railties 6.0.0.beta3 → 6.0.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4b78369d9f271572d3a302573c3074369e2d00f9507ade58f17667c9dda5476
-  data.tar.gz: b3afe11e12e754306480173cfa772222d9b998d27a232d209a64624604a91341
+  metadata.gz: b79bdc57812a1581d826a6c2740a48f6392063b58797ca663c86864391fe2a22
+  data.tar.gz: 7f2f54e3166b8ce85e685ca97272a68423fce112b4f66b98c4fbd5e057264d0a
 SHA512:
-  metadata.gz: fc7ff12025bd5ae53ee9db3a985bbc6fc661d9f11aef9fdcd243e26a7dcd4c7186c12dd888479ebbd9f1da1204c031c9cdfaf34eab2e6411e81b63130a8167d3
-  data.tar.gz: 612e651ac16761224f2de33b9ee6829309aaa685935d576a935e782762ef5be87b111e585df6741eefe67c5937819b15c3c5be856eae8c74afb3a3185928c6cb
+  metadata.gz: e597f918a385dce73903379a335656b1312ca20fdcaaf6414764a056188cf53f6f53c5966fe9623afb1fbf0e021df87fe6fbcf3d3f4cd45e15960717f77ecea5
+  data.tar.gz: 8e9e498390107f6903c372e0e4e1d5c34975c1a1375bc4dbb9ba7ed801d76afb3e35d1b54a3b46b596c7b9919b58b75fb06b60866118440cc008f0ef0c3170b0

data/CHANGELOG.md

@@ -1,6 +1,83 @@
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Applications upgrading to Rails 6 can run the command
+
+    ```
+    bin/rails zeitwerk:check
+    ```
+
+    to check if the project structure they were using with the classic
+    autoloader is compatible with `:zeitwerk` mode.
+
+    *Matilda Smeds* & *Xavier Noria*
+
+*   Allow loading seeds without ActiveJob.
+
+    Fixes #35782
+
+    *Jeremy Weathers*
+
+*   `null: false` is set in the migrations by default for column pointed by
+    `belongs_to` / `references` association generated by model generator.
+
+    Also deprecate passing {required} to the model generator.
+
+    *Prathamesh Sonpatki*
+
+*   New applications get `config.cache_classes = false` in `config/environments/test.rb`
+    unless `--skip-spring`.
+
+    *Xavier Noria*
+
+*   Autoloading during initialization is deprecated.
+
+    *Xavier Noria*
+
+*   Only force `:async` ActiveJob adapter to `:inline` during seeding.
+
+    *BatedUrGonnaDie*
+
+*   The `connection` option of `rails dbconsole` command is deprecated in
+    favor of `database` option.
+
+    *Yuji Yaginuma*
+
+*   Replace `chromedriver-helper` gem with `webdrivers` in default Gemfile.
+    `chromedriver-helper` is deprecated as of March 31, 2019 and won't
+    receive any further updates.
+
+    *Guillermo Iguaran‮*
+
+*   Applications running in `:zeitwerk` mode that use `bootsnap` need
+    to upgrade `bootsnap` to at least 1.4.2.
+
+    *Xavier Noria*
+
+*   Add `config.disable_sandbox` option to Rails console.
+
+    This setting will disable `rails console --sandbox` mode, preventing
+    developer from accidentally starting a sandbox console,
+    which when left inactive, can cause the database server to run out of memory.
+
+    *Prem Sichanugrist*
+
+*   Add `-e/--environment` option to `rails initializers`.
+
+    *Yuji Yaginuma*
+
+
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-*   No changes.
+*   Generate random development secrets
+
+    A random development secret is now generated to tmp/development_secret.txt
+
+    This avoids an issue where development mode servers were vulnerable to
+    remote code execution.
+
+    Fixes CVE-2019-5420
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*, *John Hawthorn*
 
 
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
@@ -49,7 +126,9 @@
         gsub  Gemfile
     ```
 
-    The change command copies a template `config/database.yml` with the target database adapter into your app, and replaces your database gem with the target database gem.
+    The change command copies a template `config/database.yml` with
+    the target database adapter into your app, and replaces your database gem
+    with the target database gem.
 
     *Gannon McGibbon*
 
@@ -73,9 +152,9 @@
 
     *George Claghorn*
 
-*   Introduce guard against DNS rebinding attacks
+*   Introduce guard against DNS rebinding attacks.
 
-    The `ActionDispatch::HostAuthorization` is a new middleware that prevent
+    The `ActionDispatch::HostAuthorization` is a new middleware that prevents
     against DNS rebinding and other `Host` header attacks. It is included in
     the development environment by default with the following configuration:
 
@@ -183,7 +262,7 @@
     The encryption key can be in `ENV["RAILS_MASTER_KEY"]` or `config/credentials/production.key`.
 
     Environment credentials overrides can be edited with `rails credentials:edit --environment production`.
-    If no override is setup for the passed environment, it will be created.
+    If no override is set up for the passed environment, it will be created.
 
     Additionally, the default lookup paths can be overwritten with these configs:
 
@@ -273,9 +352,9 @@
 
     *Jose Luis Duran*
 
-*   Deprecate support for using the `HOST` environment to specify the server IP.
+*   Deprecate support for using the `HOST` environment variable to specify the server IP.
 
-    The `BINDING` environment should be used instead.
+    The `BINDING` environment variable should be used instead.
 
     Fixes #29516.
 

data/RDOC_MAIN.rdoc

@@ -4,7 +4,7 @@
 
 \Rails is a web-application framework that includes everything needed to
 create database-backed web applications according to the
-{Model-View-Controller (MVC)}[http://en.wikipedia.org/wiki/Model-view-controller]
+{Model-View-Controller (MVC)}[https://en.wikipedia.org/wiki/Model-view-controller]
 pattern.
 
 Understanding the MVC pattern is key to understanding \Rails. MVC divides your
@@ -79,7 +79,7 @@ and may also be used independently outside \Rails.
    * The \README file created within your application.
    * {Getting Started with \Rails}[https://guides.rubyonrails.org/getting_started.html].
    * {Ruby on \Rails Guides}[https://guides.rubyonrails.org].
-   * {The API Documentation}[http://api.rubyonrails.org].
+   * {The API Documentation}[https://api.rubyonrails.org].
    * {Ruby on \Rails Tutorial}[https://www.railstutorial.org/book].
 
 == Contributing
@@ -88,7 +88,7 @@ We encourage you to contribute to Ruby on \Rails! Please check out the
 {Contributing to Ruby on \Rails guide}[https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html] for guidelines about how to proceed. {Join us!}[http://contributors.rubyonrails.org]
 
 Trying to report a possible security vulnerability in \Rails? Please
-check out our {security policy}[http://rubyonrails.org/security/] for
+check out our {security policy}[https://rubyonrails.org/security/] for
 guidelines about how to proceed.
 
 Everyone interacting in \Rails and its sub-projects' codebases, issue trackers, chat rooms, and mailing lists is expected to follow the \Rails {code of conduct}[http://rubyonrails.org/conduct/].

data/README.rdoc

@@ -29,7 +29,7 @@ Railties is released under the MIT license:
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports can be filed for the Ruby on Rails project here:
 

data/lib/rails/application.rb

@@ -409,7 +409,8 @@ module Rails
     # The secret_key_base is used as the input secret to the application's key generator, which in turn
     # is used to create all MessageVerifiers/MessageEncryptors, including the ones that sign and encrypt cookies.
     #
-    # In test and development, this is simply derived as a MD5 hash of the application's name.
+    # In development and test, this is randomly generated and stored in a
+    # temporary file in <tt>tmp/development_secret.txt</tt>.
     #
     # In all other environments, we look for it first in ENV["SECRET_KEY_BASE"],
     # then credentials.secret_key_base, and finally secrets.secret_key_base. For most applications,
@@ -587,6 +588,7 @@ module Rails
 
           if !File.exist?(key_file)
             random_key = SecureRandom.hex(64)
+            FileUtils.mkdir_p(key_file.dirname)
             File.binwrite(key_file, random_key)
           end
 

data/lib/rails/application/configuration.rb

@@ -18,7 +18,8 @@ module Rails
                     :session_options, :time_zone, :reload_classes_only_on_change,
                     :beginning_of_week, :filter_redirect, :x, :enable_dependency_loading,
                     :read_encrypted_secrets, :log_level, :content_security_policy_report_only,
-                    :content_security_policy_nonce_generator, :require_master_key, :credentials
+                    :content_security_policy_nonce_generator, :require_master_key, :credentials,
+                    :disable_sandbox
 
       attr_reader :encoding, :api_only, :loaded_config_version, :autoloader
 
@@ -65,6 +66,7 @@ module Rails
         @credentials.content_path                = default_credentials_content_path
         @credentials.key_path                    = default_credentials_key_path
         @autoloader                              = :classic
+        @disable_sandbox                         = false
       end
 
       def load_defaults(target_version)
@@ -140,6 +142,10 @@ module Rails
             active_storage.queues.analysis = :active_storage_analysis
             active_storage.queues.purge    = :active_storage_purge
           end
+
+          if respond_to?(:active_record)
+            active_record.collection_cache_versioning = true
+          end
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end
@@ -184,6 +190,26 @@ module Rails
         end
       end
 
+      # Load the database YAML without evaluating ERB. This allows us to
+      # create the rake tasks for multiple databases without filling in the
+      # configuration values or loading the environment. Do not use this
+      # method.
+      #
+      # This uses a DummyERB custom compiler so YAML can ignore the ERB
+      # tags and load the database.yml for the rake tasks.
+      def load_database_yaml # :nodoc:
+        if path = paths["config/database"].existent.first
+          require "rails/application/dummy_erb_compiler"
+
+          yaml = Pathname.new(path)
+          erb = DummyERB.new(yaml.read)
+
+          YAML.load(erb.result)
+        else
+          {}
+        end
+      end
+
       # Loads and returns the entire raw configuration of database from
       # values stored in <tt>config/database.yml</tt>.
       def database_configuration

data/lib/rails/application/default_middleware_stack.rb

@@ -49,6 +49,7 @@ module Rails
           middleware.use ::Rails::Rack::Logger, config.log_tags
           middleware.use ::ActionDispatch::ShowExceptions, show_exceptions_app
           middleware.use ::ActionDispatch::DebugExceptions, app, config.debug_exception_response_format
+          middleware.use ::ActionDispatch::ActionableExceptions
 
           unless config.cache_classes
             middleware.use ::ActionDispatch::Reloader, app.reloader

data/lib/rails/application/dummy_erb_compiler.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# These classes are used to strip out the ERB configuration
+# values so we can evaluate the database.yml without evaluating
+# the ERB values.
+class DummyERB < ERB # :nodoc:
+  def make_compiler(trim_mode)
+    DummyCompiler.new trim_mode
+  end
+end
+
+class DummyCompiler < ERB::Compiler # :nodoc:
+  def compile_content(stag, out)
+    case stag
+    when "<%="
+      out.push "_erbout << 'dummy_compiler'"
+    end
+  end
+end

data/lib/rails/application/finisher.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/array/conversions"
+
 module Rails
   class Application
     module Finisher
@@ -21,10 +24,44 @@ module Rails
         end
       end
 
+      # This will become an error if/when we remove classic mode. The plan is
+      # autoloaders won't be configured up to this point in the finisher, so
+      # constants just won't be found, raising regular NameError exceptions.
+      initializer :warn_if_autoloaded, before: :let_zeitwerk_take_over do
+        next if config.cache_classes
+        next if ActiveSupport::Dependencies.autoloaded_constants.empty?
+
+        autoloaded    = ActiveSupport::Dependencies.autoloaded_constants
+        constants     = "constant".pluralize(autoloaded.size)
+        enum          = autoloaded.to_sentence
+        have          = autoloaded.size == 1 ? "has" : "have"
+        these         = autoloaded.size == 1 ? "This" : "These"
+        example       = autoloaded.first
+        example_klass = example.constantize.class
+
+        ActiveSupport::DescendantsTracker.clear
+        ActiveSupport::Dependencies.clear
+
+        ActiveSupport::Deprecation.warn(<<~WARNING)
+          Initialization autoloaded the #{constants} #{enum}.
+
+          Being able to do this is deprecated. Autoloading during initialization is going
+          to be an error condition in future versions of Rails.
+
+          Reloading does not reboot the application, and therefore code executed during
+          initialization does not run again. So, if you reload #{example}, for example,
+          the expected changes won't be reflected in that stale #{example_klass} object.
+
+          #{these} autoloaded #{constants} #{have} been unloaded.
+
+          Please, check the "Autoloading and Reloading Constants" guide for solutions.
+        WARNING
+      end
+
       initializer :let_zeitwerk_take_over do
         if config.autoloader == :zeitwerk
           require "active_support/dependencies/zeitwerk_integration"
-          ActiveSupport::Dependencies::ZeitwerkIntegration.take_over
+          ActiveSupport::Dependencies::ZeitwerkIntegration.take_over(enable_reloading: !config.cache_classes)
         end
       end
 

data/lib/rails/autoloaders.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "active_support/dependencies/zeitwerk_integration"
+
 module Rails
   module Autoloaders # :nodoc:
     class << self
@@ -7,13 +9,19 @@ module Rails
 
       def main
         if zeitwerk_enabled?
-          @main ||= Zeitwerk::Loader.new.tap { |loader| loader.tag = "rails.main" }
+          @main ||= Zeitwerk::Loader.new.tap do |loader|
+            loader.tag = "rails.main"
+            loader.inflector = ActiveSupport::Dependencies::ZeitwerkIntegration::Inflector
+          end
         end
       end
 
       def once
         if zeitwerk_enabled?
-          @once ||= Zeitwerk::Loader.new.tap { |loader| loader.tag = "rails.once" }
+          @once ||= Zeitwerk::Loader.new.tap do |loader|
+            loader.tag = "rails.once"
+            loader.inflector = ActiveSupport::Dependencies::ZeitwerkIntegration::Inflector
+          end
         end
       end
 

data/lib/rails/command/environment_argument.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support"
+require "active_support/core_ext/class/attribute"
 
 module Rails
   module Command
@@ -8,16 +9,18 @@ module Rails
       extend ActiveSupport::Concern
 
       included do
-        class_option :environment, aliases: "-e", type: :string,
-          desc: "Specifies the environment to run this console under (test/development/production)."
+        no_commands do
+          class_attribute :environment_desc, default: "Specifies the environment to run this #{self.command_name} under (test/development/production)."
+        end
+        class_option :environment, aliases: "-e", type: :string, desc: environment_desc
       end
 
       private
-        def extract_environment_option_from_argument
+        def extract_environment_option_from_argument(default_environment: Rails::Command.environment)
           if options[:environment]
             self.options = options.merge(environment: acceptable_environment(options[:environment]))
           else
-            self.options = options.merge(environment: Rails::Command.environment)
+            self.options = options.merge(environment: default_environment)
           end
         end
 

data/lib/rails/commands/console/console_command.rb

@@ -26,6 +26,12 @@ module Rails
       @options = options
 
       app.sandbox = sandbox?
+
+      if sandbox? && app.config.disable_sandbox
+        puts "Error: Unable to start console in sandbox mode as sandbox mode is disabled (config.disable_sandbox is true)."
+        exit 1
+      end
+
       app.load_console
 
       @console = app.config.console || IRB

data/lib/rails/commands/credentials/USAGE

@@ -42,7 +42,7 @@ from leaking.
 === Environment Specific Credentials
 
 The `credentials` command supports passing an `--environment` option to create an
-environment specific override. That override will takes precedence over the
+environment specific override. That override will take precedence over the
 global `config/credentials.yml.enc` file when running in that environment. So:
 
    rails credentials:edit --environment development

data/lib/rails/commands/credentials/credentials_command.rb

@@ -2,14 +2,15 @@
 
 require "active_support"
 require "rails/command/helpers/editor"
+require "rails/command/environment_argument"
 
 module Rails
   module Command
     class CredentialsCommand < Rails::Command::Base # :nodoc:
       include Helpers::Editor
+      include EnvironmentArgument
 
-      class_option :environment, aliases: "-e", type: :string,
-        desc: "Uses credentials from config/credentials/:environment.yml.enc encrypted by config/credentials/:environment.key key"
+      self.environment_desc = "Uses credentials from config/credentials/:environment.yml.enc encrypted by config/credentials/:environment.key key"
 
       no_commands do
         def help
@@ -20,6 +21,7 @@ module Rails
       end
 
       def edit
+        extract_environment_option_from_argument(default_environment: nil)
         require_application!
 
         ensure_editor_available(command: "bin/rails credentials:edit") || (return)
@@ -37,6 +39,7 @@ module Rails
       end
 
       def show
+        extract_environment_option_from_argument(default_environment: nil)
         require_application!
 
         say credentials.read.presence || missing_credentials_message
@@ -53,7 +56,11 @@ module Rails
         end
 
         def ensure_credentials_have_been_added
-          encrypted_file_generator.add_encrypted_file_silently(content_path, key_path)
+          if options[:environment]
+            encrypted_file_generator.add_encrypted_file_silently(content_path, key_path)
+          else
+            credentials_generator.add_credentials_file_silently
+          end
         end
 
         def change_credentials_in_system_editor
@@ -93,6 +100,13 @@ module Rails
 
           Rails::Generators::EncryptedFileGenerator.new
         end
+
+        def credentials_generator
+          require "rails/generators"
+          require "rails/generators/rails/credentials/credentials_generator"
+
+          Rails::Generators::CredentialsGenerator.new
+        end
     end
   end
 end