activesupport 7.1.6 → 8.1.1

data/lib/active_support/isolated_execution_state.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "fiber"
-
 module ActiveSupport
   module IsolatedExecutionState # :nodoc:
     @isolation_level = nil
@@ -30,45 +28,42 @@ module ActiveSupport
         @isolation_level = level
       end
 
-      def unique_id
-        self[:__id__] ||= Object.new
-      end
-
       def [](key)
-        state[key]
+        if state = @scope.current.active_support_execution_state
+          state[key]
+        end
       end
 
       def []=(key, value)
+        state = (@scope.current.active_support_execution_state ||= {})
         state[key] = value
       end
 
       def key?(key)
-        state.key?(key)
+        @scope.current.active_support_execution_state&.key?(key)
       end
 
       def delete(key)
-        state.delete(key)
+        @scope.current.active_support_execution_state&.delete(key)
       end
 
       def clear
-        state.clear
+        @scope.current.active_support_execution_state&.clear
       end
 
       def context
         scope.current
       end
 
-      def share_with(other)
+      def share_with(other, &block)
         # Action Controller streaming spawns a new thread and copy thread locals.
         # We do the same here for backward compatibility, but this is very much a hack
         # and streaming should be rethought.
-        context.active_support_execution_state = other.active_support_execution_state.dup
+        old_state, context.active_support_execution_state = context.active_support_execution_state, other.active_support_execution_state.dup
+        block.call
+      ensure
+        context.active_support_execution_state = old_state
       end
-
-      private
-        def state
-          context.active_support_execution_state ||= {}
-        end
     end
 
     self.isolation_level = :thread

data/lib/active_support/json/decoding.rb

@@ -14,13 +14,15 @@ module ActiveSupport
     DATETIME_REGEX = /\A(?:\d{4}-\d{2}-\d{2}|\d{4}-\d{1,2}-\d{1,2}[T \t]+\d{1,2}:\d{2}:\d{2}(\.[0-9]*)?(([ \t]*)Z|[-+]\d{2}?(:\d{2})?)?)\z/
 
     class << self
-      # Parses a JSON string (JavaScript Object Notation) into a hash.
+      # Parses a JSON string (JavaScript Object Notation) into a Ruby object.
       # See http://www.json.org for more info.
       #
       #   ActiveSupport::JSON.decode("{\"team\":\"rails\",\"players\":\"36\"}")
-      #   => {"team" => "rails", "players" => "36"}
-      def decode(json)
-        data = ::JSON.parse(json, quirks_mode: true)
+      #   # => {"team" => "rails", "players" => "36"}
+      #   ActiveSupport::JSON.decode("2.39")
+      #   # => 2.39
+      def decode(json, options = {})
+        data = ::JSON.parse(json, options)
 
         if ActiveSupport.parse_json_times
           convert_dates_from(data)

data/lib/active_support/json/encoding.rb

@@ -8,24 +8,70 @@ module ActiveSupport
     delegate :use_standard_json_time_format, :use_standard_json_time_format=,
       :time_precision, :time_precision=,
       :escape_html_entities_in_json, :escape_html_entities_in_json=,
+      :escape_js_separators_in_json, :escape_js_separators_in_json=,
       :json_encoder, :json_encoder=,
       to: :'ActiveSupport::JSON::Encoding'
   end
 
   module JSON
-    # Dumps objects in JSON (JavaScript Object Notation).
-    # See http://www.json.org for more info.
-    #
-    #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
-    #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
     class << self
+      # Dumps objects in JSON (JavaScript Object Notation).
+      # See http://www.json.org for more info.
+      #
+      #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
+      #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
+      #
+      # By default, it generates JSON that is safe to include in JavaScript, as
+      # it escapes U+2028 (Line Separator) and U+2029 (Paragraph Separator):
+      #
+      #   ActiveSupport::JSON.encode({ key: "\u2028" })
+      #   # => "{\"key\":\"\\u2028\"}"
+      #
+      # By default, it also generates JSON that is safe to include in HTML, as
+      # it escapes <tt><</tt>, <tt>></tt>, and <tt>&</tt>:
+      #
+      #   ActiveSupport::JSON.encode({ key: "<>&" })
+      #   # => "{\"key\":\"\\u003c\\u003e\\u0026\"}"
+      #
+      # This behavior can be changed with the +escape_html_entities+ option, or the
+      # global escape_html_entities_in_json configuration option.
+      #
+      #   ActiveSupport::JSON.encode({ key: "<>&" }, escape_html_entities: false)
+      #   # => "{\"key\":\"<>&\"}"
+      #
+      # For performance reasons, you can set the +escape+ option to false,
+      # which will skip all escaping:
+      #
+      #   ActiveSupport::JSON.encode({ key: "\u2028<>&" }, escape: false)
+      #   # => "{\"key\":\"\u2028<>&\"}"
       def encode(value, options = nil)
-        Encoding.json_encoder.new(options).encode(value)
+        if options.nil? || options.empty?
+          Encoding.encode_without_options(value)
+        elsif options == { escape: false }.freeze
+          Encoding.encode_without_escape(value)
+        else
+          Encoding.json_encoder.new(options).encode(value)
+        end
       end
       alias_method :dump, :encode
     end
 
     module Encoding # :nodoc:
+      U2028 = -"\u2028".b
+      U2029 = -"\u2029".b
+
+      ESCAPED_CHARS = {
+        U2028 => '\u2028'.b,
+        U2029 => '\u2029'.b,
+        ">".b => '\u003e'.b,
+        "<".b => '\u003c'.b,
+        "&".b => '\u0026'.b,
+      }
+
+      HTML_ENTITIES_REGEX = Regexp.union(*(ESCAPED_CHARS.keys - [U2028, U2029]))
+      FULL_ESCAPE_REGEX = Regexp.union(*ESCAPED_CHARS.keys)
+      JS_SEPARATORS_REGEX = Regexp.union(U2028, U2029)
+
       class JSONGemEncoder # :nodoc:
         attr_reader :options
 
@@ -36,21 +82,23 @@ module ActiveSupport
         # Encode the given object into a JSON string
         def encode(value)
           unless options.empty?
-            value = value.as_json(options.dup)
+            value = value.as_json(options.dup.freeze)
           end
           json = stringify(jsonify(value))
 
-          # Rails does more escaping than the JSON gem natively does (we
-          # escape \u2028 and \u2029 and optionally >, <, & to work around
-          # certain browser problems).
-          if Encoding.escape_html_entities_in_json
-            json.gsub!(">", '\u003e')
-            json.gsub!("<", '\u003c')
-            json.gsub!("&", '\u0026')
+          return json unless @options.fetch(:escape, true)
+
+          json.force_encoding(::Encoding::BINARY)
+          if @options.fetch(:escape_html_entities, Encoding.escape_html_entities_in_json)
+            if Encoding.escape_js_separators_in_json
+              json.gsub!(FULL_ESCAPE_REGEX, ESCAPED_CHARS)
+            else
+              json.gsub!(HTML_ENTITIES_REGEX, ESCAPED_CHARS)
+            end
+          elsif Encoding.escape_js_separators_in_json
+            json.gsub!(JS_SEPARATORS_REGEX, ESCAPED_CHARS)
           end
-          json.gsub!("\u2028", '\u2028')
-          json.gsub!("\u2029", '\u2029')
-          json
+          json.force_encoding(::Encoding::UTF_8)
         end
 
         private
@@ -83,14 +131,75 @@ module ActiveSupport
             when Array
               value.map { |v| jsonify(v) }
             else
-              jsonify value.as_json
+              if defined?(::JSON::Fragment) && ::JSON::Fragment === value
+                value
+              else
+                jsonify value.as_json
+              end
             end
           end
 
           # Encode a "jsonified" Ruby data structure using the JSON gem
           def stringify(jsonified)
-            ::JSON.generate(jsonified, quirks_mode: true, max_nesting: false)
+            ::JSON.generate(jsonified)
+          end
+      end
+
+      # ruby/json 2.14.x yields non-String keys but doesn't let us know it's a key
+      if defined?(::JSON::Coder) && Gem::Version.new(::JSON::VERSION) >= Gem::Version.new("2.15.2")
+        class JSONGemCoderEncoder # :nodoc:
+          JSON_NATIVE_TYPES = [Hash, Array, Float, String, Symbol, Integer, NilClass, TrueClass, FalseClass, ::JSON::Fragment].freeze
+          CODER = ::JSON::Coder.new do |value, is_key|
+            json_value = value.as_json
+            # Keep compatibility by calling to_s on non-String keys
+            next json_value.to_s if is_key
+            # Handle objects returning self from as_json
+            if json_value.equal?(value)
+              next ::JSON::Fragment.new(::JSON.generate(json_value))
+            end
+            # Handle objects not returning JSON-native types from as_json
+            count = 5
+            until JSON_NATIVE_TYPES.include?(json_value.class)
+              raise SystemStackError if count == 0
+              json_value = json_value.as_json
+              count -= 1
+            end
+            json_value
+          end
+
+
+          def initialize(options = nil)
+            if options
+              options = options.dup
+              @escape = options.delete(:escape) { true }
+              @options = options.freeze
+            else
+              @escape = true
+              @options = {}.freeze
+            end
           end
+
+          # Encode the given object into a JSON string
+          def encode(value)
+            value = value.as_json(@options) unless @options.empty?
+
+            json = CODER.dump(value)
+
+            return json unless @escape
+
+            json.force_encoding(::Encoding::BINARY)
+            if @options.fetch(:escape_html_entities, Encoding.escape_html_entities_in_json)
+              if Encoding.escape_js_separators_in_json
+                json.gsub!(FULL_ESCAPE_REGEX, ESCAPED_CHARS)
+              else
+                json.gsub!(HTML_ENTITIES_REGEX, ESCAPED_CHARS)
+              end
+            elsif Encoding.escape_js_separators_in_json
+              json.gsub!(JS_SEPARATORS_REGEX, ESCAPED_CHARS)
+            end
+            json.force_encoding(::Encoding::UTF_8)
+          end
+        end
       end
 
       class << self
@@ -102,18 +211,45 @@ module ActiveSupport
         # as a safety measure.
         attr_accessor :escape_html_entities_in_json
 
+        # If true, encode LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029)
+        # as escaped unicode sequences ('\u2028' and '\u2029').
+        # Historically these characters were not valid inside JavaScript strings
+        # but that changed in ECMAScript 2019. As such it's no longer a concern in
+        # modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
+        attr_accessor :escape_js_separators_in_json
+
         # Sets the precision of encoded time values.
         # Defaults to 3 (equivalent to millisecond precision)
         attr_accessor :time_precision
 
         # Sets the encoder used by \Rails to encode Ruby objects into JSON strings
         # in +Object#to_json+ and +ActiveSupport::JSON.encode+.
-        attr_accessor :json_encoder
+        attr_reader :json_encoder
+
+        def json_encoder=(encoder)
+          @json_encoder = encoder
+          @encoder_without_options = encoder.new
+          @encoder_without_escape = encoder.new(escape: false)
+        end
+
+        def encode_without_options(value) # :nodoc:
+          @encoder_without_options.encode(value)
+        end
+
+        def encode_without_escape(value) # :nodoc:
+          @encoder_without_escape.encode(value)
+        end
       end
 
       self.use_standard_json_time_format = true
       self.escape_html_entities_in_json  = true
-      self.json_encoder = JSONGemEncoder
+      self.escape_js_separators_in_json = true
+      self.json_encoder =
+        if defined?(JSONGemCoderEncoder)
+          JSONGemCoderEncoder
+        else
+          JSONGemEncoder
+        end
       self.time_precision = 3
     end
   end

data/lib/active_support/lazy_load_hooks.rb

@@ -53,7 +53,7 @@ module ActiveSupport
     # loaded. If the component has already loaded, the block is executed
     # immediately.
     #
-    # Options:
+    # ==== Options
     #
     # * <tt>:yield</tt> - Yields the object that run_load_hooks to +block+.
     # * <tt>:run_once</tt> - Given +block+ will run only once.

data/lib/active_support/log_subscriber.rb

@@ -62,10 +62,6 @@ module ActiveSupport
   # that all logs are flushed, and it is called in Rails::Rack::Logger after a
   # request finishes.
   class LogSubscriber < Subscriber
-    # Embed in a String to clear all previous ANSI sequences.
-    CLEAR = ActiveSupport::Deprecation::DeprecatedObjectProxy.new("\e[0m", "CLEAR is deprecated! Use MODES[:clear] instead.", ActiveSupport.deprecator)
-    BOLD  = ActiveSupport::Deprecation::DeprecatedObjectProxy.new("\e[1m", "BOLD is deprecated! Use MODES[:bold] instead.", ActiveSupport.deprecator)
-
     # ANSI sequence modes
     MODES = {
       clear:     0,
@@ -153,12 +149,6 @@ module ActiveSupport
       log_exception(event.name, e)
     end
 
-    def publish_event(event)
-      super if logger
-    rescue => e
-      log_exception(event.name, e)
-    end
-
     attr_writer :event_levels # :nodoc:
 
   private
@@ -182,20 +172,14 @@ module ActiveSupport
     end
 
     def mode_from(options)
-      if options.is_a?(TrueClass) || options.is_a?(FalseClass)
-        ActiveSupport.deprecator.warn(<<~MSG.squish)
-          Bolding log text with a positional boolean is deprecated and will be removed
-          in Rails 7.2. Use an option hash instead (eg. `color("my text", :red, bold: true)`).
-        MSG
-        options = { bold: options }
-      end
-
       modes = MODES.values_at(*options.compact_blank.keys)
 
       "\e[#{modes.join(";")}m" if modes.any?
     end
 
     def log_exception(name, e)
+      ActiveSupport.error_reporter.report(e, source: name)
+
       if logger
         logger.error "Could not log #{name.inspect} event. #{e.class}: #{e.message} #{e.backtrace}"
       end

data/lib/active_support/logger.rb

@@ -13,6 +13,10 @@ module ActiveSupport
     #   logger = Logger.new(STDOUT)
     #   ActiveSupport::Logger.logger_outputs_to?(logger, STDOUT)
     #   # => true
+    #
+    #   logger = Logger.new('/var/log/rails.log')
+    #   ActiveSupport::Logger.logger_outputs_to?(logger, '/var/log/rails.log')
+    #   # => true
     def self.logger_outputs_to?(logger, *sources)
       loggers = if logger.is_a?(BroadcastLogger)
         logger.broadcasts
@@ -21,9 +25,9 @@ module ActiveSupport
       end
 
       logdevs = loggers.map { |logger| logger.instance_variable_get(:@logdev) }
-      logger_sources = logdevs.filter_map { |logdev| logdev.dev if logdev.respond_to?(:dev) }
+      logger_sources = logdevs.filter_map { |logdev| logdev.try(:filename) || logdev.try(:dev) }
 
-      (sources & logger_sources).any?
+      normalize_sources(sources).intersect?(normalize_sources(logger_sources))
     end
 
     def initialize(*args, **kwargs)
@@ -38,5 +42,14 @@ module ActiveSupport
         "#{String === msg ? msg : msg.inspect}\n"
       end
     end
+
+    private
+      def self.normalize_sources(sources)
+        sources.map do |source|
+          source = source.path if source.respond_to?(:path)
+          source = File.realpath(source) if source.is_a?(String) && File.exist?(source)
+          source
+        end
+      end
   end
 end

data/lib/active_support/logger_thread_safe_level.rb

@@ -7,12 +7,9 @@ module ActiveSupport
   module LoggerThreadSafeLevel # :nodoc:
     extend ActiveSupport::Concern
 
-    Logger::Severity.constants.each do |severity|
-      class_eval(<<-EOT, __FILE__, __LINE__ + 1)
-        def #{severity.downcase}?                # def debug?
-          Logger::#{severity} >= level           #   DEBUG >= level
-        end                                      # end
-      EOT
+    def initialize(...)
+      super
+      @local_level_key = :"logger_thread_safe_level_#{object_id}"
     end
 
     def local_level
@@ -48,8 +45,6 @@ module ActiveSupport
     end
 
     private
-      def local_level_key
-        @local_level_key ||= :"logger_thread_safe_level_#{object_id}"
-      end
+      attr_reader :local_level_key
   end
 end

data/lib/active_support/message_encryptors.rb

@@ -26,10 +26,13 @@ module ActiveSupport
     # as the first rotation and <tt>transitional = true</tt>. Then, after all
     # servers have been updated, perform a second rolling deploy with
     # <tt>transitional = false</tt>.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#transitional
 
     ##
-    # :method: initialize
-    # :call-seq: initialize(&secret_generator)
+    # :singleton-method: new
+    # :call-seq: new(&secret_generator)
     #
     # Initializes a new instance. +secret_generator+ must accept a salt and a
     # +secret_length+ kwarg, and return a suitable secret (string) or secrets
@@ -43,6 +46,9 @@ module ActiveSupport
     #   end
     #
     #   encryptors.rotate(base: "...")
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#initialize
 
     ##
     # :method: []
@@ -51,12 +57,18 @@ module ActiveSupport
     # Returns a MessageEncryptor configured with a secret derived from the
     # given +salt+, and options from #rotate. MessageEncryptor instances will
     # be memoized, so the same +salt+ will return the same instance.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]
 
     ##
     # :method: []=
     # :call-seq: []=(salt, encryptor)
     #
     # Overrides a MessageEncryptor instance associated with a given +salt+.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]=
 
     ##
     # :method: rotate
@@ -106,18 +118,55 @@ module ActiveSupport
     #
     #   # Uses `serializer: Marshal, url_safe: false`.
     #   encryptors[:baz]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate
+
+    ##
+    # :method: prepend
+    # :call-seq:
+    #   prepend(**options)
+    #   prepend(&block)
+    #
+    # Just like #rotate, but prepends the given options or block to the list of
+    # option sets.
+    #
+    # This can be useful when you have an already-configured +MessageEncryptors+
+    # instance, but you want to override the way messages are encrypted.
+    #
+    #   module ThirdParty
+    #     ENCRYPTORS = ActiveSupport::MessageEncryptors.new { ... }.
+    #       rotate(serializer: Marshal, url_safe: true).
+    #       rotate(serializer: Marshal, url_safe: false)
+    #   end
+    #
+    #   ThirdParty.ENCRYPTORS.prepend(serializer: JSON, url_safe: true)
+    #
+    #   # Uses `serializer: JSON, url_safe: true`.
+    #   # Falls back to `serializer: Marshal, url_safe: true` or
+    #   # `serializer: Marshal, url_safe: false`.
+    #   ThirdParty.ENCRYPTORS[:foo]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#prepend
 
     ##
     # :method: rotate_defaults
     # :call-seq: rotate_defaults
     #
     # Invokes #rotate with the default options.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate_defaults
 
     ##
     # :method: clear_rotations
     # :call-seq: clear_rotations
     #
     # Clears the list of option sets.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#clear_rotations
 
     ##
     # :method: on_rotation
@@ -129,6 +178,9 @@ module ActiveSupport
     # For example, this callback could log each time it is called, and thus
     # indicate whether old option sets are still in use or can be removed from
     # rotation.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#on_rotation
 
     ##
     private

data/lib/active_support/message_pack/extensions.rb

@@ -7,6 +7,7 @@ require "pathname"
 require "uri/generic"
 require "msgpack/bigint"
 require "active_support/hash_with_indifferent_access"
+require "active_support/core_ext/string/output_safety"
 require "active_support/time"
 
 module ActiveSupport
@@ -86,8 +87,9 @@ module ActiveSupport
           unpacker: URI.method(:parse)
 
         registry.register_type 14, IPAddr,
-          packer: :to_s,
-          unpacker: :new
+          packer: method(:write_ipaddr),
+          unpacker: method(:read_ipaddr),
+          recursive: true
 
         registry.register_type 15, Pathname,
           packer: :to_s,
@@ -101,6 +103,10 @@ module ActiveSupport
           packer: method(:write_hash_with_indifferent_access),
           unpacker: method(:read_hash_with_indifferent_access),
           recursive: true
+
+        registry.register_type 18, ActiveSupport::SafeBuffer,
+          packer: :to_s,
+          unpacker: :new
       end
 
       def install_unregistered_type_error(registry)
@@ -221,6 +227,18 @@ module ActiveSupport
         Set.new(unpacker.read)
       end
 
+      def write_ipaddr(ipaddr, packer)
+        if ipaddr.prefix < 32 || (ipaddr.ipv6? && ipaddr.prefix < 128)
+          packer.write("#{ipaddr}/#{ipaddr.prefix}")
+        else
+          packer.write(ipaddr.to_s)
+        end
+      end
+
+      def read_ipaddr(unpacker)
+        IPAddr.new(unpacker.read)
+      end
+
       def write_hash_with_indifferent_access(hwia, packer)
         packer.write(hwia.to_h)
       end

data/lib/active_support/message_verifier.rb

@@ -30,6 +30,18 @@ module ActiveSupport
   #     self.current_user = User.find(id)
   #   end
   #
+  # === Signing is not encryption
+  #
+  # The signed messages are not encrypted. The payload is merely encoded (Base64 by default) and can be decoded by
+  # anyone. The signature is just assuring that the message wasn't tampered with. For example:
+  #
+  #     message = Rails.application.message_verifier('my_purpose').generate('never put secrets here')
+  #     # => "BAhJIhtuZXZlciBwdXQgc2VjcmV0cyBoZXJlBjoGRVQ=--a0c1c0827919da5e949e989c971249355735e140"
+  #     Base64.decode64(message.split("--").first) # no key needed
+  #     # => 'never put secrets here'
+  #
+  # If you also need to encrypt the contents, you must use ActiveSupport::MessageEncryptor instead.
+  #
   # === Confine messages to a specific purpose
   #
   # It's not recommended to use the same verifier for different purposes in your application.
@@ -142,6 +154,8 @@ module ActiveSupport
     #   not URL-safe. In other words, they can contain "+" and "/". If you want to
     #   generate URL-safe strings (in compliance with "Base 64 Encoding with URL
     #   and Filename Safe Alphabet" in RFC 4648), you can pass +true+.
+    #   Note that MessageVerifier will always accept both URL-safe and URL-unsafe
+    #   encoded messages, to allow a smooth transition between the two settings.
     #
     # [+:force_legacy_metadata_serializer+]
     #   Whether to use the legacy metadata serializer, which serializes the
@@ -306,6 +320,13 @@ module ActiveSupport
     end
 
     private
+      def decode(encoded, url_safe: @url_safe)
+        catch :invalid_message_format do
+          return super
+        end
+        super(encoded, url_safe: !url_safe)
+      end
+
       def sign_encoded(encoded)
         digest = generate_digest(encoded)
         encoded << SEPARATOR << digest