activesupport 7.2.2.2 → 8.1.2

data/lib/active_support/json/encoding.rb

@@ -8,24 +8,70 @@ module ActiveSupport
     delegate :use_standard_json_time_format, :use_standard_json_time_format=,
       :time_precision, :time_precision=,
       :escape_html_entities_in_json, :escape_html_entities_in_json=,
+      :escape_js_separators_in_json, :escape_js_separators_in_json=,
       :json_encoder, :json_encoder=,
       to: :'ActiveSupport::JSON::Encoding'
   end
 
   module JSON
-    # Dumps objects in JSON (JavaScript Object Notation).
-    # See http://www.json.org for more info.
-    #
-    #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
-    #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
     class << self
+      # Dumps objects in JSON (JavaScript Object Notation).
+      # See http://www.json.org for more info.
+      #
+      #   ActiveSupport::JSON.encode({ team: 'rails', players: '36' })
+      #   # => "{\"team\":\"rails\",\"players\":\"36\"}"
+      #
+      # By default, it generates JSON that is safe to include in JavaScript, as
+      # it escapes U+2028 (Line Separator) and U+2029 (Paragraph Separator):
+      #
+      #   ActiveSupport::JSON.encode({ key: "\u2028" })
+      #   # => "{\"key\":\"\\u2028\"}"
+      #
+      # By default, it also generates JSON that is safe to include in HTML, as
+      # it escapes <tt><</tt>, <tt>></tt>, and <tt>&</tt>:
+      #
+      #   ActiveSupport::JSON.encode({ key: "<>&" })
+      #   # => "{\"key\":\"\\u003c\\u003e\\u0026\"}"
+      #
+      # This behavior can be changed with the +escape_html_entities+ option, or the
+      # global escape_html_entities_in_json configuration option.
+      #
+      #   ActiveSupport::JSON.encode({ key: "<>&" }, escape_html_entities: false)
+      #   # => "{\"key\":\"<>&\"}"
+      #
+      # For performance reasons, you can set the +escape+ option to false,
+      # which will skip all escaping:
+      #
+      #   ActiveSupport::JSON.encode({ key: "\u2028<>&" }, escape: false)
+      #   # => "{\"key\":\"\u2028<>&\"}"
       def encode(value, options = nil)
-        Encoding.json_encoder.new(options).encode(value)
+        if options.nil? || options.empty?
+          Encoding.encode_without_options(value)
+        elsif options == { escape: false }.freeze
+          Encoding.encode_without_escape(value)
+        else
+          Encoding.json_encoder.new(options).encode(value)
+        end
       end
       alias_method :dump, :encode
     end
 
     module Encoding # :nodoc:
+      U2028 = -"\u2028".b
+      U2029 = -"\u2029".b
+
+      ESCAPED_CHARS = {
+        U2028 => '\u2028'.b,
+        U2029 => '\u2029'.b,
+        ">".b => '\u003e'.b,
+        "<".b => '\u003c'.b,
+        "&".b => '\u0026'.b,
+      }
+
+      HTML_ENTITIES_REGEX = Regexp.union(*(ESCAPED_CHARS.keys - [U2028, U2029]))
+      FULL_ESCAPE_REGEX = Regexp.union(*ESCAPED_CHARS.keys)
+      JS_SEPARATORS_REGEX = Regexp.union(U2028, U2029)
+
       class JSONGemEncoder # :nodoc:
         attr_reader :options
 
@@ -36,21 +82,23 @@ module ActiveSupport
         # Encode the given object into a JSON string
         def encode(value)
           unless options.empty?
-            value = value.as_json(options.dup)
+            value = value.as_json(options.dup.freeze)
           end
           json = stringify(jsonify(value))
 
-          # Rails does more escaping than the JSON gem natively does (we
-          # escape \u2028 and \u2029 and optionally >, <, & to work around
-          # certain browser problems).
-          if Encoding.escape_html_entities_in_json
-            json.gsub!(">", '\u003e')
-            json.gsub!("<", '\u003c')
-            json.gsub!("&", '\u0026')
+          return json unless @options.fetch(:escape, true)
+
+          json.force_encoding(::Encoding::BINARY)
+          if @options.fetch(:escape_html_entities, Encoding.escape_html_entities_in_json)
+            if Encoding.escape_js_separators_in_json
+              json.gsub!(FULL_ESCAPE_REGEX, ESCAPED_CHARS)
+            else
+              json.gsub!(HTML_ENTITIES_REGEX, ESCAPED_CHARS)
+            end
+          elsif Encoding.escape_js_separators_in_json
+            json.gsub!(JS_SEPARATORS_REGEX, ESCAPED_CHARS)
           end
-          json.gsub!("\u2028", '\u2028')
-          json.gsub!("\u2029", '\u2029')
-          json
+          json.force_encoding(::Encoding::UTF_8)
         end
 
         private
@@ -83,14 +131,75 @@ module ActiveSupport
             when Array
               value.map { |v| jsonify(v) }
             else
-              jsonify value.as_json
+              if defined?(::JSON::Fragment) && ::JSON::Fragment === value
+                value
+              else
+                jsonify value.as_json
+              end
             end
           end
 
           # Encode a "jsonified" Ruby data structure using the JSON gem
           def stringify(jsonified)
-            ::JSON.generate(jsonified, quirks_mode: true, max_nesting: false)
+            ::JSON.generate(jsonified)
+          end
+      end
+
+      # ruby/json 2.14.x yields non-String keys but doesn't let us know it's a key
+      if defined?(::JSON::Coder) && Gem::Version.new(::JSON::VERSION) >= Gem::Version.new("2.15.2")
+        class JSONGemCoderEncoder # :nodoc:
+          JSON_NATIVE_TYPES = [Hash, Array, Float, String, Symbol, Integer, NilClass, TrueClass, FalseClass, ::JSON::Fragment].freeze
+          CODER = ::JSON::Coder.new do |value, is_key|
+            json_value = value.as_json
+            # Keep compatibility by calling to_s on non-String keys
+            next json_value.to_s if is_key
+            # Handle objects returning self from as_json
+            if json_value.equal?(value)
+              next ::JSON::Fragment.new(::JSON.generate(json_value))
+            end
+            # Handle objects not returning JSON-native types from as_json
+            count = 5
+            until JSON_NATIVE_TYPES.include?(json_value.class)
+              raise SystemStackError if count == 0
+              json_value = json_value.as_json
+              count -= 1
+            end
+            json_value
+          end
+
+
+          def initialize(options = nil)
+            if options
+              options = options.dup
+              @escape = options.delete(:escape) { true }
+              @options = options.freeze
+            else
+              @escape = true
+              @options = {}.freeze
+            end
           end
+
+          # Encode the given object into a JSON string
+          def encode(value)
+            value = value.as_json(@options) unless @options.empty?
+
+            json = CODER.dump(value)
+
+            return json unless @escape
+
+            json.force_encoding(::Encoding::BINARY)
+            if @options.fetch(:escape_html_entities, Encoding.escape_html_entities_in_json)
+              if Encoding.escape_js_separators_in_json
+                json.gsub!(FULL_ESCAPE_REGEX, ESCAPED_CHARS)
+              else
+                json.gsub!(HTML_ENTITIES_REGEX, ESCAPED_CHARS)
+              end
+            elsif Encoding.escape_js_separators_in_json
+              json.gsub!(JS_SEPARATORS_REGEX, ESCAPED_CHARS)
+            end
+            json.force_encoding(::Encoding::UTF_8)
+          end
+        end
       end
 
       class << self
@@ -102,18 +211,45 @@ module ActiveSupport
         # as a safety measure.
         attr_accessor :escape_html_entities_in_json
 
+        # If true, encode LINE SEPARATOR (U+2028) and PARAGRAPH SEPARATOR (U+2029)
+        # as escaped unicode sequences ('\u2028' and '\u2029').
+        # Historically these characters were not valid inside JavaScript strings
+        # but that changed in ECMAScript 2019. As such it's no longer a concern in
+        # modern browsers: https://caniuse.com/mdn-javascript_builtins_json_json_superset.
+        attr_accessor :escape_js_separators_in_json
+
         # Sets the precision of encoded time values.
         # Defaults to 3 (equivalent to millisecond precision)
         attr_accessor :time_precision
 
         # Sets the encoder used by \Rails to encode Ruby objects into JSON strings
         # in +Object#to_json+ and +ActiveSupport::JSON.encode+.
-        attr_accessor :json_encoder
+        attr_reader :json_encoder
+
+        def json_encoder=(encoder)
+          @json_encoder = encoder
+          @encoder_without_options = encoder.new
+          @encoder_without_escape = encoder.new(escape: false)
+        end
+
+        def encode_without_options(value) # :nodoc:
+          @encoder_without_options.encode(value)
+        end
+
+        def encode_without_escape(value) # :nodoc:
+          @encoder_without_escape.encode(value)
+        end
       end
 
       self.use_standard_json_time_format = true
       self.escape_html_entities_in_json  = true
-      self.json_encoder = JSONGemEncoder
+      self.escape_js_separators_in_json = true
+      self.json_encoder =
+        if defined?(JSONGemCoderEncoder)
+          JSONGemCoderEncoder
+        else
+          JSONGemEncoder
+        end
       self.time_precision = 3
     end
   end

data/lib/active_support/lazy_load_hooks.rb

@@ -53,7 +53,7 @@ module ActiveSupport
     # loaded. If the component has already loaded, the block is executed
     # immediately.
     #
-    # Options:
+    # ==== Options
     #
     # * <tt>:yield</tt> - Yields the object that run_load_hooks to +block+.
     # * <tt>:run_once</tt> - Given +block+ will run only once.

data/lib/active_support/log_subscriber.rb

@@ -149,12 +149,6 @@ module ActiveSupport
       log_exception(event.name, e)
     end
 
-    def publish_event(event)
-      super if logger
-    rescue => e
-      log_exception(event.name, e)
-    end
-
     attr_writer :event_levels # :nodoc:
 
   private
@@ -184,6 +178,8 @@ module ActiveSupport
     end
 
     def log_exception(name, e)
+      ActiveSupport.error_reporter.report(e, source: name)
+
       if logger
         logger.error "Could not log #{name.inspect} event. #{e.class}: #{e.message} #{e.backtrace}"
       end

data/lib/active_support/logger_thread_safe_level.rb

@@ -7,6 +7,11 @@ module ActiveSupport
   module LoggerThreadSafeLevel # :nodoc:
     extend ActiveSupport::Concern
 
+    def initialize(...)
+      super
+      @local_level_key = :"logger_thread_safe_level_#{object_id}"
+    end
+
     def local_level
       IsolatedExecutionState[local_level_key]
     end
@@ -40,8 +45,6 @@ module ActiveSupport
     end
 
     private
-      def local_level_key
-        @local_level_key ||= :"logger_thread_safe_level_#{object_id}"
-      end
+      attr_reader :local_level_key
   end
 end

data/lib/active_support/message_encryptors.rb

@@ -26,10 +26,13 @@ module ActiveSupport
     # as the first rotation and <tt>transitional = true</tt>. Then, after all
     # servers have been updated, perform a second rolling deploy with
     # <tt>transitional = false</tt>.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#transitional
 
     ##
-    # :method: initialize
-    # :call-seq: initialize(&secret_generator)
+    # :singleton-method: new
+    # :call-seq: new(&secret_generator)
     #
     # Initializes a new instance. +secret_generator+ must accept a salt and a
     # +secret_length+ kwarg, and return a suitable secret (string) or secrets
@@ -43,6 +46,9 @@ module ActiveSupport
     #   end
     #
     #   encryptors.rotate(base: "...")
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#initialize
 
     ##
     # :method: []
@@ -51,12 +57,18 @@ module ActiveSupport
     # Returns a MessageEncryptor configured with a secret derived from the
     # given +salt+, and options from #rotate. MessageEncryptor instances will
     # be memoized, so the same +salt+ will return the same instance.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]
 
     ##
     # :method: []=
     # :call-seq: []=(salt, encryptor)
     #
     # Overrides a MessageEncryptor instance associated with a given +salt+.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]=
 
     ##
     # :method: rotate
@@ -106,18 +118,55 @@ module ActiveSupport
     #
     #   # Uses `serializer: Marshal, url_safe: false`.
     #   encryptors[:baz]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate
+
+    ##
+    # :method: prepend
+    # :call-seq:
+    #   prepend(**options)
+    #   prepend(&block)
+    #
+    # Just like #rotate, but prepends the given options or block to the list of
+    # option sets.
+    #
+    # This can be useful when you have an already-configured +MessageEncryptors+
+    # instance, but you want to override the way messages are encrypted.
+    #
+    #   module ThirdParty
+    #     ENCRYPTORS = ActiveSupport::MessageEncryptors.new { ... }.
+    #       rotate(serializer: Marshal, url_safe: true).
+    #       rotate(serializer: Marshal, url_safe: false)
+    #   end
+    #
+    #   ThirdParty.ENCRYPTORS.prepend(serializer: JSON, url_safe: true)
+    #
+    #   # Uses `serializer: JSON, url_safe: true`.
+    #   # Falls back to `serializer: Marshal, url_safe: true` or
+    #   # `serializer: Marshal, url_safe: false`.
+    #   ThirdParty.ENCRYPTORS[:foo]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#prepend
 
     ##
     # :method: rotate_defaults
     # :call-seq: rotate_defaults
     #
     # Invokes #rotate with the default options.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate_defaults
 
     ##
     # :method: clear_rotations
     # :call-seq: clear_rotations
     #
     # Clears the list of option sets.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#clear_rotations
 
     ##
     # :method: on_rotation
@@ -129,6 +178,9 @@ module ActiveSupport
     # For example, this callback could log each time it is called, and thus
     # indicate whether old option sets are still in use or can be removed from
     # rotation.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#on_rotation
 
     ##
     private

data/lib/active_support/message_pack/extensions.rb

@@ -4,9 +4,10 @@ require "bigdecimal"
 require "date"
 require "ipaddr"
 require "pathname"
-require "uri/generic"
+require "uri"
 require "msgpack/bigint"
 require "active_support/hash_with_indifferent_access"
+require "active_support/core_ext/string/output_safety"
 require "active_support/time"
 
 module ActiveSupport
@@ -102,6 +103,10 @@ module ActiveSupport
           packer: method(:write_hash_with_indifferent_access),
           unpacker: method(:read_hash_with_indifferent_access),
           recursive: true
+
+        registry.register_type 18, ActiveSupport::SafeBuffer,
+          packer: :to_s,
+          unpacker: :new
       end
 
       def install_unregistered_type_error(registry)

data/lib/active_support/message_verifier.rb

@@ -154,6 +154,8 @@ module ActiveSupport
     #   not URL-safe. In other words, they can contain "+" and "/". If you want to
     #   generate URL-safe strings (in compliance with "Base 64 Encoding with URL
     #   and Filename Safe Alphabet" in RFC 4648), you can pass +true+.
+    #   Note that MessageVerifier will always accept both URL-safe and URL-unsafe
+    #   encoded messages, to allow a smooth transition between the two settings.
     #
     # [+:force_legacy_metadata_serializer+]
     #   Whether to use the legacy metadata serializer, which serializes the
@@ -318,6 +320,13 @@ module ActiveSupport
     end
 
     private
+      def decode(encoded, url_safe: @url_safe)
+        catch :invalid_message_format do
+          return super
+        end
+        super(encoded, url_safe: !url_safe)
+      end
+
       def sign_encoded(encoded)
         digest = generate_digest(encoded)
         encoded << SEPARATOR << digest

data/lib/active_support/message_verifiers.rb

@@ -26,10 +26,13 @@ module ActiveSupport
     # as the first rotation and <tt>transitional = true</tt>. Then, after all
     # servers have been updated, perform a second rolling deploy with
     # <tt>transitional = false</tt>.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#transitional
 
     ##
-    # :method: initialize
-    # :call-seq: initialize(&secret_generator)
+    # :singleton-method: new
+    # :call-seq: new(&secret_generator)
     #
     # Initializes a new instance. +secret_generator+ must accept a salt, and
     # return a suitable secret (string). +secret_generator+ may also accept
@@ -42,6 +45,9 @@ module ActiveSupport
     #   end
     #
     #   verifiers.rotate(base: "...")
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#initialize
 
     ##
     # :method: []
@@ -50,16 +56,24 @@ module ActiveSupport
     # Returns a MessageVerifier configured with a secret derived from the
     # given +salt+, and options from #rotate. MessageVerifier instances will
     # be memoized, so the same +salt+ will return the same instance.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]
 
     ##
     # :method: []=
     # :call-seq: []=(salt, verifier)
     #
     # Overrides a MessageVerifier instance associated with a given +salt+.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#[]=
 
     ##
     # :method: rotate
-    # :call-seq: rotate(**options)
+    # :call-seq:
+    #   rotate(**options)
+    #   rotate(&block)
     #
     # Adds +options+ to the list of option sets. Messages will be signed using
     # the first set in the list. When verifying, however, each set will be
@@ -102,18 +116,55 @@ module ActiveSupport
     #
     #   # Uses `serializer: Marshal, url_safe: false`.
     #   verifiers[:baz]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate
+
+    ##
+    # :method: prepend
+    # :call-seq:
+    #   prepend(**options)
+    #   prepend(&block)
+    #
+    # Just like #rotate, but prepends the given options or block to the list of
+    # option sets.
+    #
+    # This can be useful when you have an already-configured +MessageVerifiers+
+    # instance, but you want to override the way messages are signed.
+    #
+    #   module ThirdParty
+    #     VERIFIERS = ActiveSupport::MessageVerifiers.new { ... }.
+    #       rotate(serializer: Marshal, url_safe: true).
+    #       rotate(serializer: Marshal, url_safe: false)
+    #   end
+    #
+    #   ThirdParty.VERIFIERS.prepend(serializer: JSON, url_safe: true)
+    #
+    #   # Uses `serializer: JSON, url_safe: true`.
+    #   # Falls back to `serializer: Marshal, url_safe: true` or
+    #   # `serializer: Marshal, url_safe: false`.
+    #   ThirdParty.VERIFIERS[:foo]
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#prepend
 
     ##
     # :method: rotate_defaults
     # :call-seq: rotate_defaults
     #
     # Invokes #rotate with the default options.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#rotate_defaults
 
     ##
     # :method: clear_rotations
     # :call-seq: clear_rotations
     #
     # Clears the list of option sets.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#clear_rotations
 
     ##
     # :method: on_rotation
@@ -125,6 +176,9 @@ module ActiveSupport
     # For example, this callback could log each time it is called, and thus
     # indicate whether old option sets are still in use or can be removed from
     # rotation.
+    #
+    #--
+    # Implemented by ActiveSupport::Messages::RotationCoordinator#on_rotation
 
     ##
     private

data/lib/active_support/messages/rotation_coordinator.rb

@@ -32,6 +32,15 @@ module ActiveSupport
         self
       end
 
+      def prepend(**options, &block)
+        raise ArgumentError, "Options cannot be specified when using a block" if block && !options.empty?
+        changing_configuration!
+
+        @rotate_options.unshift(block || options)
+
+        self
+      end
+
       def rotate_defaults
         rotate()
       end

data/lib/active_support/messages/rotator.rb

@@ -15,6 +15,11 @@ module ActiveSupport
         fall_back_to build_rotation(*args, **options)
       end
 
+      def on_rotation(&on_rotation)
+        @on_rotation = on_rotation
+        self
+      end
+
       def fall_back_to(fallback)
         @rotations << fallback
         self
@@ -40,6 +45,11 @@ module ActiveSupport
         end
       end
 
+      def initialize_dup(*)
+        super
+        @rotations = @rotations.dup
+      end
+
       private
         def build_rotation(*args, **options)
           self.class.new(*args, *@args.drop(args.length), **@options, **options)

data/lib/active_support/multibyte/chars.rb

@@ -53,9 +53,19 @@ module ActiveSupport # :nodoc:
       delegate :<=>, :=~, :match?, :acts_like_string?, to: :wrapped_string
 
       # Creates a new Chars instance by wrapping _string_.
-      def initialize(string)
+      def initialize(string, deprecation: true)
+        if deprecation
+          ActiveSupport.deprecator.warn(
+            "ActiveSupport::Multibyte::Chars is deprecated and will be removed in Rails 8.2. " \
+            "Use normal string methods instead."
+          )
+        end
+
         @wrapped_string = string
-        @wrapped_string.force_encoding(Encoding::UTF_8) unless @wrapped_string.frozen?
+        if string.encoding != Encoding::UTF_8
+          @wrapped_string = @wrapped_string.dup
+          @wrapped_string.force_encoding(Encoding::UTF_8)
+        end
       end
 
       # Forward all undefined methods to the wrapped string.

data/lib/active_support/multibyte.rb

@@ -12,6 +12,10 @@ module ActiveSupport # :nodoc:
     #
     #   ActiveSupport::Multibyte.proxy_class = CharsForUTF32
     def self.proxy_class=(klass)
+      ActiveSupport.deprecator.warn(
+        "ActiveSupport::Multibyte.proxy_class= is deprecated and will be removed in Rails 8.2. " \
+        "Use normal string methods instead."
+      )
       @proxy_class = klass
     end