aboutsummaryrefslogtreecommitdiffstats
path: root/railties/test/application/middleware_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Adds support for configuring HTTP Feature Policy (#33439)Jacob Bednarz2019-07-101-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
* Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-131-1/+0
| | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* Manage ActionDispatch::ActionableExceptions from the default middleware stackGenadi Samokovarov2019-04-191-0/+2
|
* No need to handle if FrozenError is availableYasuo Honda2018-12-231-1/+1
| | | | | | | Rails 6 requires Ruby 2.5, which introduces `FrozenError` https://docs.ruby-lang.org/en/2.5.0/NEWS.html Related to #31520
* Introduce a guard against DNS rebinding attacksGenadi Samokovarov2018-12-151-6/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
* Make Webpacker the default JavaScript compiler for Rails 6 (#33079)David Heinemeier Hansson2018-09-301-6/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Use Webpacker by default on new apps * Stop including coffee-rails by default * Drop using a js_compressor by default * Drop extra test for coffeescript inclusion by default * Stick with skip_javascript to signify skipping webpack * Don't install a JS runtime by default any more * app/javascript will be the new default directory for JS * Make it clear that this is just for configuring the default Webpack framework setup now * Start using the Webpack tag in the default layout * Irrelevant test * jQuery is long gone * Stop having asset pipeline compile default application.js * Add rails-ujs by default to the Webpack setup * Add Active Storage JavaScript to application.js pack by default * Consistent quoting * Add Turbolinks to default pack * Add Action Cable to default pack Need some work on how to set the global consumer that channels will work with. @javan? * Require all channels by default and use a separate consumer stub * Channel generator now targets Webpack style * Update task docs to match new generator style * Use uniform import style * Drop the JS assets generator It was barely helpful as it was. It’s no longer helpful in a Webpacked world. Sayonara! * Add app/javascript to the stats directories * Simpler import style Which match the other imports. * Address test failures from dropping JS compilation (and compression) * webpacker-default: Modify `AssetsGeneratorTest` Before: ``` $ bin/test test/generators/assets_generator_test.rb Run options: --seed 46201 F Failure: AssetsGeneratorTest#test_assets [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/assets_generator_test.rb:12]: Expected file "app/assets/javascripts/posts.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/assets_generator_test.rb:10 . Finished in 0.031343s, 63.8101 runs/s, 95.7152 assertions/s. 2 runs, 3 assertions, 1 failures, 0 errors, 0 skips ``` After: ``` $ bin/test test/generators/assets_generator_test.rb Run options: --seed 43571 .. Finished in 0.030370s, 65.8545 runs/s, 65.8545 assertions/s. 2 runs, 2 assertions, 0 failures, 0 errors, 0 skips ``` * webpacker-default: Modify `ChannelGeneratorTest` Before: ``` $ bin/test test/generators/channel_generator_test.rb Run options: --seed 8986 .F Failure: ChannelGeneratorTest#test_channel_with_multiple_actions_is_created [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:43]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:34 .F Failure: ChannelGeneratorTest#test_channel_is_created [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:29]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:22 E Error: ChannelGeneratorTest#test_cable_js_is_created_if_not_present_already: Errno::ENOENT: No such file or directory @ apply2files - /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/fixtures/tmp/app/assets/javascripts/cable.js bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:60 F Failure: ChannelGeneratorTest#test_channel_suffix_is_not_duplicated [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:87]: Expected file "app/assets/javascripts/channels/chat.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:80 F Failure: ChannelGeneratorTest#test_channel_on_revoke [/Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:77]: Expected file "app/assets/javascripts/cable.js" to exist, but does not bin/test /Users/ttanimichi/ghq/github.com/ttanimichi/rails/railties/test/generators/channel_generator_test.rb:68 Finished in 0.064384s, 108.7227 runs/s, 481.4861 assertions/s. 7 runs, 31 assertions, 4 failures, 1 errors, 0 skips ``` After: ``` $ bin/test test/generators/channel_generator_test.rb Run options: --seed 44857 ....... Finished in 0.060243s, 116.1961 runs/s, 697.1764 assertions/s. 7 runs, 42 assertions, 0 failures, 0 errors, 0 skips ``` * Fix shared generator tests. * webpacker-default: Modify `ControllerGeneratorTest` The JS assets generator was dropped. ref. https://github.com/rails/rails/commit/46215b179483d3e4d264555f5a4952f43eb8142a * Revert "Simpler import style". It's currently failing with an error of "TypeError: undefined is not an object (evaluating '__WEBPACK_IMPORTED_MODULE_2_activestorage___default.a.start')". Waiting for @javan to have a look. This reverts commit 5d3ebb71059f635d3756cbda4ab9752027e09256. * require webpacker in test app * Add webpacker without making the build hang/timeout. (#33640) * use yarn workspaces to allow for installing unreleased packages and only generate js/bootsnap when required * no longer need to have webpacker in env templates as webpacker moved this config to yml file * Fix rubocop violation * Got the test passing for the running scaffold * update expected lines of code * update middleware tests to account for webpacker * disable js in plugins be default to get the tests passing (#34009) * clear codeclimate report issues * Anything newer than currently released is good * Use Webpacker development version during development of Rails * Edge should get development webpacker as well * Add changelog entry for Webpacker change
* Multipart file uploads are very rare in API only apps so don't include ↵Guillermo Iguaran2018-02-171-2/+1
| | | | Rack::TemfileReaper in default middleware stack for API only apps
* Add Rack::TempfileReaper to tests and docsGeorge Claghorn2018-01-301-2/+4
|
* Handle `FrozenError` if it is availableYasuo Honda2017-12-201-1/+1
| | | | | | | | | | | | | | | This pull request handles `FrozenError` introduced by Ruby 2.5. Refer https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/61131 Since `FrozenError` is a subclass of `RuntimeError` minitest used by master branch can handle it, though it would be better to handle `FrozenError` explicitly if possible. `FrozenError` does not exist in Ruby 2.4 or lower, `frozen_error_class` handles which exception is expected to be raised. This pull request is intended to be merged to master, then backported to `5-1-stable` to address #31508
* Add DSL for configuring Content-Security-Policy headerAndrew White2017-11-271-0/+1
| | | | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
* Fix RuboCop offensesKoichi ITO2017-08-161-1/+1
| | | | And enable `context_dependent` of Style/BracesAroundHashParameters cop.
* Adding frozen_string_literal pragma to Railties.Pat Allan2017-08-141-0/+2
|
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|
* Enforce middleware ordering with a test, instead of commentsMatthew Draper2016-12-311-3/+34
| | | | | | | | | We want the actual order to be very predictable, so it's rightly defined in code -- not with an on-the-fly tsort. But we can do the tsort here, and then verify that it matches the implemented ordering. This way we don't leave future readers guessing which parts of the ordering are deliberate and which are arbitrary.
* Merge pull request #27515 from ↵Matthew Draper2016-12-311-2/+2
|\ | | | | | | | | | | kbrock/fix_log_remote_ip_before_dispatcher_ips_settings Allow log remote ip addres when config.action_dispatch.trusted_proxie…
| * Allow log remote ip addres when config.action_dispatch.trusted_proxies passedLeonid Batizhevsky2016-12-301-1/+1
|/
* "Use assert_nil if expecting nil. This will fail in minitest 6."Akira Matsuda2016-12-251-2/+2
|
* Remove deprecated code in ssl middlewareRafael Mendonça França2016-10-101-2/+2
|
* Remove deprecated support to :text in renderRafael Mendonça França2016-10-101-4/+4
|
* improve error message when include assertions failMichael Grosser2016-09-161-12/+12
| | | | | | assert [1, 3].includes?(2) fails with unhelpful "Asserting failed" message assert_includes [1, 3], 2 fails with "Expected [1, 3] to include 2" which makes it easier to debug and more obvious what went wrong
* Add three new rubocop rulesRafael Mendonça França2016-08-161-1/+1
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* applies new string literal convention in railties/testXavier Noria2016-08-061-5/+5
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Remove unused boot_rails method and it's usagePrathamesh Sonpatki2016-07-041-1/+0
| | | | | - The `boot_rails` method from abstract_unit.rb is empty after 2abcdfd978fdcd491576a237e8c6b. - So let's remove it and its usage.
* Fix etag expectation to work with the SHA256Rafael Mendonça França2016-05-061-1/+1
| | | | It is related with https://github.com/rack/rack/commit/7b66d2cdb80a4d6b44fa8c61d92e25fbbda1f152
* Publish AS::Executor and AS::Reloader APIsMatthew Draper2016-03-021-22/+4
| | | | | | These should allow external code to run blocks of user code to do "work", at a similar unit size to a web request, without needing to get intimate with ActionDipatch.
* Replace `serve_static_files` in tests with `public_file_server.enabled`.Kasper Timm Hansen2015-11-041-2/+2
| | | | Forgot to do it in 748b2f9, when deprecating `serve_static_files`.
* Revert "removing Rack::Runtime from the default stack."Aaron Patterson2015-10-031-9/+11
| | | | | | | | | | | | | | | | | | This reverts commit 37423e4ff883ad5584bab983aceb4b2b759a1fd8. Jeremy is right that we shouldn't remove this. The fact is that many engines are depending on this middleware to be in the default stack. This ties our hands and forces us to keep the middleware in the stack so that engines will work. To be extremely clear, I think this is another smell of "the rack stack" that we have in place. When manipulating middleware, we should have meaningful names for places in the req / res lifecycle **not** have engines depend on a particular constant be in a particular place in the stack. This is a weakness of the API that we have to figure out a way to address before removing the constant. As far as timing attacks are concerned, we can reduce the granularity such that it isn't useful information for hackers, but is still useful for developers.
* removing Rack::Runtime from the default stack.Aaron Patterson2015-10-021-11/+9
| | | | | | | | | | | | The runtime header is a potential target for timing attacks since it returns the amount of time spent on the server (eliminating network speed). Total time is also not accurate for streaming responses. The middleware can be added back via: ```ruby config.middleware.ues ::Rack::Runtime ```
* mostly remove the ParamsParser middlewareAaron Patterson2015-09-181-2/+0
| | | | | This can still be added to the middleware stack, but is really not necessary. I'll follow up with a commit that deprecates the constant
* Rely on the load interlock for non-caching reloads, tooMatthew Draper2015-07-091-7/+7
|
* Soften the lock requirements when eager_load is disabledMatthew Draper2015-07-091-4/+21
| | | | | We don't need to fully disable concurrent requests: just ensure that loads are performed in isolation.
* Add config.api_only option to application and remove appropriate middleware ↵Santiago Pastorino2015-06-111-0/+27
| | | | when true
* Allow Rack::Runtime to be deleted from middleware stack.Guo Xiang Tan2015-02-191-0/+16
| | | | Fixes: https://github.com/rails/rails/issues/16433.
* Merge pull request #18100 from chancancode/serve_static_filesGodfrey Chan2014-12-191-2/+2
| | | | | | Allow static asset serving from env variable (enhanced!) Conflicts: railties/CHANGELOG.md
* inject Rack::Lock if config.eager_load is falseXavier Noria2014-09-181-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If code is not eager loaded constants are loaded on demand. Constant autoloading is not thread-safe, so if eager loading is not enabled multi-threading should not be allowed. This showed up in certain Capybara scenarios: Most Capybara drivers other than Rack::Test need a web server. In particular, drivers for JavaScript support. Capybara launches WEBrick in its own thread for those but that per se is fine, because the spec thread and the server thread are coordinated. Problem comes if the page being served in the spec makes Ajax calls. Those may hit WEBrick in parallel, and since WEBrick is multi-threaded and allow_concurrency? returns true in the test environment before this patch, threads are spawned to serve those parallel requests. On the other hand, since eager_load is false by default in the test environment, constants are not preloaded. So the suite is autoloading constants in a multi-threaded set. That's a receipt for paracetamol. The symptom is random obscure errors whose messages point somehow to constant autoloading. As a consequence of this fix for allow_concurrency? WEBrick in Capybara scenarios no longer runs in multi-threaded mode. Fixes #15089.
* Expectations firstAkira Matsuda2014-08-281-1/+1
|
* We don't need parenthesis for thisGuillermo Iguaran2014-08-051-1/+1
|
* Fix digest ETAG test.Arthur Neves2014-08-051-1/+1
| | | | | | After https://github.com/rack/rack/commit/12528d4567d8e6c1c7e9422fee6cd8b43c4389bf ETag will include a `W/` before the digest.
* Merge pull request #12365 from jbaudanza/reorderGuillermo Iguaran2013-12-011-1/+1
|\ | | | | Move Rack::Cache after ActionDispatch::Static in the middleware stack
| * Move Rack::Cache after AD::Static in the stackJonathan Baudanza2013-09-251-1/+1
| |
* | Expose MiddlewareStack#unshift to environment configuration.Ben Pickles2013-10-091-0/+6
|/
* Added CheckPending middleware in defaultArun Agrawal2013-07-151-0/+4
| | | | | | | | | As this middleware comes by default in a new rails app Added test to check omit for CheckPending when Active Record is not included.
* No need to add config for x_sendfile_headerArun Agrawal2013-07-151-2/+0
| | | | Rack::Sendfile is loaded by default now
* Rack::Sendfile is now included in middleware by default, change tests to ↵Guillermo Iguaran2013-07-151-10/+4
| | | | reflect that
* Calls to the application constant have been refactored to usewangjohn2013-06-101-2/+2
| | | | | Rails.application when drawing routes and creating other configurations on the application.
* Testing CheckPending middlewareArun Agrawal2013-06-081-0/+8
|
* Bring config.allow_concurrency backJosé Valim2013-03-031-0/+6
| | | | | Since the Rack::Lock still exists in development, let's provide a way to disable it explicitly.
* Remove BestStandardsSupport middlewareGuillermo Iguaran2013-01-291-2/+1
|
* Don't use action_controller.perform_caching to enable rack-rack.Rafael Mendonça França2012-10-181-4/+1
| | | | | Setting the action_dispatch.rack_cache options to true or a hash should be the way to enable it.
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-13 00:56:40 +0000