| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
|
|
|
|
|
|
|
| |
`content_security_policy_nonce_generator` specifies request as an argument when calling.
https://github.com/rails/rails/blob/ddb7da8535b07f51b7a8f5e3062cc8ffbd4ff23b/actionpack/lib/action_dispatch/http/content_security_policy.rb#L100
So without this fix, will raise `ArgumentError` when start server.
|
|
|
|
|
|
| |
Add `//= require rails-ujs`
Closes #32094
|
|\
| |
| | |
Fix plugin generated files
|
| |
| |
| |
| |
| | |
- Do not generate `javascript_include_tag` if `--skip-javascript`
- Generate `<%= csp_meta_tag %>`. Related to #32018.
|
| |
| |
| |
| | |
`--skip-active-storage`
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 16f279ebd474626577ced858e3626ac4535a33df, reversing
changes made to 6c6a30a7c357ce1eafa093d77d2b08684fe50887.
The config can be named anything, not just default (although all
generated apps will be named default). We can't just delete configs that
don't have a database because that will break three-tier configs. Oh
well.
|
|/
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 0979713abe2e22083e1beca01a1d113408c9ab36.
I originally wanted to delete the default config but found out it can
be called anything which means the code would blow up in unexpected
ways.
I thought "cool ill just delete the configs without dbs" and realized
that totally 100% breaks the three-tier config. So I'm reverting this
and the other commit.
|
|\
| |
| | |
Add support for automatic nonce generation for Rails UJS
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
|
| |
| |
| |
| |
| |
| |
| |
| | |
In #32075 I deleted the default configuration since that's what's
generated with the Rails app. Since someone could change the default
name instead delete any config that doesn't have a database so we can
avoid peppering our Rails tasks with conditionals to deal with invalid
database configs.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since #30241, if namepsace is specified, routes will be generated even
if there is no actions.
However, it seems that this behavior is not intentionally added behavior.
As with 5.1, routes should not be generated if actions are not specified.
Fixes #32072.
|
|\ \
| | |
| | | |
Delete default configuration
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Because of this default configuration we're constantly checking if the
database exists when looping through configurations. This is unnecessary
and we should just delete it before we need to loop through
configurations.
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| | |
`--skip-active-storage`
Remove redundant assertions of an absence of `mini_magick` in `Gemfile`
since `bin/rails app:update` does not update Gemfile.
This assertions was added by 4a835aa3236eedb135ccf8b59ed3c03e040b8b01,
after reviewing of https://github.com/rails/rails/pull/32049 i realized
that assertions are redundant.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Although the spec[1] is defined in such a way that a trailing semi-colon
is valid it also doesn't allow a semi-colon by itself to indicate an
empty policy. Therefore it's easier (and valid) just to omit it rather
than to detect whether the policy is empty or not.
[1]: https://www.w3.org/TR/CSP2/#policy-syntax
|
| |
| |
| |
| |
| |
| | |
Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing
changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b.
If a policy is set then we should generate it even if it's empty.
However what is happening is that we're accidentally generating an
empty policy when the initializer is commented out by default.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
are used together
The purpose of keeping app/views folder in API apps is that it's used for
mailer views so doesn't makes sense to keep it when Action Mailer is skipped.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Don't use :: for class methods, we don't do that elsewhere.
* Don't install a needless method on minitest. Prefer assigning the
reporter anyway as that's what minitest does internally.
* Don't bother opting out when the reporter ain't a Minitest::CompositeReporter.
It's hardcoded: https://github.com/seattlerb/minitest/blob/005a3ba42c07d04797e2d00ac2c53e3be127c12f/lib/minitest.rb#L125
And overrides have to create delegate reporters:
https://github.com/kern/minitest-reporters/blob/1018b1b42f34b01d4de179c8aad2fa06771fe9b0/lib/minitest/minitest_reporter_plugin.rb#L72
|
| |
| |
| |
| |
| |
| |
| |
| | |
`Rails.application.config.content_security_policy` is configured with no
policies by default. In this case, Content-Security-Policy header should
not be generated instead of generating the header with no directives.
Firefox also warns "Content Security Policy: Couldn't process unknown
directive ''".
|
| |
| |
| |
| |
| |
| | |
Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug.
References #32028
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Global ignores at toplevel .gitignore
* Component-specific ignores in each toplevel directory
* Remove `actionview/test/tmp/.keep` for JRuby
```
rm actionview/test/tmp/ -fr
cd actionview/
bundle exec jruby -Itest test/template/digestor_test.rb
```
Related to #11743, #30392.
Closes #29978.
|
| |
| |
| |
| | |
Rack::TemfileReaper in default middleware stack for API only apps
|
| | |
|
|\ \
| | |
| | | |
Fix custome serializer setting
|
| |/
| |
| |
| |
| |
| |
| |
| | |
The serializer should be set up in `after_initialize` so that it work
properly even if the user specifies serializer with initializers.
Also, since `custom_serializers` is `Array`, it needs to be flattened
before setting the value.
|
| | |
|
|\ \
| | |
| | | |
Use SuppressedSummaryReporter and Rails::TestUnitReporter only if needed
|
| |/ |
|
| | |
|
| |
| |
| |
| | |
It seems to debug print.
|
| |
| |
| |
| |
| | |
Some places we can't remove because Ruby still don't have a method
equivalent to strip_heredoc to be called in an already existent string.
|
| |
| |
| |
| | |
Rails 6 will only support Ruby >= 2.3.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides both a forked process and threaded parallelization options. To
use add `parallelize` to your test suite.
Takes a `workers` argument that controls how many times the process
is forked. For each process a new database will be created suffixed
with the worker number; test-database-0 and test-database-1
respectively.
If `ENV["PARALLEL_WORKERS"]` is set the workers argument will be ignored
and the environment variable will be used instead. This is useful for CI
environments, or other environments where you may need more workers than
you do for local testing.
If the number of workers is set to `1` or fewer, the tests will not be
parallelized.
The default parallelization method is to fork processes. If you'd like to
use threads instead you can pass `with: :threads` to the `parallelize`
method. Note the threaded parallelization does not create multiple
database and will not work with system tests at this time.
parallelize(workers: 2, with: :threads)
The threaded parallelization uses Minitest's parallel exector directly.
The processes paralleliztion uses a Ruby Drb server.
For parallelization via threads a setup hook and cleanup hook are
provided.
```
class ActiveSupport::TestCase
parallelize_setup do |worker|
# setup databases
end
parallelize_teardown do |worker|
# cleanup database
end
parallelize(workers: 2)
end
```
[Eileen M. Uchitelle, Aaron Patterson]
|
|
|
|
|
|
|
|
|
|
|
|
| |
See https://github.com/rails/rails/pull/31957#issuecomment-364817423
The purpose of `--force` is not to have any prompt whether a file should
be kept or overwritten. In general, all existing files should be overwritten.
However, `config/master.key` is special because it is git-ignored, and
overwriting it will cause the app not to run (since there won't be a way
to decrypt the credentials).
As a result, it's probably better to keep the existing config/master.key.
|
|
|
|
|
| |
Incompatible settings are included in the settings set by `load_defaults`.
So, I think that target version should be updated by a user when becomes
available, and should not be updated with `app:update`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is similar to #30700 which ensures the `--quiet` option of `rails new`
is respected by the `MasterKeyGenerator` (missing from #30067).
Before this commit, running `rails new app --force` would still prompt the
user what to do with the conflict in `config/master.key`:
```
…
identical config/locales/en.yml
conflict config/master.key
Overwrite /Users/claudiob/Desktop/pizza/config/master.key? (enter "h" for help) [Ynaqdh]
```
After this commit, `config/master.key` is overwritten:
```
…
identical config/locales/en.yml
force config/master.key
append .gitignore
```
The newly added test generates an app and then generates it again with
`--force`. Without this commit, the test would just wait forever for user
input.
|
|\
| |
| | |
Remove warning from 4 years ago [ci skip]
|
| |
| |
| |
| |
| | |
`config/initializers/assets.rb` has been a part of Rails apps since
Rails 4.2 (30b56084). This comment is probably unnecessary by now.
|
|/
|
|
|
| |
* Use heredoc with credentials template.
* Fix indentation for aws config
|
|
|
| |
Fixes #31917
|
|
|
|
| |
These classes are internally used only.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Appropriate way to handle encrypted command is by `bin/rails credentials` and
`bin/rails encrypted`
It was displayed on `bin/rails generate` command:
```
Please choose a generator below.
Rails:
application_record
assets
channel
controller
encrypted_file
encryption_key_file
generator
...
```
|
| |
|
|
|
|
| |
:tada::tada::tada:
|