railties 6.0.0.beta1 → 6.0.1.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 66f8f350ddf521a8fb2a51bddda33e6afc57c6e239ea0fe8bd23bea476d12c8f
-  data.tar.gz: e647293ffdbc4bbc4beddbde230d567e90de69183b5498729717f1bfda0b2890
+  metadata.gz: d6572c25a1151fa7278fbf9a16f9a74550fa0a9ddc415ccfc79a1974a75ed96f
+  data.tar.gz: d689161b04f03c42b54b544cd70aa50c66d7977f928956d8a85d6de7f12652f5
 SHA512:
-  metadata.gz: f62d369e32f4e40ef7d5f08af230bc70967627c5db1f68c4ab295c7942ac152f33af09bb1012a2d239fb260f411328d3cf78daf70e6d08329079b031ed2f453c
-  data.tar.gz: 786ff80d0075f5ff9adefe82ce44c249aa436c8a62f663c2c10d62bef204b84ed9b1a743b7866314756eb3ea86172f3468822736d01333d0cd04cd224fc1a46d
+  metadata.gz: 94e43137bb2e2bc8bc71e960f25850cb04d67ae61ca5bb298f11319be5b48e10b5c0e84f6235be55e03c228026b59e4d2e182fe1e6abfdc51e1ed2511e363eb7
+  data.tar.gz: cacc3d9e85bca3b48590429d72f58c0c1be2c6050a2d726512e5a967c61ab8027fc6ff2da6fd0e6d0d796d5910194ffcbb8fe270cb31859eaaa4e6ca55d04940

data/CHANGELOG.md

@@ -1,3 +1,143 @@
+## Rails 6.0.1.rc1 (October 31, 2019) ##
+
+*   The `zeitwerk:check` Rake task reports files outside the app's root
+    directory, as in engines loaded from gems.
+
+    *Xavier Noria*
+
+*   Fixed a possible error when using the evented file update checker.
+
+    *Yuji Yaginuma*
+
+*   The sqlite3 database files created by the parallel testing feature are
+    included in the default `.gitignore` file for newly-generated apps.
+
+    *Yasuo Honda*
+
+*   `rails new` generates a `.keep` file in `tmp/pids`. This fixes starting
+    a server via `rackup` instead of `rails server`.
+
+    *Rafael Mendonça França*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   `Rails.autoloaders.log!` is a logging shortcut to get the activity of the
+    loaders printed to standard output. May be handy for troubleshooting.
+
+    *Xavier Noria*
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   The new configuration point `config.add_autoload_paths_to_load_path` allows
+    users to opt-out from adding autoload paths to `$LOAD_PATH`. This flag is
+    `true` by default, but it is recommended to be set to `false` in `:zeitwerk`
+    mode early, in `config/application.rb`.
+
+    Zeitwerk uses only absolute paths internally, and applications running in
+    `:zeitwerk` mode do not need `require_dependency`, so models, controllers,
+    jobs, etc. do not need to be in `$LOAD_PATH`. Setting this to `false` saves
+    Ruby from checking these directories when resolving `require` calls with
+    relative paths, and saves Bootsnap work and RAM, since it does not need to
+    build an index for them.
+
+    *Xavier Noria*
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Applications upgrading to Rails 6 can run the command
+
+    ```
+    bin/rails zeitwerk:check
+    ```
+
+    to check if the project structure they were using with the classic
+    autoloader is compatible with `:zeitwerk` mode.
+
+    *Matilda Smeds* & *Xavier Noria*
+
+*   Allow loading seeds without ActiveJob.
+
+    Fixes #35782
+
+    *Jeremy Weathers*
+
+*   `null: false` is set in the migrations by default for column pointed by
+    `belongs_to` / `references` association generated by model generator.
+
+    Also deprecate passing {required} to the model generator.
+
+    *Prathamesh Sonpatki*
+
+*   New applications get `config.cache_classes = false` in `config/environments/test.rb`
+    unless `--skip-spring`.
+
+    *Xavier Noria*
+
+*   Autoloading during initialization is deprecated.
+
+    *Xavier Noria*
+
+*   Only force `:async` ActiveJob adapter to `:inline` during seeding.
+
+    *BatedUrGonnaDie*
+
+*   The `connection` option of `rails dbconsole` command is deprecated in
+    favor of `database` option.
+
+    *Yuji Yaginuma*
+
+*   Replace `chromedriver-helper` gem with `webdrivers` in default Gemfile.
+    `chromedriver-helper` is deprecated as of March 31, 2019 and won't
+    receive any further updates.
+
+    *Guillermo Iguaran‮*
+
+*   Applications running in `:zeitwerk` mode that use `bootsnap` need
+    to upgrade `bootsnap` to at least 1.4.2.
+
+    *Xavier Noria*
+
+*   Add `config.disable_sandbox` option to Rails console.
+
+    This setting will disable `rails console --sandbox` mode, preventing
+    developer from accidentally starting a sandbox console,
+    which when left inactive, can cause the database server to run out of memory.
+
+    *Prem Sichanugrist*
+
+*   Add `-e/--environment` option to `rails initializers`.
+
+    *Yuji Yaginuma*
+
+
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+*   Generate random development secrets
+
+    A random development secret is now generated to tmp/development_secret.txt
+
+    This avoids an issue where development mode servers were vulnerable to
+    remote code execution.
+
+    Fixes CVE-2019-5420
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
+
+
+## Rails 6.0.0.beta2 (February 25, 2019) ##
+
+*   Fix non-symbol access to nested hashes returned from `Rails::Application.config_for`
+    being broken by allowing non-symbol access with a deprecation notice.
+
+    *Ufuk Kayserilioglu*
+
+*   Fix deeply nested namespace command printing.
+
+    *Gannon McGibbon*
+
+
 ## Rails 6.0.0.beta1 (January 18, 2019) ##
 
 *   Remove deprecated `after_bundle` helper inside plugins templates.
@@ -32,7 +172,9 @@
         gsub  Gemfile
     ```
 
-    The change command copies a template `config/database.yml` with the target database adapter into your app, and replaces your database gem with the target database gem.
+    The change command copies a template `config/database.yml` with
+    the target database adapter into your app, and replaces your database gem
+    with the target database gem.
 
     *Gannon McGibbon*
 
@@ -56,9 +198,9 @@
 
     *George Claghorn*
 
-*   Introduce guard against DNS rebinding attacks
+*   Introduce guard against DNS rebinding attacks.
 
-    The `ActionDispatch::HostAuthorization` is a new middleware that prevent
+    The `ActionDispatch::HostAuthorization` is a new middleware that prevents
     against DNS rebinding and other `Host` header attacks. It is included in
     the development environment by default with the following configuration:
 
@@ -70,20 +212,20 @@
 
     In other environments `Rails.application.config.hosts` is empty and no
     `Host` header checks will be done. If you want to guard against header
-    attacks on production, you have to manually whitelist the allowed hosts
+    attacks on production, you have to manually permit the allowed hosts
     with:
 
         Rails.application.config.hosts << "product.com"
 
     The host of a request is checked against the `hosts` entries with the case
-    operator (`#===`), which lets `hosts` support entries of type `RegExp`,
+    operator (`#===`), which lets `hosts` support entries of type `Regexp`,
     `Proc` and `IPAddr` to name a few. Here is an example with a regexp.
 
         # Allow requests from subdomains like `www.product.com` and
         # `beta1.product.com`.
         Rails.application.config.hosts << /.*\.product\.com/
 
-    A special case is supported that allows you to whitelist all sub-domains:
+    A special case is supported that allows you to permit all sub-domains:
 
         # Allow requests from subdomains like `www.product.com` and
         # `beta1.product.com`.
@@ -166,7 +308,7 @@
     The encryption key can be in `ENV["RAILS_MASTER_KEY"]` or `config/credentials/production.key`.
 
     Environment credentials overrides can be edited with `rails credentials:edit --environment production`.
-    If no override is setup for the passed environment, it will be created.
+    If no override is set up for the passed environment, it will be created.
 
     Additionally, the default lookup paths can be overwritten with these configs:
 
@@ -256,9 +398,9 @@
 
     *Jose Luis Duran*
 
-*   Deprecate support for using the `HOST` environment to specify the server IP.
+*   Deprecate support for using the `HOST` environment variable to specify the server IP.
 
-    The `BINDING` environment should be used instead.
+    The `BINDING` environment variable should be used instead.
 
     Fixes #29516.
 

data/RDOC_MAIN.rdoc

@@ -4,7 +4,7 @@
 
 \Rails is a web-application framework that includes everything needed to
 create database-backed web applications according to the
-{Model-View-Controller (MVC)}[http://en.wikipedia.org/wiki/Model-view-controller]
+{Model-View-Controller (MVC)}[https://en.wikipedia.org/wiki/Model-view-controller]
 pattern.
 
 Understanding the MVC pattern is key to understanding \Rails. MVC divides your
@@ -79,7 +79,7 @@ and may also be used independently outside \Rails.
    * The \README file created within your application.
    * {Getting Started with \Rails}[https://guides.rubyonrails.org/getting_started.html].
    * {Ruby on \Rails Guides}[https://guides.rubyonrails.org].
-   * {The API Documentation}[http://api.rubyonrails.org].
+   * {The API Documentation}[https://api.rubyonrails.org].
    * {Ruby on \Rails Tutorial}[https://www.railstutorial.org/book].
 
 == Contributing
@@ -88,7 +88,7 @@ We encourage you to contribute to Ruby on \Rails! Please check out the
 {Contributing to Ruby on \Rails guide}[https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html] for guidelines about how to proceed. {Join us!}[http://contributors.rubyonrails.org]
 
 Trying to report a possible security vulnerability in \Rails? Please
-check out our {security policy}[http://rubyonrails.org/security/] for
+check out our {security policy}[https://rubyonrails.org/security/] for
 guidelines about how to proceed.
 
 Everyone interacting in \Rails and its sub-projects' codebases, issue trackers, chat rooms, and mailing lists is expected to follow the \Rails {code of conduct}[http://rubyonrails.org/conduct/].

data/README.rdoc

@@ -29,7 +29,7 @@ Railties is released under the MIT license:
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports can be filed for the Ruby on Rails project here:
 

data/lib/minitest/rails_plugin.rb

@@ -54,6 +54,6 @@ module Minitest
     end
   end
 
-  # Backwardscompatibility with Rails 5.0 generated plugin test scripts
+  # Backwards compatibility with Rails 5.0 generated plugin test scripts
   mattr_reader :run_via, default: {}
 end

data/lib/rails.rb

@@ -13,6 +13,7 @@ require "active_support/core_ext/object/blank"
 
 require "rails/application"
 require "rails/version"
+require "rails/autoloaders"
 
 require "active_support/railtie"
 require "action_dispatch/railtie"
@@ -110,5 +111,9 @@ module Rails
     def public_path
       application && Pathname.new(application.paths["public"].first)
     end
+
+    def autoloaders
+      Autoloaders
+    end
   end
 end

data/lib/rails/api/task.rb

@@ -18,6 +18,7 @@ module Rails
           include: %w(
             README.rdoc
             lib/active_record/**/*.rb
+            lib/arel.rb
           )
         },
 

data/lib/rails/app_loader.rb

@@ -23,7 +23,7 @@ control:
                                 # too that you may or may not want (like yarn)
 
 If you already have Rails binstubs in source control, you might be
-inadverently overwriting them during deployment by using bundle install
+inadvertently overwriting them during deployment by using bundle install
 with the --binstubs option.
 
 If your application was created prior to Rails 4, here's how to upgrade:

data/lib/rails/application.rb

@@ -7,6 +7,7 @@ require "active_support/key_generator"
 require "active_support/message_verifier"
 require "active_support/encrypted_configuration"
 require "active_support/deprecation"
+require "active_support/hash_with_indifferent_access"
 require "rails/engine"
 require "rails/secrets"
 
@@ -230,8 +231,8 @@ module Rails
         config = YAML.load(ERB.new(yaml.read).result) || {}
         config = (config["shared"] || {}).merge(config[env] || {})
 
-        ActiveSupport::OrderedOptions.new.tap do |config_as_ordered_options|
-          config_as_ordered_options.update(config.deep_symbolize_keys)
+        ActiveSupport::OrderedOptions.new.tap do |options|
+          options.update(NonSymbolAccessDeprecatedHash.new(config))
         end
       else
         raise "Could not load configuration. No such file - #{yaml}"
@@ -269,7 +270,8 @@ module Rails
           "action_dispatch.use_cookies_with_metadata" => config.action_dispatch.use_cookies_with_metadata,
           "action_dispatch.content_security_policy" => config.content_security_policy,
           "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only,
-          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator
+          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator,
+          "action_dispatch.content_security_policy_nonce_directives" => config.content_security_policy_nonce_directives
         )
       end
     end
@@ -348,7 +350,7 @@ module Rails
       files, dirs = config.watchable_files.dup, config.watchable_dirs.dup
 
       ActiveSupport::Dependencies.autoload_paths.each do |path|
-        dirs[path.to_s] = [:rb]
+        File.file?(path) ? files << path.to_s : dirs[path.to_s] = [:rb]
       end
 
       [files, dirs]
@@ -408,14 +410,15 @@ module Rails
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
     # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
     #
-    # In test and development, this is simply derived as a MD5 hash of the application's name.
+    # In development and test, this is randomly generated and stored in a
+    # temporary file in <tt>tmp/development_secret.txt</tt>.
     #
     # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
     # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
     # the correct place to store it is in the encrypted credentials file.
     def secret_key_base
-      if Rails.env.test? || Rails.env.development?
-        secrets.secret_key_base || Digest::MD5.hexdigest(self.class.name)
+      if Rails.env.development? || Rails.env.test?
+        secrets.secret_key_base ||= generate_development_secret
       else
         validate_secret_key_base(
           ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
@@ -580,6 +583,22 @@ module Rails
 
     private
 
+      def generate_development_secret
+        if secrets.secret_key_base.nil?
+          key_file = Rails.root.join("tmp/development_secret.txt")
+
+          if !File.exist?(key_file)
+            random_key = SecureRandom.hex(64)
+            FileUtils.mkdir_p(key_file.dirname)
+            File.binwrite(key_file, random_key)
+          end
+
+          secrets.secret_key_base = File.binread(key_file)
+        end
+
+        secrets.secret_key_base
+      end
+
       def build_request(env)
         req = super
         env["ORIGINAL_FULLPATH"] = req.fullpath
@@ -590,5 +609,52 @@ module Rails
       def build_middleware
         config.app_middleware + super
       end
+
+      class NonSymbolAccessDeprecatedHash < HashWithIndifferentAccess # :nodoc:
+        def initialize(value = nil)
+          if value.is_a?(Hash)
+            value.each_pair { |k, v| self[k] = v }
+          else
+            super
+          end
+        end
+
+        def []=(key, value)
+          regular_writer(key.to_sym, convert_value(value, for: :assignment))
+        end
+
+        private
+
+          def convert_key(key)
+            unless key.kind_of?(Symbol)
+              ActiveSupport::Deprecation.warn(<<~MESSAGE.squish)
+                Accessing hashes returned from config_for by non-symbol keys
+                is deprecated and will be removed in Rails 6.1.
+                Use symbols for access instead.
+              MESSAGE
+
+              key = key.to_sym
+            end
+
+            key
+          end
+
+          def convert_value(value, options = {}) # :doc:
+            if value.is_a? Hash
+              if options[:for] == :to_hash
+                value.to_hash
+              else
+                self.class.new(value)
+              end
+            elsif value.is_a?(Array)
+              if options[:for] != :assignment || value.frozen?
+                value = value.dup
+              end
+              value.map! { |e| convert_value(e, options) }
+            else
+              value
+            end
+          end
+      end
   end
 end

data/lib/rails/application/bootstrap.rb

@@ -34,20 +34,12 @@ INFO
       # Initialize the logger early in the stack in case we need to log some deprecation.
       initializer :initialize_logger, group: :all do
         Rails.logger ||= config.logger || begin
-          path = config.paths["log"].first
-          unless File.exist? File.dirname path
-            FileUtils.mkdir_p File.dirname path
-          end
-
-          f = File.open path, "a"
-          f.binmode
-          f.sync = config.autoflush_log # if true make sure every write flushes
-
-          logger = ActiveSupport::Logger.new f
+          logger = ActiveSupport::Logger.new(config.default_log_file)
           logger.formatter = config.log_formatter
           logger = ActiveSupport::TaggedLogging.new(logger)
           logger
         rescue StandardError
+          path = config.paths["log"].first
           logger = ActiveSupport::TaggedLogging.new(ActiveSupport::Logger.new(STDERR))
           logger.level = ActiveSupport::Logger::WARN
           logger.warn(