eactionpack 2.1.2

data/lib/action_controller/request_forgery_protection.rb

@@ -0,0 +1,140 @@
+module ActionController #:nodoc:
+  class InvalidAuthenticityToken < ActionControllerError #:nodoc:
+  end
+
+  module RequestForgeryProtection
+    def self.included(base)
+      base.class_eval do
+        class_inheritable_accessor :request_forgery_protection_options
+        self.request_forgery_protection_options = {}
+        helper_method :form_authenticity_token
+        helper_method :protect_against_forgery?
+      end
+      base.extend(ClassMethods)
+    end
+    
+    # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a
+    # forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all
+    # forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller.  Only
+    # HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication
+    # scheme there anyway).  Also, GET requests are not protected as these should be indempotent anyway.
+    #
+    # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
+    # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the error message in
+    # production by editing public/422.html.  A call to this method in ApplicationController is generated by default in post-Rails 2.0
+    # applications.
+    #
+    # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form manually (without the
+    # use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include a hidden field named like that and
+    # set its value to what is returned by <tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax requests. To
+    # make the token available through a global variable to scripts on a certain page, you could add something like this to a view:
+    #
+    #   <%= javascript_tag "window._token = '#{form_authenticity_token}'" %>
+    #
+    # Request forgery protection is disabled by default in test environment.  If you are upgrading from Rails 1.x, add this to
+    # config/environments/test.rb:
+    #
+    #   # Disable request forgery protection in test environment
+    #   config.action_controller.allow_forgery_protection = false
+    # 
+    # == Learn more about CSRF (Cross-Site Request Forgery) attacks
+    #
+    # Here are some resources:
+    # * http://isc.sans.org/diary.html?storyid=1750
+    # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+    #
+    # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+    # There are a few guidelines you should follow:
+    # 
+    # * Keep your GET requests safe and idempotent.  More reading material:
+    #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
+    #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+    # * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look for "Expires: at end of session"
+    #
+    module ClassMethods
+      # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
+      #
+      # Example:
+      #
+      #   class FooController < ApplicationController
+      #     # uses the cookie session store (then you don't need a separate :secret)
+      #     protect_from_forgery :except => :index
+      #
+      #     # uses one of the other session stores that uses a session_id value.
+      #     protect_from_forgery :secret => 'my-little-pony', :except => :index
+      #
+      #     # you can disable csrf protection on controller-by-controller basis:
+      #     skip_before_filter :verify_authenticity_token
+      #   end
+      #
+      # Valid Options:
+      #
+      # * <tt>:only/:except</tt> - Passed to the <tt>before_filter</tt> call.  Set which actions are verified.
+      # * <tt>:secret</tt> - Custom salt used to generate the <tt>form_authenticity_token</tt>.
+      #   Leave this off if you are using the cookie session store.
+      # * <tt>:digest</tt> - Message digest used for hashing.  Defaults to 'SHA1'.
+      def protect_from_forgery(options = {})
+        self.request_forgery_protection_token ||= :authenticity_token
+        before_filter :verify_authenticity_token, :only => options.delete(:only), :except => options.delete(:except)
+        request_forgery_protection_options.update(options)
+      end
+    end
+
+    protected
+      # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
+      def verify_authenticity_token
+        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+      end
+      
+      # Returns true or false if a request is verified.  Checks:
+      #
+      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is it a GET request?  Gets should be safe and idempotent
+      # * Does the form_authenticity_token match the given _token value from the params?
+      def verified_request?
+        !protect_against_forgery?     ||
+          request.method == :get      ||
+          !verifiable_request_format? ||
+          form_authenticity_token == params[request_forgery_protection_token]
+      end
+    
+      def verifiable_request_format?
+        request.content_type.nil? || request.content_type.verify_request?
+      end
+    
+      # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
+      # in +protect_from_forgery+ to add a custom salt to the hash.
+      def form_authenticity_token
+        @form_authenticity_token ||= if !session.respond_to?(:session_id)
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        elsif request_forgery_protection_options[:secret]
+          authenticity_token_from_session_id
+        elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
+          authenticity_token_from_cookie_session
+        else
+          raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
+        end
+      end
+      
+      # Generates a unique digest using the session_id and the CSRF secret.
+      def authenticity_token_from_session_id
+        key = if request_forgery_protection_options[:secret].respond_to?(:call)
+          request_forgery_protection_options[:secret].call(@session)
+        else
+          request_forgery_protection_options[:secret]
+        end
+        digest = request_forgery_protection_options[:digest] ||= 'SHA1'
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(digest), key.to_s, session.session_id.to_s)
+      end
+      
+      # No secret was given, so assume this is a cookie session store.
+      def authenticity_token_from_cookie_session
+        session[:csrf_id] ||= CGI::Session.generate_unique_id
+        session.dbman.generate_digest(session[:csrf_id])
+      end
+      
+      def protect_against_forgery?
+        allow_forgery_protection && request_forgery_protection_token
+      end
+  end
+end

data/lib/action_controller/request_profiler.rb

@@ -0,0 +1,169 @@
+require 'optparse'
+require 'action_controller/integration'
+
+module ActionController
+  class RequestProfiler
+    # Wrap up the integration session runner.
+    class Sandbox
+      include Integration::Runner
+
+      def self.benchmark(n, script)
+        new(script).benchmark(n)
+      end
+
+      def initialize(script_path)
+        @quiet = false
+        define_run_method(script_path)
+        reset!
+      end
+
+      def benchmark(n, profiling = false)
+        @quiet = true
+        print '  '
+
+        result = Benchmark.realtime do
+          n.times do |i|
+            run(profiling)
+            print_progress(i)
+          end
+        end
+
+        puts
+        result
+      ensure
+        @quiet = false
+      end
+
+      def say(message)
+        puts "  #{message}" unless @quiet
+      end
+
+      private
+        def define_run_method(script_path)
+          script = File.read(script_path)
+
+          source = <<-end_source
+            def run(profiling = false)
+              if profiling
+                RubyProf.resume do
+                  #{script}
+                end
+              else
+                #{script}
+              end
+
+              old_request_count = request_count
+              reset!
+              self.request_count = old_request_count
+            end
+          end_source
+
+          instance_eval source, script_path, 1
+        end
+
+        def print_progress(i)
+          print "\n  " if i % 60 == 0
+          print ' ' if i % 10 == 0
+          print '.'
+          $stdout.flush
+        end
+    end
+
+
+    attr_reader :options
+
+    def initialize(options = {})
+      @options = default_options.merge(options)
+    end
+
+
+    def self.run(args = nil, options = {})
+      profiler = new(options)
+      profiler.parse_options(args) if args
+      profiler.run
+    end
+
+    def run
+      sandbox = Sandbox.new(options[:script])
+
+      puts 'Warming up once'
+
+      elapsed = warmup(sandbox)
+      puts '%.2f sec, %d requests, %d req/sec' % [elapsed, sandbox.request_count, sandbox.request_count / elapsed]
+      puts "\n#{options[:benchmark] ? 'Benchmarking' : 'Profiling'} #{options[:n]}x"
+
+      options[:benchmark] ? benchmark(sandbox) : profile(sandbox)
+    end
+
+    def profile(sandbox)
+      load_ruby_prof
+
+      benchmark(sandbox, true)
+      results = RubyProf.stop
+
+      show_profile_results results
+      results
+    end
+
+    def benchmark(sandbox, profiling = false)
+      sandbox.request_count = 0
+      elapsed = sandbox.benchmark(options[:n], profiling).to_f
+      count = sandbox.request_count.to_i
+      puts '%.2f sec, %d requests, %d req/sec' % [elapsed, count, count / elapsed]
+    end
+
+    def warmup(sandbox)
+      Benchmark.realtime { sandbox.run(false) }
+    end
+
+    def default_options
+      { :n => 100, :open => 'open %s &' }
+    end
+
+    # Parse command-line options
+    def parse_options(args)
+      OptionParser.new do |opt|
+        opt.banner = "USAGE: #{$0} [options] [session script path]"
+
+        opt.on('-n', '--times [100]', 'How many requests to process. Defaults to 100.') { |v| options[:n] = v.to_i if v }
+        opt.on('-b', '--benchmark', 'Benchmark instead of profiling') { |v| options[:benchmark] = v }
+        opt.on('-m', '--measure [mode]', 'Which ruby-prof measure mode to use: process_time, wall_time, cpu_time, allocations, or memory. Defaults to process_time.') { |v| options[:measure] = v }
+        opt.on('--open [CMD]', 'Command to open profile results. Defaults to "open %s &"') { |v| options[:open] = v }
+        opt.on('-h', '--help', 'Show this help') { puts opt; exit }
+
+        opt.parse args
+
+        if args.empty?
+          puts opt
+          exit
+        end
+        options[:script] = args.pop
+      end
+    end
+
+    protected
+      def load_ruby_prof
+        begin
+          gem 'ruby-prof', '>= 0.6.1'
+          require 'ruby-prof'
+          if mode = options[:measure]
+            RubyProf.measure_mode = RubyProf.const_get(mode.upcase)
+          end
+        rescue LoadError
+          abort '`gem install ruby-prof` to use the profiler'
+        end
+      end
+
+      def show_profile_results(results)
+        File.open "#{RAILS_ROOT}/tmp/profile-graph.html", 'w' do |file|
+          RubyProf::GraphHtmlPrinter.new(results).print(file)
+          `#{options[:open] % file.path}` if options[:open]
+        end
+
+        File.open "#{RAILS_ROOT}/tmp/profile-flat.txt", 'w' do |file|
+          RubyProf::FlatPrinter.new(results).print(file)
+          `#{options[:open] % file.path}` if options[:open]
+        end
+      end
+  end
+end

data/lib/action_controller/rescue.rb

@@ -0,0 +1,258 @@
+module ActionController #:nodoc:
+  # Actions that fail to perform as expected throw exceptions. These exceptions can either be rescued for the public view
+  # (with a nice user-friendly explanation) or for the developers view (with tons of debugging information). The developers view
+  # is already implemented by the Action Controller, but the public view should be tailored to your specific application. 
+  # 
+  # The default behavior for public exceptions is to render a static html file with the name of the error code thrown.  If no such 
+  # file exists, an empty response is sent with the correct status code.
+  #
+  # You can override what constitutes a local request by overriding the <tt>local_request?</tt> method in your own controller.
+  # Custom rescue behavior is achieved by overriding the <tt>rescue_action_in_public</tt> and <tt>rescue_action_locally</tt> methods.
+  module Rescue
+    LOCALHOST = '127.0.0.1'.freeze
+
+    DEFAULT_RESCUE_RESPONSE = :internal_server_error
+    DEFAULT_RESCUE_RESPONSES = {
+      'ActionController::RoutingError'             => :not_found,
+      'ActionController::UnknownAction'            => :not_found,
+      'ActiveRecord::RecordNotFound'               => :not_found,
+      'ActiveRecord::StaleObjectError'             => :conflict,
+      'ActiveRecord::RecordInvalid'                => :unprocessable_entity,
+      'ActiveRecord::RecordNotSaved'               => :unprocessable_entity,
+      'ActionController::MethodNotAllowed'         => :method_not_allowed,
+      'ActionController::NotImplemented'           => :not_implemented,
+      'ActionController::InvalidAuthenticityToken' => :unprocessable_entity
+    }
+
+    DEFAULT_RESCUE_TEMPLATE = 'diagnostics'
+    DEFAULT_RESCUE_TEMPLATES = {
+      'ActionView::MissingTemplate'       => 'missing_template',
+      'ActionController::RoutingError'    => 'routing_error',
+      'ActionController::UnknownAction'   => 'unknown_action',
+      'ActionView::TemplateError'         => 'template_error'
+    }
+
+    def self.included(base) #:nodoc:
+      base.cattr_accessor :rescue_responses
+      base.rescue_responses = Hash.new(DEFAULT_RESCUE_RESPONSE)
+      base.rescue_responses.update DEFAULT_RESCUE_RESPONSES
+
+      base.cattr_accessor :rescue_templates
+      base.rescue_templates = Hash.new(DEFAULT_RESCUE_TEMPLATE)
+      base.rescue_templates.update DEFAULT_RESCUE_TEMPLATES
+
+      base.class_inheritable_array :rescue_handlers
+      base.rescue_handlers = []
+
+      base.extend(ClassMethods)
+      base.class_eval do
+        alias_method_chain :perform_action, :rescue
+      end
+    end
+
+    module ClassMethods
+      def process_with_exception(request, response, exception) #:nodoc:
+        new.process(request, response, :rescue_action, exception)
+      end
+
+      # Rescue exceptions raised in controller actions.
+      #
+      # <tt>rescue_from</tt> receives a series of exception classes or class
+      # names, and a trailing <tt>:with</tt> option with the name of a method
+      # or a Proc object to be called to handle them. Alternatively a block can
+      # be given.
+      #
+      # Handlers that take one argument will be called with the exception, so
+      # that the exception can be inspected when dealing with it.
+      #
+      # Handlers are inherited. They are searched from right to left, from
+      # bottom to top, and up the hierarchy. The handler of the first class for
+      # which <tt>exception.is_a?(klass)</tt> holds true is the one invoked, if
+      # any.
+      #
+      #   class ApplicationController < ActionController::Base
+      #     rescue_from User::NotAuthorized, :with => :deny_access # self defined exception
+      #     rescue_from ActiveRecord::RecordInvalid, :with => :show_errors
+      #
+      #     rescue_from 'MyAppError::Base' do |exception|
+      #       render :xml => exception, :status => 500
+      #     end
+      #
+      #     protected
+      #       def deny_access
+      #         ...
+      #       end
+      #
+      #       def show_errors(exception)
+      #         exception.record.new_record? ? ...
+      #       end
+      #   end
+      def rescue_from(*klasses, &block)
+        options = klasses.extract_options!
+        unless options.has_key?(:with)
+          block_given? ? options[:with] = block : raise(ArgumentError, "Need a handler. Supply an options hash that has a :with key as the last argument.")
+        end
+
+        klasses.each do |klass|
+          key = if klass.is_a?(Class) && klass <= Exception
+            klass.name
+          elsif klass.is_a?(String)
+            klass
+          else
+            raise(ArgumentError, "#{klass} is neither an Exception nor a String")
+          end
+
+          # Order is important, we put the pair at the end. When dealing with an
+          # exception we will follow the documented order going from right to left.
+          rescue_handlers << [key, options[:with]]
+        end
+      end
+    end
+
+    protected
+      # Exception handler called when the performance of an action raises an exception.
+      def rescue_action(exception)
+        log_error(exception) if logger
+        erase_results if performed?
+
+        # Let the exception alter the response if it wants.
+        # For example, MethodNotAllowed sets the Allow header.
+        if exception.respond_to?(:handle_response!)
+          exception.handle_response!(response)
+        end
+
+        if consider_all_requests_local || local_request?
+          rescue_action_locally(exception)
+        else
+          rescue_action_in_public(exception)
+        end
+      end
+
+      # Overwrite to implement custom logging of errors. By default logs as fatal.
+      def log_error(exception) #:doc:
+        ActiveSupport::Deprecation.silence do
+          if ActionView::TemplateError === exception
+            logger.fatal(exception.to_s)
+          else
+            logger.fatal(
+              "\n\n#{exception.class} (#{exception.message}):\n    " +
+              clean_backtrace(exception).join("\n    ") +
+              "\n\n"
+            )
+          end
+        end
+      end
+
+      # Overwrite to implement public exception handling (for requests answering false to <tt>local_request?</tt>).  By
+      # default will call render_optional_error_file.  Override this method to provide more user friendly error messages.s
+      def rescue_action_in_public(exception) #:doc:
+        render_optional_error_file response_code_for_rescue(exception)
+      end
+      
+      # Attempts to render a static error page based on the <tt>status_code</tt> thrown,
+      # or just return headers if no such file exists. For example, if a 500 error is 
+      # being handled Rails will first attempt to render the file at <tt>public/500.html</tt>. 
+      # If the file doesn't exist, the body of the response will be left empty.
+      def render_optional_error_file(status_code)
+        status = interpret_status(status_code)
+        path = "#{Rails.public_path}/#{status[0,3]}.html"
+        if File.exist?(path)
+          render :file => path, :status => status
+        else
+          head status
+        end
+      end
+
+      # True if the request came from localhost, 127.0.0.1. Override this
+      # method if you wish to redefine the meaning of a local request to
+      # include remote IP addresses or other criteria.
+      def local_request? #:doc:
+        request.remote_addr == LOCALHOST && request.remote_ip == LOCALHOST
+      end
+
+      # Render detailed diagnostics for unhandled exceptions rescued from
+      # a controller action.
+      def rescue_action_locally(exception)
+        add_variables_to_assigns
+        @template.instance_variable_set("@exception", exception)
+        @template.instance_variable_set("@rescues_path", File.dirname(rescues_path("stub")))
+        @template.send!(:assign_variables_from_controller)
+
+        @template.instance_variable_set("@contents", @template.render_file(template_path_for_local_rescue(exception), false))
+
+        response.content_type = Mime::HTML
+        render_for_file(rescues_path("layout"), response_code_for_rescue(exception))
+      end
+
+      # Tries to rescue the exception by looking up and calling a registered handler.
+      def rescue_action_with_handler(exception)
+        if handler = handler_for_rescue(exception)
+          if handler.arity != 0
+            handler.call(exception)
+          else
+            handler.call
+          end
+          true # don't rely on the return value of the handler
+        end
+      end
+
+    private
+      def perform_action_with_rescue #:nodoc:
+        perform_action_without_rescue
+      rescue Exception => exception
+        rescue_action_with_handler(exception) || rescue_action(exception)
+      end
+
+      def rescues_path(template_name)
+        "#{File.dirname(__FILE__)}/templates/rescues/#{template_name}.erb"
+      end
+
+      def template_path_for_local_rescue(exception)
+        rescues_path(rescue_templates[exception.class.name])
+      end
+
+      def response_code_for_rescue(exception)
+        rescue_responses[exception.class.name]
+      end
+
+      def handler_for_rescue(exception)
+        # We go from right to left because pairs are pushed onto rescue_handlers
+        # as rescue_from declarations are found.
+        _, handler = *rescue_handlers.reverse.detect do |klass_name, handler|
+          # The purpose of allowing strings in rescue_from is to support the
+          # declaration of handler associations for exception classes whose
+          # definition is yet unknown.
+          #
+          # Since this loop needs the constants it would be inconsistent to
+          # assume they should exist at this point. An early raised exception
+          # could trigger some other handler and the array could include
+          # precisely a string whose corresponding constant has not yet been
+          # seen. This is why we are tolerant to unknown constants.
+          #
+          # Note that this tolerance only matters if the exception was given as
+          # a string, otherwise a NameError will be raised by the interpreter
+          # itself when rescue_from CONSTANT is executed.
+          klass = self.class.const_get(klass_name) rescue nil
+          klass ||= klass_name.constantize rescue nil
+          exception.is_a?(klass) if klass
+        end
+
+        case handler
+        when Symbol
+          method(handler)
+        when Proc
+          handler.bind(self)
+        end
+      end
+
+      def clean_backtrace(exception)
+        if backtrace = exception.backtrace
+          if defined?(RAILS_ROOT)
+            backtrace.map { |line| line.sub RAILS_ROOT, '' }
+          else
+            backtrace
+          end
+        end
+      end
+  end
+end