| Commit message (Collapse) | Author | Age | Files | Lines |
- Do not generate `javascript_include_tag` if `--skip-javascript`
- Generate `<%= csp_meta_tag %>`. Related to #32018.
`--skip-active-storage`
Add support for timezones to Active Job
Record what was the current timezone in effect when the job was
enqueued and then restore when the job is executed in the same way
that the current locale is recorded and restored.
Add support for automatic nonce generation for Rails UJS
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in some way then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g.:
```erb
<%= javascript_tag nonce: true do %>
  alert('Hello, World!');
<% end %>
```
Fixes #31689.
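
The nonce flow this commit message describes, modelled end to end in plain Ruby as an added example (not code from the Rails commit). The helper names, the `csp-nonce` meta tag name and the simplified browser check are assumptions made for illustration.

```ruby
require "securerandom"
require "cgi"

# Server side: a fresh, unpredictable nonce for every response.
def generate_nonce
  SecureRandom.base64(16)
end

# CSP header that carries the nonce instead of 'unsafe-inline'.
def csp_header(nonce)
  "script-src 'self' 'nonce-#{nonce}'"
end

# Meta tag the client library reads (the name "csp-nonce" is assumed here).
def csp_meta_tag(nonce)
  %(<meta name="csp-nonce" content="#{CGI.escapeHTML(nonce)}">)
end

# Client side, modelled in Ruby: recover the nonce from the rendered page.
def nonce_from_meta(html)
  value = html[/<meta name="csp-nonce" content="([^"]*)">/, 1]
  value && CGI.unescapeHTML(value)
end

# Simplified model of the browser's decision for an inline <script>.
# Once a nonce source is present, 'unsafe-inline' no longer applies.
def inline_script_allowed?(header, script_nonce)
  sources = header[/script-src\s+([^;]*)/, 1].to_s.split
  nonces = sources.grep(/\A'nonce-.+'\z/)
  return sources.include?("'unsafe-inline'") if nonces.empty?
  !script_nonce.nil? && nonces.include?("'nonce-#{script_nonce}'")
end

# One simulated request: the library's tag, a tag with no nonce, a wrong nonce.
def demo_request
  nonce = generate_nonce
  header = csp_header(nonce)
  page = "<head>#{csp_meta_tag(nonce)}</head>"
  {
    ujs_script: inline_script_allowed?(header, nonce_from_meta(page)),
    tag_without_nonce: inline_script_allowed?(header, nil),
    tag_with_other_nonce: inline_script_allowed?(header, generate_nonce),
  }
end
```

The check looks only at the nonce attribute, not at what the tag contains, which is why the message's caveat about user generated content inside a nonced tag still applies.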
Properly escape column name embedded into regexp
SQLServerAdapter (gem `activerecord-sqlserver-adapter`) uses square
brackets for quoting column names (e.g. `[id]`). Those brackets must not
be misinterpreted in regular expressions.
Failure:
```
Expected /SELECT [developers].[id].* FROM developers/ to match "SELECT [developers].[id], [developers].[name], [developers].[salary], [developers].[firm_id], [developers].[mentor_id], [developers].[created_at], [developers].[updated_at], [developers].[created_on], [developers].[updated_on] FROM developers".
```
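
The failure above, reproduced as an added example (not code from the Rails test suite). The per-adapter quoting table, the helper names and the sample queries are constructed; it compares a raw column name with one passed through `Regexp.escape` before being embedded in the pattern.

```ruby
# Identifier quoting per adapter (constructed for this example).
QUOTE = {
  mysql:      ->(name) { "`#{name}`" },
  postgresql: ->(name) { %("#{name}") },
  sqlserver:  ->(name) { "[#{name}]" },
}.freeze

def quoted_column(adapter, table, column)
  quote = QUOTE.fetch(adapter)
  "#{quote.call(table)}.#{quote.call(column)}"
end

# Column name interpolated raw: "[", "]" and "." keep their regexp meaning,
# so "[developers]" becomes a one-character class.
def naive_pattern(adapter)
  column = quoted_column(adapter, "developers", "id")
  Regexp.new("SELECT #{column}.* FROM developers")
end

# Column name escaped first, so it can only match itself literally.
def escaped_pattern(adapter)
  column = Regexp.escape(quoted_column(adapter, "developers", "id"))
  Regexp.new("SELECT #{column}.* FROM developers")
end

# Constructed query text in each adapter's quoting style.
def sample_sql(adapter)
  "SELECT #{quoted_column(adapter, 'developers', 'id')}, " \
    "#{quoted_column(adapter, 'developers', 'name')} FROM developers"
end

# For every adapter: does each pattern match that adapter's own query?
def match_matrix
  QUOTE.keys.map do |adapter|
    sql = sample_sql(adapter)
    [adapter, { naive: naive_pattern(adapter).match?(sql),
                escaped: escaped_pattern(adapter).match?(sql) }]
  end.to_h
end
```

Only the square-bracket style breaks the raw pattern, and the same raw pattern also accepts unrelated text such as `SELECT s.d FROM developers`, which the escaped one rejects.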
In #32075 I deleted the default configuration since that's what's
generated with the Rails app. Since someone could change the default
name instead delete any config that doesn't have a database so we can
avoid peppering our Rails tasks with conditionals to deal with invalid
database configs.
Call methods with .method_name not ::method_name
Found several instances.
Follow up on 63d530c5e68a8cf53603744789f53ccbc7ac1a0e
Since #30241, if namespace is specified, routes will be generated even
if there are no actions.
However, it seems that this behavior is not intentionally added behavior.
As with 5.1, routes should not be generated if actions are not specified.
Fixes #32072.
We should call methods with `.method_name` not `::method_name`. Fix two
instances of `YAML::load` I found in favor of `YAML.load`.
Delete default configuration
Because of this default configuration we're constantly checking if the
database exists when looping through configurations. This is unnecessary
and we should just delete it before we need to loop through
configurations.
Although not a direct dependency, it's pulled in by Resque for
Active Job integration tests so we need to update because the
rack-protection gem has a security vulnerability[1].
[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-7212
Only us-east-1 gives URLs like bucket.s3.amazonaws.com whereas other
regions have URLs like s3-eu-west-1.amazonaws.com/ubxd-rails
CI with `jruby-head` compatible with Ruby 2.4.1
Since #32034 Rails 6 requires Ruby 2.4.1 or higher.
Two CI jobs configured with the latest version of `jruby-9.1.15.0`
compatible with Ruby 2.3.3 are getting errors:
https://travis-ci.org/rails/rails/jobs/343519339
```
Bundler could not find compatible versions for gem "ruby":
In Gemfile:
ruby java
rails java was resolved to 6.0.0.alpha, which depends on
ruby (>= 2.4.1) java
Could not find gem 'ruby (>= 2.4.1)', which is required by gem 'rails', in any
of the relevant sources:
```
Improve ActiveJob custom argument serializers #30941
Add `:nodoc:` to `ActiveJob::Serializers`
Add `:doc:` to `ActiveJob::Serializers::ObjectSerializer#klass`
Express `ActiveJob::Serializers::ObjectSerializer#klass` as private method
The serializer serializes an instance of `ActiveSupport::TimeWithZone`.
The serializer deserializes value to `ActiveSupport::TimeWithZone` if possible.
bogdanvlviv/test_mini_magick_gem_when_skip_active_storage_is_given
Ensure that `mini_magick` is absent after `rails new` with `--skip-active-storage`
`--skip-active-storage`
Remove redundant assertions of an absence of `mini_magick` in `Gemfile`
since `bin/rails app:update` does not update Gemfile.
These assertions were added by 4a835aa3236eedb135ccf8b59ed3c03e040b8b01,
after reviewing https://github.com/rails/rails/pull/32049 I realized
that the assertions are redundant.
Remove `AS::Multibyte`'s unicode table
Avoid method_redefined warnings in RouteSet::NamedRouteCollection
Before:
```
~/.rbenv/versions/2.5.0/bin/ruby -w -Itest -Ilib -I../activesupport/lib -I../actionpack/lib -I../actionview/lib -I../activemodel/lib test/application/routing_test.rb
Run options: --seed 5851
.......~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:156: warning: method redefined; discarding old custom_path
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_path was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:162: warning: method redefined; discarding old custom_url
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_url was here
....~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:156: warning: method redefined; discarding old custom_path
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_path was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:162: warning: method redefined; discarding old custom_url
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_url was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:156: warning: method redefined; discarding old custom_path
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_path was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:162: warning: method redefined; discarding old custom_url
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_url was here
..........~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:156: warning: method redefined; discarding old custom_path
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_path was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:162: warning: method redefined; discarding old custom_url
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_url was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:156: warning: method redefined; discarding old custom_path
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_path was here
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:162: warning: method redefined; discarding old custom_url
~/code/rails/actionpack/lib/action_dispatch/routing/route_set.rb:321: warning: previous definition of custom_url was here
.....
Finished in 13.233638s, 1.9647 runs/s, 5.8185 assertions/s.
26 runs, 77 assertions, 0 failures, 0 errors, 0 skips
```
After:
```
~/.rbenv/versions/2.5.0/bin/ruby -w -Itest -Ilib -I../activesupport/lib -I../actionpack/lib -I../actionview/lib -I../activemodel/lib test/application/routing_test.rb
Run options: --seed 38072
..........................
Finished in 12.009632s, 2.1649 runs/s, 6.4115 assertions/s.
26 runs, 77 assertions, 0 failures, 0 errors, 0 skips
```
Fix generation of empty content security policy
Although the spec[1] is defined in such a way that a trailing semi-colon
is valid it also doesn't allow a semi-colon by itself to indicate an
empty policy. Therefore it's easier (and valid) just to omit it rather
than to detect whether the policy is empty or not.
[1]: https://www.w3.org/TR/CSP2/#policy-syntax
Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing
changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b.
If a policy is set then we should generate it even if it's empty.
However what is happening is that we're accidentally generating an
empty policy when the initializer is commented out by default.
Return all mappings for a timezone id in country_zones
Some timezones like `Europe/London` have multiple mappings in
`ActiveSupport::TimeZone::MAPPING` so return all of them instead
of the first one found by using `Hash#value`. e.g:
```ruby
# Before
ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh"]
# After
ActiveSupport::TimeZone.country_zones("GB") # => ["Edinburgh", "London"]
```
Fixes #31668.
rubocop single space after assignment
Fixes #32021.
are used together
The purpose of keeping app/views folder in API apps is that it's used for
mailer views so it doesn't make sense to keep it when Action Mailer is skipped.
* Don't use :: for class methods, we don't do that elsewhere.
* Don't install a needless method on minitest. Prefer assigning the
reporter anyway as that's what minitest does internally.
* Don't bother opting out when the reporter ain't a Minitest::CompositeReporter.
It's hardcoded: https://github.com/seattlerb/minitest/blob/005a3ba42c07d04797e2d00ac2c53e3be127c12f/lib/minitest.rb#L125
And overrides have to create delegate reporters:
https://github.com/kern/minitest-reporters/blob/1018b1b42f34b01d4de179c8aad2fa06771fe9b0/lib/minitest/minitest_reporter_plugin.rb#L72
Skip generating empty CSP header when no policy is configured
`Rails.application.config.content_security_policy` is configured with no
policies by default. In this case, Content-Security-Policy header should
not be generated instead of generating the header with no directives.
Firefox also warns "Content Security Policy: Couldn't process unknown
directive ''".