diff options
Diffstat (limited to 'actionpack')
12 files changed, 137 insertions, 16 deletions
diff --git a/actionpack/lib/action_controller/base.rb b/actionpack/lib/action_controller/base.rb index 0fe0853da3..b420e00c78 100644 --- a/actionpack/lib/action_controller/base.rb +++ b/actionpack/lib/action_controller/base.rb @@ -261,6 +261,12 @@ module ActionController PROTECTED_IVARS end + def self.make_response!(request) + ActionDispatch::Response.create.tap do |res| + res.request = request + end + end + ActiveSupport.run_load_hooks(:action_controller, self) end end diff --git a/actionpack/lib/action_controller/metal.rb b/actionpack/lib/action_controller/metal.rb index 74c4153cd2..246644dcbd 100644 --- a/actionpack/lib/action_controller/metal.rb +++ b/actionpack/lib/action_controller/metal.rb @@ -129,7 +129,7 @@ module ActionController end def self.make_response!(request) - ActionDispatch::Response.create.tap do |res| + ActionDispatch::Response.new.tap do |res| res.request = request end end diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index d9a8b9c12d..5051c02a62 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -213,7 +213,11 @@ module ActionController #:nodoc: if !verified_request? if logger && log_warning_on_csrf_failure - logger.warn "Can't verify CSRF token authenticity." + if valid_request_origin? + logger.warn "Can't verify CSRF token authenticity." + else + logger.warn "HTTP Origin header (#{request.origin}) didn't match request.base_url (#{request.base_url})" + end end handle_unverified_request end diff --git a/actionpack/lib/action_controller/metal/strong_parameters.rb b/actionpack/lib/action_controller/metal/strong_parameters.rb index 1190e0ed69..baf15570d5 100644 --- a/actionpack/lib/action_controller/metal/strong_parameters.rb +++ b/actionpack/lib/action_controller/metal/strong_parameters.rb @@ -667,6 +667,7 @@ module ActionController other_hash.to_h.merge(@parameters) ) end + alias_method :with_defaults, :reverse_merge # Returns current <tt>ActionController::Parameters</tt> instance with # current hash merged into +other_hash+. @@ -674,6 +675,7 @@ module ActionController @parameters.merge!(other_hash.to_h) { |key, left, right| left } self end + alias_method :with_defaults!, :reverse_merge! # This is required by ActiveModel attribute assignment, so that user can # pass +Parameters+ to a mass assignment methods in a model. It should not diff --git a/actionpack/lib/action_dispatch/system_test_case.rb b/actionpack/lib/action_dispatch/system_test_case.rb index 9cc3d0757f..98fdb36c91 100644 --- a/actionpack/lib/action_dispatch/system_test_case.rb +++ b/actionpack/lib/action_dispatch/system_test_case.rb @@ -87,7 +87,7 @@ module ActionDispatch def initialize(*) # :nodoc: super - self.class.superclass.driver.use + self.class.driver.use end def self.start_application # :nodoc: @@ -100,6 +100,8 @@ module ActionDispatch SystemTesting::Server.new.run end + class_attribute :driver, instance_accessor: false + # System Test configuration options # # The default settings are Selenium, using Chrome, with a screen size @@ -113,13 +115,10 @@ module ActionDispatch # # driven_by :selenium, screen_size: [800, 800] def self.driven_by(driver, using: :chrome, screen_size: [1400, 1400], options: {}) - @driver = SystemTesting::Driver.new(driver, using: using, screen_size: screen_size, options: options) + self.driver = SystemTesting::Driver.new(driver, using: using, screen_size: screen_size, options: options) end - # Returns the driver object for the initialized system test - def self.driver - @driver ||= SystemTestCase.driven_by(:selenium) - end + driven_by :selenium end SystemTestCase.start_application diff --git a/actionpack/test/controller/api/with_helpers_test.rb b/actionpack/test/controller/api/with_helpers_test.rb index 9882a25ae1..06db949153 100644 --- a/actionpack/test/controller/api/with_helpers_test.rb +++ b/actionpack/test/controller/api/with_helpers_test.rb @@ -15,6 +15,12 @@ class WithHelpersController < ActionController::API end end +class SubclassWithHelpersController < WithHelpersController + def with_helpers + render plain: self.class.helpers.my_helper + end +end + class WithHelpersTest < ActionController::TestCase tests WithHelpersController @@ -24,3 +30,13 @@ class WithHelpersTest < ActionController::TestCase assert_equal "helper", response.body end end + +class SubclassWithHelpersTest < ActionController::TestCase + tests WithHelpersController + + def test_with_helpers + get :with_helpers + + assert_equal "helper", response.body + end +end diff --git a/actionpack/test/controller/base_test.rb b/actionpack/test/controller/base_test.rb index 42a5157010..4e969fac07 100644 --- a/actionpack/test/controller/base_test.rb +++ b/actionpack/test/controller/base_test.rb @@ -11,6 +11,12 @@ end class EmptyController < ActionController::Base end +class SimpleController < ActionController::Base + def hello + self.response_body = "hello" + end +end + class NonEmptyController < ActionController::Base def public_action head :ok @@ -118,6 +124,27 @@ class ControllerInstanceTests < ActiveSupport::TestCase controller = klass.new assert_equal "examples", controller.controller_path end + + def test_response_has_default_headers + original_default_headers = ActionDispatch::Response.default_headers + + ActionDispatch::Response.default_headers = { + "X-Frame-Options" => "DENY", + "X-Content-Type-Options" => "nosniff", + "X-XSS-Protection" => "1;" + } + + response_headers = SimpleController.action("hello").call( + "REQUEST_METHOD" => "GET", + "rack.input" => -> {} + )[1] + + assert response_headers.key?("X-Frame-Options") + assert response_headers.key?("X-Content-Type-Options") + assert response_headers.key?("X-XSS-Protection") + ensure + ActionDispatch::Response.default_headers = original_default_headers + end end class PerformActionTest < ActionController::TestCase diff --git a/actionpack/test/controller/metal_test.rb b/actionpack/test/controller/metal_test.rb new file mode 100644 index 0000000000..e16452ed6f --- /dev/null +++ b/actionpack/test/controller/metal_test.rb @@ -0,0 +1,30 @@ +require "abstract_unit" + +class MetalControllerInstanceTests < ActiveSupport::TestCase + class SimpleController < ActionController::Metal + def hello + self.response_body = "hello" + end + end + + def test_response_has_default_headers + original_default_headers = ActionDispatch::Response.default_headers + + ActionDispatch::Response.default_headers = { + "X-Frame-Options" => "DENY", + "X-Content-Type-Options" => "nosniff", + "X-XSS-Protection" => "1;" + } + + response_headers = SimpleController.action("hello").call( + "REQUEST_METHOD" => "GET", + "rack.input" => -> {} + )[1] + + refute response_headers.key?("X-Frame-Options") + refute response_headers.key?("X-Content-Type-Options") + refute response_headers.key?("X-XSS-Protection") + ensure + ActionDispatch::Response.default_headers = original_default_headers + end +end diff --git a/actionpack/test/controller/parameters/parameters_permit_test.rb b/actionpack/test/controller/parameters/parameters_permit_test.rb index 9f3025587e..3e067314d6 100644 --- a/actionpack/test/controller/parameters/parameters_permit_test.rb +++ b/actionpack/test/controller/parameters/parameters_permit_test.rb @@ -310,6 +310,14 @@ class ParametersPermitTest < ActiveSupport::TestCase refute_predicate merged_params[:person], :empty? end + test "#with_defaults is an alias of reverse_merge" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + merged_params = @params.with_defaults(default_params) + + assert_equal "1234", merged_params[:id] + refute_predicate merged_params[:person], :empty? + end + test "not permitted is sticky beyond reverse_merge" do refute_predicate @params.reverse_merge(a: "b"), :permitted? end @@ -327,6 +335,14 @@ class ParametersPermitTest < ActiveSupport::TestCase refute_predicate @params[:person], :empty? end + test "#with_defaults! is an alias of reverse_merge!" do + default_params = ActionController::Parameters.new(id: "1234", person: {}).permit! + @params.with_defaults!(default_params) + + assert_equal "1234", @params[:id] + refute_predicate @params[:person], :empty? + end + test "modifying the parameters" do @params[:person][:hometown] = "Chicago" @params[:person][:family] = { brother: "Jonas" } diff --git a/actionpack/test/controller/params_wrapper_test.rb b/actionpack/test/controller/params_wrapper_test.rb index 1eb92abae4..2a41d57b26 100644 --- a/actionpack/test/controller/params_wrapper_test.rb +++ b/actionpack/test/controller/params_wrapper_test.rb @@ -32,13 +32,13 @@ class ParamsWrapperTest < ActionController::TestCase def self.attribute_names [] end - end - class Person - def self.stores_attributes + def self.stored_attributes { settings: [:color, :size] } end + end + class Person def self.attribute_names [] end @@ -67,11 +67,13 @@ class ParamsWrapperTest < ActionController::TestCase end def test_store_accessors_wrapped - with_default_wrapper_options do - @request.env["CONTENT_TYPE"] = "application/json" - post :parse, params: { "username" => "sikachu", "color" => "blue", "size" => "large" } - assert_parameters("username" => "sikachu", "color" => "blue", "size" => "large", - "user" => { "username" => "sikachu", "color" => "blue", "size" => "large" }) + assert_called(User, :attribute_names, times: 2, returns: ["username"]) do + with_default_wrapper_options do + @request.env["CONTENT_TYPE"] = "application/json" + post :parse, params: { "username" => "sikachu", "color" => "blue", "size" => "large" } + assert_parameters("username" => "sikachu", "color" => "blue", "size" => "large", + "user" => { "username" => "sikachu", "color" => "blue", "size" => "large" }) + end end end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index d645ddfdbe..794e057b85 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -347,6 +347,10 @@ module RequestForgeryProtectionTests end def test_should_block_post_with_origin_checking_and_wrong_origin + old_logger = ActionController::Base.logger + logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new + ActionController::Base.logger = logger + forgery_protection_origin_check do session[:_csrf_token] = @token @controller.stub :form_authenticity_token, @token do @@ -356,6 +360,13 @@ module RequestForgeryProtectionTests end end end + + assert_match( + "HTTP Origin header (http://bad.host) didn't match request.base_url (http://test.host)", + logger.logged(:warn).last + ) + ensure + ActionController::Base.logger = old_logger end def test_should_warn_on_missing_csrf_token diff --git a/actionpack/test/dispatch/system_testing/system_test_case_test.rb b/actionpack/test/dispatch/system_testing/system_test_case_test.rb index 1a9421c098..33d98f924f 100644 --- a/actionpack/test/dispatch/system_testing/system_test_case_test.rb +++ b/actionpack/test/dispatch/system_testing/system_test_case_test.rb @@ -6,6 +6,14 @@ class SetDriverToRackTestTest < DrivenByRackTest end end +class OverrideSeleniumSubclassToRackTestTest < DrivenBySeleniumWithChrome + driven_by :rack_test + + test "uses rack_test" do + assert_equal :rack_test, Capybara.current_driver + end +end + class SetDriverToSeleniumTest < DrivenBySeleniumWithChrome test "uses selenium" do assert_equal :selenium, Capybara.current_driver |