rails.git - Mirror of official rails repo with custom fixes.

	Commit message (Collapse)	Author	Age	Files	Lines
*	Enable `Layout/EmptyLinesAroundAccessModifier` cop	Ryuta Kamizono	2019-06-13	1	-2/+0
\| \| \| \| \| \| \| \| \| \| \|	We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
*	Cleanup the whitelisting references after #33145	Genadi Samokovarov	2019-02-03	1	-2/+2
\| \| \| \| \| \| \| \| \| \| \| \|	During the development of #33145, I have named a few concepts in the code as `whitelisted`. We decided to stay away from the term and I adjusted most of the code afterwards, but here are the cases I forgot to change. I also found a case in the API guide that we could have cleaned up as well. [ci skip]
*	Enable `Style/RedundantBegin` cop to avoid newly adding redundant begin block	Ryuta Kamizono	2018-12-21	1	-7/+5
\| \| \| \| \| \| \| \| \| \|	Currently we sometimes find a redundant begin block in code review (e.g. https://github.com/rails/rails/pull/33604#discussion_r209784205). I'd like to enable `Style/RedundantBegin` cop to avoid that, since rescue/else/ensure are allowed inside do/end blocks in Ruby 2.5 (https://bugs.ruby-lang.org/issues/12906), so we'd probably meets with that situation than before.
*	Introduce a guard against DNS rebinding attacks	Genadi Samokovarov	2018-12-15	1	-0/+105
	The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"