aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-3/+65
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-3/+65
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Protect against error when parsing parameters with Bad RequestRafael Mendonça França2014-08-191-2/+2
| | | | | | | | Related with #11795.
* | Merge pull request #16299 from sikachu/ps-safer-ac-paramsJeremy Kemper2014-08-191-3/+84
|\ \ | | | | | | Update `ActionController::Parameters` to be more secure on parameters handling
| * | User `#to_hash` instead of calling `super`Prem Sichanugrist2014-08-181-1/+1
| | | | | | | | | | | | Ruby 1.9.3 does not implement Hash#to_h, so we can't call `super` on it.
| * | Fix failing test on several methods on ParameterPrem Sichanugrist2014-08-181-1/+25
| | | | | | | | | | | | | | | | | | | | | * `each` * `each_pair` * `delete` * `select!`
| * | Refactor code to reduce duplicate `self.class.new`Prem Sichanugrist2014-08-181-12/+10
| | |
| * | Add missing `Hash` methods to `AC::Parameters`Prem Sichanugrist2014-08-181-0/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is to make sure that `permitted` status is maintained on the resulting object. I found these methods that needs to be redefined by looking for `self.class.new` in the code. * extract! * transform_keys * transform_values
| * | Make `AC::Params#to_h` return Hash with safe keysPrem Sichanugrist2014-08-181-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `ActionController::Parameters#to_h` now returns a `Hash` with unpermitted keys removed. This change is to reflect on a security concern where some method performed on an `ActionController::Parameters` may yield a `Hash` object which does not maintain `permitted?` status. If you would like to get a `Hash` with all the keys intact, duplicate and mark it as permitted before calling `#to_h`. params = ActionController::Parameters.new(name: 'Senjougahara Hitagi') params.to_h # => {} unsafe_params = params.dup.permit! unsafe_params.to_h # => {"name"=>"Senjougahara Hitagi"} safe_params = params.permit(:name) safe_params.to_h # => {"name"=>"Senjougahara Hitagi"} This change is consider a stopgap as we cannot chage the code to stop `ActionController::Parameters` to inherit from `HashWithIndifferentAccess` in the next minor release. Also, adding a CHANGELOG entry to mention that `ActionController::Parameters` will not inheriting from `HashWithIndifferentAccess` in the next major version.
* | | Merge branch 'master' of github.com:rails/docrailsVijay Dev2014-08-193-2/+31
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/lib/action_controller/metal/mime_responds.rb actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb activerecord/lib/active_record/type/value.rb
| * | | Uppercase HTML in docs.Hendy Tanata2014-08-083-10/+10
| | | | | | | | | | | | | | | | [skip ci]
| * | | [ci skip] Document ActionDispatch::Staticschneems2014-08-051-0/+9
| | | |
| * | | [ci skip] document ActionDispatch::FileHandlerschneems2014-08-051-0/+10
| | | |
| * | | [ci skip] Document PublicExceptions middlewareschneems2014-08-051-0/+10
| | | |
* | | | Add missing requireGodfrey Chan2014-08-181-0/+2
| |/ / |/| |
* | | Deprecate TagAssertion instead of removingRafael Mendonça França2014-08-181-0/+1
| | |
* | | Merge pull request #15889 from carnesmedia/model-nameRafael Mendonça França2014-08-172-6/+6
|\ \ \ | | | | | | | | | | | | Use #model_name on instances instead of classes
| * | | Use #model_name on instances instead of classesAmiel Martin2014-06-242-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | This allows rails code to be more confdent when asking for a model name, instead of having to ask for the class. Rails core discussion here: https://groups.google.com/forum/#!topic/rubyonrails-core/ThSaXw9y1F8
* | | | Merge branch 'loofah'Rafael Mendonça França2014-08-176-597/+27
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | Conflicts: Gemfile
| * \ \ \ Merge branch 'master' into loofahRafael Mendonça França2014-08-1713-607/+218
| |\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md
| * \ \ \ \ Merge branch 'master' into loofahRafael Mendonça França2014-08-1236-402/+512
| |\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: actionpack/CHANGELOG.md actionpack/test/controller/integration_test.rb actionview/CHANGELOG.md
| * | | | | | We don't need loofah for the assertionsRafael Mendonça França2014-07-152-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We can just use nokogiri
| * | | | | | Merge pull request #11218 from kaspth/loofah-integrationRafael Mendonça França2014-07-106-597/+29
| |\ \ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Loofah-integration Conflicts: actionpack/CHANGELOG.md actionview/CHANGELOG.md
| | * | | | | | Add document_root_element to ActionDispatch::IntegrationTest so ↵Timm2014-06-161-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | assert_select can be called without specifying a root.
| | * | | | | | Moved html_document to ActionDispatch::Assertions. Included the ↵Timm2014-06-162-7/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rails::Dom::Testing::Assertions there as well.
| | * | | | | | Support for changes in SelectorAssertions.Timm2014-06-161-0/+14
| | | | | | | |
| | * | | | | | Changed deprecation message in dom and selector assertions in Action Dispatch.Timm2014-06-162-2/+2
| | | | | | | |
| | * | | | | | Removed tag.rb, since it is actually removed, not just deprecated. [ci skip]Timm2014-06-161-3/+0
| | | | | | | |
| | * | | | | | Moved ActionView::Assertions dependency from Action Pack's lib to ↵Timm2014-06-162-4/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | abstract_unit.rb.
| | * | | | | | Added deprecation warning to ActionDispatch::Assertions::TagAssertions.Timm2014-06-161-0/+3
| | | | | | | |
| | * | | | | | Trimmed deprecation message for ActionDispatch::Assertions::SelectorAssertions.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Require ActionView::Assertions in ActionController test_case.rb.Timm2014-06-161-0/+1
| | | | | | | |
| | * | | | | | Moved Dom and Selector assertions from ActionDispatch to ActionView.Timm2014-06-165-544/+7
| | | | | | | |
| | * | | | | | Fixed: assert_select_encoded finds the right content. No longer uses a ↵Timm2014-06-161-5/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | <encoded> wrapper. Updated tests to reflect this.
| | * | | | | | Removed mention of css_select supporting substitution values. It is not ↵Timm2014-06-161-7/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | tested anywhere.
| | * | | | | | Updated documentation to state more things about css selectors with ↵Timm2014-06-161-3/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | substitution values.
| | * | | | | | Reworked the wrapping root in NodeSet implementation in css_select.Timm2014-06-161-3/+5
| | | | | | | |
| | * | | | | | Wrapped element to search in NodeSet. Changed selectors to selector.Timm2014-06-161-3/+5
| | | | | | | |
| | * | | | | | Moved around alias line.Timm2014-06-161-2/+2
| | | | | | | |
| | * | | | | | Returning from filter if matches are empty.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Fixed: no longer wrapped @selected in fragment, since .css works fine ↵Timm2014-06-161-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | without it.
| | * | | | | | Reverted to using documents instead of document fragments, since searching ↵Timm2014-06-161-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | via default xml namespaces didn't work.
| | * | | | | | add_regex returns inspected value for non Regexp objects. Workaround, so ↵Timm2014-06-161-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | users don't have to care about enclosing values in double quotes.
| | * | | | | | Fixed: inadvertently called message method in MiniTest instead of ↵Timm2014-06-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | selector.message.
| | * | | | | | Cleaned up SubstitutionContext class.Timm2014-06-161-10/+8
| | | | | | | |
| | * | | | | | Simplified assert_select further by moving match filtering into HTMLSelector ↵Timm2014-06-161-32/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | select.
| | * | | | | | Fixed: now only compares html of children in filter_matches.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Added NodeSet comparison to possible root element in determine_root_from.Timm2014-06-161-1/+1
| | | | | | | |
| | * | | | | | Changed html_document to use fragments. Changed response_from_page to be an ↵Timm2014-06-161-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | alias of html_document.
| | * | | | | | Fixed bug by switching to Loofah fragment instead of document.Timm2014-06-161-2/+2
| | | | | | | |