          ESCAPED_CHARS = {
+            "\u2028" => '\u2028',
+            "\u2029" => '\u2029',
+            '>'      => '\u003e',
+            '<'      => '\u003c',
+            '&'      => '\u0026',
+            }
+
+          ESCAPE_REGEX_WITH_HTML_ENTITIES = /[\u2028\u2029><&]/u
+          ESCAPE_REGEX_WITHOUT_HTML_ENTITIES = /[\u2028\u2029]/u
+
+          # This class wraps all the strings we see and does the extra escaping
+          class EscapedString < String #:nodoc:
+            def to_json(*)
+              if Encoding.escape_html_entities_in_json
+                super.gsub ESCAPE_REGEX_WITH_HTML_ENTITIES, ESCAPED_CHARS
+              else
+                super.gsub ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, ESCAPED_CHARS
+              end
             end
-            @seen.unshift value
-            yield
-          ensure
-            @seen.shift
-          end
-      end
-
 
-      ESCAPED_CHARS = {
-        "\x00" => '\u0000', "\x01" => '\u0001', "\x02" => '\u0002',
-        "\x03" => '\u0003', "\x04" => '\u0004', "\x05" => '\u0005',
-        "\x06" => '\u0006', "\x07" => '\u0007', "\x0B" => '\u000B',
-        "\x0E" => '\u000E', "\x0F" => '\u000F', "\x10" => '\u0010',
-        "\x11" => '\u0011', "\x12" => '\u0012', "\x13" => '\u0013',
-        "\x14" => '\u0014', "\x15" => '\u0015', "\x16" => '\u0016',
-        "\x17" => '\u0017', "\x18" => '\u0018', "\x19" => '\u0019',
-        "\x1A" => '\u001A', "\x1B" => '\u001B', "\x1C" => '\u001C',
-        "\x1D" => '\u001D', "\x1E" => '\u001E', "\x1F" => '\u001F',
-        "\010" =>  '\b',
-        "\f"   =>  '\f',
-        "\n"   =>  '\n',
-        "\r"   =>  '\r',
-        "\t"   =>  '\t',
-        '"'    =>  '\"',
-        '\\'   =>  '\\\\',
-        '>'    =>  '\u003E',
-        '<'    =>  '\u003C',
-        '&'    =>  '\u0026' }
-
-      class << self
-        # If true, use ISO 8601 format for dates and times. Otherwise, fall back to the Active Support legacy format.
-        attr_accessor :use_standard_json_time_format
-
-        attr_accessor :escape_regex
-        attr_reader :escape_html_entities_in_json
+            def to_s
+              self
+            end
+          end
 
-        def escape_html_entities_in_json=(value)
-          self.escape_regex = \
-            if @escape_html_entities_in_json = value
-              /[\x00-\x1F"\\><&]/
+          # Mark these as private so we don't leak encoding-specific constructs
+          private_constant :ESCAPED_CHARS, :ESCAPE_REGEX_WITH_HTML_ENTITIES,
+            :ESCAPE_REGEX_WITHOUT_HTML_ENTITIES, :EscapedString
+
+          # Convert an object into a "JSON-ready" representation composed of
+          # primitives like Hash, Array, String, Numeric, and true/false/nil.
+          # Recursively calls #as_json to the object to recursively build a
+          # fully JSON-ready object.
+          #
+          # This allows developers to implement #as_json without having to
+          # worry about what base types of objects they are allowed to return
+          # or having to remember to call #as_json recursively.
+          #
+          # Note: the +options+ hash passed to +object.to_json+ is only passed
+          # to +object.as_json+, not any of this method's recursive +#as_json+
+          # calls.
+          def jsonify(value)
+            case value
+            when String
+              EscapedString.new(value)
+            when Numeric, NilClass, TrueClass, FalseClass
+              value
+            when Hash
+              Hash[value.map { |k, v| [jsonify(k), jsonify(v)] }]
+            when Array
+              value.map { |v| jsonify(v) }
             else
-              /[\x00-\x1F"\\]/
+              jsonify value.as_json
             end
-        end
+          end
 
-        def escape(string)
-          if string.respond_to?(:force_encoding)
-            string = string.encode(::Encoding::UTF_8, :undef => :replace).force_encoding(::Encoding::BINARY)
+          # Encode a "jsonified" Ruby data structure using the JSON gem
+          def stringify(jsonified)
+            ::JSON.generate(jsonified, quirks_mode: true, max_nesting: false)
           end
-          json = string.
-            gsub(escape_regex) { |s| ESCAPED_CHARS[s] }.
-            gsub(/([\xC0-\xDF][\x80-\xBF]|
-                   [\xE0-\xEF][\x80-\xBF]{2}|
-                   [\xF0-\xF7][\x80-\xBF]{3})+/nx) { |s|
-            s.unpack("U*").pack("n*").unpack("H*")[0].gsub(/.{4}/n, '\\\\u\&')
-          }
-          json = %("#{json}")
-          json.force_encoding(::Encoding::UTF_8) if json.respond_to?(:force_encoding)
-          json
-        end
       end
 
-      self.use_standard_json_time_format = true
-      self.escape_html_entities_in_json  = false
-    end
-
-    CircularReferenceError = Deprecation::DeprecatedConstantProxy.new('ActiveSupport::JSON::CircularReferenceError', Encoding::CircularReferenceError)
-  end
-end
-
-class Object
-  def as_json(options = nil) #:nodoc:
-    if respond_to?(:to_hash)
-      to_hash
-    else
-      instance_values
-    end
-  end
-end
-
-class Struct
-  def as_json(options = nil) #:nodoc:
-    Hash[members.zip(values)]
-  end
-end
-
-class TrueClass
-  AS_JSON = ActiveSupport::JSON::Variable.new('true').freeze
-  def as_json(options = nil) AS_JSON end #:nodoc:
-end
-
-class FalseClass
-  AS_JSON = ActiveSupport::JSON::Variable.new('false').freeze
-  def as_json(options = nil) AS_JSON end #:nodoc:
-end
-
-class NilClass
-  AS_JSON = ActiveSupport::JSON::Variable.new('null').freeze
-  def as_json(options = nil) AS_JSON end #:nodoc:
-end
-
-class String
-  def as_json(options = nil) self end #:nodoc:
-  def encode_json(encoder) encoder.escape(self) end #:nodoc:
-end
-
-class Symbol
-  def as_json(options = nil) to_s end #:nodoc:
-end
-
-class Numeric
-  def as_json(options = nil) self end #:nodoc:
-  def encode_json(encoder) to_s end #:nodoc:
-end
-
-class BigDecimal
-  # A BigDecimal would be naturally represented as a JSON number. Most libraries,
-  # however, parse non-integer JSON numbers directly as floats. Clients using
-  # those libraries would get in general a wrong number and no way to recover
-  # other than manually inspecting the string with the JSON code itself.
-  #
-  # That's why a JSON string is returned. The JSON literal is not numeric, but if
-  # the other end knows by contract that the data is supposed to be a BigDecimal,
-  # it still has the chance to post-process the string and get the real value.
-  def as_json(options = nil) to_s end #:nodoc:
-end
-
-class Regexp
-  def as_json(options = nil) to_s end #:nodoc:
-end
-
-module Enumerable
-  def as_json(options = nil) #:nodoc:
-    to_a.as_json(options)
-  end
-end
+      class << self
+        # If true, use ISO 8601 format for dates and times. Otherwise, fall back
+        # to the Active Support legacy format.
+        attr_accessor :use_standard_json_time_format
 
-class Array
-  def as_json(options = nil) #:nodoc:
-    # use encoder as a proxy to call as_json on all elements, to protect from circular references
-    encoder = options && options[:encoder] || ActiveSupport::JSON::Encoding::Encoder.new(options)
-    map { |v| encoder.as_json(v) }
-  end
+        # If true, encode >, <, & as escaped unicode sequences (e.g. > as \u003e)
+        # as a safety measure.
+        attr_accessor :escape_html_entities_in_json
 
-  def encode_json(encoder) #:nodoc:
-    # we assume here that the encoder has already run as_json on self and the elements, so we run encode_json directly
-    "[#{map { |v| v.encode_json(encoder) } * ','}]"
-  end
-end
+        # Sets the precision of encoded time values.
+        # Defaults to 3 (equivalent to millisecond precision)
+        attr_accessor :time_precision
 
-class Hash
-  def as_json(options = nil) #:nodoc:
-    # create a subset of the hash by applying :only or :except
-    subset = if options
-      if attrs = options[:only]
-        slice(*Array.wrap(attrs))
-      elsif attrs = options[:except]
-        except(*Array.wrap(attrs))
-      else
-        self
+        # Sets the encoder used by Rails to encode Ruby objects into JSON strings
+        # in +Object#to_json+ and +ActiveSupport::JSON.encode+.
+        attr_accessor :json_encoder
       end
-    else
-      self
-    end
-
-    # use encoder as a proxy to call as_json on all values in the subset, to protect from circular references
-    encoder = options && options[:encoder] || ActiveSupport::JSON::Encoding::Encoder.new(options)
-    result = self.is_a?(ActiveSupport::OrderedHash) ? ActiveSupport::OrderedHash : Hash
-    result[subset.map { |k, v| [k.to_s, encoder.as_json(v)] }]
-  end
-
-  def encode_json(encoder)
-    # values are encoded with use_options = false, because we don't want hash representations from ActiveModel to be
-    # processed once again with as_json with options, as this could cause unexpected results (i.e. missing fields);
-
-    # on the other hand, we need to run as_json on the elements, because the model representation may contain fields
-    # like Time/Date in their original (not jsonified) form, etc.
-
-    "{#{map { |k,v| "#{encoder.encode(k.to_s)}:#{encoder.encode(v, false)}" } * ','}}"
-  end
-end
 
-class Time
-  def as_json(options = nil) #:nodoc:
-    if ActiveSupport.use_standard_json_time_format
-      xmlschema
-    else
-      %(#{strftime("%Y/%m/%d %H:%M:%S")} #{formatted_offset(false)})
-    end
-  end
-end
-
-class Date
-  def as_json(options = nil) #:nodoc:
-    if ActiveSupport.use_standard_json_time_format
-      strftime("%Y-%m-%d")
-    else
-      strftime("%Y/%m/%d")
-    end
-  end
-end
-
-class DateTime
-  def as_json(options = nil) #:nodoc:
-    if ActiveSupport.use_standard_json_time_format
-      xmlschema
-    else
-      strftime('%Y/%m/%d %H:%M:%S %z')
+      self.use_standard_json_time_format = true
+      self.escape_html_entities_in_json  = true
+      self.json_encoder = JSONGemEncoder
+      self.time_precision = 3
     end
   end
 end

data/lib/active_support/key_generator.rb

@@ -0,0 +1,71 @@
+require 'concurrent/map'
+require 'openssl'
+
+module ActiveSupport
+  # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2.
+  # It can be used to derive a number of keys for various purposes from a given secret.
+  # This lets Rails applications have a single secure secret, but avoid reusing that
+  # key in multiple incompatible contexts.
+  class KeyGenerator
+    def initialize(secret, options = {})
+      @secret = secret
+      # The default iterations are higher than required for our key derivation uses
+      # on the off chance someone uses this for password storage
+      @iterations = options[:iterations] || 2**16
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings of ActiveSupport::MessageVerifier.
+    # i.e. OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size=64)
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
+    end
+  end
+
+  # CachingKeyGenerator is a wrapper around KeyGenerator which allows users to avoid
+  # re-executing the key generation process when it's called using the same salt and
+  # key_size.
+  class CachingKeyGenerator
+    def initialize(key_generator)
+      @key_generator = key_generator
+      @cache_keys = Concurrent::Map.new
+    end
+
+    # Returns a derived key suitable for use.
+    def generate_key(*args)
+      @cache_keys[args.join] ||= @key_generator.generate_key(*args)
+    end
+  end
+
+  class LegacyKeyGenerator # :nodoc:
+    SECRET_MIN_LENGTH = 30 # Characters
+
+    def initialize(secret)
+      ensure_secret_secure(secret)
+      @secret = secret
+    end
+
+    def generate_key(salt)
+      @secret
+    end
+
+    private
+
+    # To prevent users from using something insecure like "Password" we make sure that the
+    # secret they've provided is at least 30 characters in length.
+    def ensure_secret_secure(secret)
+      if secret.blank?
+        raise ArgumentError, "A secret is required to generate an integrity hash " \
+          "for cookie session data. Set a secret_key_base of at least " \
+          "#{SECRET_MIN_LENGTH} characters in config/secrets.yml."
+      end
+
+      if secret.length < SECRET_MIN_LENGTH
+        raise ArgumentError, "Secret should be something secure, " \
+          "like \"#{SecureRandom.hex(16)}\". The value you " \
+          "provided, \"#{secret}\", is shorter than the minimum length " \
+          "of #{SECRET_MIN_LENGTH} characters."
+      end
+    end
+  end
+end

data/lib/active_support/lazy_load_hooks.rb

@@ -1,32 +1,34 @@
-# lazy_load_hooks allows rails to lazily load a lot of components and thus making the app boot faster. Because of
-# this feature now there is no need to require <tt>ActiveRecord::Base</tt> at boot time purely to apply configuration. Instead
-# a hook is registered that applies configuration once <tt>ActiveRecord::Base</tt> is loaded. Here <tt>ActiveRecord::Base</tt> is used
-# as example but this feature can be applied elsewhere too.
-#
-# Here is an example where +on_load+ method is called to register a hook.
-#
-#   initializer "active_record.initialize_timezone" do
-#     ActiveSupport.on_load(:active_record) do
-#       self.time_zone_aware_attributes = true
-#       self.default_timezone = :utc
-#     end
-#   end
-#
-# When the entirety of +activerecord/lib/active_record/base.rb+ has been evaluated then +run_load_hooks+ is invoked.
-# The very last line of +activerecord/lib/active_record/base.rb+ is:
-#
-#   ActiveSupport.run_load_hooks(:active_record, ActiveRecord::Base)
-#
 module ActiveSupport
-  @load_hooks = Hash.new {|h,k| h[k] = [] }
-  @loaded = {}
+  # lazy_load_hooks allows Rails to lazily load a lot of components and thus
+  # making the app boot faster. Because of this feature now there is no need to
+  # require <tt>ActiveRecord::Base</tt> at boot time purely to apply
+  # configuration. Instead a hook is registered that applies configuration once
+  # <tt>ActiveRecord::Base</tt> is loaded. Here <tt>ActiveRecord::Base</tt> is
+  # used as example but this feature can be applied elsewhere too.
+  #
+  # Here is an example where +on_load+ method is called to register a hook.
+  #
+  #   initializer 'active_record.initialize_timezone' do
+  #     ActiveSupport.on_load(:active_record) do
+  #       self.time_zone_aware_attributes = true
+  #       self.default_timezone = :utc
+  #     end
+  #   end
+  #
+  # When the entirety of +activerecord/lib/active_record/base.rb+ has been
+  # evaluated then +run_load_hooks+ is invoked. The very last line of
+  # +activerecord/lib/active_record/base.rb+ is:
+  #
+  #   ActiveSupport.run_load_hooks(:active_record, ActiveRecord::Base)
+  @load_hooks = Hash.new { |h,k| h[k] = [] }
+  @loaded = Hash.new { |h,k| h[k] = [] }
 
   def self.on_load(name, options = {}, &block)
-    if base = @loaded[name]
+    @loaded[name].each do |base|
       execute_hook(base, options, block)
-    else
-      @load_hooks[name] << [block, options]
     end
+
+    @load_hooks[name] << [block, options]
   end
 
   def self.execute_hook(base, options, block)
@@ -38,7 +40,7 @@ module ActiveSupport
   end
 
   def self.run_load_hooks(name, base = Object)
-    @loaded[name] = base
+    @loaded[name] << base
     @load_hooks[name].each do |hook, options|
       execute_hook(base, options, hook)
     end