Currently, we are using dynamic inclusions to
guarantee that the list of MODULES is always up to
date with what gets included into Base. However,
that prevents static analysis tools from
understanding the ancestors of controllers, which
prevents completion and other editor features from
working correctly. We can instead use a unit test
to verify that both lists are synchronized, which
retains the original behavior while allowing for
more accurate static analysis.
References https://github.com/rails/rails/pull/52012#issuecomment-2183415161
Revert "Merge pull request #52033 from Shopify/amend_lazy_routes_changelog"
This reverts commit 743128b2307b6e1bd59acb9dc8358592d264c573, reversing
changes made to 6622075802bdcca22ab3e32ef6e3f6d2b9a881f8.
Revert "Merge pull request #52012 from Shopify/defer_route_drawing"
This reverts commit 6622075802bdcca22ab3e32ef6e3f6d2b9a881f8, reversing
changes made to 5dabff4b7bf4cc5e2e552efb78c6a3f3e44bed37.
In Rack 3.1, using invalid cookie keys was deprecated and in Rack 3.2,
using an invalid cookie key will raise an exception.
Escaping cookie keys is non-standard behaviour and is not understood by
clients, e.g. `document.cookies` will contain escaped keys. It also
doesn't round-trip correctly, as in, setting a header with a given name
won't have the same name in subsequent requests. In addition, the
escaping / unescaping behaviour in previous versions of Rack
[caused a security issue](https://github.com/advisories/GHSA-j6w9-fv6q-3q52).
[CVE-2024-28103]
The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.
This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)
Executes the first routes reload in middleware, or when the route set
url_helpers is called. Previously, this was executed unconditionally on
boot, which can slow down boot time unnecessarily for larger apps with
lots of routes.
The `'wasm-unsafe-eval'` keyword for the Content Security Policy allows the
loading and execution of WebAssembly modules without the need to allow unsafe
JavaScript execution via `'unsafe-eval'`. A mapping is added so that the symbol
`:wasm_unsafe_eval` can be used for this keyword in the policy configuration in
`config/initializers/content_security_policy.rb`.
This reverts commit e97db3b3957781c781a61fb01265feb2b57688bb, reversing
changes made to a27a1751cfd499f69499e943f12e3400b55a323e.
This is breaking application routes when running without eager load enabled.
* Lookup route from requirements
* Add docs
* Strings instead of symbols
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
---------
Co-authored-by: Andy Waite <andyw8@users.noreply.github.com>
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
This will prevent issues like be0cb4e8f9, which would have resulted in:
```
guides/rails_guides/generator.rb:16:1: W: Lint/Debugger: Remove debugger entry point require "debug".
require "debug"
^^^^^^^^^^^^^^^
```
Disabled the cop in actionpack tests for screenshot_helper and page_dump_helper:
```
actionpack/test/controller/integration_test.rb:1369:9: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
save_and_open_page
^^^^^^^^^^^^^^^^^^
actionpack/test/controller/integration_test.rb:1381:11: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
save_and_open_page
^^^^^^^^^^^^^^^^^^
actionpack/test/controller/integration_test.rb:1391:39: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
assert_raise(InvalidResponse) { save_and_open_page }
^^^^^^^^^^^^^^^^^^
```
```
actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb:111:13: W: Lint/Debugger: Remove debugger entry point page.save_page(absolute_html_path).
page.save_page(absolute_html_path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb:115:13: W: Lint/Debugger: Remove debugger entry point page.save_screenshot(absolute_image_path).
page.save_screenshot(absolute_image_path)
```
The DebuggerRequires option was first available in rubocop v1.63.0, in rubocop/rubocop#12766.
Executes the first routes reload in middleware, or when the route set
url_helpers is called. Previously, this was executed unconditionally on
boot, which can slow down boot time unnecessarily for larger apps with
lots of routes.
```
2024-04-26 09:36:45 INFO Selenium [:logger_info] Details on how to use and modify Selenium logger:
https://selenium.dev/documentation/webdriver/troubleshooting/logging
2024-04-26 09:36:45 WARN Selenium [DEPRECATION] DriverFinder.path(options, service_class) is deprecated. Use DriverFinder.new(options, service).driver_path instead.
```
Fixes MIME parsing raising errors on valid parameters #51594.
Mime type lookups were updated to handle custom registered types as part of #48397.
This fix strips out custom media range parameters before falling back to the default type creation.
Ref: https://bugs.ruby-lang.org/issues/15554
A couple are harmless, but another couple found actual problems
in the test suite where we passed blocks to `assert_*` methods that
didn't expect one.
`save_and_open_page` is a capybara helper that lets developers
inspect the status of the page at any given point in their
test. This is helpful when trying to keep a short feedback loop while
working on a test.
This change adds a similar helper with matching signature to
integration tests.
The `:to` option for routes can once again be a String without a
controller if the controller is implicitly provided by a nesting
`controller` or `resources` call.
This commit addresses the following Rails Nightly CI error since https://github.com/ruby/ruby/pull/10262 .
https://buildkite.com/rails/rails-nightly/builds/310#018e5929-ff70-4397-b978-9a0a03cd4706/1255-1265
- Without this commit:
```ruby
$ ruby -v
ruby 3.4.0dev (2024-03-19T08:26:49Z master 12be40ae6b) [x86_64-linux]
$ cd actionpack
$ RAILS_STRICT_WARNINGS=true bin/test test/controller/renderer_test.rb:37
Running 25 tests in a single process (parallelization threshold is 50)
Run options: --seed 14013
/home/yahonda/src/github.com/rails/rails/actionpack/test/fixtures/ruby_template.ruby:2: warning: literal string will be frozen in the future
E
Error:
RendererTest#test_rendering_with_a_class_renderer:
RuntimeError: Neutered Exception ActionView::Template::Error: /home/yahonda/src/github.com/rails/rails/actionpack/test/fixtures/ruby_template.ruby:2: warning: literal string will be frozen in the future
/home/yahonda/src/github.com/rails/rails/activesupport/lib/active_support/testing/strict_warnings.rb:33:in 'ActiveSupport::RaiseWarnings#warn'
test/fixtures/ruby_template.ruby:2:in '_home_yahonda_src_github_com_rails_rails_actionpack_test_fixtures_ruby_template_ruby__3648742137162546161_6360'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/base.rb:282:in 'Kernel#public_send'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/base.rb:282:in 'ActionView::Base#_run'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/template.rb:275:in 'block in ActionView::Template#render'
/home/yahonda/src/github.com/rails/rails/activesupport/lib/active_support/notifications.rb:212:in 'ActiveSupport::Notifications.instrument'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/template.rb:567:in 'ActionView::Template#instrument_render_template'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/template.rb:263:in 'ActionView::Template#render'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/template_renderer.rb:66:in 'block (2 levels) in ActionView::TemplateRenderer#render_template'
/home/yahonda/src/github.com/rails/rails/activesupport/lib/active_support/notifications.rb:212:in 'ActiveSupport::Notifications.instrument'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/template_renderer.rb:60:in 'block in ActionView::TemplateRenderer#render_template'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/template_renderer.rb:80:in 'ActionView::TemplateRenderer#render_with_layout'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/template_renderer.rb:59:in 'ActionView::TemplateRenderer#render_template'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/template_renderer.rb:11:in 'ActionView::TemplateRenderer#render'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/renderer.rb:58:in 'ActionView::Renderer#render_template_to_object'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/renderer/renderer.rb:31:in 'ActionView::Renderer#render_to_object'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/rendering.rb:135:in 'block in ActionView::Rendering#_render_template'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/base.rb:309:in 'ActionView::Base#in_rendering_context'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/rendering.rb:134:in 'ActionView::Rendering#_render_template'
lib/action_controller/metal/streaming.rb:258:in 'ActionController::Streaming#_render_template'
/home/yahonda/src/github.com/rails/rails/actionview/lib/action_view/rendering.rb:121:in 'ActionView::Rendering#render_to_body'
lib/action_controller/metal/rendering.rb:186:in 'ActionController::Rendering#render_to_body'
lib/action_controller/metal/renderers.rb:142:in 'ActionController::Renderers#render_to_body'
lib/abstract_controller/rendering.rb:47:in 'AbstractController::Rendering#render_to_string'
lib/action_controller/metal/rendering.rb:175:in 'ActionController::Rendering#render_to_string'
lib/action_controller/renderer.rb:136:in 'ActionController::Renderer#render'
test/controller/renderer_test.rb:37:in 'block in <class:RendererTest>'
bin/test test/controller/renderer_test.rb:35
Finished in 0.294798s, 3.3921 runs/s, 0.0000 assertions/s.
1 runs, 0 assertions, 0 failures, 1 errors, 0 skips
$
```
Refer to this Ruby issue and pull request for this change:
https://bugs.ruby-lang.org/issues/20205
https://github.com/ruby/ruby/pull/10262
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
rails/rails#51131 introduced parameter filtering for redirects. We
didn't account for invalid URIs though, and it changes the behaviour of
redirect_to to raise URI errors when we try to filter a bad URI.
Instead, we should fall back to filtering bad URIs entirely to preserve behaviour.
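An added illustration of the fallback described above (not the code from the Rails commit): a redirect location is parsed so that sensitive query parameters can be masked before logging, and a location that does not parse is masked entirely instead of raising. `SENSITIVE_KEYS`, `FILTERED` and `filtered_redirect_location` are names assumed for the example.

```ruby
require "uri"

FILTERED = "[FILTERED]"
# Constructed list of parameter names to mask (assumption for this example).
SENSITIVE_KEYS = %w[token password].freeze

# Returns the form of a redirect location that is safe to write to a log.
# The redirect itself is untouched; only the logged string is filtered.
def filtered_redirect_location(location)
  uri = URI.parse(location) # raises URI::InvalidURIError on a bad URI
  return location if uri.query.nil? || uri.query.empty?

  uri.query = uri.query.split("&").map do |pair|
    key, value = pair.split("=", 2)
    SENSITIVE_KEYS.include?(key) && value ? "#{key}=#{FILTERED}" : pair
  end.join("&")
  uri.to_s
rescue URI::Error
  # The location cannot be parsed, so individual parameters cannot be
  # located. Mask the whole value rather than log it raw or raise.
  FILTERED
end
```

Masking the whole value on a parse failure errs on the side of not leaking a secret that might sit in the unparseable string.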
* Fix inconsistent results of params.deep_transform_keys
* fix: specs
* fix: implements own deep_transform methods to ActionController::Parameters
Co-authored-by: Rafael Mendonça França <rafael@rubyonrails.org>
Passing relative paths into form_for and related helpers led to invalid
token generations, as the tokens did not match the request.path on the
POST endpoint. Variants, such as:
form_for url:
* ""
* "./"
* "./post_one"
* "post_one"
are now handled according to [RFC 3986 5.2 - 5.4](https://tools.ietf.org/html/rfc3986#section-5.2)
Limitations: double dots are not handled (../../path)
relevant issue: #31191
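An added illustration of why relative form actions broke token checks (not code from the Rails commit): a per-form token is modelled as an HMAC over the action path and HTTP method, and the action is resolved against the rendering page's path with Ruby's `URI.join`. `DEMO_SECRET`, the host `app.invalid` and all function names are assumptions made for the example.

```ruby
require "openssl"
require "uri"

# Constructed secret for the demo; a real application derives its key
# from the session (assumption for this example).
DEMO_SECRET = "constructed-demo-secret"

# Resolve a form action against the path of the page that rendered the form,
# following RFC 3986 section 5.2 reference resolution via URI.join.
def resolve_action_path(request_path, action)
  URI.join("http://app.invalid#{request_path}", action).path
end

# Simplified per-form token: HMAC over "<path>#<method>".
def per_form_token(path, method)
  OpenSSL::HMAC.hexdigest("SHA256", DEMO_SECRET, "#{path}##{method.downcase}")
end

# Token embedded in the form at render time. With resolve: false the raw
# action string is signed, which models the behaviour before the fix.
def issue_token(request_path, action, method, resolve:)
  path = resolve ? resolve_action_path(request_path, action) : action
  per_form_token(path, method)
end

# Check performed on the POST: the token must match the path actually hit.
def valid_for?(token, posted_path, method)
  OpenSSL.secure_compare(token, per_form_token(posted_path, method))
end
```

A browser on `/posts/new` submits `action="post_one"` to `/posts/post_one`, so only the token signed over the resolved path verifies. Unlike the change described above, `URI.join` also collapses `..` segments.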
In `4067c9565a5da78a72e375a2d959000147f02c34` `ActionDispatch::Executor`
started to report all errors, even the ones that were "handled" by the application.
This leads to errors like `ActionController::RoutingError` polluting error trackers
while not being actionable since they do not represent an exceptional situation.
This commit changes the behavior to only report errors that are not
considered "handled" based on the `ActionDispatch::ExceptionWrapper.rescue_responses` list.
Fix: https://github.com/rails/rails/issues/51002
In the default middleware stack, the `ShowExceptions` middleware is
lower than `ActionDispatch::Executor` and will handle most exceptions
causing `Executor` not to witness any.
Instead we need to rely on `action_dispatch.exception` being added
into the request env.
Given that the limiter implementation provided by Kredis is a simple
increment with a limit, all `ActiveSupport::Cache` already provide that
same capability, with a wide range of backing stores, and not just Redis.
This even allows using SolidCache as a backend if you so desire.
If we feel particularly fancy, we could also accept a more generic
limiter interface to better allow users to swap the implementation
for better algorithms such as leaky-bucket etc.