aboutsummaryrefslogtreecommitdiffstats
path: root/railties
Commit message (Collapse)AuthorAgeFilesLines
...
* | | Introduce a guard against DNS rebinding attacksGenadi Samokovarov2018-12-157-9/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
* | | Ruby can show a little bit more detailed info in shorter codeAkira Matsuda2018-12-151-1/+1
| | | | | | | | | | | | This follows up adb0c7bc5116e0f6020a4ec32b7e19ea8b26f1ec
* | | http://localhost:3000/rails/info/properties shows more details for ease of ↵ujihisa2018-12-141-1/+1
| | | | | | | | | | | | | | | | | | bug reporting Hand-merging @ujihisa's ancient patch at https://lighthouseapp.com/projects/8994/tickets/3644
* | | Do not show post install message on rails newRafael Mendonça França2018-12-132-5/+5
| | |
* | | Use string for arguments in server testyuuji.yaginuma2018-12-131-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When actually execute from the command, the value of ARGV is passed to the server. So they are String. So let's use the same type in the test. Also, this removes the following warning in Ruby 2.6. ``` lib/rails/commands/server/server_command.rb:195: warning: deprecated Object#=~ is called on Integer; it always returns nil ```
* | | Fix warning: shadowing outer local variable - attributeRyuta Kamizono2018-12-131-1/+1
| | |
* | | Merge pull request #34691 from gmcgibbon/rm_helper_generator_suffixRyuta Kamizono2018-12-133-0/+16
|\ \ \ | | | | | | | | | | | | Remove redundant suffixes on generated helpers.
| * | | Remove redundant suffixes on generated helpers.Gannon McGibbon2018-12-123-0/+16
| | | |
* | | | Remove redundant suffixes on generated integration tests.Gannon McGibbon2018-12-123-0/+17
|/ / /
* | | Fix boolean interaction in scaffold system testsGannon McGibbon2018-12-124-3/+22
| | |
* | | Remove redundant suffixes on generated system tests.Gannon McGibbon2018-12-113-0/+23
| | |
* | | Upgrade Rubocop to 0.61.1 and fix offensesVinicius Stock2018-12-101-16/+16
| | |
* | | Add test for reads environment credential file with environment variable keyyuuji.yaginuma2018-12-091-1/+17
| | |
* | | Abort early if generator command fails (#34420)David Rodríguez2018-12-074-4/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * No need to go through ruby * Abort early if a generator command fails * Reuse `rails_command` method * Bump thor minimum dependency to 0.20.3 * Add some minimal docs * Add a changelog entry * Restore original logging
* | | Improve deprecation message for enqueue returning falseRafael Mendonça França2018-12-052-0/+31
| | | | | | | | | | | | | | | | | | And make sure new applications in Rails 6.0 has this config enabled. Also, improve test coverage and add a CHANGELOG entry.
* | | Merge pull request #33992 from kirs/enqueue-return-falseRafael França2018-12-051-0/+3
|\ \ \ | | | | | | | | Make AJ::Base#enqueue return false if the job wasn't enqueued
| * | | Make AJ::Base#enqueue return false if the job wasn't enqueuedKir Shatrov2018-10-281-0/+3
| | | |
* | | | Merge pull request #33882 from ↵Rafael França2018-11-302-29/+59
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | mberlanda/mberlanda/as-inheritable-options-intialization [Realties] config_for as ActiveSupport::OrderedOptions
| * | | | chore: implement config_for as ActiveSupport::OrderedOptionsMauro Berlanda2018-10-192-29/+59
| | | | |
* | | | | Bump the minimum version of PostgreSQL to 9.3Yasuo Honda2018-11-252-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://www.postgresql.org/support/versioning/ - 9.1 EOLed on September 2016. - 9.2 EOLed on September 2017. 9.3 is also not supported since Nov 8, 2018. https://www.postgresql.org/about/news/1905/ I think it may be a little bit early to drop PostgreSQL 9.3 yet. * Deprecated `supports_ranges?` since no other databases support range data type * Add `supports_materialized_views?` to abstract adapter Materialized views itself is supported by other databases, other connection adapters may support them * Remove `with_manual_interventions` It was only necessary for PostgreSQL 9.1 or earlier * Drop CI against PostgreSQL 9.2
* | | | | Compile packs before run testyuuji.yaginuma2018-11-221-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Sometimes `test_scaffold_tests_pass_by_default` test fails in CI. https://travis-ci.org/rails/rails/jobs/457621750#L2095-L2120 It seems `manifest.json` was broken. `webpacker` will compile automatically if packs is not compiled. If parallel test is enabled, it seems that this compilation process is executed simultaneously in multiple processes, and it may become an inconsistent state. In order to avoid this, compile before running the test.
* | | | | Homogenize rails help outputAlberto Almagro2018-11-191-9/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit 6567464bedd1e39ee7390da9484ba0caa7eb3e07 we homogenized rails commands with former rake tasks. We decided to display all commands at the same level and merged the list of commands displayed by `rails help`. We however forgot to actually merge the output in the command itself. This commit fixes that.
* | | | | Merge pull request #34410 from gmcgibbon/test_support_windowsEileen M. Uchitelle2018-11-191-1/+1
|\ \ \ \ \ | | | | | | | | | | | | Windows support for parallelization and instrumenter
| * | | | | Windows support for parallelization and instrumenterGannon McGibbon2018-11-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add Windows support for `ActiveSupport::Testing::Parallelization` and `ActiveSupport::Notifications::Instrumenter`.
* | | | | | Merge pull request #34476 from y-yagi/fix_no_method_error_in_parallelizationEileen M. Uchitelle2018-11-191-0/+14
|\ \ \ \ \ \ | | | | | | | | | | | | | | Correctly handle unknown object in parallel tests
| * | | | | | Correctly handle unknown object in parallel testsyuuji.yaginuma2018-11-171-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | DRb wraps in `DRbUnknown` if the data contains a type that can not be resolved locally. This can happen if an error occurs in the test and the error class can not be resolved on the server side. When this happens, an instance of `DRbUnknown` is passed to the `result` of `Server#record`. This causes another error(undefined method assertions for #<DRb::DRbUnknown:> (NoMethodError)) in `reporter.record`. This can confirm by the following steps. ``` $ rails new app -B --dev; cd app $ rails g scaffold user name:string $ edit `config.action_controller.allow_forgery_protection = true` in environments/test.rb $ bin/rails t ``` In the case of `DRbUnknown` occurs, can't resolve error exception. So wrap exception with `DRbRemoteError` in the same way as an unmarshalled object.
* | | | | | | Fix test name to match the test behavioryuuji.yaginuma2018-11-181-4/+4
|/ / / / / / | | | | | | | | | | | | | | | | | | These tests are for testing the `rake` method.
* | | | | | Fix a method call in bin/setup fileNihad Abbasov2018-11-151-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | Follow up to a725539de677adbea0ced19d65647e975dbd3f84
* | | | | | Merge pull request #34400 from gmcgibbon/rm_autoload_app_javascriptsRafael França2018-11-134-10/+34
|\ \ \ \ \ \ | | | | | | | | | | | | | | Remove asset paths from autoload_paths
| * | | | | | Remove asset paths from eager_load_paths and autoload_pathsGannon McGibbon2018-11-094-10/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove `app/assets` and `app/javascript` from `eager_load_paths` and `autoload_paths`.
* | | | | | | Merge pull request #34411 from N0xFF/masterRafael França2018-11-131-0/+25
|\ \ \ \ \ \ \ | | | | | | | | | | | | | | | | Reset Capybara sessions if failed system test screenshot raising an exception
| * | | | | | | Reset sessions on failed system test screenshotMaxim Perepelitsa2018-11-131-0/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reset Capybara sessions if `take_failed_screenshot` raise exception in system test `after_teardown`.
* | | | | | | | add a nice alias for the --webpack optionAlessandro Rodi2018-11-131-2/+2
| | | | | | | |
* | | | | | | | Ignore warnings such as `Psych.safe_load is deprecated`Yasuo Honda2018-11-131-0/+2
| |/ / / / / / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Addressing warnings are important but it should be out of this test scope. https://travis-ci.org/rails/rails/jobs/454145524#L4122-L4131 ``` .F Failure: ApplicationTests::BinSetupTest#test_bin_setup_output [test/application/bin_setup_test.rb:49]: --- expected +++ actual @@ -1,4 +1,5 @@ "== Installing dependencies == +warning: Passing permitted_classes with the 2nd argument of Psych.safe_load is deprecated. Use keyword argument like Psych.safe_load(yaml, permitted_classes: ...) instead. The Gemfile's dependencies are satisfied == Preparing database == rails test test/application/bin_setup_test.rb:38 ```
* | | | | | | Add test for parallel tests with unmarshable exceptionyuuji.yaginuma2018-11-091-0/+24
|/ / / / / / | | | | | | | | | | | | | | | | | | Follow up #34131.
* | | | | | Remove unused argument `expected_database`bogdanvlviv2018-11-081-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | This argument was added in fa5a028ed9f, and #34137 but hasn't been used.
* | | | | | Compile packs for testyuuji.yaginuma2018-11-081-2/+4
|/ / / / / | | | | | | | | | | | | | | | | | | | | `Webpacker` handles testing / development packs separately by default. If do not specify `RAILS_ENV`, there is no merit to precompile.
* | | | | Add multi-db support to schema cache dump and clearGannon McGibbon2018-11-071-0/+31
| | | | | | | | | | | | | | | | | | | | | | | | | Adds support for multiple databases to `rails db:schema:cache:dump` and `rails db:schema:cache:clear`.
* | | | | Merge pull request #34387 from yhirano55/rails_info_properties_jsonRyuta Kamizono2018-11-075-2/+37
|\ \ \ \ \ | | | | | | | | | | | | Respond /rails/info/properties.json
| * | | | | Add JSON support to rails properties route (`/rails/info/properties`).Yoshiyuki Hirano2018-11-075-2/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Added json format, like this: { "Rails version": "6.0.0.alpha", "Ruby version": "2.5.1-p57 (x86_64-darwin17)", "RubyGems version": "2.7.6", "Rack version": "2.0.6", "JavaScript Runtime": "Node.js (V8)", "Middleware": ["Rack::Sendfile", "ActionDispatch::Static", "ActionDispatch::Executor", "ActiveSupport::Cache::Strategy::LocalCache::Middleware", "Rack::Runtime", "Rack::MethodOverride", "ActionDispatch::RequestId", "ActionDispatch::RemoteIp", "Sprockets::Rails::QuietAssets", "Rails::Rack::Logger", "ActionDispatch::ShowExceptions", "WebConsole::Middleware", "ActionDispatch::DebugExceptions", "ActionDispatch::Reloader", "ActionDispatch::Callbacks", "ActiveRecord::Migration::CheckPending", "ActionDispatch::Cookies", "ActionDispatch::Session::CookieStore", "ActionDispatch::Flash", "ActionDispatch::ContentSecurityPolicy::Middleware", "Rack::Head", "Rack::ConditionalGet", "Rack::ETag", "Rack::TempfileReaper"], "Application root": "/path/to/app", "Environment": "development", "Database adapter": "sqlite3", "Database schema version": 0 }
* | | | | | Merge pull request #34392 from gmcgibbon/gem_security_note_amendRafael França2018-11-061-3/+3
|\ \ \ \ \ \ | | | | | | | | | | | | | | Amend CVE note and security guide section wordings
| * | | | | | Amend CVE note and security guide section wordingsGannon McGibbon2018-11-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip]
* | | | | | | Merge pull request #34375 from y-yagi/add_connect_src_to_default_csp_initializerGuillermo Iguaran2018-11-062-0/+15
|\ \ \ \ \ \ \ | |/ / / / / / |/| | | | | | Add `connect_src` example to content security policy initializer
| * | | | | | Add `connect_src` example to content security policy initializeryuuji.yaginuma2018-11-042-0/+15
| |/ / / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If want to use `webpack-dev-server` with CSP enabled, need to specify `connect-src`. Related to: https://github.com/rails/webpacker/commit/cd7ecf4d48496341aecd81c0c2f69fe4e50a7cd4 This is a matter of `webpacker`. But since `webpacker` is now used by default, to prevent user confusion, I think that better to include an example of `connect-src.`
* / / / / / Add CVE note to security guide and gemspecsGannon McGibbon2018-11-061-0/+3
|/ / / / / | | | | | | | | | | | | | | | [ci skip]
* | | | | Keep new line after the last dependencyyuuji.yaginuma2018-11-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | If add a package with `yarn`, it will have a newline after the last dependency so let's match with that.
* | | | | Restore `encoding: utf8mb4` in database.ymlYasuo Honda2018-10-301-0/+1
| |/ / / |/| | | | | | | | | | | | | | | | | | | | | | | rails/rails#33853 and rails/rails#33929 removed `encoding: utf8mb4` from database.yml since at that time MySQL 5.1 is supported with the master branch. Since MySQL 5.1 has been dropped, we can restore `encoding: utf8mb4` in database.yml
* | | | Merge pull request #34208 from yskkin/inspect_with_parameter_filterRyuta Kamizono2018-10-261-1/+1
|\ \ \ \ | | | | | | | | | | Implement AR#inspect using ParameterFilter
| * | | | Implement AR#inspect using ParamterFilter.Yoshiyuki Kinjo2018-10-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | AR instance support `filter_parameters` since #33756. Though Regex or Proc is valid as `filter_parameters`, they are not supported as AR#inspect. I also add :mask option and #filter_params to `ActiveSupport::ParameterFilter#new` to implement this.
* | | | | Do not need to mention the method that is being called in the exceptionRafael Mendonça França2018-10-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | What is important to tell is that the database configuration could not be loaded. Fixes #34296.