| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Include default headers by default in API mode
|
| |
| |
| |
| | |
ActionDispatch's default headers are now moved into their own module that are by default included in both Base and API. This allows API-mode applications to take advantage of the default security headers, as well as providing an easy way to add more.
|
|/ |
|
| |
|
|\
| |
| | |
Make mutating params#dig return value mutate underlying params
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When #dig was called on a params object and return either a Hash or an
Array, and that value was subsquently mutated, it would not modify the
containing params object. That means that the behavior of
`params.dig(:a, :b)[:c] = 1` did not match either `params[:a][:b][:c] =
1` nor `hash.dig(:a, :b)[:c] = 1`. Similarly to
`ActionController::Parameters#[]`, use `#convert_hashes_to_parameters`
to pre-convert values and insert them in the receiving params object
prior to returning them.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Today there are two common ways for Rails developers to force their
applications to communicate over HTTPS:
* `config.force_ssl` is a setting in environment configurations that
enables the `ActionDispatch::SSL` middleware. With this middleware
enabled, all HTTP communication to your application will be redirected
to HTTPS. The middleware also takes care of other best practices by
setting HSTS headers, upgrading all cookies to secure only, etc.
* The `force_ssl` controller method redirects HTTP requests to certain
controllers to HTTPS.
As a consultant, I've seen many applications with misconfigured HTTPS
setups due to developers adding `force_ssl` to `ApplicationController`
and not enabling `config.force_ssl`. With this configuration, many
application requests can be served over HTTP such as assets, requests
that hit mounted engines, etc. In addition, because cookies are not
upgraded to secure only in this configuration and HSTS headers are not
set, it's possible for cookies that are meant to be secure to be sent
over HTTP.
The confusion between these two methods of forcing HTTPS is compounded
by the fact that they share an identical name. This makes finding
documentation on the "right" method confusing.
HTTPS throughout is quickly becomming table stakes for all web sites.
Sites are expected to operate over HTTPS for all communication,
sensitive or otherwise. Let's encourage use of the broader-reaching
`ActionDispatch::SSL` middleware and elminate this source of user
confusion. If, for some reason, applications need to expose certain
endpoints over HTTP they can do so by properly configuring
`config.ssl_options`.
|
|
|
|
| |
Since Rails 6 requires Ruby 2.4.1+.
|
|
|
|
|
| |
If the app has the CSP disabled globally allow a controller action
to enable the policy for that request.
|
|
|
|
|
|
|
|
| |
e.g:
class LegacyPagesController < ApplicationController
content_security_policy false, only: :index
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
|
|
|
|
|
|
| |
Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug.
References #32028
|
|
|
|
|
| |
Some places we can't remove because Ruby still don't have a method
equivalent to strip_heredoc to be called in an already existent string.
|
|
|
|
| |
Fixes #31823.
|
| |
|
|
|
|
| |
[ci skip]
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| | |
JackMc/fix-chrome-referrer-invalidauthenticitytoken
Fix issue #30658 by checking explicitly for 'null' referrer
|
| | |
|
| |
| |
| |
| | |
Matches Hash#each behaviour as used in Rails 4.
|
| |
| |
| |
| | |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
|\ \
| | |
| | |
| | |
| | |
| | | |
vipulnsward/make-variable_size_secure_compare-public
Make variable_size_secure_compare public
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
to make it not leak length information even for variable length string.
Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`,
and started raising `ArgumentError` in case of length mismatch of passed strings.
|
| | |
| | |
| | | |
[ci skip]
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
## Summary
RuboCop 0.51.0 was released.
https://github.com/bbatsov/rubocop/releases/tag/v0.51.0
And rubocop-0-51 channel is available in Code Climate.
https://github.com/codeclimate/codeclimate-rubocop/issues/109
This PR will bump RuboCop to 0.51.0 and fixes the following new
offenses.
```console
% bundle exec rubocop
Inspecting 2358 files
(snip)
Offenses:
actionpack/lib/action_controller/metal/http_authentication.rb:251:59: C:
Prefer double-quoted strings unless you need single quotes to avoid
extra backslashes for escaping.
[key.strip, value.to_s.gsub(/^"|"$/, "").delete('\'')]
^^^^
activesupport/test/core_ext/load_error_test.rb:8:39: C: Prefer
double-quoted strings unless you need single quotes to avoid extra
backslashes for escaping.
assert_raise(LoadError) { require 'no_this_file_don\'t_exist' }
^^^^^^^^^^^^^^^^^^^^^^^^^^^
2358 files inspected, 2 offenses detected
```
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Several methods of `RequestForgeryProtection` are not showed in the api
doc even though `:doc:` is specified.
(e.g. `form_authenticity_param`)
http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
These methods are listed in the doc of v4.1.
http://api.rubyonrails.org/v4.1/classes/ActionController/RequestForgeryProtection.html
This is due to the influence of `:nodoc:` added in #18102, methods after
`CROSS_ORIGIN_JAVASCRIPT_WARNING` not showed from the doc.
Therefore, in order to show the method like originally, added `startdoc`
after `CROSS_ORIGIN_JAVASCRIPT_WARNING`.
|
| |
| |
| |
| | |
as well
|
| |
| |
| |
| | |
to properly wrap all attributes, including those which are nested.
|
| |
| |
| |
| |
| | |
This basically reverts e9fca7668b9eba82bcc832cb0061459703368397, d08da958b9ae17d4bbe4c9d7db497ece2450db5f,
d1fe1dcf8ab1c0210a37c2a78c1ee52cf199a66d, and 68eaf7b4d5f2bb56d939f71c5ece2d61cf6680a3
|
| |
| |
| |
| |
| |
| |
| | |
`:api:` tag was removed in 5349f231 since RDoc doesn't support `:api:`
tag. But those methods are not private API, they are public API for
renderers. The renderers should be able to know that they can override
this method.
|
| |
| |
| |
| | |
`UnknownController` was added in b1999be, but it is not used anywhere.
|
| |
| |
| |
| |
| | |
This method added by 1008511. It is unnecessary because it is no longer called
by 19c3495.
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently `:api:` tag has leaked on the doc directly since RDoc doesn't
support `:api:` tag directive.
http://api.rubyonrails.org/v5.1/classes/AbstractController/Rendering.html
So `:api: private` doesn't work as expected. We are using `:nodoc:` for
the purpose.
Related #13989.
|
|\ \
| | |
| | |
| | |
| | | |
koic/fix_cant_modify_frozen_string_error_in_ac_rendering
Fix `can't modify frozen String` error in AC::Rendering
|
| | | |
|
| | |
| | |
| | |
| | | |
This is no longer used since 79a5ea9eadb4d43b62afacedc0706cbe88c54496.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
Don't use remove_method or remove_possible_method just before a new
definition: at best the purpose is unclear, and at worst it creates a
race condition.
Instead, prefer redefine_method when practical, and
silence_redefinition_of_method otherwise.
|
| | |
|
| | |
|
| |
| |
| |
| | |
Fixes regression ActionController::UnpermittedParameters not raised. The inner hook was being executed twice, once when ActionController::Base was loaded and again when ActionController::API was loaded. As options.delete operations inside the block are not idempotent, the second time it was run there was no configuration option available
|
|\ \
| | |
| | | |
Eager load controller actions to reduce response time of the first request
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
On the first request, ActionController::Base#action_methods computes
and memoized the list of available actions [1]. With this PR we move
this expensive operation into eager load step to reduce response time
of the first request served in production.
This also reduces the memory footprint when running on forking server
like Unicorn.
[1] https://github.com/rails/rails/blob/a3813dce9a0c950a4af7909111fa730a2622b1db/actionpack/lib/abstract_controller/base.rb#L66-L77
|
|/ / |
|
|\ \
| | |
| | | |
Make actionpack frozen string friendly
|
| | | |
|
| | | |
|