Merge branch '6-0-sec' into 6-0-stable

rails · Apr 26, 2022 · 23f8485 · 23f8485
2 parents f9c6da7 + 27a5ec7
commit 23f8485
Show file tree

Hide file tree

Showing 39 changed files with 6,173 additions and 6,038 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -32,79 +32,79 @@ GIT
 PATH
   remote: .
   specs:
-    actioncable (6.0.4.7)
-      actionpack (= 6.0.4.7)
+    actioncable (6.0.4.8)
+      actionpack (= 6.0.4.8)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.4.7)
-      actionpack (= 6.0.4.7)
-      activejob (= 6.0.4.7)
-      activerecord (= 6.0.4.7)
-      activestorage (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
+    actionmailbox (6.0.4.8)
+      actionpack (= 6.0.4.8)
+      activejob (= 6.0.4.8)
+      activerecord (= 6.0.4.8)
+      activestorage (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
       mail (>= 2.7.1)
-    actionmailer (6.0.4.7)
-      actionpack (= 6.0.4.7)
-      actionview (= 6.0.4.7)
-      activejob (= 6.0.4.7)
+    actionmailer (6.0.4.8)
+      actionpack (= 6.0.4.8)
+      actionview (= 6.0.4.8)
+      activejob (= 6.0.4.8)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.4.7)
-      actionview (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
+    actionpack (6.0.4.8)
+      actionview (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.4.7)
-      actionpack (= 6.0.4.7)
-      activerecord (= 6.0.4.7)
-      activestorage (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
+    actiontext (6.0.4.8)
+      actionpack (= 6.0.4.8)
+      activerecord (= 6.0.4.8)
+      activestorage (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
       nokogiri (>= 1.8.5)
-    actionview (6.0.4.7)
-      activesupport (= 6.0.4.7)
+    actionview (6.0.4.8)
+      activesupport (= 6.0.4.8)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.4.7)
-      activesupport (= 6.0.4.7)
+    activejob (6.0.4.8)
+      activesupport (= 6.0.4.8)
       globalid (>= 0.3.6)
-    activemodel (6.0.4.7)
-      activesupport (= 6.0.4.7)
-    activerecord (6.0.4.7)
-      activemodel (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
-    activestorage (6.0.4.7)
-      actionpack (= 6.0.4.7)
-      activejob (= 6.0.4.7)
-      activerecord (= 6.0.4.7)
+    activemodel (6.0.4.8)
+      activesupport (= 6.0.4.8)
+    activerecord (6.0.4.8)
+      activemodel (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
+    activestorage (6.0.4.8)
+      actionpack (= 6.0.4.8)
+      activejob (= 6.0.4.8)
+      activerecord (= 6.0.4.8)
       marcel (~> 1.0)
-    activesupport (6.0.4.7)
+    activesupport (6.0.4.8)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
       zeitwerk (~> 2.2, >= 2.2.2)
-    rails (6.0.4.7)
-      actioncable (= 6.0.4.7)
-      actionmailbox (= 6.0.4.7)
-      actionmailer (= 6.0.4.7)
-      actionpack (= 6.0.4.7)
-      actiontext (= 6.0.4.7)
-      actionview (= 6.0.4.7)
-      activejob (= 6.0.4.7)
-      activemodel (= 6.0.4.7)
-      activerecord (= 6.0.4.7)
-      activestorage (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
+    rails (6.0.4.8)
+      actioncable (= 6.0.4.8)
+      actionmailbox (= 6.0.4.8)
+      actionmailer (= 6.0.4.8)
+      actionpack (= 6.0.4.8)
+      actiontext (= 6.0.4.8)
+      actionview (= 6.0.4.8)
+      activejob (= 6.0.4.8)
+      activemodel (= 6.0.4.8)
+      activerecord (= 6.0.4.8)
+      activestorage (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
       bundler (>= 1.3.0)
-      railties (= 6.0.4.7)
+      railties (= 6.0.4.8)
       sprockets-rails (>= 2.0.0)
-    railties (6.0.4.7)
-      actionpack (= 6.0.4.7)
-      activesupport (= 6.0.4.7)
+    railties (6.0.4.8)
+      actionpack (= 6.0.4.8)
+      activesupport (= 6.0.4.8)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
@@ -204,6 +204,7 @@ GEM
     delayed_job_active_record (4.1.6)
       activerecord (>= 3.0, < 6.2)
       delayed_job (>= 3.0, < 5)
+    digest (3.1.0)
     digest-crc (0.6.3)
       rake (>= 12.0.0, < 14.0.0)
     em-http-request (1.1.7)
@@ -292,12 +293,13 @@ GEM
       mustache
       nokogiri
     libxml-ruby (3.2.1)
-    loofah (2.14.0)
+    loofah (2.16.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
       mini_mime (>= 0.1.1)
     marcel (1.0.2)
+    matrix (0.4.2)
     memoist (0.16.2)
     method_source (1.0.0)
     mini_magick (4.11.0)
@@ -324,12 +326,24 @@ GEM
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
     mysql2 (0.5.3)
+    net-imap (0.2.3)
+      digest
+      net-protocol
+      strscan
+    net-pop (0.1.1)
+      digest
+      net-protocol
+      timeout
+    net-protocol (0.1.3)
+      timeout
+    net-smtp (0.3.1)
+      digest
+      net-protocol
+      timeout
     nio4r (2.5.7)
     nokogiri (1.11.3)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
-    nokogiri (1.11.3-x86_64-darwin)
-      racc (~> 1.4)
     os (1.1.1)
     parallel (1.20.1)
     parser (3.0.1.1)
@@ -462,6 +476,7 @@ GEM
       sprockets (>= 3.0.0)
     sqlite3 (1.4.2)
     stackprof (0.2.17)
+    strscan (3.0.1)
     sucker_punch (3.0.1)
       concurrent-ruby (~> 1.0)
     thin (1.8.0)
@@ -471,6 +486,7 @@ GEM
     thor (1.1.0)
     thread_safe (0.3.6)
     tilt (2.0.10)
+    timeout (0.2.0)
     trailblazer-option (0.1.1)
     turbolinks (5.2.1)
       turbolinks-source (~> 5.2)
@@ -539,11 +555,15 @@ DEPENDENCIES
   kindlerb (~> 1.2.0)
   libxml-ruby
   listen (~> 3.2)!
+  matrix
   minitest (< 5.15.0)
   minitest-bisect
   minitest-reporters
   minitest-retry
   mysql2 (>= 0.4.10)
+  net-imap
+  net-pop
+  net-smtp
   nokogiri (>= 1.8.1)
   pg (>= 0.18.0)
   psych (~> 3.0)

diff --git a/RAILS_VERSION b/RAILS_VERSION
@@ -1 +1 @@
-6.0.4.7
+6.0.4.8
diff --git a/actioncable/CHANGELOG.md b/actioncable/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.7 (March 08, 2022) ##
 
 *   No changes.

diff --git a/actioncable/lib/action_cable/gem_version.rb b/actioncable/lib/action_cable/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "7"
+    PRE   = "8"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actioncable/package.json b/actioncable/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actioncable",
-  "version": "6.0.4-7",
+  "version": "6.0.4-8",
   "description": "WebSocket framework for Ruby on Rails.",
   "main": "app/assets/javascripts/action_cable.js",
   "files": [

diff --git a/actionmailbox/CHANGELOG.md b/actionmailbox/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.7 (March 08, 2022) ##
 
 *   No changes.

diff --git a/actionmailbox/lib/action_mailbox/gem_version.rb b/actionmailbox/lib/action_mailbox/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "7"
+    PRE   = "8"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md
@@ -1,3 +1,8 @@
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   No changes.
+
+
 ## Rails 6.0.4.7 (March 08, 2022) ##
 
 *   No changes.

diff --git a/actionmailer/lib/action_mailer/gem_version.rb b/actionmailer/lib/action_mailer/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "7"
+    PRE   = "8"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
@@ -1,3 +1,9 @@
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   Allow Content Security Policy DSL to generate for API responses.
+
+    *Tim Wade*
+
 ## Rails 6.0.4.7 (March 08, 2022) ##
 
 *   No changes.

diff --git a/actionpack/lib/action_dispatch/http/content_security_policy.rb b/actionpack/lib/action_dispatch/http/content_security_policy.rb
@@ -17,7 +17,6 @@ def call(env)
         request = ActionDispatch::Request.new env
         _, headers, _ = response = @app.call(env)
 
-        return response unless html_response?(headers)
         return response if policy_present?(headers)
 
         if policy = request.content_security_policy
@@ -31,12 +30,6 @@ def call(env)
       end
 
       private
-        def html_response?(headers)
-          if content_type = headers[CONTENT_TYPE]
-            content_type =~ /html/
-          end
-        end
-
         def header_name(request)
           if request.content_security_policy_report_only
             POLICY_REPORT_ONLY

diff --git a/actionpack/lib/action_pack/gem_version.rb b/actionpack/lib/action_pack/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "7"
+    PRE   = "8"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actionpack/test/dispatch/content_security_policy_test.rb b/actionpack/test/dispatch/content_security_policy_test.rb
@@ -353,6 +353,11 @@ class PolicyController < ActionController::Base
 
     content_security_policy_report_only only: :report_only
 
+    content_security_policy only: :api do |p|
+      p.default_src :none
+      p.frame_ancestors :none
+    end
+
     def index
       head :ok
     end
@@ -381,6 +386,10 @@ def no_policy
       head :ok
     end
 
+    def api
+      render json: {}
+    end
+
     private
       def condition?
         params[:condition] == "true"
@@ -397,6 +406,7 @@ def condition?
       get "/script-src", to: "policy#script_src"
       get "/style-src", to: "policy#style_src"
       get "/no-policy", to: "policy#no_policy"
+      get "/api", to: "policy#api"
     end
   end
 
@@ -468,6 +478,11 @@ def test_generates_no_content_security_policy
     assert_nil response.headers["Content-Security-Policy-Report-Only"]
   end
 
+  def test_generates_api_security_policy
+    get "/api"
+    assert_policy "default-src 'none'; frame-ancestors 'none'"
+  end
+
   private
     def assert_policy(expected, report_only: false)
       assert_response :success

diff --git a/actiontext/CHANGELOG.md b/actiontext/CHANGELOG.md
@@ -9,6 +9,10 @@
 
     *Jonathan Hefner*
 
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   No changes.
+
 
 ## Rails 6.0.4.7 (March 08, 2022) ##
 

diff --git a/actiontext/lib/action_text/gem_version.rb b/actiontext/lib/action_text/gem_version.rb
@@ -10,7 +10,7 @@ module VERSION
     MAJOR = 6
     MINOR = 0
     TINY  = 4
-    PRE   = "7"
+    PRE   = "8"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

diff --git a/actiontext/package.json b/actiontext/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@rails/actiontext",
-  "version": "6.0.4-7",
+  "version": "6.0.4-8",
   "description": "Edit and display rich text in Rails applications",
   "main": "app/javascript/actiontext/index.js",
   "files": [