omg-actionpack 8.0.0.alpha1

data/lib/action_controller/metal/params_wrapper.rb

@@ -0,0 +1,312 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+require "active_support/core_ext/hash/slice"
+require "active_support/core_ext/hash/except"
+require "active_support/core_ext/module/anonymous"
+require "action_dispatch/http/mime_type"
+
+module ActionController
+  # # Action Controller Params Wrapper
+  #
+  # Wraps the parameters hash into a nested hash. This will allow clients to
+  # submit requests without having to specify any root elements.
+  #
+  # This functionality is enabled by default for JSON, and can be customized by
+  # setting the format array:
+  #
+  #     class ApplicationController < ActionController::Base
+  #       wrap_parameters format: [:json, :xml]
+  #     end
+  #
+  # You could also turn it on per controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters format: [:json, :xml, :url_encoded_form, :multipart_form]
+  #     end
+  #
+  # If you enable `ParamsWrapper` for `:json` format, instead of having to send
+  # JSON parameters like this:
+  #
+  #     {"user": {"name": "Konata"}}
+  #
+  # You can send parameters like this:
+  #
+  #     {"name": "Konata"}
+  #
+  # And it will be wrapped into a nested hash with the key name matching the
+  # controller's name. For example, if you're posting to `UsersController`, your
+  # new `params` hash will look like this:
+  #
+  #     {"name" => "Konata", "user" => {"name" => "Konata"}}
+  #
+  # You can also specify the key in which the parameters should be wrapped to, and
+  # also the list of attributes it should wrap by using either `:include` or
+  # `:exclude` options like this:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters :person, include: [:username, :password]
+  #     end
+  #
+  # On Active Record models with no `:include` or `:exclude` option set, it will
+  # only wrap the parameters returned by the class method `attribute_names`.
+  #
+  # If you're going to pass the parameters to an `ActiveModel` object (such as
+  # `User.new(params[:user])`), you might consider passing the model class to the
+  # method instead. The `ParamsWrapper` will actually try to determine the list of
+  # attribute names from the model and only wrap those attributes:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters Person
+  #     end
+  #
+  # You still could pass `:include` and `:exclude` to set the list of attributes
+  # you want to wrap.
+  #
+  # By default, if you don't specify the key in which the parameters would be
+  # wrapped to, `ParamsWrapper` will actually try to determine if there's a model
+  # related to it or not. This controller, for example:
+  #
+  #     class Admin::UsersController < ApplicationController
+  #     end
+  #
+  # will try to check if `Admin::User` or `User` model exists, and use it to
+  # determine the wrapper key respectively. If both models don't exist, it will
+  # then fall back to use `user` as the key.
+  #
+  # To disable this functionality for a controller:
+  #
+  #     class UsersController < ApplicationController
+  #       wrap_parameters false
+  #     end
+  module ParamsWrapper
+    extend ActiveSupport::Concern
+
+    EXCLUDE_PARAMETERS = %w(authenticity_token _method utf8)
+
+    class Options < Struct.new(:name, :format, :include, :exclude, :klass, :model) # :nodoc:
+      def self.from_hash(hash)
+        name    = hash[:name]
+        format  = Array(hash[:format])
+        include = hash[:include] && Array(hash[:include]).collect(&:to_s)
+        exclude = hash[:exclude] && Array(hash[:exclude]).collect(&:to_s)
+        new name, format, include, exclude, nil, nil
+      end
+
+      def initialize(name, format, include, exclude, klass, model) # :nodoc:
+        super
+        @mutex = Mutex.new
+        @include_set = include
+        @name_set    = name
+      end
+
+      def model
+        super || self.model = _default_wrap_model
+      end
+
+      def include
+        return super if @include_set
+
+        m = model
+        @mutex.synchronize do
+          return super if @include_set
+
+          @include_set = true
+
+          unless super || exclude
+            if m.respond_to?(:attribute_names) && m.attribute_names.any?
+              self.include = m.attribute_names
+
+              if m.respond_to?(:stored_attributes) && !m.stored_attributes.empty?
+                self.include += m.stored_attributes.values.flatten.map(&:to_s)
+              end
+
+              if m.respond_to?(:attribute_aliases) && m.attribute_aliases.any?
+                self.include += m.attribute_aliases.keys
+              end
+
+              if m.respond_to?(:nested_attributes_options) && m.nested_attributes_options.keys.any?
+                self.include += m.nested_attributes_options.keys.map do |key|
+                  (+key.to_s).concat("_attributes")
+                end
+              end
+
+              self.include
+            end
+          end
+        end
+      end
+
+      def name
+        return super if @name_set
+
+        m = model
+        @mutex.synchronize do
+          return super if @name_set
+
+          @name_set = true
+
+          unless super || klass.anonymous?
+            self.name = m ? m.to_s.demodulize.underscore :
+              klass.controller_name.singularize
+          end
+        end
+      end
+
+      private
+        # Determine the wrapper model from the controller's name. By convention, this
+        # could be done by trying to find the defined model that has the same singular
+        # name as the controller. For example, `UsersController` will try to find if the
+        # `User` model exists.
+        #
+        # This method also does namespace lookup. Foo::Bar::UsersController will try to
+        # find Foo::Bar::User, Foo::User and finally User.
+        def _default_wrap_model
+          return nil if klass.anonymous?
+          model_name = klass.name.delete_suffix("Controller").classify
+
+          begin
+            if model_klass = model_name.safe_constantize
+              model_klass
+            else
+              namespaces = model_name.split("::")
+              namespaces.delete_at(-2)
+              break if namespaces.last == model_name
+              model_name = namespaces.join("::")
+            end
+          end until model_klass
+
+          model_klass
+        end
+    end
+
+    included do
+      class_attribute :_wrapper_options, default: Options.from_hash(format: [])
+    end
+
+    module ClassMethods
+      def _set_wrapper_options(options)
+        self._wrapper_options = Options.from_hash(options)
+      end
+
+      # Sets the name of the wrapper key, or the model which `ParamsWrapper` would use
+      # to determine the attribute names from.
+      #
+      # #### Examples
+      #     wrap_parameters format: :xml
+      #       # enables the parameter wrapper for XML format
+      #
+      #     wrap_parameters :person
+      #       # wraps parameters into +params[:person]+ hash
+      #
+      #     wrap_parameters Person
+      #       # wraps parameters by determining the wrapper key from Person class
+      #       # (+person+, in this case) and the list of attribute names
+      #
+      #     wrap_parameters include: [:username, :title]
+      #       # wraps only +:username+ and +:title+ attributes from parameters.
+      #
+      #     wrap_parameters false
+      #       # disables parameters wrapping for this controller altogether.
+      #
+      # #### Options
+      # *   `:format` - The list of formats in which the parameters wrapper will be
+      #     enabled.
+      # *   `:include` - The list of attribute names which parameters wrapper will
+      #     wrap into a nested hash.
+      # *   `:exclude` - The list of attribute names which parameters wrapper will
+      #     exclude from a nested hash.
+      #
+      def wrap_parameters(name_or_model_or_options, options = {})
+        model = nil
+
+        case name_or_model_or_options
+        when Hash
+          options = name_or_model_or_options
+        when false
+          options = options.merge(format: [])
+        when Symbol, String
+          options = options.merge(name: name_or_model_or_options)
+        else
+          model = name_or_model_or_options
+        end
+
+        opts = Options.from_hash _wrapper_options.to_h.slice(:format).merge(options)
+        opts.model = model
+        opts.klass = self
+
+        self._wrapper_options = opts
+      end
+
+      # Sets the default wrapper key or model which will be used to determine wrapper
+      # key and attribute names. Called automatically when the module is inherited.
+      def inherited(klass)
+        if klass._wrapper_options.format.any?
+          params = klass._wrapper_options.dup
+          params.klass = klass
+          klass._wrapper_options = params
+        end
+        super
+      end
+    end
+
+    private
+      # Performs parameters wrapping upon the request. Called automatically by the
+      # metal call stack.
+      def process_action(*)
+        _perform_parameter_wrapping if _wrapper_enabled?
+        super
+      end
+
+      # Returns the wrapper key which will be used to store wrapped parameters.
+      def _wrapper_key
+        _wrapper_options.name
+      end
+
+      # Returns the list of enabled formats.
+      def _wrapper_formats
+        _wrapper_options.format
+      end
+
+      # Returns the list of parameters which will be selected for wrapped.
+      def _wrap_parameters(parameters)
+        { _wrapper_key => _extract_parameters(parameters) }
+      end
+
+      def _extract_parameters(parameters)
+        if include_only = _wrapper_options.include
+          parameters.slice(*include_only)
+        elsif _wrapper_options.exclude
+          exclude = _wrapper_options.exclude + EXCLUDE_PARAMETERS
+          parameters.except(*exclude)
+        else
+          parameters.except(*EXCLUDE_PARAMETERS)
+        end
+      end
+
+      # Checks if we should perform parameters wrapping.
+      def _wrapper_enabled?
+        return false unless request.has_content_type?
+
+        ref = request.content_mime_type.ref
+
+        _wrapper_formats.include?(ref) && _wrapper_key && !request.parameters.key?(_wrapper_key)
+      rescue ActionDispatch::Http::Parameters::ParseError
+        false
+      end
+
+      def _perform_parameter_wrapping
+        wrapped_hash = _wrap_parameters request.request_parameters
+        wrapped_keys = request.request_parameters.keys
+        wrapped_filtered_hash = _wrap_parameters request.filtered_parameters.slice(*wrapped_keys)
+
+        # This will make the wrapped hash accessible from controller and view.
+        request.parameters.merge! wrapped_hash
+        request.request_parameters.merge! wrapped_hash
+
+        # This will display the wrapped hash in the log file.
+        request.filtered_parameters.merge! wrapped_filtered_hash
+      end
+  end
+end

data/lib/action_controller/metal/permissions_policy.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module PermissionsPolicy
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Overrides parts of the globally configured `Feature-Policy` header:
+      #
+      #     class PagesController < ApplicationController
+      #       permissions_policy do |policy|
+      #         policy.geolocation "https://example.com"
+      #       end
+      #     end
+      #
+      # Options can be passed similar to `before_action`. For example, pass `only:
+      # :index` to override the header on the index action only:
+      #
+      #     class PagesController < ApplicationController
+      #       permissions_policy(only: :index) do |policy|
+      #         policy.camera :self
+      #       end
+      #     end
+      #
+      def permissions_policy(**options, &block)
+        before_action(options) do
+          if block_given?
+            policy = request.permissions_policy.clone
+            instance_exec(policy, &block)
+            request.permissions_policy = policy
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_controller/metal/rate_limiting.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController # :nodoc:
+  module RateLimiting
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      # Applies a rate limit to all actions or those specified by the normal
+      # `before_action` filters with `only:` and `except:`.
+      #
+      # The maximum number of requests allowed is specified `to:` and constrained to
+      # the window of time given by `within:`.
+      #
+      # Rate limits are by default unique to the ip address making the request, but
+      # you can provide your own identity function by passing a callable in the `by:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Requests that exceed the rate limit are refused with a `429 Too Many Requests`
+      # response. You can specialize this by passing a callable in the `with:`
+      # parameter. It's evaluated within the context of the controller processing the
+      # request.
+      #
+      # Rate limiting relies on a backing `ActiveSupport::Cache` store and defaults to
+      # `config.action_controller.cache_store`, which itself defaults to the global
+      # `config.cache_store`. If you don't want to store rate limits in the same
+      # datastore as your general caches, you can pass a custom store in the `store`
+      # parameter.
+      #
+      # Examples:
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 10, within: 3.minutes, only: :create
+      #     end
+      #
+      #     class SignupsController < ApplicationController
+      #       rate_limit to: 1000, within: 10.seconds,
+      #         by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
+      #     end
+      #
+      #     class APIController < ApplicationController
+      #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
+      #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      end
+    end
+
+    private
+      def rate_limiting(to:, within:, by:, with:, store:)
+        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+        if count && count > to
+          ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
+            instance_exec(&with)
+          end
+        end
+      end
+  end
+end

data/lib/action_controller/metal/redirecting.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+# :markup: markdown
+
+module ActionController
+  module Redirecting
+    extend ActiveSupport::Concern
+
+    include AbstractController::Logger
+    include ActionController::UrlFor
+
+    class UnsafeRedirectError < StandardError; end
+
+    ILLEGAL_HEADER_VALUE_REGEX = /[\x00-\x08\x0A-\x1F]/
+
+    included do
+      mattr_accessor :raise_on_open_redirects, default: false
+    end
+
+    # Redirects the browser to the target specified in `options`. This parameter can
+    # be any one of:
+    #
+    # *   `Hash` - The URL will be generated by calling url_for with the `options`.
+    # *   `Record` - The URL will be generated by calling url_for with the
+    #     `options`, which will reference a named URL for that record.
+    # *   `String` starting with `protocol://` (like `http://`) or a protocol
+    #     relative reference (like `//`) - Is passed straight through as the target
+    #     for redirection.
+    # *   `String` not containing a protocol - The current protocol and host is
+    #     prepended to the string.
+    # *   `Proc` - A block that will be executed in the controller's context. Should
+    #     return any option accepted by `redirect_to`.
+    #
+    #
+    # ### Examples
+    #
+    #     redirect_to action: "show", id: 5
+    #     redirect_to @post
+    #     redirect_to "http://www.rubyonrails.org"
+    #     redirect_to "/images/screenshot.jpg"
+    #     redirect_to posts_url
+    #     redirect_to proc { edit_post_url(@post) }
+    #
+    # The redirection happens as a `302 Found` header unless otherwise specified
+    # using the `:status` option:
+    #
+    #     redirect_to post_url(@post), status: :found
+    #     redirect_to action: 'atom', status: :moved_permanently
+    #     redirect_to post_url(@post), status: 301
+    #     redirect_to action: 'atom', status: 302
+    #
+    # The status code can either be a standard [HTTP Status
+    # code](https://www.iana.org/assignments/http-status-codes) as an integer, or a
+    # symbol representing the downcased, underscored and symbolized description.
+    # Note that the status code must be a 3xx HTTP code, or redirection will not
+    # occur.
+    #
+    # If you are using XHR requests other than GET or POST and redirecting after the
+    # request then some browsers will follow the redirect using the original request
+    # method. This may lead to undesirable behavior such as a double DELETE. To work
+    # around this you can return a `303 See Other` status code which will be
+    # followed using a GET request.
+    #
+    #     redirect_to posts_url, status: :see_other
+    #     redirect_to action: 'index', status: 303
+    #
+    # It is also possible to assign a flash message as part of the redirection.
+    # There are two special accessors for the commonly used flash names `alert` and
+    # `notice` as well as a general purpose `flash` bucket.
+    #
+    #     redirect_to post_url(@post), alert: "Watch it, mister!"
+    #     redirect_to post_url(@post), status: :found, notice: "Pay attention to the road"
+    #     redirect_to post_url(@post), status: 301, flash: { updated_post_id: @post.id }
+    #     redirect_to({ action: 'atom' }, alert: "Something serious happened")
+    #
+    # Statements after `redirect_to` in our controller get executed, so
+    # `redirect_to` doesn't stop the execution of the function. To terminate the
+    # execution of the function immediately after the `redirect_to`, use return.
+    #
+    #     redirect_to post_url(@post) and return
+    #
+    # ### Open Redirect protection
+    #
+    # By default, Rails protects against redirecting to external hosts for your
+    # app's safety, so called open redirects. Note: this was a new default in Rails
+    # 7.0, after upgrading opt-in by uncommenting the line with
+    # `raise_on_open_redirects` in
+    # `config/initializers/new_framework_defaults_7_0.rb`
+    #
+    # Here #redirect_to automatically validates the potentially-unsafe URL:
+    #
+    #     redirect_to params[:redirect_url]
+    #
+    # Raises UnsafeRedirectError in the case of an unsafe redirect.
+    #
+    # To allow any external redirects pass `allow_other_host: true`, though using a
+    # user-provided param in that case is unsafe.
+    #
+    #     redirect_to "https://rubyonrails.org", allow_other_host: true
+    #
+    # See #url_from for more information on what an internal and safe URL is, or how
+    # to fall back to an alternate redirect URL in the unsafe case.
+    def redirect_to(options = {}, response_options = {})
+      raise ActionControllerError.new("Cannot redirect to nil!") unless options
+      raise AbstractController::DoubleRenderError if response_body
+
+      allow_other_host = response_options.delete(:allow_other_host) { _allow_other_host }
+
+      self.status = _extract_redirect_to_status(options, response_options)
+
+      redirect_to_location = _compute_redirect_to_location(request, options)
+      _ensure_url_is_http_header_safe(redirect_to_location)
+
+      self.location      = _enforce_open_redirect_protection(redirect_to_location, allow_other_host: allow_other_host)
+      self.response_body = ""
+    end
+
+    # Soft deprecated alias for #redirect_back_or_to where the `fallback_location`
+    # location is supplied as a keyword argument instead of the first positional
+    # argument.
+    def redirect_back(fallback_location:, allow_other_host: _allow_other_host, **args)
+      redirect_back_or_to fallback_location, allow_other_host: allow_other_host, **args
+    end
+
+    # Redirects the browser to the page that issued the request (the referrer) if
+    # possible, otherwise redirects to the provided default fallback location.
+    #
+    # The referrer information is pulled from the HTTP `Referer` (sic) header on the
+    # request. This is an optional header and its presence on the request is subject
+    # to browser security settings and user preferences. If the request is missing
+    # this header, the `fallback_location` will be used.
+    #
+    #     redirect_back_or_to({ action: "show", id: 5 })
+    #     redirect_back_or_to @post
+    #     redirect_back_or_to "http://www.rubyonrails.org"
+    #     redirect_back_or_to "/images/screenshot.jpg"
+    #     redirect_back_or_to posts_url
+    #     redirect_back_or_to proc { edit_post_url(@post) }
+    #     redirect_back_or_to '/', allow_other_host: false
+    #
+    # #### Options
+    # *   `:allow_other_host` - Allow or disallow redirection to the host that is
+    #     different to the current host, defaults to true.
+    #
+    #
+    # All other options that can be passed to #redirect_to are accepted as options,
+    # and the behavior is identical.
+    def redirect_back_or_to(fallback_location, allow_other_host: _allow_other_host, **options)
+      if request.referer && (allow_other_host || _url_host_allowed?(request.referer))
+        redirect_to request.referer, allow_other_host: allow_other_host, **options
+      else
+        # The method level `allow_other_host` doesn't apply in the fallback case, omit
+        # and let the `redirect_to` handling take over.
+        redirect_to fallback_location, **options
+      end
+    end
+
+    def _compute_redirect_to_location(request, options) # :nodoc:
+      case options
+      # The scheme name consist of a letter followed by any combination of letters,
+      # digits, and the plus ("+"), period ("."), or hyphen ("-") characters; and is
+      # terminated by a colon (":"). See
+      # https://tools.ietf.org/html/rfc3986#section-3.1 The protocol relative scheme
+      # starts with a double slash "//".
+      when /\A([a-z][a-z\d\-+.]*:|\/\/).*/i
+        options.to_str
+      when String
+        request.protocol + request.host_with_port + options
+      when Proc
+        _compute_redirect_to_location request, instance_eval(&options)
+      else
+        url_for(options)
+      end.delete("\0\r\n")
+    end
+    module_function :_compute_redirect_to_location
+    public :_compute_redirect_to_location
+
+    # Verifies the passed `location` is an internal URL that's safe to redirect to
+    # and returns it, or nil if not. Useful to wrap a params provided redirect URL
+    # and fall back to an alternate URL to redirect to:
+    #
+    #     redirect_to url_from(params[:redirect_url]) || root_url
+    #
+    # The `location` is considered internal, and safe, if it's on the same host as
+    # `request.host`:
+    #
+    #     # If request.host is example.com:
+    #     url_from("https://example.com/profile") # => "https://example.com/profile"
+    #     url_from("http://example.com/profile")  # => "http://example.com/profile"
+    #     url_from("http://evil.com/profile")     # => nil
+    #
+    # Subdomains are considered part of the host:
+    #
+    #     # If request.host is on https://example.com or https://app.example.com, you'd get:
+    #     url_from("https://dev.example.com/profile") # => nil
+    #
+    # NOTE: there's a similarity with
+    # [url_for](rdoc-ref:ActionDispatch::Routing::UrlFor#url_for), which generates
+    # an internal URL from various options from within the app, e.g.
+    # `url_for(@post)`. However, #url_from is meant to take an external parameter to
+    # verify as in `url_from(params[:redirect_url])`.
+    def url_from(location)
+      location = location.presence
+      location if location && _url_host_allowed?(location)
+    end
+
+    private
+      def _allow_other_host
+        !raise_on_open_redirects
+      end
+
+      def _extract_redirect_to_status(options, response_options)
+        if options.is_a?(Hash) && options.key?(:status)
+          Rack::Utils.status_code(options.delete(:status))
+        elsif response_options.key?(:status)
+          Rack::Utils.status_code(response_options[:status])
+        else
+          302
+        end
+      end
+
+      def _enforce_open_redirect_protection(location, allow_other_host:)
+        if allow_other_host || _url_host_allowed?(location)
+          location
+        else
+          raise UnsafeRedirectError, "Unsafe redirect to #{location.truncate(100).inspect}, pass allow_other_host: true to redirect anyway."
+        end
+      end
+
+      def _url_host_allowed?(url)
+        host = URI(url.to_s).host
+
+        return true if host == request.host
+        return false unless host.nil?
+        return false unless url.to_s.start_with?("/")
+        !url.to_s.start_with?("//")
+      rescue ArgumentError, URI::Error
+        false
+      end
+
+      def _ensure_url_is_http_header_safe(url)
+        # Attempt to comply with the set of valid token characters defined for an HTTP
+        # header value in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6
+        if url.match?(ILLEGAL_HEADER_VALUE_REGEX)
+          msg = "The redirect URL #{url} contains one or more illegal HTTP header field character. " \
+            "Set of legal characters defined in https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6"
+          raise UnsafeRedirectError, msg
+        end
+      end
+  end
+end