activesupport 5.2.7.1 → 6.1.4.6

data/lib/active_support/number_helper.rb

@@ -71,6 +71,8 @@ module ActiveSupport
     #   (defaults to current locale).
     # * <tt>:precision</tt> - Sets the level of precision (defaults
     #   to 2).
+    # * <tt>:round_mode</tt> - Determine how rounding is performed
+    #   (defaults to :default. See BigDecimal::mode)
     # * <tt>:unit</tt> - Sets the denomination of the currency
     #   (defaults to "$").
     # * <tt>:separator</tt> - Sets the separator between the units
@@ -85,6 +87,9 @@ module ActiveSupport
     #   number given by <tt>:format</tt>).  Accepts the same fields
     #   than <tt>:format</tt>, except <tt>%n</tt> is here the
     #   absolute value of the number.
+    # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
+    #   insignificant zeros after the decimal separator (defaults to
+    #   +false+).
     #
     # ==== Examples
     #
@@ -94,12 +99,20 @@ module ActiveSupport
     #   number_to_currency(1234567890.506, locale: :fr)  # => "1 234 567 890,51 €"
     #   number_to_currency('123a456')                    # => "$123a456"
     #
+    #   number_to_currency("123a456", raise: true)       # => InvalidNumberError
+    #
+    #   number_to_currency(-0.456789, precision: 0)
+    #   # => "$0"
     #   number_to_currency(-1234567890.50, negative_format: '(%u%n)')
     #   # => "($1,234,567,890.50)"
     #   number_to_currency(1234567890.50, unit: '&pound;', separator: ',', delimiter: '')
     #   # => "&pound;1234567890,50"
     #   number_to_currency(1234567890.50, unit: '&pound;', separator: ',', delimiter: '', format: '%n %u')
     #   # => "1234567890,50 &pound;"
+    #   number_to_currency(1234567890.50, strip_insignificant_zeros: true)
+    #   # => "$1,234,567,890.5"
+    #   number_to_currency(1234567890.50, precision: 0, round_mode: :up)
+    #   # => "$1,234,567,891"
     def number_to_currency(number, options = {})
       NumberToCurrencyConverter.convert(number, options)
     end
@@ -113,6 +126,8 @@ module ActiveSupport
     #   (defaults to current locale).
     # * <tt>:precision</tt> - Sets the precision of the number
     #   (defaults to 3). Keeps the number's precision if +nil+.
+    # * <tt>:round_mode</tt> - Determine how rounding is performed
+    #   (defaults to :default. See BigDecimal::mode)
     # * <tt>:significant</tt> - If +true+, precision will be the number
     #   of significant_digits. If +false+, the number of fractional
     #   digits (defaults to +false+).
@@ -128,15 +143,16 @@ module ActiveSupport
     #
     # ==== Examples
     #
-    #   number_to_percentage(100)                                  # => "100.000%"
-    #   number_to_percentage('98')                                 # => "98.000%"
-    #   number_to_percentage(100, precision: 0)                    # => "100%"
-    #   number_to_percentage(1000, delimiter: '.', separator: ',') # => "1.000,000%"
-    #   number_to_percentage(302.24398923423, precision: 5)        # => "302.24399%"
-    #   number_to_percentage(1000, locale: :fr)                    # => "1000,000%"
-    #   number_to_percentage(1000, precision: nil)                 # => "1000%"
-    #   number_to_percentage('98a')                                # => "98a%"
-    #   number_to_percentage(100, format: '%n  %')                 # => "100.000  %"
+    #   number_to_percentage(100)                                              # => "100.000%"
+    #   number_to_percentage('98')                                             # => "98.000%"
+    #   number_to_percentage(100, precision: 0)                                # => "100%"
+    #   number_to_percentage(1000, delimiter: '.', separator: ',')             # => "1.000,000%"
+    #   number_to_percentage(302.24398923423, precision: 5)                    # => "302.24399%"
+    #   number_to_percentage(1000, locale: :fr)                                # => "1000,000%"
+    #   number_to_percentage(1000, precision: nil)                             # => "1000%"
+    #   number_to_percentage('98a')                                            # => "98a%"
+    #   number_to_percentage(100, format: '%n  %')                             # => "100.000  %"
+    #   number_to_percentage(302.24398923423, precision: 5, round_mode: :down) # => "302.24398%"
     def number_to_percentage(number, options = {})
       NumberToPercentageConverter.convert(number, options)
     end
@@ -187,6 +203,8 @@ module ActiveSupport
     #   (defaults to current locale).
     # * <tt>:precision</tt> - Sets the precision of the number
     #   (defaults to 3). Keeps the number's precision if +nil+.
+    # * <tt>:round_mode</tt> - Determine how rounding is performed
+    #   (defaults to :default. See BigDecimal::mode)
     # * <tt>:significant</tt> - If +true+, precision will be the number
     #   of significant_digits. If +false+, the number of fractional
     #   digits (defaults to +false+).
@@ -208,6 +226,7 @@ module ActiveSupport
     #   number_to_rounded(111.2345, precision: 1, significant: true) # => "100"
     #   number_to_rounded(13, precision: 5, significant: true)       # => "13.000"
     #   number_to_rounded(13, precision: nil)                        # => "13"
+    #   number_to_rounded(389.32314, precision: 0, round_mode: :up)  # => "390"
     #   number_to_rounded(111.234, locale: :fr)                      # => "111,234"
     #
     #   number_to_rounded(13, precision: 5, significant: true, strip_insignificant_zeros: true)
@@ -221,7 +240,7 @@ module ActiveSupport
     end
 
     # Formats the bytes in +number+ into a more understandable
-    # representation (e.g., giving it 1500 yields 1.5 KB). This
+    # representation (e.g., giving it 1500 yields 1.46 KB). This
     # method is useful for reporting file sizes to users. You can
     # customize the format in the +options+ hash.
     #
@@ -234,6 +253,8 @@ module ActiveSupport
     #   (defaults to current locale).
     # * <tt>:precision</tt> - Sets the precision of the number
     #   (defaults to 3).
+    # * <tt>:round_mode</tt> - Determine how rounding is performed
+    #   (defaults to :default. See BigDecimal::mode)
     # * <tt>:significant</tt> - If +true+, precision will be the number
     #   of significant_digits. If +false+, the number of fractional
     #   digits (defaults to +true+)
@@ -257,6 +278,7 @@ module ActiveSupport
     #   number_to_human_size(1234567890123456789)                    # => "1.07 EB"
     #   number_to_human_size(1234567, precision: 2)                  # => "1.2 MB"
     #   number_to_human_size(483989, precision: 2)                   # => "470 KB"
+    #   number_to_human_size(483989, precision: 2, round_mode: :up)  # => "480 KB"
     #   number_to_human_size(1234567, precision: 2, separator: ',')  # => "1,2 MB"
     #   number_to_human_size(1234567890123, precision: 5)            # => "1.1228 TB"
     #   number_to_human_size(524288000, precision: 5)                # => "500 MB"
@@ -265,7 +287,7 @@ module ActiveSupport
     end
 
     # Pretty prints (formats and approximates) a number in a way it
-    # is more readable by humans (eg.: 1200000000 becomes "1.2
+    # is more readable by humans (e.g.: 1200000000 becomes "1.2
     # Billion"). This is useful for numbers that can get very large
     # (and too hard to read).
     #
@@ -273,7 +295,7 @@ module ActiveSupport
     # size.
     #
     # You can also define your own unit-quantifier names if you want
-    # to use other decimal units (eg.: 1500 becomes "1.5
+    # to use other decimal units (e.g.: 1500 becomes "1.5
     # kilometers", 0.150 becomes "150 milliliters", etc). You may
     # define a wide range of unit quantifiers, even fractional ones
     # (centi, deci, mili, etc).
@@ -284,6 +306,8 @@ module ActiveSupport
     #   (defaults to current locale).
     # * <tt>:precision</tt> - Sets the precision of the number
     #   (defaults to 3).
+    # * <tt>:round_mode</tt> - Determine how rounding is performed
+    #   (defaults to :default. See BigDecimal::mode)
     # * <tt>:significant</tt> - If +true+, precision will be the number
     #   of significant_digits. If +false+, the number of fractional
     #   digits (defaults to +true+)
@@ -321,6 +345,8 @@ module ActiveSupport
     #   number_to_human(1234567890123456789)         # => "1230 Quadrillion"
     #   number_to_human(489939, precision: 2)        # => "490 Thousand"
     #   number_to_human(489939, precision: 4)        # => "489.9 Thousand"
+    #   number_to_human(489939, precision: 2
+    #                         , round_mode: :down)   # => "480 Thousand"
     #   number_to_human(1234567, precision: 4,
     #                            significant: false) # => "1.2346 Million"
     #   number_to_human(1234567, precision: 1,

data/lib/active_support/option_merger.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/hash/deep_merge"
+require "active_support/core_ext/symbol/starts_ends_with"
 
 module ActiveSupport
   class OptionMerger #:nodoc:
     instance_methods.each do |method|
-      undef_method(method) if method !~ /^(__|instance_eval|class|object_id)/
+      undef_method(method) unless method.start_with?("__", "instance_eval", "class", "object_id")
     end
 
     def initialize(context, options)
@@ -14,14 +15,32 @@ module ActiveSupport
 
     private
       def method_missing(method, *arguments, &block)
+        options = nil
         if arguments.first.is_a?(Proc)
           proc = arguments.pop
           arguments << lambda { |*args| @options.deep_merge(proc.call(*args)) }
+        elsif arguments.last.respond_to?(:to_hash)
+          options = @options.deep_merge(arguments.pop)
         else
-          arguments << (arguments.last.respond_to?(:to_hash) ? @options.deep_merge(arguments.pop) : @options.dup)
+          options = @options
         end
 
-        @context.__send__(method, *arguments, &block)
+        invoke_method(method, arguments, options, &block)
+      end
+
+      if RUBY_VERSION >= "2.7"
+        def invoke_method(method, arguments, options, &block)
+          if options
+            @context.__send__(method, *arguments, **options, &block)
+          else
+            @context.__send__(method, *arguments, &block)
+          end
+        end
+      else
+        def invoke_method(method, arguments, options, &block)
+          arguments << options.dup if options
+          @context.__send__(method, *arguments, &block)
+        end
       end
   end
 end

data/lib/active_support/ordered_hash.rb

@@ -16,7 +16,7 @@ module ActiveSupport
   #   oh.keys # => [:a, :b], this order is guaranteed
   #
   # Also, maps the +omap+ feature for YAML files
-  # (See http://yaml.org/type/omap.html) to support ordered items
+  # (See https://yaml.org/type/omap.html) to support ordered items
   # when loading from yaml.
   #
   # <tt>ActiveSupport::OrderedHash</tt> is namespaced to prevent conflicts

data/lib/active_support/ordered_options.rb

@@ -3,7 +3,9 @@
 require "active_support/core_ext/object/blank"
 
 module ActiveSupport
-  # Usually key value pairs are handled something like this:
+  # +OrderedOptions+ inherits from +Hash+ and provides dynamic accessor methods.
+  #
+  # With a +Hash+, key-value pairs are typically managed like this:
   #
   #   h = {}
   #   h[:boy] = 'John'
@@ -12,7 +14,7 @@ module ActiveSupport
   #   h[:girl] # => 'Mary'
   #   h[:dog]  # => nil
   #
-  # Using +OrderedOptions+, the above code could be reduced to:
+  # Using +OrderedOptions+, the above code can be written as:
   #
   #   h = ActiveSupport::OrderedOptions.new
   #   h.boy = 'John'
@@ -39,7 +41,7 @@ module ActiveSupport
     end
 
     def method_missing(name, *args)
-      name_string = name.to_s.dup
+      name_string = +name.to_s
       if name_string.chomp!("=")
         self[name_string] = args.first
       else
@@ -56,6 +58,14 @@ module ActiveSupport
     def respond_to_missing?(name, include_private)
       true
     end
+
+    def extractable_options?
+      true
+    end
+
+    def inspect
+      "#<#{self.class.name} #{super}>"
+    end
   end
 
   # +InheritableOptions+ provides a constructor to build an +OrderedOptions+

data/lib/active_support/parameter_filter.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/duplicable"
+
+module ActiveSupport
+  # +ParameterFilter+ allows you to specify keys for sensitive data from
+  # hash-like object and replace corresponding value. Filtering only certain
+  # sub-keys from a hash is possible by using the dot notation:
+  # 'credit_card.number'. If a proc is given, each key and value of a hash and
+  # all sub-hashes are passed to it, where the value or the key can be replaced
+  # using String#replace or similar methods.
+  #
+  #   ActiveSupport::ParameterFilter.new([:password])
+  #   => replaces the value to all keys matching /password/i with "[FILTERED]"
+  #
+  #   ActiveSupport::ParameterFilter.new([:foo, "bar"])
+  #   => replaces the value to all keys matching /foo|bar/i with "[FILTERED]"
+  #
+  #   ActiveSupport::ParameterFilter.new(["credit_card.code"])
+  #   => replaces { credit_card: {code: "xxxx"} } with "[FILTERED]", does not
+  #   change { file: { code: "xxxx"} }
+  #
+  #   ActiveSupport::ParameterFilter.new([-> (k, v) do
+  #     v.reverse! if /secret/i.match?(k)
+  #   end])
+  #   => reverses the value to all keys matching /secret/i
+  class ParameterFilter
+    FILTERED = "[FILTERED]" # :nodoc:
+
+    # Create instance with given filters. Supported type of filters are +String+, +Regexp+, and +Proc+.
+    # Other types of filters are treated as +String+ using +to_s+.
+    # For +Proc+ filters, key, value, and optional original hash is passed to block arguments.
+    #
+    # ==== Options
+    #
+    # * <tt>:mask</tt> - A replaced object when filtered. Defaults to <tt>"[FILTERED]"</tt>.
+    def initialize(filters = [], mask: FILTERED)
+      @filters = filters
+      @mask = mask
+    end
+
+    # Mask value of +params+ if key matches one of filters.
+    def filter(params)
+      compiled_filter.call(params)
+    end
+
+    # Returns filtered value for given key. For +Proc+ filters, third block argument is not populated.
+    def filter_param(key, value)
+      @filters.empty? ? value : compiled_filter.value_for_key(key, value)
+    end
+
+  private
+    def compiled_filter
+      @compiled_filter ||= CompiledFilter.compile(@filters, mask: @mask)
+    end
+
+    class CompiledFilter # :nodoc:
+      def self.compile(filters, mask:)
+        return lambda { |params| params.dup } if filters.empty?
+
+        strings, regexps, blocks, deep_regexps, deep_strings = [], [], [], nil, nil
+
+        filters.each do |item|
+          case item
+          when Proc
+            blocks << item
+          when Regexp
+            if item.to_s.include?("\\.")
+              (deep_regexps ||= []) << item
+            else
+              regexps << item
+            end
+          else
+            s = Regexp.escape(item.to_s)
+            if s.include?("\\.")
+              (deep_strings ||= []) << s
+            else
+              strings << s
+            end
+          end
+        end
+
+        regexps << Regexp.new(strings.join("|"), true) unless strings.empty?
+        (deep_regexps ||= []) << Regexp.new(deep_strings.join("|"), true) if deep_strings&.any?
+
+        new regexps, deep_regexps, blocks, mask: mask
+      end
+
+      attr_reader :regexps, :deep_regexps, :blocks
+
+      def initialize(regexps, deep_regexps, blocks, mask:)
+        @regexps = regexps
+        @deep_regexps = deep_regexps&.any? ? deep_regexps : nil
+        @blocks = blocks
+        @mask = mask
+      end
+
+      def call(params, parents = [], original_params = params)
+        filtered_params = params.class.new
+
+        params.each do |key, value|
+          filtered_params[key] = value_for_key(key, value, parents, original_params)
+        end
+
+        filtered_params
+      end
+
+      def value_for_key(key, value, parents = [], original_params = nil)
+        parents.push(key) if deep_regexps
+        if regexps.any? { |r| r.match?(key.to_s) }
+          value = @mask
+        elsif deep_regexps && (joined = parents.join(".")) && deep_regexps.any? { |r| r.match?(joined) }
+          value = @mask
+        elsif value.is_a?(Hash)
+          value = call(value, parents, original_params)
+        elsif value.is_a?(Array)
+          # If we don't pop the current parent it will be duplicated as we
+          # process each array value.
+          parents.pop if deep_regexps
+          value = value.map { |v| value_for_key(key, v, parents, original_params) }
+          # Restore the parent stack after processing the array.
+          parents.push(key) if deep_regexps
+        elsif blocks.any?
+          key = key.dup if key.duplicable?
+          value = value.dup if value.duplicable?
+          blocks.each { |b| b.arity == 2 ? b.call(key, value) : b.call(key, value, original_params) }
+        end
+        parents.pop if deep_regexps
+        value
+      end
+    end
+  end
+end

data/lib/active_support/per_thread_registry.rb

@@ -40,7 +40,7 @@ module ActiveSupport
   # If the class has an initializer, it must accept no arguments.
   module PerThreadRegistry
     def self.extended(object)
-      object.instance_variable_set "@per_thread_registry_key", object.name.freeze
+      object.instance_variable_set :@per_thread_registry_key, object.name.freeze
     end
 
     def instance

data/lib/active_support/rails.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# This is private interface.
+# This is a private interface.
 #
 # Rails components cherry pick from Active Support as needed, but there are a
 # few features that are used for sure in some way or another and it is not worth
@@ -13,9 +13,6 @@
 # Defines Object#blank? and Object#present?.
 require "active_support/core_ext/object/blank"
 
-# Rails own autoload, eager_load, etc.
-require "active_support/dependencies/autoload"
-
 # Support for ClassMethods and the included macro.
 require "active_support/concern"
 
@@ -27,9 +24,3 @@ require "active_support/core_ext/module/delegation"
 
 # Defines ActiveSupport::Deprecation.
 require "active_support/deprecation"
-
-# Defines Regexp#match?.
-#
-# This should be removed when Rails needs Ruby 2.4 or later, and the require
-# added where other Regexp extensions are being used (easy to grep).
-require "active_support/core_ext/regexp"

data/lib/active_support/railtie.rb

@@ -22,12 +22,25 @@ module ActiveSupport
       app.reloader.before_class_unload { ActiveSupport::CurrentAttributes.clear_all }
       app.executor.to_run              { ActiveSupport::CurrentAttributes.reset_all }
       app.executor.to_complete         { ActiveSupport::CurrentAttributes.reset_all }
+
+      ActiveSupport.on_load(:active_support_test_case) do
+        require "active_support/current_attributes/test_helper"
+        include ActiveSupport::CurrentAttributes::TestHelper
+      end
     end
 
     initializer "active_support.deprecation_behavior" do |app|
       if deprecation = app.config.active_support.deprecation
         ActiveSupport::Deprecation.behavior = deprecation
       end
+
+      if disallowed_deprecation = app.config.active_support.disallowed_deprecation
+        ActiveSupport::Deprecation.disallowed_behavior = disallowed_deprecation
+      end
+
+      if disallowed_warnings = app.config.active_support.disallowed_deprecation_warnings
+        ActiveSupport::Deprecation.disallowed_warnings = disallowed_warnings
+      end
     end
 
     # Sets the default value for Time.zone
@@ -65,15 +78,24 @@ module ActiveSupport
     initializer "active_support.set_configs" do |app|
       app.config.active_support.each do |k, v|
         k = "#{k}="
-        ActiveSupport.send(k, v) if ActiveSupport.respond_to? k
+        ActiveSupport.public_send(k, v) if ActiveSupport.respond_to? k
       end
     end
 
     initializer "active_support.set_hash_digest_class" do |app|
       config.after_initialize do
         if app.config.active_support.use_sha1_digests
+          ActiveSupport::Deprecation.warn(<<-MSG.squish)
+            config.active_support.use_sha1_digests is deprecated and will
+            be removed from Rails 6.2. Use
+            config.active_support.hash_digest_class = ::Digest::SHA1 instead.
+          MSG
           ActiveSupport::Digest.hash_digest_class = ::Digest::SHA1
         end
+
+        if klass = app.config.active_support.hash_digest_class
+          ActiveSupport::Digest.hash_digest_class = klass
+        end
       end
     end
   end

data/lib/active_support/reloader.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/execution_wrapper"
+require "active_support/executor"
 
 module ActiveSupport
   #--
@@ -49,11 +50,9 @@ module ActiveSupport
     def self.reload!
       executor.wrap do
         new.tap do |instance|
-          begin
-            instance.run!
-          ensure
-            instance.complete!
-          end
+          instance.run!
+        ensure
+          instance.complete!
         end
       end
       prepare!

data/lib/active_support/rescuable.rb

@@ -14,12 +14,12 @@ module ActiveSupport
     end
 
     module ClassMethods
-      # Rescue exceptions raised in controller actions.
+      # Registers exception classes with a handler to be called by <tt>rescue_with_handler</tt>.
       #
       # <tt>rescue_from</tt> receives a series of exception classes or class
-      # names, and a trailing <tt>:with</tt> option with the name of a method
-      # or a Proc object to be called to handle them. Alternatively a block can
-      # be given.
+      # names, and an exception handler specified by a trailing <tt>:with</tt>
+      # option containing the name of a method or a Proc object. Alternatively, a block
+      # can be given as the handler.
       #
       # Handlers that take one argument will be called with the exception, so
       # that the exception can be inspected when dealing with it.

data/lib/active_support/secure_compare_rotator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require "active_support/security_utils"
+require "active_support/messages/rotator"
+
+module ActiveSupport
+  # The ActiveSupport::SecureCompareRotator is a wrapper around +ActiveSupport::SecurityUtils.secure_compare+
+  # and allows you to rotate a previously defined value to a new one.
+  #
+  # It can be used as follow:
+  #
+  #   rotator = ActiveSupport::SecureCompareRotator.new('new_production_value')
+  #   rotator.rotate('previous_production_value')
+  #   rotator.secure_compare!('previous_production_value')
+  #
+  # One real use case example would be to rotate a basic auth credentials:
+  #
+  #   class MyController < ApplicationController
+  #     def authenticate_request
+  #       rotator = ActiveSupport::SecureComparerotator.new('new_password')
+  #       rotator.rotate('old_password')
+  #
+  #       authenticate_or_request_with_http_basic do |username, password|
+  #         rotator.secure_compare!(password)
+  #       rescue ActiveSupport::SecureCompareRotator::InvalidMatch
+  #         false
+  #       end
+  #     end
+  #   end
+  class SecureCompareRotator
+    include SecurityUtils
+    prepend Messages::Rotator
+
+    InvalidMatch = Class.new(StandardError)
+
+    def initialize(value, **_options)
+      @value = value
+    end
+
+    def secure_compare!(other_value, on_rotation: @on_rotation)
+      secure_compare(@value, other_value) ||
+        run_rotations(on_rotation) { |wrapper| wrapper.secure_compare!(other_value) } ||
+        raise(InvalidMatch)
+    end
+
+    private
+      def build_rotation(previous_value, _options)
+        self.class.new(previous_value)
+      end
+  end
+end

data/lib/active_support/security_utils.rb

@@ -1,30 +1,37 @@
 # frozen_string_literal: true
 
-require "digest/sha2"
-
 module ActiveSupport
   module SecurityUtils
     # Constant time string comparison, for fixed length strings.
     #
     # The values compared should be of fixed length, such as strings
     # that have already been processed by HMAC. Raises in case of length mismatch.
-    def fixed_length_secure_compare(a, b)
-      raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
 
-      l = a.unpack "C#{a.bytesize}"
+    if defined?(OpenSSL.fixed_length_secure_compare)
+      def fixed_length_secure_compare(a, b)
+        OpenSSL.fixed_length_secure_compare(a, b)
+      end
+    else
+      def fixed_length_secure_compare(a, b)
+        raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
+
+        l = a.unpack "C#{a.bytesize}"
 
-      res = 0
-      b.each_byte { |byte| res |= byte ^ l.shift }
-      res == 0
+        res = 0
+        b.each_byte { |byte| res |= byte ^ l.shift }
+        res == 0
+      end
     end
     module_function :fixed_length_secure_compare
 
-    # Constant time string comparison, for variable length strings.
+    # Secure string comparison for strings of variable length.
     #
-    # The values are first processed by SHA256, so that we don't leak length info
-    # via timing attacks.
+    # While a timing attack would not be able to discern the content of
+    # a secret compared via secure_compare, it is possible to determine
+    # the secret length. This should be considered when using secure_compare
+    # to compare weak, short secrets to user input.
     def secure_compare(a, b)
-      fixed_length_secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) && a == b
+      a.bytesize == b.bytesize && fixed_length_secure_compare(a, b)
     end
     module_function :secure_compare
   end

data/lib/active_support/string_inquirer.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/symbol/starts_ends_with"
+
 module ActiveSupport
   # Wrapping a string in this class gives you a prettier way to test
   # for equality. The value returned by <tt>Rails.env</tt> is wrapped
@@ -18,13 +20,12 @@ module ActiveSupport
   #   vehicle.bike?  # => false
   class StringInquirer < String
     private
-
       def respond_to_missing?(method_name, include_private = false)
-        (method_name[-1] == "?") || super
+        method_name.end_with?("?") || super
       end
 
       def method_missing(method_name, *arguments)
-        if method_name[-1] == "?"
+        if method_name.end_with?("?")
           self == method_name[0..-2]
         else
           super