| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since Rails 6.0 will support Ruby 2.4.1 or higher
`# frozen_string_literal: true` magic comment is enough to make string object frozen.
This magic comment is enabled by `Style/FrozenStringLiteralComment` cop.
* Exclude these files not to auto correct false positive `Regexp#freeze`
- 'actionpack/lib/action_dispatch/journey/router/utils.rb'
- 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb'
It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333
Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed.
* Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required
- 'actionpack/test/controller/test_case_test.rb'
- 'activemodel/test/cases/type/string_test.rb'
- 'activesupport/lib/active_support/core_ext/string/strip.rb'
- 'activesupport/test/core_ext/string_ext_test.rb'
- 'railties/test/generators/actions_test.rb'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`.
```ruby
# frozen_string_literal: true
require "bundler/inline"
gemfile(true) do
source "https://rubygems.org"
gem "benchmark-ips"
end
Benchmark.ips do |x|
x.report('+@') { +"" }
x.report('dup') { "".dup }
x.compare!
end
```
```
$ ruby -v benchmark.rb
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
Warming up --------------------------------------
+@ 282.289k i/100ms
dup 187.638k i/100ms
Calculating -------------------------------------
+@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s
dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s
Comparison:
+@: 6775299.3 i/s
dup: 3320400.7 i/s - 2.04x slower
```
|
|
|
|
|
|
| |
[ci skip]
Follow up #33401, 5491f8115711d8b34d52f8ba5e52ba39a49b08fe.
|
|
|
|
| |
Follow up to 9f152a606
|
| |
|
|\
| |
| |
| |
| |
| | |
vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
|
| |
| |
| |
| |
| |
| |
| | |
to make it not leak length information even for variable length string.
Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
and started raising `ArgumentError` in case of length mismatch of passed strings.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
## Summary
RuboCop 0.51.0 was released.
https://github.com/bbatsov/rubocop/releases/tag/v0.51.0
And rubocop-0-51 channel is available in Code Climate.
https://github.com/codeclimate/codeclimate-rubocop/issues/109
This PR will bump RuboCop to 0.51.0 and fixes the following new
offenses.
```console
% bundle exec rubocop
Inspecting 2358 files
(snip)
Offenses:
actionpack/lib/action_controller/metal/http_authentication.rb:251:59: C:
Prefer double-quoted strings unless you need single quotes to avoid
extra backslashes for escaping.
[key.strip, value.to_s.gsub(/^"|"$/, "").delete('\'')]
^^^^
activesupport/test/core_ext/load_error_test.rb:8:39: C: Prefer
double-quoted strings unless you need single quotes to avoid extra
backslashes for escaping.
assert_raise(LoadError) { require 'no_this_file_don\'t_exist' }
^^^^^^^^^^^^^^^^^^^^^^^^^^^
2358 files inspected, 2 offenses detected
```
|
| | |
|
| |
| |
| |
| |
| | |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
|/ |
|
|
|
|
| |
[ci skip]
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Style/SpaceBeforeBlockBraces
Style/SpaceInsideBlockBraces
Style/SpaceInsideHashLiteralBraces
Fix all violations in the repository.
|
| |
|
|
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
| |
|
|
|
|
| |
`authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
|
|
|
|
|
|
| |
this will avoid timing attacks against applications that use basic auth.
CVE-2015-7576
|
|\
| |
| |
| | |
Handle tab in token authentication header.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The HTTP spec allows for LWS to precede the header content, which
could include multiple SP and HT characters. Update the regex used to
match the Token authorization header to account for this, instead of
matching on a single SP.
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant
parts of the specification.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
|
| | |
|
| |
| |
| | |
As we all know that Accessing mime types via constants is deprecated. Now, we are using `Mime::Type[:JSON]` instead of `Mime::JSON`
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This will silence deprecation warnings.
Most of the test can be changed from `render :text` to render `:plain`
or `render :body` right away. However, there are some tests that needed
to be fixed by hand as they actually assert the default Content-Type
returned from `render :body`.
|
| |
| |
| |
| | |
[ci skip]
|
| | |
|
| |
| |
| |
| | |
Digest allowed the messages.
Add the same feature to basic and token
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://github.com/ruby/ruby/pull/579 - there is a new optimization
since ruby 2.2
Previously regexp patterns were faster (since a string was converted to
regexp underneath anyway). But now string patterns are faster and
better reflect the purpose.
Benchmark.ips do |bm|
bm.report('regexp') { 'this is ::a random string'.gsub(/::/, '/') }
bm.report('string') { 'this is ::a random string'.gsub('::', '/') }
bm.compare!
end
# string: 753724.4 i/s
# regexp: 501443.1 i/s - 1.50x slower
|
| | |
|
| | |
|
| | |
|
| |
| |
| | |
Example does not work with session headers, should use request headers. [ci skip]
|
|\ \
| | |
| | |
| | | |
Allow authentication header to not have to specify 'token=' key.
|
| | |
| | |
| | |
| | | |
Fixes: https://github.com/rails/rails/issues/17108.
|
|/ /
| |
| |
| |
| |
| |
| |
| | |
I grepped the source code for code snippets wrapped in backticks in the comments
and replaced the backticks with plus signs so they are correctly displayed in
the Rails documentation.
[ci skip]
|
| |
| |
| |
| | |
add a test case to test the regex for the helper method raw_params
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
The 401 status should be set first because setting the response body in
a live controller also closes the response to further changes.
Fixes #14229.
|
|\ \
| | |
| | | |
Check authentication scheme in Basic auth
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`authenticate_with_http_basic` and its families should check the authentication
schema is "Basic".
Different schema, such as OAuth2 Bearer should be rejected by basic auth, but
it was passing as the test shows.
This fixes #10257.
|
| |/
|/| |
|
|/
|
|
| |
ref #14062
|