TEST_CODEOWNERS/rails
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
3e2552db89
rails/actionpack/lib/action_dispatch.rb

120 lines
3.5 KiB
Ruby
Raw Normal View History

Use frozen string literal in actionpack/
2017-07-24 20:20:53 +00:00
# frozen_string_literal: true
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
#--
Bump license years from 2019 to 2020 [ci skip]
2019-12-31 15:31:11 +00:00
# Copyright (c) 2004-2020 David Heinemeier Hansson
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#++
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
require "active_support"
require "active_support/rails"
require "active_support/core_ext/module/attribute_accessors"
Fully expand relative rails framework paths and make sure we aren't adding any to the load path more than once.
2009-12-16 17:56:51 +00:00
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
require "action_pack"
require "rack"
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
Switch over to rack-test gem
2009-08-31 19:27:10 +00:00
module Rack
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload :Test, "rack/test"
Switch over to rack-test gem
2009-08-31 19:27:10 +00:00
end
Temporarily bundle rack-test while MockSession is baking
2009-05-20 03:42:59 +00:00
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
module ActionDispatch
Reorganize autoloads: * A new module (ActiveSupport::Autoload) is provide that extends autoloading with new behavior. * All autoloads in modules that have extended ActiveSupport::Autoload will be eagerly required in threadsafe environments * Autoloads can optionally leave off the path if the path is the same as full_constant_name.underscore * It is possible to specify that a group of autoloads live under an additional path. For instance, all of ActionDispatch's middlewares are ActionDispatch::MiddlewareName, but they live under "action_dispatch/middlewares/middleware_name" * It is possible to specify that a group of autoloads are all found at the same path. For instance, a number of exceptions might all be declared there. * One consequence of this is that testing-related constants are not autoloaded. To get the testing helpers for a given component, require "component_name/test_case". For instance, "action_controller/test_case". * test_help.rb, which is automatically required by a Rails application's test helper, requires the test_case.rb for all active components, so this change will not be disruptive in existing or new applications.
2009-12-03 04:01:01 +00:00
extend ActiveSupport::Autoload
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
raise exceptions on header set after response committed
2012-07-30 00:55:39 +00:00
class IllegalStateError < StandardError
end
Distinguish missing controller exceptions from unrelated NameError Fix: https://github.com/rails/rails/issues/37650 The classic autoloader used to totally unregister any constant that failed midway. Which mean `"SomeConst".constantize` was idempotent. However Zeitwerk rely on normal `Kernel#require` behavior, which mean that if an exception is raised during a class/module definition, it will be left incompletely defined. For instance: ```ruby class FooController ::DoesNotExist def index end end ``` Will leave `FooController` defined, but without its `index` method. Because of this, when silencing a NameError, it's important to make sure the missing constant is really the one we were trying to load.
2019-11-29 12:30:18 +00:00
class MissingController < NameError
end
Get rid of config.preload_frameworks in favor of config.eager_load_namespaces The new option allows any Ruby namespace to be registered and set up for eager load. We are effectively exposing the structure existing in Rails since v3.0 for all developers in order to make their applications thread-safe and CoW friendly.
2012-08-01 18:54:22 +00:00
eager_autoload do
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload_under "http" do
Add DSL for configuring Content-Security-Policy header https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2017-11-15 21:07:28 +00:00
autoload :ContentSecurityPolicy
Adds support for configuring HTTP Feature Policy (#33439) A HTTP feature policy is Yet Another HTTP header for instructing the browser about which features the application intends to make use of and to lock down access to others. This is a new security mechanism that ensures that should an application become compromised or a third party attempts an unexpected action, the browser will override it and maintain the intended UX. WICG specification: https://wicg.github.io/feature-policy/ The end result is a HTTP header that looks like the following: ``` Feature-Policy: geolocation 'none'; autoplay https://example.com ``` This will prevent the browser from using geolocation and only allow autoplay on `https://example.com`. Full feature list can be found over in the WICG repository[1]. As of today Chrome and Safari have public support[2] for this functionality with Firefox working on support[3] and Edge still pending acceptance of the suggestion[4]. #### Examples Using an initializer ```rb # config/initializers/feature_policy.rb Rails.application.config.feature_policy do |f| f.geolocation :none f.camera :none f.payment "https://secure.example.com" f.fullscreen :self end ``` In a controller ```rb class SampleController < ApplicationController def index feature_policy do |f| f.geolocation "https://example.com" end end end ``` Some of you might realise that the HTTP feature policy looks pretty close to that of a Content Security Policy; and you're right. So much so that I used the Content Security Policy DSL from #31162 as the starting point for this change. This change *doesn't* introduce support for defining a feature policy on an iframe and this has been intentionally done to split the HTTP header and the HTML element (`iframe`) support. If this is successful, I'll look to add that on it's own. Full documentation on HTTP feature policies can be found at https://wicg.github.io/feature-policy/. Google have also published[5] a great in-depth write up of this functionality. [1]: https://github.com/WICG/feature-policy/blob/master/features.md [2]: https://www.chromestatus.com/feature/5694225681219584 [3]: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801 [4]: https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/33507907-support-feature-policy [5]: https://developers.google.com/web/updates/2018/06/feature-policy
2019-07-10 22:33:16 +00:00
autoload :FeaturePolicy
Get rid of config.preload_frameworks in favor of config.eager_load_namespaces The new option allows any Ruby namespace to be registered and set up for eager load. We are effectively exposing the structure existing in Rails since v3.0 for all developers in order to make their applications thread-safe and CoW friendly.
2012-08-01 18:54:22 +00:00
autoload :Request
autoload :Response
end
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
end
All AD modules are "deferrable"
2009-12-22 23:11:21 +00:00
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload_under "middleware" do
Introduce a guard against DNS rebinding attacks The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
2018-06-14 08:09:00 +00:00
autoload :HostAuthorization
Added X-Request-Id tracking and TaggedLogging to easily log that and other production concerns
2011-10-19 17:59:33 +00:00
autoload :RequestId
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :Callbacks
Cookies middleware
2010-01-16 23:21:46 +00:00
autoload :Cookies
Introduce Actionable Errors Actionable errors let's you dispatch actions from Rails' error pages. This can help you save time if you have a clear action for the resolution of common development errors. The de-facto example are pending migrations. Every time pending migrations are found, a middleware raises an error. With actionable errors, you can run the migrations right from the error page. Other examples include Rails plugins that need to run a rake task to setup themselves. They can now raise actionable errors to run the setup straight from the error pages. Here is how to define an actionable error: ```ruby class PendingMigrationError < MigrationError #:nodoc: include ActiveSupport::ActionableError action "Run pending migrations" do ActiveRecord::Tasks::DatabaseTasks.migrate end end ``` To make an error actionable, include the `ActiveSupport::ActionableError` module and invoke the `action` class macro to define the action. An action needs a name and a procedure to execute. The name is shown as the name of a button on the error pages. Once clicked, it will invoke the given procedure.
2018-12-25 14:35:15 +00:00
autoload :ActionableExceptions
Split ShowExceptions responsibilities in two middlewares.
2011-12-01 19:46:18 +00:00
autoload :DebugExceptions
Provide a middleware to debug misbehaving locks Only intended to be enabled when in use; by necessity, it sits above any reasonable access control.
2016-06-10 09:55:40 +00:00
autoload :DebugLocks
Introduce a guard against DNS rebinding attacks The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
2018-06-14 08:09:00 +00:00
autoload :DebugView
Add an ExceptionWrapper that wraps an exception and provide convenience helpers.
2011-12-01 19:02:00 +00:00
autoload :ExceptionWrapper
Publish AS::Executor and AS::Reloader APIs These should allow external code to run blocks of user code to do "work", at a similar unit size to a web request, without needing to get intimate with ActionDipatch.
2016-02-22 01:25:52 +00:00
autoload :Executor
Move Flash into middleware
2010-01-15 20:44:27 +00:00
autoload :Flash
Extract the rendering of public exceptions pages into a Rack app.
2011-12-16 08:29:37 +00:00
autoload :PublicExceptions
Introduce ActionDispatch::Reloader Based on the implementation on the 2-3-stable branch, patches by Hongli Lai <hongli@phusion.nl>, and helpful suggestions from José Valim. Hongli Lai's patches included locking around the request cycle; this is now handled by Rack::Lock (https://github.com/rack/rack/issues/issue/87/). [#2873] Signed-off-by: José Valim <jose.valim@gmail.com>
2010-11-24 02:04:05 +00:00
autoload :Reloader
Move remote_ip to a middleware: * ActionController::Base.ip_spoofing_check deprecated => config.action_dispatch.ip_spoofing_check * ActionController::Base.trusted_proxies deprecated => config.action_dispatch.trusted_proxies
2010-03-04 00:22:30 +00:00
autoload :RemoteIp
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :ShowExceptions
Rack::SSL -> ActionDispatch::SSL
2012-03-17 02:22:25 +00:00
autoload :SSL
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :Static
end
Move Routing into AD
2009-10-20 15:14:46 +00:00
Integrate Journey into Action Dispatch Move the Journey code underneath the ActionDispatch namespace so that we don't pollute the global namespace with names that may be used for models. Fixes rails/journey#49.
2012-12-19 20:54:47 +00:00
autoload :Journey
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload :MiddlewareStack, "action_dispatch/middleware/stack"
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :Routing
Move generic assertions into ActionDispatch
2009-04-30 16:55:53 +00:00
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
module Http
Split ActionDispatch http in smaller chunks.
2010-01-16 12:17:03 +00:00
extend ActiveSupport::Autoload
autoload :Cache
autoload :Headers
autoload :MimeNegotiation
autoload :Parameters
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload :UploadedFile, "action_dispatch/http/upload"
Split ActionDispatch http in smaller chunks.
2010-01-16 12:17:03 +00:00
autoload :URL
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
end
Move integration test runner into ActionDispatch
2009-09-24 03:37:52 +00:00
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
module Session
Fix possible information leak / session hijacking vulnerability. The `ActionDispatch::Session::MemcacheStore` is still vulnerable given it requires the gem dalli to be updated as well. CVE-2019-16782
2019-12-17 21:44:59 +00:00
autoload :AbstractStore, "action_dispatch/middleware/session/abstract_store"
autoload :AbstractSecureStore, "action_dispatch/middleware/session/abstract_store"
autoload :CookieStore, "action_dispatch/middleware/session/cookie_store"
autoload :MemCacheStore, "action_dispatch/middleware/session/mem_cache_store"
autoload :CacheStore, "action_dispatch/middleware/session/cache_store"
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
end
Reorganize autoloads: * A new module (ActiveSupport::Autoload) is provide that extends autoloading with new behavior. * All autoloads in modules that have extended ActiveSupport::Autoload will be eagerly required in threadsafe environments * Autoloads can optionally leave off the path if the path is the same as full_constant_name.underscore * It is possible to specify that a group of autoloads live under an additional path. For instance, all of ActionDispatch's middlewares are ActionDispatch::MiddlewareName, but they live under "action_dispatch/middlewares/middleware_name" * It is possible to specify that a group of autoloads are all found at the same path. For instance, a number of exceptions might all be declared there. * One consequence of this is that testing-related constants are not autoloaded. To get the testing helpers for a given component, require "component_name/test_case". For instance, "action_controller/test_case". * test_help.rb, which is automatically required by a Rails application's test helper, requires the test_case.rb for all active components, so this change will not be disruptive in existing or new applications.
2009-12-03 04:01:01 +00:00
remove Rails application fallback from AD::IntegrationTest set AD::IntegrationTest.app in railtie initializer
2011-12-23 16:56:49 +00:00
mattr_accessor :test_app
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload_under "testing" do
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :Assertions
autoload :Integration
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload :IntegrationTest, "action_dispatch/testing/integration"
Flip deferrable autoload convention
2009-12-22 23:27:37 +00:00
autoload :TestProcess
autoload :TestRequest
autoload :TestResponse
Add both HTTP Response Code and Type to assertion messages Also, refactor logic to convert between symbol and response code, via the AssertionResponse class
2016-01-05 21:08:17 +00:00
autoload :AssertionResponse
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
end
Move and rename system tests * Move system tests back into Action Pack * Rename `ActionSystemTest` to `ActionDispatch::SystemTestCase` * Remove private base module and only make file for public `SystemTestCase` class, name private module `SystemTesting` * Rename `ActionSystemTestCase` to `ApplicationSystemTestCase` * Update corresponding documentation and guides * Delete old `ActionSystemTest` files
2017-02-19 16:50:42 +00:00
autoload :SystemTestCase, "action_dispatch/system_test_case"
Move HTTP libs and middleware into ActionDispatch component
2009-01-28 00:54:01 +00:00
end
applies new string literal convention in actionpack/lib The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
2016-08-06 16:51:43 +00:00
autoload :Mime, "action_dispatch/http/mime_type"
Add ActionView::Base.default_formats default_formats array is used by LookupContext in order to allow rendering templates when :formats option is not passed. Previously it was always set to Mime::SET, which created dependency on Action Pack. In order to remove this dependency, Mime::SET is used only if ActionController is loaded.
2012-06-15 18:36:09 +00:00
ActiveSupport.on_load(:action_view) do
ActionView::Base.default_formats ||= Mime::SET.symbols
Implement ActionView::Template::Types AV::Template::Types is a small abstraction to allow to specify template types that can be used in ActionView. When Action Pack is loaded it's replaced with Mime::Type.
2012-07-05 20:02:11 +00:00
ActionView::Template::Types.delegate_to Mime
Clear cache after setting Template::Types delegate details_cache_key already references Template::Types.symbols and view resolvers cache based on default_formats and other values. This previously wasn't an issue because no views had been looked up before this was set. Now that we are building a regex from the values of Template::Types.symbols we need to clear cache after changing this setting.
2020-05-21 01:38:00 +00:00
ActionView::LookupContext::DetailsKey.clear
Add ActionView::Base.default_formats default_formats array is used by LookupContext in order to allow rendering templates when :formats option is not passed. Previously it was always set to Mime::SET, which created dependency on Action Pack. In order to remove this dependency, Mime::SET is used only if ActionController is loaded.
2012-06-15 18:36:09 +00:00
end
Reference in New Issue Copy Permalink