railties 7.0.8 → 7.2.0

data/lib/rails/application/configuration.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "ipaddr"
+require "active_support/core_ext/array/wrap"
 require "active_support/core_ext/kernel/reporting"
 require "active_support/file_update_checker"
 require "active_support/configuration_file"
@@ -10,20 +11,21 @@ require "rails/source_annotation_extractor"
 module Rails
   class Application
     class Configuration < ::Rails::Engine::Configuration
-      attr_accessor :allow_concurrency, :asset_host, :autoflush_log,
+      attr_accessor :allow_concurrency, :asset_host, :assume_ssl, :autoflush_log,
                     :cache_classes, :cache_store, :consider_all_requests_local, :console,
-                    :eager_load, :exceptions_app, :file_watcher, :filter_parameters,
+                    :eager_load, :exceptions_app, :file_watcher, :filter_parameters, :precompile_filter_parameters,
                     :force_ssl, :helpers_paths, :hosts, :host_authorization, :logger, :log_formatter,
-                    :log_tags, :railties_order, :relative_url_root, :secret_key_base,
+                    :log_tags, :railties_order, :relative_url_root,
                     :ssl_options, :public_file_server,
                     :session_options, :time_zone, :reload_classes_only_on_change,
-                    :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
-                    :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
+                    :beginning_of_week, :filter_redirect, :x,
+                    :content_security_policy_report_only,
                     :content_security_policy_nonce_generator, :content_security_policy_nonce_directives,
-                    :require_master_key, :credentials, :disable_sandbox, :add_autoload_paths_to_load_path,
-                    :rake_eager_load, :server_timing
+                    :require_master_key, :credentials, :disable_sandbox, :sandbox_by_default,
+                    :add_autoload_paths_to_load_path, :rake_eager_load, :server_timing, :log_file_size,
+                    :dom_testing_default_html_version, :yjit
 
-      attr_reader :encoding, :api_only, :loaded_config_version
+      attr_reader :encoding, :api_only, :loaded_config_version, :log_level
 
       def initialize(*)
         super
@@ -43,12 +45,14 @@ module Rails
         @public_file_server                      = ActiveSupport::OrderedOptions.new
         @public_file_server.enabled              = true
         @public_file_server.index_name           = "index"
+        @assume_ssl                              = false
         @force_ssl                               = false
         @ssl_options                             = {}
         @session_store                           = nil
         @time_zone                               = "UTC"
         @beginning_of_week                       = :monday
         @log_level                               = :debug
+        @log_file_size                           = nil
         @generators                              = app_generators
         @cache_store                             = [ :file_store, "#{root}/tmp/cache/" ]
         @railties_order                          = [:all]
@@ -63,35 +67,51 @@ module Rails
         @api_only                                = false
         @debug_exception_response_format         = nil
         @x                                       = Custom.new
-        @enable_dependency_loading               = false
-        @read_encrypted_secrets                  = false
         @content_security_policy                 = nil
         @content_security_policy_report_only     = false
         @content_security_policy_nonce_generator = nil
         @content_security_policy_nonce_directives = nil
         @require_master_key                      = false
         @loaded_config_version                   = nil
-        @credentials                             = ActiveSupport::OrderedOptions.new
-        @credentials.content_path                = default_credentials_content_path
-        @credentials.key_path                    = default_credentials_key_path
+        @credentials                             = ActiveSupport::InheritableOptions.new(credentials_defaults)
         @disable_sandbox                         = false
+        @sandbox_by_default                      = false
         @add_autoload_paths_to_load_path         = true
         @permissions_policy                      = nil
         @rake_eager_load                         = false
         @server_timing                           = false
+        @dom_testing_default_html_version        = :html4
+        @yjit                                    = false
       end
 
       # Loads default configuration values for a target version. This includes
       # defaults for versions prior to the target version. See the
-      # {configuration guide}[https://guides.rubyonrails.org/configuring.html]
+      # {configuration guide}[https://guides.rubyonrails.org/configuring.html#versioned-default-values]
       # for the default values associated with a particular version.
       def load_defaults(target_version)
+        # To introduce a change in behavior, follow these steps:
+        # 1. Add an accessor on the target object (e.g. the ActiveJob class for
+        #    global Active Job config).
+        # 2. Set a default value there preserving existing behavior for existing
+        #    applications.
+        # 3. Implement the behavior change based on the config value.
+        # 4. In the section below corresponding to the next release of Rails,
+        #    configure the default value.
+        # 5. Add a commented out section in the `new_framework_defaults` to
+        #    configure the default value again.
+        # 6. Update the guide in `configuring.md`.
+
+        # To remove configurable deprecated behavior, follow these steps:
+        # 1. Update or remove the entry in the guides.
+        # 2. Remove the references below.
+        # 3. Remove the legacy code paths and config check.
+        # 4. Remove the config accessor.
+
         case target_version.to_s
         when "5.0"
           if respond_to?(:action_controller)
             action_controller.per_form_csrf_tokens = true
             action_controller.forgery_protection_origin_check = true
-            action_controller.urlsafe_csrf_tokens = false
           end
 
           ActiveSupport.to_time_preserves_timezone = true
@@ -152,8 +172,6 @@ module Rails
           if respond_to?(:active_storage)
             active_storage.queues.analysis = :active_storage_analysis
             active_storage.queues.purge    = :active_storage_purge
-
-            active_storage.replace_on_assign_to_many = true
           end
 
           if respond_to?(:active_record)
@@ -164,7 +182,6 @@ module Rails
 
           if respond_to?(:active_record)
             active_record.has_many_inversing = true
-            active_record.legacy_connection_handling = false
           end
 
           if respond_to?(:active_job)
@@ -176,10 +193,6 @@ module Rails
             action_dispatch.ssl_default_redirect_status = 308
           end
 
-          if respond_to?(:action_controller)
-            action_controller.delete(:urlsafe_csrf_tokens)
-          end
-
           if respond_to?(:action_view)
             action_view.form_with_generates_remote_forms = false
             action_view.preload_links_header = true
@@ -214,7 +227,6 @@ module Rails
               "X-Permitted-Cross-Domain-Policies" => "none",
               "Referrer-Policy" => "strict-origin-when-cross-origin"
             }
-            action_dispatch.return_only_request_media_type_on_content_type = false
             action_dispatch.cookies_serializer = :json
           end
 
@@ -226,11 +238,8 @@ module Rails
           if respond_to?(:active_support)
             active_support.hash_digest_class = OpenSSL::Digest::SHA256
             active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256
-            active_support.remove_deprecated_time_with_zone_name = true
             active_support.cache_format_version = 7.0
-            active_support.use_rfc4122_namespaced_uuids = true
             active_support.executor_around_test_case = true
-            active_support.disable_to_s_conversion = true
           end
 
           if respond_to?(:action_mailer)
@@ -254,9 +263,78 @@ module Rails
 
           if respond_to?(:action_controller)
             action_controller.raise_on_open_redirects = true
-
             action_controller.wrap_parameters_by_default = true
           end
+        when "7.1"
+          load_defaults "7.0"
+
+          self.add_autoload_paths_to_load_path = false
+          self.precompile_filter_parameters = true
+          self.dom_testing_default_html_version = defined?(Nokogiri::HTML5) ? :html5 : :html4
+
+          if Rails.env.local?
+            self.log_file_size = 100 * 1024 * 1024
+          end
+
+          if respond_to?(:active_record)
+            active_record.run_commit_callbacks_on_first_saved_instances_in_transaction = false
+            active_record.sqlite3_adapter_strict_strings_by_default = true
+            active_record.query_log_tags_format = :sqlcommenter
+            active_record.raise_on_assign_to_attr_readonly = true
+            active_record.belongs_to_required_validates_foreign_key = false
+            active_record.before_committed_on_all_records = true
+            active_record.default_column_serializer = nil
+            active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA256
+            active_record.encryption.support_sha1_for_non_deterministic_encryption = false
+            active_record.marshalling_format_version = 7.1
+            active_record.run_after_transaction_callbacks_in_order_defined = true
+            active_record.generate_secure_token_on = :initialize
+          end
+
+          if respond_to?(:action_dispatch)
+            action_dispatch.default_headers = {
+              "X-Frame-Options" => "SAMEORIGIN",
+              "X-XSS-Protection" => "0",
+              "X-Content-Type-Options" => "nosniff",
+              "X-Permitted-Cross-Domain-Policies" => "none",
+              "Referrer-Policy" => "strict-origin-when-cross-origin"
+            }
+            action_dispatch.debug_exception_log_level = :error
+          end
+
+          if respond_to?(:active_support)
+            active_support.cache_format_version = 7.1
+            active_support.message_serializer = :json_allow_marshal
+            active_support.use_message_serializer_for_metadata = true
+            active_support.raise_on_invalid_cache_expiration_time = true
+          end
+
+          if respond_to?(:action_view)
+            require "action_view/helpers"
+            action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
+
+          if respond_to?(:action_text)
+            require "action_view/helpers"
+            action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
+        when "7.2"
+          load_defaults "7.1"
+
+          self.yjit = true
+
+          if respond_to?(:active_job)
+            active_job.enqueue_after_transaction_commit = :default
+          end
+
+          if respond_to?(:active_storage)
+            active_storage.web_image_content_types = %w( image/png image/jpeg image/gif image/webp )
+          end
+
+          if respond_to?(:active_record)
+            active_record.postgresql_adapter_decode_dates = true
+            active_record.validate_migration_timestamps = true
+          end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end
@@ -264,6 +342,26 @@ module Rails
         @loaded_config_version = target_version
       end
 
+      def reloading_enabled?
+        enable_reloading
+      end
+
+      def enable_reloading
+        !cache_classes
+      end
+
+      def enable_reloading=(value)
+        self.cache_classes = !value
+      end
+
+      def read_encrypted_secrets
+        Rails.deprecator.warn("'config.read_encrypted_secrets' is deprecated and will be removed in Rails 8.0.")
+      end
+
+      def read_encrypted_secrets=(value)
+        Rails.deprecator.warn("'config.read_encrypted_secrets=' is deprecated and will be removed in Rails 8.0.")
+      end
+
       def encoding=(value)
         @encoding = value
         silence_warnings do
@@ -279,6 +377,13 @@ module Rails
         @debug_exception_response_format ||= :api
       end
 
+      def log_level=(level)
+        @log_level = level
+        @broadcast_log_level = level
+      end
+
+      attr_reader :broadcast_log_level # :nodoc:
+
       def debug_exception_response_format
         @debug_exception_response_format || :default
       end
@@ -289,7 +394,6 @@ module Rails
         @paths ||= begin
           paths = super
           paths.add "config/database",    with: "config/database.yml"
-          paths.add "config/secrets",     with: "config", glob: "secrets.yml{,.enc}"
           paths.add "config/environment", with: "config/environment.rb"
           paths.add "lib/templates"
           paths.add "log",                with: "log/#{Rails.env}.log"
@@ -301,23 +405,21 @@ module Rails
         end
       end
 
-      # Load the database YAML without evaluating ERB. This allows us to
-      # create the rake tasks for multiple databases without filling in the
-      # configuration values or loading the environment. Do not use this
-      # method.
+      # Load the <tt>config/database.yml</tt> to create the Rake tasks for
+      # multiple databases without loading the environment and filling in the
+      # environment specific configuration values.
       #
-      # This uses a DummyERB custom compiler so YAML can ignore the ERB
-      # tags and load the database.yml for the rake tasks.
+      # Do not use this method, use #database_configuration instead.
       def load_database_yaml # :nodoc:
         if path = paths["config/database"].existent.first
-          require "rails/application/dummy_erb_compiler"
-
-          yaml = DummyERB.new(Pathname.new(path).read).result
+          require "rails/application/dummy_config"
+          original_rails_config = Rails.application.config
 
-          if YAML.respond_to?(:unsafe_load)
-            YAML.unsafe_load(yaml) || {}
-          else
-            YAML.load(yaml) || {}
+          begin
+            Rails.application.config = DummyConfig.new(original_rails_config)
+            ActiveSupport::ConfigurationFile.parse(Pathname.new(path))
+          ensure
+            Rails.application.config = original_rails_config
           end
         else
           {}
@@ -335,8 +437,14 @@ module Rails
           if (shared = loaded_yaml.delete("shared"))
             loaded_yaml.each do |env, config|
               if config.is_a?(Hash) && config.values.all?(Hash)
-                config.map do |name, sub_config|
-                  sub_config.reverse_merge!(shared)
+                if shared.is_a?(Hash) && shared.values.all?(Hash)
+                  config.map do |name, sub_config|
+                    sub_config.reverse_merge!(shared[name])
+                  end
+                else
+                  config.map do |name, sub_config|
+                    sub_config.reverse_merge!(shared)
+                  end
                 end
               else
                 config.reverse_merge!(shared)
@@ -357,6 +465,30 @@ module Rails
         raise e, "Cannot load database configuration:\n#{e.message}", e.backtrace
       end
 
+      def autoload_lib(ignore:)
+        lib = root.join("lib")
+
+        # Set as a string to have the same type as default autoload paths, for
+        # consistency.
+        autoload_paths << lib.to_s
+        eager_load_paths << lib.to_s
+
+        ignored_abspaths = Array.wrap(ignore).map { lib.join(_1) }
+        Rails.autoloaders.main.ignore(ignored_abspaths)
+      end
+
+      def autoload_lib_once(ignore:)
+        lib = root.join("lib")
+
+        # Set as a string to have the same type as default autoload paths, for
+        # consistency.
+        autoload_once_paths << lib.to_s
+        eager_load_paths << lib.to_s
+
+        ignored_abspaths = Array.wrap(ignore).map { lib.join(_1) }
+        Rails.autoloaders.once.ignore(ignored_abspaths)
+      end
+
       def colorize_logging
         ActiveSupport::LogSubscriber.colorize_logging
       end
@@ -366,9 +498,32 @@ module Rails
         generators.colorize_logging = val
       end
 
+      def secret_key_base
+        @secret_key_base || begin
+          self.secret_key_base = if generate_local_secret?
+            generate_local_secret
+          else
+            ENV["SECRET_KEY_BASE"] || Rails.application.credentials.secret_key_base
+          end
+        end
+      end
+
+      def secret_key_base=(new_secret_key_base)
+        if new_secret_key_base.nil? && generate_local_secret?
+          @secret_key_base = generate_local_secret
+        elsif new_secret_key_base.is_a?(String) && new_secret_key_base.present?
+          @secret_key_base = new_secret_key_base
+        elsif new_secret_key_base
+          raise ArgumentError, "`secret_key_base` for #{Rails.env} environment must be a type of String`"
+        else
+          raise ArgumentError, "Missing `secret_key_base` for '#{Rails.env}' environment, set this string with `bin/rails credentials:edit`"
+        end
+      end
+
       # Specifies what class to use to store the session. Possible values
-      # are +:cookie_store+, +:mem_cache_store+, a custom store, or
-      # +:disabled+. +:disabled+ tells Rails not to deal with sessions.
+      # are +:cache_store+, +:cookie_store+, +:mem_cache_store+, a custom
+      # store, or +:disabled+. +:disabled+ tells \Rails not to deal with
+      # sessions.
       #
       # Additional options will be set as +session_options+:
       #
@@ -382,25 +537,14 @@ module Rails
       #   config.session_store :my_custom_store
       def session_store(new_session_store = nil, **options)
         if new_session_store
-          if new_session_store == :active_record_store
-            begin
-              ActionDispatch::Session::ActiveRecordStore
-            rescue NameError
-              raise "`ActiveRecord::SessionStore` is extracted out of Rails into a gem. " \
-                "Please add `activerecord-session_store` to your Gemfile to use it."
-            end
-          end
-
           @session_store = new_session_store
           @session_options = options || {}
         else
           case @session_store
           when :disabled
             nil
-          when :active_record_store
-            ActionDispatch::Session::ActiveRecordStore
           when Symbol
-            ActionDispatch::Session.const_get(@session_store.to_s.camelize)
+            ActionDispatch::Session.resolve_store(@session_store)
           else
             @session_store
           end
@@ -445,6 +589,10 @@ module Rails
         f
       end
 
+      def inspect # :nodoc:
+        "#<#{self.class.name}:#{'%#016x' % (object_id << 1)}>"
+      end
+
       class Custom # :nodoc:
         def initialize
           @configurations = Hash.new
@@ -453,37 +601,45 @@ module Rails
         def method_missing(method, *args)
           if method.end_with?("=")
             @configurations[:"#{method[0..-2]}"] = args.first
-          else
+          elsif args.empty?
             @configurations.fetch(method) {
               @configurations[method] = ActiveSupport::OrderedOptions.new
             }
+          else
+            raise ArgumentError, "wrong number of arguments (given #{args.length}, expected 0) when reading configuration `#{method}`"
           end
         end
 
-        def respond_to_missing?(symbol, *)
+        def respond_to_missing?(symbol, _)
           true
         end
       end
 
       private
-        def default_credentials_content_path
-          if credentials_available_for_current_env?
-            root.join("config", "credentials", "#{Rails.env}.yml.enc")
-          else
-            root.join("config", "credentials.yml.enc")
-          end
+        def credentials_defaults
+          content_path = root.join("config/credentials/#{Rails.env}.yml.enc")
+          content_path = root.join("config/credentials.yml.enc") if !content_path.exist?
+
+          key_path = root.join("config/credentials/#{Rails.env}.key")
+          key_path = root.join("config/master.key") if !key_path.exist?
+
+          { content_path: content_path, key_path: key_path }
         end
 
-        def default_credentials_key_path
-          if credentials_available_for_current_env?
-            root.join("config", "credentials", "#{Rails.env}.key")
-          else
-            root.join("config", "master.key")
+        def generate_local_secret
+          key_file = root.join("tmp/local_secret.txt")
+
+          unless File.exist?(key_file)
+            random_key = SecureRandom.hex(64)
+            FileUtils.mkdir_p(key_file.dirname)
+            File.binwrite(key_file, random_key)
           end
+
+          File.binread(key_file)
         end
 
-        def credentials_available_for_current_env?
-          File.exist?(root.join("config", "credentials", "#{Rails.env}.yml.enc"))
+        def generate_local_secret?
+          Rails.env.local? || ENV["SECRET_KEY_BASE_DUMMY"]
         end
     end
   end

data/lib/rails/application/default_middleware_stack.rb

@@ -13,7 +13,13 @@ module Rails
 
       def build_stack
         ActionDispatch::MiddlewareStack.new do |middleware|
-          middleware.use ::ActionDispatch::HostAuthorization, config.hosts, **config.host_authorization
+          unless Array(config.hosts).empty?
+            middleware.use ::ActionDispatch::HostAuthorization, config.hosts, **config.host_authorization
+          end
+
+          if config.assume_ssl
+            middleware.use ::ActionDispatch::AssumeSSL
+          end
 
           if config.force_ssl
             middleware.use ::ActionDispatch::SSL, **config.ssl_options,
@@ -56,7 +62,7 @@ module Rails
             middleware.use ::ActionDispatch::ActionableExceptions
           end
 
-          unless config.cache_classes
+          if config.reloading_enabled?
             middleware.use ::ActionDispatch::Reloader, app.reloader
           end
 

data/lib/rails/application/dummy_config.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class DummyConfig # :nodoc:
+  def initialize(config)
+    @config = config
+  end
+
+  def to_s
+    "DummyConfig"
+  end
+
+  def method_missing(selector, ...)
+    if @config.respond_to?(selector)
+      @config.send(selector, ...)
+    else
+      self
+    end
+  end
+end