| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
| |
| |
| |
| | |
If the app has the CSP disabled globally allow a controller action
to enable the policy for that request.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We use inline style and script for the view held inside Rails like
welcome page and mailer preview.
Therefore, if inline is prohibited by CSP, they will not work properly.
I think that this is not as expected.
For that reason, I have made it possible to use inline style and script
regardless of application settings.
|
| | |
|
|\ \
| | |
| | |
| | |
| | | |
bogdanvlviv/remove-extra-passing-arg-to-run_routes_command
Remove extra arg passed to `Rails::Command::RoutesTest#run_routes_command`
|
| |/
| |
| |
| | |
Related to 6bd33d66dde015a55912af20b469788ba20ddb4e
|
|\ \
| |/
|/| |
Deprecate safe_level of `ERB.new` in Ruby 2.6
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
### Summary
In a Rails application using Ruby 2.6.0-dev, when running `bin/rails g migration`
with `RUBYOPT=-w`, an ERB deprecation warnings will be displayed.
```console
% ruby -v
ruby 2.6.0dev (2018-03-03 trunk 62644) [x86_64-darwin17]
% bin/rails -v
Rails 6.0.0.alpha
% RUBYOPT=-w bin/rails g migration create_foos
(snip)
/Users/koic/src/github.com/rails/rails/railties/lib/rails/generators/migration.rb:66:
warning: Passing safe_level with the 2nd argument of ERB.new is
deprecated. Do not use it, and specify other arguments as keyword
arguments.
/Users/koic/src/github.com/rails/rails/railties/lib/rails/generators/migration.rb:66:
warning: Passing trim_mode with the 3rd argument of ERB.new is
deprecated. Use keyword argument like ERB.new(str, trim_mode: ...)
instead.
/Users/koic/src/github.com/rails/rails/railties/lib/rails/generators/migration.rb:66:
warning: Passing eoutvar with the 4th argument of ERB.new is
deprecated. Use keyword argument like ERB.new(str, eoutvar: ...)
instead.
create db/migrate/20180304002144_create_foos.rb
```
This PR suppresses the above deprecation warnings in Ruby 2.6.0-dev.
This warning is due to the interface of `ERB.new` will change from Ruby 2.6.
> Add :trim_mode and :eoutvar keyword arguments to ERB.new.
> Now non-keyword arguments other than first one are softly deprecated
> and will be removed when Ruby 2.5 becomes EOL. [Feature #14256]
https://github.com/ruby/ruby/blob/2311087b685e8dc0f21f4a89875f25c22f5c39a9/NEWS#stdlib-updates-outstanding-ones-only
The following addresses are related Ruby's commit.
https://github.com/ruby/ruby/commit/cc777d0
Also this PR will change `ERB.new` used in `tasks/release.rb`.
### Other Information
This PR uses `ERB.version` to switch `ERB.new` interface. Because Rails 6
supports multiple Ruby versions (Ruby 2.4.1 or higher), it need to
use the appropriate interface.
Using `ERB.version` instead of `RUBY_VERSON` is based on the following patch.
https://github.com/ruby/ruby/pull/1826
This patch is built into Ruby.
https://github.com/ruby/ruby/commit/40db89c0934c23d7464d47946bb682b9035411f9
|
| |
| |
| |
| | |
The `host` and `port` can't use this context.
|
|\ \
| | |
| | | |
Introduce explicit rails server handler option
|
| | | |
|
| |/
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
I mistype `rails server production` instead of `rails server -e
production` expecting to lunch a server in the production environment
all the time. However, the signature of `rails server --help` is:
```
Usage:
rails server [puma, thin etc] [options]
```
This means that the `production` argument is being interpreted as a Rack
server handler like Puma, Thin or Unicorn.
Should we argue for the `rails server production`? I'm not sure of the
reasons, but the `rails console production` behavior was deprecated in:
https://github.com/rails/rails/pull/29358, so parity with the existing
`rails console production` usage may not hold anymore.
In any case, this PR introduces an explicit option for the Rack servers
configuration. The option is called `--using` (or `-u` for short) to
avoid the `rails server --server` tantrum.
The new interface of `rails server` is:
```
Usage:
rails server [using] [options]
Options:
-p, [--port=port] # Runs Rails on the specified port - defaults to 3000.
-b, [--binding=IP] # Binds Rails to the specified IP - defaults to 'localhost' in development and '0.0.0.0' in other environments'.
-c, [--config=file] # Uses a custom rackup configuration.
# Default: config.ru
-d, [--daemon], [--no-daemon] # Runs server as a Daemon.
-e, [--environment=name] # Specifies the environment to run this server under (development/test/production).
-u, [--using=name] # Specifies the Rack server used to run the application (thin/puma/webrick).
-P, [--pid=PID] # Specifies the PID file.
# Default: tmp/pids/server.pid
-C, [--dev-caching], [--no-dev-caching] # Specifies whether to perform caching in development.
[--early-hints], [--no-early-hints] # Enables HTTP/2 early hints.
```
As a bonus, if you mistype the server to use, you'll get an
auto-correction message:
```
$ rails s tin
Could not find handler "tin". Maybe you meant "thin" or "cgi"?
Run `rails server --help` for more options.
```
|
|/ |
|
|
|
|
|
|
| |
* Remove unused require
* Remove redundant `test`
* Change `rake` to `rails`
|
|\
| |
| | |
Add "rails routes --expanded" mode
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When using rails routes with small terminal or complicated routes it can be
very difficult to understand where is the element listed in header. psql
had the same issue, that's why they created "expanded mode" you can
switch using `\x` or by starting psql with
```
-x
--expanded
Turn on the expanded table formatting mode. This is equivalent to the \x command.
```
The output is similar to one implemented here for rails routes:
db_user-# \du
List of roles
-[ RECORD 1 ]----------------------------------------------
Role name | super
Attributes | Superuser, Create role, Create DB
Member of | {}
-[ RECORD 2 ]----------------------------------------------
Role name | role
Attributes | Superuser, Create role, Create DB, Replication
Member of | {}
|
|/
|
|
|
|
|
|
|
| |
`default_enforce_utf8` belongs to `config.action_view`
Update info about `:skip_enforcing_utf8` since we can change default
behavior via `config.action_controller.default_enforce_utf8`
Related to #32125
|
|\
| |
| | |
Move rake routes task to rails command
|
| |
| |
| |
| |
| |
| | |
After a discussion with matthewd. It was mentioned that rake tasks need
to be moved to rails command.
See: https://github.com/rails/rails/issues/32117
|
|/
|
|
|
|
| |
With the disabling of TLS 1.0 by most major websites, continuing to run
IE8 or lower becomes increasingly difficult so default to not enforcing
UTF-8 encoding as it's not relevant to other browsers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove railties' changelog added by 7340596de45dc4c0f62a287b6acc4e71d8ee6c60
since it was backported to `5-2-stable` via ac99916fcf7bf27bb1519d4f7387c6b4c5f0463d
Remove activesupport's changelog added by 1077ae96b34b5a1dfbf10ee0c40b1ceb1eb6b30b
since it was backported to `5-2-stable` via a2b97e4ffef971607a1be8fc7909f099b6840f36
Remove activesupport's changelog added by 0d41a76d0c693000005d79456dee7f9299f5e8d4
since it was backported to `5-2-stable` via cdce6a709e1cbc98fff009effc3b1b3ce4c7e8db
Remove activestorage's changelog added by d57c52a385eb57c6ce8c6d124ab5e186f931d142
since it was backported to `5-2-stable` via 5292cdf59a2052c453d6016c69b90b790cbf2547
Follow up c113bdc9d0c2cffd535ca97aff85c4bdc46b11f6
|
|
|
|
|
|
|
|
|
| |
`to_prepare` callbacks are run during initialization; using one here
meant that `ActiveStorage::Blob` would be loaded when the app boots,
which would in turn load `ActiveRecord::Base`.
By using a lazy load hook to configure `ActiveStorage::Blob` instead,
we can avoid loading `ActiveRecord::Base` unnecessarily.
|
| |
|
|
|
|
|
|
|
| |
`content_security_policy_nonce_generator` specifies request as an argument when calling.
https://github.com/rails/rails/blob/ddb7da8535b07f51b7a8f5e3062cc8ffbd4ff23b/actionpack/lib/action_dispatch/http/content_security_policy.rb#L100
So without this fix, will raise `ArgumentError` when start server.
|
|
|
|
|
|
| |
Add `//= require rails-ujs`
Closes #32094
|
|\
| |
| | |
Fix plugin generated files
|
| |
| |
| |
| |
| | |
- Do not generate `javascript_include_tag` if `--skip-javascript`
- Generate `<%= csp_meta_tag %>`. Related to #32018.
|
| |
| |
| |
| | |
`--skip-active-storage`
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 16f279ebd474626577ced858e3626ac4535a33df, reversing
changes made to 6c6a30a7c357ce1eafa093d77d2b08684fe50887.
The config can be named anything, not just default (although all
generated apps will be named default). We can't just delete configs that
don't have a database because that will break three-tier configs. Oh
well.
|
|/
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 0979713abe2e22083e1beca01a1d113408c9ab36.
I originally wanted to delete the default config but found out it can
be called anything which means the code would blow up in unexpected
ways.
I thought "cool ill just delete the configs without dbs" and realized
that totally 100% breaks the three-tier config. So I'm reverting this
and the other commit.
|
|\
| |
| | |
Add support for automatic nonce generation for Rails UJS
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
|
| |
| |
| |
| |
| |
| |
| |
| | |
In #32075 I deleted the default configuration since that's what's
generated with the Rails app. Since someone could change the default
name instead delete any config that doesn't have a database so we can
avoid peppering our Rails tasks with conditionals to deal with invalid
database configs.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Since #30241, if namepsace is specified, routes will be generated even
if there is no actions.
However, it seems that this behavior is not intentionally added behavior.
As with 5.1, routes should not be generated if actions are not specified.
Fixes #32072.
|
|\ \
| | |
| | | |
Delete default configuration
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Because of this default configuration we're constantly checking if the
database exists when looping through configurations. This is unnecessary
and we should just delete it before we need to loop through
configurations.
|
| |/
|/|
| |
| |
| |
| |
| |
| |
| |
| | |
`--skip-active-storage`
Remove redundant assertions of an absence of `mini_magick` in `Gemfile`
since `bin/rails app:update` does not update Gemfile.
This assertions was added by 4a835aa3236eedb135ccf8b59ed3c03e040b8b01,
after reviewing of https://github.com/rails/rails/pull/32049 i realized
that assertions are redundant.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Although the spec[1] is defined in such a way that a trailing semi-colon
is valid it also doesn't allow a semi-colon by itself to indicate an
empty policy. Therefore it's easier (and valid) just to omit it rather
than to detect whether the policy is empty or not.
[1]: https://www.w3.org/TR/CSP2/#policy-syntax
|
| |
| |
| |
| |
| |
| | |
Setting up the request environment was accidentally creating a CSP
as a consequence of accessing the option - only set the instance
variable if a block is passed.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit 86f7c269073a3a9e6ddec9b957deaa2716f2627d, reversing
changes made to 5ece2e4a4459065b5efd976aebd209bbf0cab89b.
If a policy is set then we should generate it even if it's empty.
However what is happening is that we're accidentally generating an
empty policy when the initializer is commented out by default.
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| | |
are used together
The purpose of keeping app/views folder in API apps is that it's used for
mailer views so doesn't makes sense to keep it when Action Mailer is skipped.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Don't use :: for class methods, we don't do that elsewhere.
* Don't install a needless method on minitest. Prefer assigning the
reporter anyway as that's what minitest does internally.
* Don't bother opting out when the reporter ain't a Minitest::CompositeReporter.
It's hardcoded: https://github.com/seattlerb/minitest/blob/005a3ba42c07d04797e2d00ac2c53e3be127c12f/lib/minitest.rb#L125
And overrides have to create delegate reporters:
https://github.com/kern/minitest-reporters/blob/1018b1b42f34b01d4de179c8aad2fa06771fe9b0/lib/minitest/minitest_reporter_plugin.rb#L72
|
| |
| |
| |
| |
| |
| |
| |
| | |
`Rails.application.config.content_security_policy` is configured with no
policies by default. In this case, Content-Security-Policy header should
not be generated instead of generating the header with no directives.
Firefox also warns "Content Security Policy: Couldn't process unknown
directive ''".
|
| |
| |
| |
| |
| |
| | |
Skipping over 2.4.0 to sidestep the `"symbol_from_string".to_sym.dup` bug.
References #32028
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Global ignores at toplevel .gitignore
* Component-specific ignores in each toplevel directory
* Remove `actionview/test/tmp/.keep` for JRuby
```
rm actionview/test/tmp/ -fr
cd actionview/
bundle exec jruby -Itest test/template/digestor_test.rb
```
Related to #11743, #30392.
Closes #29978.
|
| |
| |
| |
| | |
Rack::TemfileReaper in default middleware stack for API only apps
|
| | |
|