| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Cookie doesn't expire anymore unless a flag is set:
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
- There is a regression in 6.0 introduced by #32937 where cookie
doesn't expire anymore unless the new `use_cookies_with_metadata`
configuration is set to `true`.
This causes issue for app migration from 5.2 to 6.0 because the
`use_cookies_with_metadata` flag can't be set to true until all
servers are running on 6.0.
Here is a small reproduction script that you can run in the console
```ruby
ActionDispatch::Cookies
request = ActionDispatch::Request.empty
request.env["action_dispatch.key_generator"] = ActiveSupport::KeyGenerator.new('1234567890')
request.env["action_dispatch.signed_cookie_salt"] = 'signed cookie'
request.env["action_dispatch.cookies_rotations"] = ActiveSupport::Messages::RotationConfiguration.new
request.env["action_dispatch.use_authenticated_cookie_encryption"] = true
signed_cookie = request.cookie_jar.signed
signed_cookie[:foobar] = { value: '123', expires: 1.day.ago }
p signed_cookie[:foobar]
```
|
|\ \
| |/
|/| |
Cleanup the whitelisting references after #33145
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
During the development of #33145, I have named a few concepts in the
code as `whitelisted`. We decided to stay away from the term and I
adjusted most of the code afterwards, but here are the cases I forgot to
change.
I also found a case in the API guide that we could have cleaned up as
well.
[ci skip]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://travis-ci.org/rails/rails/jobs/486285170#L1349-L1366
```
% git grep -n DrivenBySeleniumWith
test/abstract_unit.rb:374:class DrivenBySeleniumWithChrome < ActionDispatch::SystemTestCase
test/abstract_unit.rb:378:class DrivenBySeleniumWithHeadlessChrome < ActionDispatch::SystemTestCase
test/abstract_unit.rb:382:class DrivenBySeleniumWithHeadlessFirefox < ActionDispatch::SystemTestCase
test/dispatch/system_testing/screenshot_helper_test.rb:10: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:18: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:28: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:40: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:48: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:62: new_test = DrivenBySeleniumWithChrome.new("x")
test/dispatch/system_testing/screenshot_helper_test.rb:76:class SeleniumScreenshotsTest < DrivenBySeleniumWithChrome
test/dispatch/system_testing/system_test_case_test.rb:11:class OverrideSeleniumSubclassToRackTestTest < DrivenBySeleniumWithChrome
test/dispatch/system_testing/system_test_case_test.rb:19:class SetDriverToSeleniumTest < DrivenBySeleniumWithChrome
test/dispatch/system_testing/system_test_case_test.rb:25:class SetDriverToSeleniumHeadlessChromeTest < DrivenBySeleniumWithHeadlessChrome
test/dispatch/system_testing/system_test_case_test.rb:31:class SetDriverToSeleniumHeadlessFirefoxTest < DrivenBySeleniumWithHeadlessFirefox
test/dispatch/system_testing/system_test_case_test.rb:49:class UndefMethodsTest < DrivenBySeleniumWithChrome
```
|
| |
| |
| |
| |
| |
| | |
But `NameError: uninitialized constant ActionDispatch::SystemTesting::Browser::Selenium`
is pretty confused. I've little improved missing constant error to
`NameError: uninitialized constant Selenium`.
|
| |
| |
| |
| | |
https://travis-ci.org/rails/rails/jobs/486155626#L1317-L1335
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* There is currently no way to define specific browser capabilities since our SystemTest driver override the `option` key [Ref](https://github.com/rails/rails/blob/a07d0680787ced3c04b362fa7a238c918211ac70/actionpack/lib/action_dispatch/system_testing/driver.rb#L35)
This option key is used internally by selenium to add custom capabilities on the browser.
Depending on the Browser, some option are allowed to be passed inside a hash, the driver takes care of setting whatever you passed on the driver option. An example [here](https://github.com/rails/rails/blob/a07d0680787ced3c04b362fa7a238c918211ac70/actionpack/lib/action_dispatch/system_testing/driver.rb#L35) where you are allowed to pass args such as `--no-sandbox` etc
However this behavior was only meant for backward compatibility and as you can see it's deprecated.
The non-deprecated behavior is to create a `<Driver>::Option` object containing all the capabilities we want. This is what we [currently do](https://github.com/rails/rails/blob/a07d0680787ced3c04b362fa7a238c918211ac70/actionpack/lib/action_dispatch/system_testing/browser.rb#L34-L36) when chrome or firefox are in headless mode.
This PR allows to pass a block when calling `driven_by`, the block will be pased a `<Driver>::Option` instance. You can modify this object the way you want by adding any capabilities. The option object will be then passed to selenium.
```ruby
driven_by :selenium, using: :chrome do |driver_option|
driver_option.add_argument('--no-sandbox')
driver_option.add_emulation(device: 'iphone 4')
end
```
|
|
|
|
|
| |
Since "actionpack" is not included in isolation test.
Ref: https://travis-ci.org/rails/rails/jobs/484514392#L2715
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two cases where the debug view does not show the error details
properly:
* When the cause is mapped to an HTTP status code the last exception is
unexpectedly uwrapped
* When the last error is thrown from a view template the debug view is
not using the `rescues/template_error.html.erb` to generate the view
Both the cases could be fixed by not unwrapping the exception. The only
case where the exception should be unwrapped is when the last error is
an `ActionView::Template::Error` object. In this case the HTTP status
code is determined based on the cause.
There are actually more wrapper exceptions that are intentionally
thrown. However, there is a consistent pattern of setting the original
message and original backtrace to the wrapper exception implemented, so
the debug view will not lose the information about what went wrong
eariler.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In this case statement, there are two patterns that start with the same
line:
when %r{/not_found}
...
when %r{/not_found_original_exception}
...
Because the string "/not_found_original_exception" does match the first
one, it is never routed to what it is supposed to be routed, causing one
of the tests for DebugExceptions to happen to be passing.
After changing the regex expressions back to strings, I noticed that the
test setup is not complete (the template object needs to be a proper
template object). Once I fixed it all the tests started padding.
|
|
|
|
| |
2. Typo fixes.
|
| |
|
|
|
|
| |
Now that secret_token was removed all this code is now dead.
|
| |
|
|
|
|
|
| |
`#success?`, `missing?` and `error?` were deprecated in Rails 5.2 in favor of
`#successful?`, `not_found?` and `server_error?`.
|
|
|
|
| |
Ref: https://travis-ci.org/rails/rails/jobs/469956825#L1694
|
|
|
|
|
|
|
|
|
|
| |
Currently we sometimes find a redundant begin block in code review
(e.g. https://github.com/rails/rails/pull/33604#discussion_r209784205).
I'd like to enable `Style/RedundantBegin` cop to avoid that, since
rescue/else/ensure are allowed inside do/end blocks in Ruby 2.5
(https://bugs.ruby-lang.org/issues/12906), so we'd probably meets with
that situation than before.
|
|
|
|
|
|
| |
since Ruby 2.5
https://bugs.ruby-lang.org/issues/14133
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ActionDispatch::HostAuthorization is a new middleware that prevent
against DNS rebinding and other Host header attacks. By default it is
included only in the development environment with the following
configuration:
Rails.application.config.hosts = [
IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
IPAddr.new("::/0"), # All IPv6 addresses.
"localhost" # The localhost reserved domain.
]
In other environments, `Rails.application.config.hosts` is empty and no
Host header checks will be done. If you want to guard against header
attacks on production, you have to manually permit the allowed hosts
with:
Rails.application.config.hosts << "product.com"
The host of a request is checked against the hosts entries with the case
operator (#===), which lets hosts support entries of type RegExp,
Proc and IPAddr to name a few. Here is an example with a regexp.
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
A special case is supported that allows you to permit all sub-domains:
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << ".product.com"
|
|
|
|
|
| |
We are dealing with the rack env so it is better to specify it in the
tests.
|
|
|
|
|
| |
Raises an ArgumentError when multiple root routes are defined in the
same context instead of assigning nil names to subsequent roots.
|
|
|
|
|
|
|
|
| |
There is no controller instance when using a redirect route or a
mounted rack application so pass the request object as the context
when resolving dynamic CSP sources in this scenario.
Fixes #34200.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously if a dynamic source returned a symbol such as :self it
would be converted to a string implicity, e.g:
policy.default_src -> { :self }
would generate the header:
Content-Security-Policy: default-src self
and now it generates:
Content-Security-Policy: default-src 'self'
|
|
|
|
| |
ActiveSupport::ParameterFilter
|
|
|
|
|
|
|
| |
Until #34050 can be resolved
This reverts commit 7f870a5ba2aa9177aa4a0e03a9d027928ba60e49, reversing
changes made to 6556898884d636c59baae008e42783b8d3e16440.
|
|\
| |
| | |
Fix optionally scoped root route unscoped access
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This PR fixes an issue when the following situation occurs.
If you define a class like this
class MyConstraint
def call(*args)
# for some reason this is defined
end
def matches?(*args)
# checking the args
end
end
and try to use it as a constraint
get "/", to: "home#show", constraints: MyConstraint.new
if its `matches?` method returns `false` there will be an error for the
mapper will ask for the constraint arity, thinking it is a proc, lambda
or method.
This PR checks for the presence of the `arity` method on the constraint
calling it only if present, preventing the error while keeping the basic
behavior.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* master:
Remove force parent loading when counter cache child is created/destroyed
Raise an error when loading all fixtures from nil fixture_path
Revert "Remove `counter_cache_target` which is no longer called"
Update counter cache in memory if parent target is existed
If association is a hash-like object preloading fails
Use the same option for create database statements between Raketask and travis.rb
Fix "warning: shadowing outer local variable - config"
Remove `counter_cache_target` which is no longer called
Fix more offences
Change the empty block style to have space inside of the block
Fix a content_for test description
Stringify database configurations
Improve error message when assign wrong attributes to model
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit eagerly builds the route helper module after the routes have
been drawn and finalized. This allows us to cache the helper module but
not have to worry about people accessing the module while route
definition is "in-flight", and automatically deals with cache
invalidation as the module is regenerated anytime someone redraws the
routes.
The restriction this commit introduces is that the url helper module can
only be accessed *after* the routes are done being drawn.
Refs #24554 and #32892
|
|\
| |
| | |
Encode Content-Disposition filenames on send_data and send_file
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`.
```ruby
# frozen_string_literal: true
require "bundler/inline"
gemfile(true) do
source "https://rubygems.org"
gem "benchmark-ips"
end
Benchmark.ips do |x|
x.report('+@') { +"" }
x.report('dup') { "".dup }
x.compare!
end
```
```
$ ruby -v benchmark.rb
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
Warming up --------------------------------------
+@ 282.289k i/100ms
dup 187.638k i/100ms
Calculating -------------------------------------
+@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s
dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s
Comparison:
+@: 6775299.3 i/s
dup: 3320400.7 i/s - 2.04x slower
```
|
|\ \
| |/
|/| |
Add CSP nonce to `style-src` directive
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
For nonce, only `script-src` and` style-src` are meaningful in the
definition of Content Security Policy Level 2.
https://www.w3.org/TR/CSP2/#script-src-nonce-usage
https://www.w3.org/TR/CSP2/#style-src-nonce-usage
Therefore, I think that customization function not needs and it is enough
to enable both directives inside the framework.
Fixes #32920
|
| | |
|
|\ \
| | |
| | | |
use BacktraceCleaner for ActiveRecord verbose logging
|
| | | |
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Purpose metadata prevents cookie values from being
copy-pasted and ensures that the cookie is used only
for its originally intended purpose.
The Purpose and Expiry metadata are embedded inside signed/encrypted
cookies and will not be readable on previous versions of Rails.
We can switch off purpose and expiry metadata embedded in
signed and encrypted cookies using
config.action_dispatch.use_cookies_with_metadata = false
if you want your cookies to be readable on older versions of Rails.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
PR#32381 added Rubocop's comments to some tests files in order to
exclude `Performance/RedundantMerge`.
Turn off `Performance` cops for tests files via `Exclude`
in `.rubocop.yml`.
Context https://github.com/rails/rails/pull/32381#discussion_r205212331
|
|\ \
| | |
| | | |
Turn on performance based cops
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use attr_reader/attr_writer instead of methods
method is 12% slower
Use flat_map over map.flatten(1)
flatten is 66% slower
Use hash[]= instead of hash.merge! with single arguments
merge! is 166% slower
See https://github.com/rails/rails/pull/32337 for more conversation
|
|/ /
| |
| |
| |
| | |
http links will be redirected to the https version, but still better to
just directly link to the https version.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Add implicit to path conversion to uploaded file
Ruby has a few implicit conversion protocols (e.g. `to_hash`, `to_str`,
`to_path`, etc.). These are considered implicit conversion protocols
because in certain instances Ruby (MRI core objects) will check if an
argument responds to the appropriate protocol and automatically convert
it when it does; this is why you can provide a `Pathname` instance into
`File.read` without having to explicitly call `to_s`.
```ruby
a_file_path = 'some/path/file.ext'
File.write a_file_path, 'String Path Content'
File.read a_file_path
a_pathname = Pathname(a_file_path)
File.write core_file, 'Pathname Content'
File.read a_file_path
core_file = File.new(a_pathname)
File.write core_file, 'File Content'
File.read core_file
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Tempfile Content'
File.read tmp_file
```
So how does an uploaded file work in such cases?
```ruby
tmp_file = Tempfile.new('example')
File.write tmp_file, 'Uploaded Content'
uploaded_file = ActionDispatch::Http::UploadedFile.new(tempfile: tmp_file)
File.read uploaded_file
```
It fails with a `TypeError`:
no implicit conversion of ActionDispatch::Http::UploadedFile into String
In order to make an uploaded file work it must be explicitly converted
to a file path using `path`.
```ruby
File.read uploaded_file.path
```
This requires any code that expects path/file like objects to either
special case an uploaded file, re-implement the path conversion protocol
to use `path`, or forces the developer to explicitly cast uploaded files
to paths. This last option can sometimes be difficult to do when such
calls are deep within the inner workings of libraries.
Since an uploaded file already has a path it makes sense to implement
the implicit "path" conversion protocol (just like `File` and
`Tempfile`). This change allows uploaded file content to be treated more
closely to regular file content, without requiring any special case
handling or explicit conversion for common file utilities.
* Note uploaded file path delegation in CHANGELOG
|
|/ |
|
|
|
|
| |
Follow up of #32605.
|
|
|
|
|
|
|
| |
Specification: https://w3c.github.io/webappsec-csp/#directive-prefetch-src
This directive can already be used as an experimental feature in Chrome.
Ref: https://bugs.chromium.org/p/chromium/issues/detail?id=801561
|