railties 6.0.0.beta2 → 6.0.2.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a90a9035f3be11b2b2a4c4fa8a020b201755e135aaf581420eee30d622f9f6d7
-  data.tar.gz: bcbfff6e2dedab7895b46c3befe8209ff0768d67dcc2047636f79883765cef5e
+  metadata.gz: e53c51805ad9598e809632f5a35694017eb3645b5336f995221397f9598cd286
+  data.tar.gz: 7b93225441e1614af60280d10e506ce4497a6cf7b356b1598c13fe3f7224d335
 SHA512:
-  metadata.gz: e2fadeee30a37cd2b47d48fd3cce775c1351195446850888075d2b0540b9a2120fb939e24a5fc5121fe4d0a9188a7daf3c4383af9b9f111f3065a21a83b37544
-  data.tar.gz: 7d5aec204ddc86f793f5dffb7b91b3e95c39e078cf5dd477e8ad0652550cad52be8f3ceada7e6507d612f9a5161a91756a59e2394cf4683f51d13365e2b178ab
+  metadata.gz: 0c191ad259fc9ba7231edbf23c1381a270972b3b337355079200b19a7ba2399c7801a0db92bb8c286130c6c9f3ef0b19840a5a8aef1f7a8cf58f086e0421fd99
+  data.tar.gz: b00314a37fd0c76357e5c5bf5cc1306bb146f8a7944b65ca1f56a4beda0b30a42a0c42219f3dc12411a585e87fb4bf34d79d3662045b74185de5a8000f3bf943

data/CHANGELOG.md

@@ -1,3 +1,144 @@
+## Rails 6.0.2.rc1 (November 27, 2019) ##
+
+*   Fix the collision check for the scaffold generator.
+
+    *Ryan Robeson*
+
+*   Configuration files for environments (`config/environments/*.rb`) are
+    now able to modify `autoload_paths`, `autoload_once_paths`, and
+    `eager_load_paths`.
+
+    *Allen Hsu* & *Xavier Noria*
+
+
+## Rails 6.0.1 (November 5, 2019) ##
+
+*   The `zeitwerk:check` Rake task reports files outside the app's root
+    directory, as in engines loaded from gems.
+
+    *Xavier Noria*
+
+*   Fixed a possible error when using the evented file update checker.
+
+    *Yuji Yaginuma*
+
+*   The sqlite3 database files created by the parallel testing feature are
+    included in the default `.gitignore` file for newly-generated apps.
+
+    *Yasuo Honda*
+
+*   `rails new` generates a `.keep` file in `tmp/pids`. This fixes starting
+    a server via `rackup` instead of `rails server`.
+
+    *Rafael Mendonça França*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   `Rails.autoloaders.log!` is a logging shortcut to get the activity of the
+    loaders printed to standard output. May be handy for troubleshooting.
+
+    *Xavier Noria*
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   The new configuration point `config.add_autoload_paths_to_load_path` allows
+    users to opt-out from adding autoload paths to `$LOAD_PATH`. This flag is
+    `true` by default, but it is recommended to be set to `false` in `:zeitwerk`
+    mode early, in `config/application.rb`.
+
+    Zeitwerk uses only absolute paths internally, and applications running in
+    `:zeitwerk` mode do not need `require_dependency`, so models, controllers,
+    jobs, etc. do not need to be in `$LOAD_PATH`. Setting this to `false` saves
+    Ruby from checking these directories when resolving `require` calls with
+    relative paths, and saves Bootsnap work and RAM, since it does not need to
+    build an index for them.
+
+    *Xavier Noria*
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Applications upgrading to Rails 6 can run the command
+
+    ```
+    bin/rails zeitwerk:check
+    ```
+
+    to check if the project structure they were using with the classic
+    autoloader is compatible with `:zeitwerk` mode.
+
+    *Matilda Smeds* & *Xavier Noria*
+
+*   Allow loading seeds without ActiveJob.
+
+    Fixes #35782
+
+    *Jeremy Weathers*
+
+*   `null: false` is set in the migrations by default for column pointed by
+    `belongs_to` / `references` association generated by model generator.
+
+    Also deprecate passing {required} to the model generator.
+
+    *Prathamesh Sonpatki*
+
+*   New applications get `config.cache_classes = false` in `config/environments/test.rb`
+    unless `--skip-spring`.
+
+    *Xavier Noria*
+
+*   Autoloading during initialization is deprecated.
+
+    *Xavier Noria*
+
+*   Only force `:async` ActiveJob adapter to `:inline` during seeding.
+
+    *BatedUrGonnaDie*
+
+*   The `connection` option of `rails dbconsole` command is deprecated in
+    favor of `database` option.
+
+    *Yuji Yaginuma*
+
+*   Replace `chromedriver-helper` gem with `webdrivers` in default Gemfile.
+    `chromedriver-helper` is deprecated as of March 31, 2019 and won't
+    receive any further updates.
+
+    *Guillermo Iguaran‮*
+
+*   Applications running in `:zeitwerk` mode that use `bootsnap` need
+    to upgrade `bootsnap` to at least 1.4.2.
+
+    *Xavier Noria*
+
+*   Add `config.disable_sandbox` option to Rails console.
+
+    This setting will disable `rails console --sandbox` mode, preventing
+    developer from accidentally starting a sandbox console,
+    which when left inactive, can cause the database server to run out of memory.
+
+    *Prem Sichanugrist*
+
+*   Add `-e/--environment` option to `rails initializers`.
+
+    *Yuji Yaginuma*
+
+
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+*   Generate random development secrets
+
+    A random development secret is now generated to tmp/development_secret.txt
+
+    This avoids an issue where development mode servers were vulnerable to
+    remote code execution.
+
+    Fixes CVE-2019-5420
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
+
+
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
 
 *   Fix non-symbol access to nested hashes returned from `Rails::Application.config_for`
@@ -44,7 +185,9 @@
         gsub  Gemfile
     ```
 
-    The change command copies a template `config/database.yml` with the target database adapter into your app, and replaces your database gem with the target database gem.
+    The change command copies a template `config/database.yml` with
+    the target database adapter into your app, and replaces your database gem
+    with the target database gem.
 
     *Gannon McGibbon*
 
@@ -68,9 +211,9 @@
 
     *George Claghorn*
 
-*   Introduce guard against DNS rebinding attacks
+*   Introduce guard against DNS rebinding attacks.
 
-    The `ActionDispatch::HostAuthorization` is a new middleware that prevent
+    The `ActionDispatch::HostAuthorization` is a new middleware that prevents
     against DNS rebinding and other `Host` header attacks. It is included in
     the development environment by default with the following configuration:
 
@@ -88,7 +231,7 @@
         Rails.application.config.hosts << "product.com"
 
     The host of a request is checked against the `hosts` entries with the case
-    operator (`#===`), which lets `hosts` support entries of type `RegExp`,
+    operator (`#===`), which lets `hosts` support entries of type `Regexp`,
     `Proc` and `IPAddr` to name a few. Here is an example with a regexp.
 
         # Allow requests from subdomains like `www.product.com` and
@@ -178,7 +321,7 @@
     The encryption key can be in `ENV["RAILS_MASTER_KEY"]` or `config/credentials/production.key`.
 
     Environment credentials overrides can be edited with `rails credentials:edit --environment production`.
-    If no override is setup for the passed environment, it will be created.
+    If no override is set up for the passed environment, it will be created.
 
     Additionally, the default lookup paths can be overwritten with these configs:
 
@@ -268,9 +411,9 @@
 
     *Jose Luis Duran*
 
-*   Deprecate support for using the `HOST` environment to specify the server IP.
+*   Deprecate support for using the `HOST` environment variable to specify the server IP.
 
-    The `BINDING` environment should be used instead.
+    The `BINDING` environment variable should be used instead.
 
     Fixes #29516.
 

data/RDOC_MAIN.rdoc

@@ -4,7 +4,7 @@
 
 \Rails is a web-application framework that includes everything needed to
 create database-backed web applications according to the
-{Model-View-Controller (MVC)}[http://en.wikipedia.org/wiki/Model-view-controller]
+{Model-View-Controller (MVC)}[https://en.wikipedia.org/wiki/Model-view-controller]
 pattern.
 
 Understanding the MVC pattern is key to understanding \Rails. MVC divides your
@@ -79,7 +79,7 @@ and may also be used independently outside \Rails.
    * The \README file created within your application.
    * {Getting Started with \Rails}[https://guides.rubyonrails.org/getting_started.html].
    * {Ruby on \Rails Guides}[https://guides.rubyonrails.org].
-   * {The API Documentation}[http://api.rubyonrails.org].
+   * {The API Documentation}[https://api.rubyonrails.org].
    * {Ruby on \Rails Tutorial}[https://www.railstutorial.org/book].
 
 == Contributing
@@ -88,7 +88,7 @@ We encourage you to contribute to Ruby on \Rails! Please check out the
 {Contributing to Ruby on \Rails guide}[https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html] for guidelines about how to proceed. {Join us!}[http://contributors.rubyonrails.org]
 
 Trying to report a possible security vulnerability in \Rails? Please
-check out our {security policy}[http://rubyonrails.org/security/] for
+check out our {security policy}[https://rubyonrails.org/security/] for
 guidelines about how to proceed.
 
 Everyone interacting in \Rails and its sub-projects' codebases, issue trackers, chat rooms, and mailing lists is expected to follow the \Rails {code of conduct}[http://rubyonrails.org/conduct/].

data/README.rdoc

@@ -29,7 +29,7 @@ Railties is released under the MIT license:
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports can be filed for the Ruby on Rails project here:
 

data/lib/rails/api/task.rb

@@ -18,6 +18,7 @@ module Rails
           include: %w(
             README.rdoc
             lib/active_record/**/*.rb
+            lib/arel.rb
           )
         },
 

data/lib/rails/application.rb

@@ -270,7 +270,8 @@ module Rails
           "action_dispatch.use_cookies_with_metadata" => config.action_dispatch.use_cookies_with_metadata,
           "action_dispatch.content_security_policy" => config.content_security_policy,
           "action_dispatch.content_security_policy_report_only" => config.content_security_policy_report_only,
-          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator
+          "action_dispatch.content_security_policy_nonce_generator" => config.content_security_policy_nonce_generator,
+          "action_dispatch.content_security_policy_nonce_directives" => config.content_security_policy_nonce_directives
         )
       end
     end
@@ -349,7 +350,7 @@ module Rails
       files, dirs = config.watchable_files.dup, config.watchable_dirs.dup
 
       ActiveSupport::Dependencies.autoload_paths.each do |path|
-        dirs[path.to_s] = [:rb]
+        File.file?(path) ? files << path.to_s : dirs[path.to_s] = [:rb]
       end
 
       [files, dirs]
@@ -409,14 +410,15 @@ module Rails
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
     # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
     #
-    # In test and development, this is simply derived as a MD5 hash of the application's name.
+    # In development and test, this is randomly generated and stored in a
+    # temporary file in <tt>tmp/development_secret.txt</tt>.
     #
     # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
     # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
     # the correct place to store it is in the encrypted credentials file.
     def secret_key_base
-      if Rails.env.test? || Rails.env.development?
-        secrets.secret_key_base || Digest::MD5.hexdigest(self.class.name)
+      if Rails.env.development? || Rails.env.test?
+        secrets.secret_key_base ||= generate_development_secret
       else
         validate_secret_key_base(
           ENV["SECRET_KEY_BASE"] || credentials.secret_key_base || secrets.secret_key_base
@@ -581,6 +583,22 @@ module Rails
 
     private
 
+      def generate_development_secret
+        if secrets.secret_key_base.nil?
+          key_file = Rails.root.join("tmp/development_secret.txt")
+
+          if !File.exist?(key_file)
+            random_key = SecureRandom.hex(64)
+            FileUtils.mkdir_p(key_file.dirname)
+            File.binwrite(key_file, random_key)
+          end
+
+          secrets.secret_key_base = File.binread(key_file)
+        end
+
+        secrets.secret_key_base
+      end
+
       def build_request(env)
         req = super
         env["ORIGINAL_FULLPATH"] = req.fullpath

data/lib/rails/application/bootstrap.rb

@@ -34,20 +34,12 @@ INFO
       # Initialize the logger early in the stack in case we need to log some deprecation.
       initializer :initialize_logger, group: :all do
         Rails.logger ||= config.logger || begin
-          path = config.paths["log"].first
-          unless File.exist? File.dirname path
-            FileUtils.mkdir_p File.dirname path
-          end
-
-          f = File.open path, "a"
-          f.binmode
-          f.sync = config.autoflush_log # if true make sure every write flushes
-
-          logger = ActiveSupport::Logger.new f
+          logger = ActiveSupport::Logger.new(config.default_log_file)
           logger.formatter = config.log_formatter
           logger = ActiveSupport::TaggedLogging.new(logger)
           logger
         rescue StandardError
+          path = config.paths["log"].first
           logger = ActiveSupport::TaggedLogging.new(ActiveSupport::Logger.new(STDERR))
           logger.level = ActiveSupport::Logger::WARN
           logger.warn(

data/lib/rails/application/configuration.rb

@@ -18,7 +18,8 @@ module Rails
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
                     :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
-                    :content_security_policy_nonce_generator, :require_master_key, :credentials
+                    :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
+                    :require_master_key, :credentials, :disable_sandbox, :add_autoload_paths_to_load_path
 
       attr_reader :encoding, :api_only, :loaded_config_version, :autoloader
 
@@ -59,14 +60,18 @@ module Rails
         @content_security_policy                 = nil
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
+        @content_security_policy_nonce_directives = nil
         @require_master_key                      = false
         @loaded_config_version                   = nil
         @credentials                             = ActiveSupport::OrderedOptions.new
         @credentials.content_path                = default_credentials_content_path
         @credentials.key_path                    = default_credentials_key_path
         @autoloader                              = :classic
+        @disable_sandbox                         = false
+        @add_autoload_paths_to_load_path         = true
       end
 
+      # Loads default configurations. See {the result of the method for each version}[https://guides.rubyonrails.org/configuring.html#results-of-config-load-defaults].
       def load_defaults(target_version)
         case target_version.to_s
         when "5.0"
@@ -126,6 +131,7 @@ module Rails
 
           if respond_to?(:action_dispatch)
             action_dispatch.use_cookies_with_metadata = true
+            action_dispatch.return_only_media_type_on_content_type = false
           end
 
           if respond_to?(:action_mailer)
@@ -139,6 +145,12 @@ module Rails
           if respond_to?(:active_storage)
             active_storage.queues.analysis = :active_storage_analysis
             active_storage.queues.purge    = :active_storage_purge
+
+            active_storage.replace_on_assign_to_many = true
+          end
+
+          if respond_to?(:active_record)
+            active_record.collection_cache_versioning = true
           end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
@@ -184,6 +196,26 @@ module Rails
         end
       end
 
+      # Load the database YAML without evaluating ERB. This allows us to
+      # create the rake tasks for multiple databases without filling in the
+      # configuration values or loading the environment. Do not use this
+      # method.
+      #
+      # This uses a DummyERB custom compiler so YAML can ignore the ERB
+      # tags and load the database.yml for the rake tasks.
+      def load_database_yaml # :nodoc:
+        if path = paths["config/database"].existent.first
+          require "rails/application/dummy_erb_compiler"
+
+          yaml = Pathname.new(path)
+          erb = DummyERB.new(yaml.read)
+
+          YAML.load(erb.result) || {}
+        else
+          {}
+        end
+      end
+
       # Loads and returns the entire raw configuration of database from
       # values stored in <tt>config/database.yml</tt>.
       def database_configuration
@@ -282,6 +314,18 @@ module Rails
         end
       end
 
+      def default_log_file
+        path = paths["log"].first
+        unless File.exist? File.dirname path
+          FileUtils.mkdir_p File.dirname path
+        end
+
+        f = File.open path, "a"
+        f.binmode
+        f.sync = autoflush_log # if true make sure every write flushes
+        f
+      end
+
       class Custom #:nodoc:
         def initialize
           @configurations = Hash.new

data/lib/rails/application/default_middleware_stack.rb

@@ -49,6 +49,7 @@ module Rails
           middleware.use ::Rails::Rack::Logger, config.log_tags
           middleware.use ::ActionDispatch::ShowExceptions, show_exceptions_app
           middleware.use ::ActionDispatch::DebugExceptions, app, config.debug_exception_response_format
+          middleware.use ::ActionDispatch::ActionableExceptions
 
           unless config.cache_classes
             middleware.use ::ActionDispatch::Reloader, app.reloader

data/lib/rails/application/dummy_erb_compiler.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+# These classes are used to strip out the ERB configuration
+# values so we can evaluate the database.yml without evaluating
+# the ERB values.
+class DummyERB < ERB # :nodoc:
+  def make_compiler(trim_mode)
+    DummyCompiler.new trim_mode
+  end
+end
+
+class DummyCompiler < ERB::Compiler # :nodoc:
+  def compile_content(stag, out)
+    if stag == "<%="
+      out.push "_erbout << ''"
+    end
+  end
+end