From c7820d8124c854760a4d288334f185de2fb99446 Mon Sep 17 00:00:00 2001
From: John Hawthorn <john@hawthorn.email>
Date: Mon, 18 Mar 2019 17:17:11 -0700
Subject: Introduce Template::File as new render file:

The previous behaviour of render file: was essentially the same as
render template:, except that templates can be specified as an absolute
path on the filesystem.

This makes sense for historic reasons, but now render file: is almost
exclusively used to render raw files (not .erb) like public/404.html. In
addition to complicating the code in template/resolver.rb, I think the
current behaviour is surprising to developers.

This commit deprecates the existing "lookup a template from anywhere"
behaviour and replaces it with "render this file exactly as it is on
disk". Handlers will no longer be used (it will render the same as if
the :raw handler was used), but formats (.html, .xml, etc) will still be
detected (and will default to :plain).

The existing render file: behaviour was the path through which Rails
apps were vulnerable in the recent CVE-2019-5418. Although the
vulnerability has been patched in a fully backwards-compatible way, I
think it's a strong hint that we should drop the existing
previously-vulnerable behaviour if it isn't a benefit to developers.
---
 .../test/controller/new_base/render_file_test.rb   | 24 ++++++++++++++++------
 actionpack/test/controller/render_test.rb          |  4 ++--
 actionpack/test/controller/renderer_test.rb        |  2 +-
 3 files changed, 21 insertions(+), 9 deletions(-)

(limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/new_base/render_file_test.rb b/actionpack/test/controller/new_base/render_file_test.rb
index de8af029e0..82325c5bb2 100644
--- a/actionpack/test/controller/new_base/render_file_test.rb
+++ b/actionpack/test/controller/new_base/render_file_test.rb
@@ -40,32 +40,44 @@ module RenderFile
     testing RenderFile::BasicController
 
     test "rendering simple template" do
-      get :index
+      assert_deprecated do
+        get :index
+      end
       assert_response "Hello world!"
     end
 
     test "rendering template with ivar" do
-      get :with_instance_variables
+      assert_deprecated do
+        get :with_instance_variables
+      end
       assert_response "The secret is in the sauce\n"
     end
 
     test "rendering a relative path" do
-      get :relative_path
+      assert_deprecated do
+        get :relative_path
+      end
       assert_response "The secret is in the sauce\n"
     end
 
     test "rendering a relative path with dot" do
-      get :relative_path_with_dot
+      assert_deprecated do
+        get :relative_path_with_dot
+      end
       assert_response "The secret is in the sauce\n"
     end
 
     test "rendering a Pathname" do
-      get :pathname
+      assert_deprecated do
+        get :pathname
+      end
       assert_response "The secret is in the sauce\n"
     end
 
     test "rendering file with locals" do
-      get :with_locals
+      assert_deprecated do
+        get :with_locals
+      end
       assert_response "The secret is in the sauce\n"
     end
   end
diff --git a/actionpack/test/controller/render_test.rb b/actionpack/test/controller/render_test.rb
index 4750093c5c..6d198ca42f 100644
--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -325,7 +325,7 @@ class ExpiresInRenderTest < ActionController::TestCase
   def test_dynamic_render_with_file
     # This is extremely bad, but should be possible to do.
     assert File.exist?(File.expand_path("../../test/abstract_unit.rb", __dir__))
-    response = get :dynamic_render_with_file, params: { id: '../\\../test/abstract_unit.rb' }
+    response = assert_deprecated { get :dynamic_render_with_file, params: { id: '../\\../test/abstract_unit.rb' } }
     assert_equal File.read(File.expand_path("../../test/abstract_unit.rb", __dir__)),
       response.body
   end
@@ -351,7 +351,7 @@ class ExpiresInRenderTest < ActionController::TestCase
 
   def test_permitted_dynamic_render_file_hash
     assert File.exist?(File.expand_path("../../test/abstract_unit.rb", __dir__))
-    response = get :dynamic_render_permit, params: { id: { file: '../\\../test/abstract_unit.rb' } }
+    response = assert_deprecated { get :dynamic_render_permit, params: { id: { file: '../\\../test/abstract_unit.rb' } } }
     assert_equal File.read(File.expand_path("../../test/abstract_unit.rb", __dir__)),
       response.body
   end
diff --git a/actionpack/test/controller/renderer_test.rb b/actionpack/test/controller/renderer_test.rb
index ae8330e029..3d5161f207 100644
--- a/actionpack/test/controller/renderer_test.rb
+++ b/actionpack/test/controller/renderer_test.rb
@@ -40,7 +40,7 @@ class RendererTest < ActiveSupport::TestCase
 
   test "rendering with an instance renderer" do
     renderer = ApplicationController.renderer.new
-    content  = renderer.render file: "test/hello_world"
+    content  = assert_deprecated { renderer.render file: "test/hello_world" }
 
     assert_equal "Hello world!", content
   end
-- 
cgit v1.2.3