[CVE-2024-28103]
The application configurable Permissions-Policy is only
served on responses with an HTML related Content-Type.
This change allows all Content-Types to serve the
configured Permissions-Policy as there are many non-HTML
Content-Types that would benefit from this header.
(examples include image/svg+xml and application/xml)
Executes the first routes reload in middleware, or when the route set
url_helpers is called. Previously, this was executed unconditionally on
boot, which can slow down boot time unnecessarily for larger apps with
lots of routes.
An action can _contain_ multiple renders/redirects, but only one can be _performed_.
"Attempting to try to" is redundant.
Also removes the `and return` recommendation in order to be consistent with the documentation updates from https://github.com/rails/rails/pull/45927
The `'wasm-unsafe-eval'` keyword for the Content Security Policy allows the
loading and execution of WebAssembly modules without the need to allow unsafe
JavaScript execution via `'unsafe-eval'`. A mapping is added so that the symbol
`:wasm_unsafe_evel` can be used for this keyword in the policy configuration in
`config/initializers/content_security_policy.rb`.
This reverts commit e97db3b3957781c781a61fb01265feb2b57688bb, reversing
changes made to a27a1751cfd499f69499e943f12e3400b55a323e.
This is breaking application routes when running without eager load enabled.
* Lookup route from requirements
* Add docs
* Strings instead of symbols
S
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update actionpack/lib/action_dispatch/routing/route_set.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
---------
Co-authored-by: Andy Waite <andyw8@users.noreply.github.com>
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
The rdoc markdown parser does not currently parse multi-paragraph
definition lists correctly. Instead of putting both paragraphs inside
a single definition, only the first paragraph ends up in the definition
and the second paragraph is rendered after the definition list as a code
block.
Since 7.2 appears to be coming soon, this commit fixes the second
paragraph rendering as a code block by turning it into a second
definition. This doesn't strictly seem like the "correct" fix (compared
to fixing the rdoc markdown parser) but it gives us the visual result
that we want until rdoc is fixed.
This will prevent issues like be0cb4e8f9, which would have resulted in:
```
guides/rails_guides/generator.rb:16:1: W: Lint/Debugger: Remove debugger entry point require "debug".
require "debug"
^^^^^^^^^^^^^^^
```
Disabled the cop in actionpack tests for screenshot_helper and page_dump_helper:
```
actionpack/test/controller/integration_test.rb:1369:9: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
save_and_open_page
^^^^^^^^^^^^^^^^^^
actionpack/test/controller/integration_test.rb:1381:11: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
save_and_open_page
^^^^^^^^^^^^^^^^^^
actionpack/test/controller/integration_test.rb:1391:39: W: Lint/Debugger: Remove debugger entry point save_and_open_page.
assert_raise(InvalidResponse) { save_and_open_page }
^^^^^^^^^^^^^^^^^^
```
```
actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb:111:13: W: Lint/Debugger: Remove debugger entry point page.save_page(absolute_html_path).
page.save_page(absolute_html_path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
actionpack/lib/action_dispatch/system_testing/test_helpers/screenshot_helper.rb:115:13: W: Lint/Debugger: Remove debugger entry point page.save_screenshot(absolute_image
_path).
page.save_screenshot(absolute_image_path)
```
The DebuggerRequires option was first available in rubocop v1.63.0, in rubocop/rubocop#12766.
Executes the first routes reload in middleware, or when the route set
url_helpers is called. Previously, this was executed unconditionally on
boot, which can slow down boot time unnecessarily for larger apps with
lots of routes.
Allocations count is often an interesting proxy for performance,
but not necessarily the most relevant thing to include in request
logs, given they aren't a per thread metric, so the reporting
is widely innacurate in multi-threaded environments.
Since Ruby 3.1 there is now `GC.total_time` which is a monotonically
increasing counter of time spent in GC. It still isn't really a per
thread metric, but is is more interesting because it uses the same
unit as the response time, allowing to better see when you have a GC
pause performance issue.
```
2024-04-26 09:36:45 INFO Selenium [:logger_info] Details on how to use and modify Selenium logger:
https://selenium.dev/documentation/webdriver/troubleshooting/logging
2024-04-26 09:36:45 WARN Selenium [DEPRECATION] DriverFinder.path(options, service_class) is deprecated. Use DriverFinder.new(options, service).driver_path instead.
```
Fixes MIME parsing raising errors on valid parameters #51594.
Mime type lookups were updated to handle custom registered types as part of #48397.
This fix the strips out custom media range parameters before falling back to the default type creation.
`save_and_open_page` is a capybara helper that lets developers
inspect the status of the page at any given point in their
test. This is helpful when trying to keep a short feedback loop while
working on a test.
This change adds a similar helper with matching signature to
integration tests.
RFC 9110 specifies:
The server MUST send an Upgrade header field in a 426 response
to indicate the required protocol(s)
https://httpwg.org/specs/rfc9110.html#status.426
Status 406 Not Acceptable is more appropriate because it indicates the
resource
does not have a current representation that would be acceptable
to the user agent, according to the proactive negotiation header
fields received in the request
https://httpwg.org/specs/rfc9110.html#status.406
With the proactive negociation section mentionining:
implicit characteristics, such as the client's network address
or parts of the User-Agent field.
https://httpwg.org/specs/rfc9110.html#proactive.negotiation
The `:to` option for routes can once again be a String without a
controller if the controller is implicitly provided by a nesting
`controller` or `resources` call.
This can be reproduced using a version of rdoc that includes this fix:
- c65266437c
The fix correctly adds a newline between definition list items, which
was not added previously.
This commit was generated with the following commands:
```
$ git checkout 3079e8b0f894e9a7e85a3bbf42383dc0a616af41 -- actionpack/lib/action_controller/metal/conditional_get.rb
$ ./tools/rdoc-to-md --only=actionpack -a
```
When converting docs from RDoc to Markdown, some label-lists ended up
not rendering properly. This appears to be due to RDoc's Markdown
parser not recognizing label-list labels if the label has additional
markup around it (in this case, bold markers `**`).
Additionally, the markdown label-list was missing newlines between list
items which also caused the label-list to not render correctly.
This commit fixes both of these issues for cases where the RDoc
originally used <b> tags in a label-list label. Since label-list labels
will already be bolded, there is no reason to also use `**` on the
labels.
rails/rails#51131 introduced parameter filtering for redirects. We
didn't account for invalid URIs though, and it changes the behaviour of
redirect_to to raise URI errors when we try to filter a bad URI.
Instead, we should fallback to filtering bad URIs entirely to preserve behaviour.