Merge pull request rails#47852 from searls/patch-2

byroot · web-flow · commit 18acbe8948e0 · 2023-06-10T16:41:59.000+02:00
Enable force_ssl=true in production by default
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Enable force_ssl=true in production by default: Force all access to the app over SSL,
+    use Strict-Transport-Security, and use secure cookies
+
+    *Justin Searls*, *Aaron Patterson*, *Guillermo Iguaran*, *Vinícius Bispo*
+
 *   Add engine's draw paths to application route set, so that the application
     can draw route files defined in engine paths.
 
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
@@ -57,7 +57,7 @@ Rails.application.configure do
   # config.assume_ssl = true
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
-  # config.force_ssl = true
+  config.force_ssl = true
 
   # Log to STDOUT by default
   config.logger = ActiveSupport::Logger.new(STDOUT)
diff --git a/railties/test/application/asset_debugging_test.rb b/railties/test/application/asset_debugging_test.rb
@@ -49,7 +49,7 @@ def teardown
       class ::PostsController < ActionController::Base ; end
 
       # the debug_assets params isn't used if compile is off
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application-([0-z]+)\.js"><\/script>/, last_response.body)
       assert_no_match(/<script src="\/assets\/xmlhr-([0-z]+)\.js"><\/script>/, last_response.body)
     end
@@ -62,7 +62,7 @@ class ::PostsController < ActionController::Base ; end
 
       class ::PostsController < ActionController::Base ; end
 
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application(\.debug|\.self)?-([0-z]+)\.js(\?body=1)?"><\/script>/, last_response.body)
     end
 
diff --git a/railties/test/application/assets_test.rb b/railties/test/application/assets_test.rb
@@ -263,7 +263,7 @@ class User < ActiveRecord::Base; raise 'should not be reached'; end
 
       # Checking if Uglifier is defined we can know if Sprockets was reached or not
       assert_not defined?(Uglifier)
-      get "/assets/#{asset_path}"
+      get("/assets/#{asset_path}", {}, "HTTPS" => "on")
       assert_match "alert()", last_response.body
       assert_not defined?(Uglifier)
     end
@@ -348,7 +348,7 @@ class User < ActiveRecord::Base; raise 'should not be reached'; end
       # Load app env
       app "production"
 
-      get "/assets/demo.js"
+      get("/assets/demo.js", {}, "HTTPS" => "on")
       assert_equal 404, last_response.status
     end
 
@@ -410,7 +410,7 @@ def index
       class ::PostsController < ActionController::Base ; end
 
       # the debug_assets params isn't used if compile is off
-      get "/posts?debug_assets=true"
+      get("/posts?debug_assets=true", {}, "HTTPS" => "on")
       assert_match(/<script src="\/assets\/application-([0-z]+)\.js"><\/script>/, last_response.body)
       assert_no_match(/<script src="\/assets\/xmlhr-([0-z]+)\.js"><\/script>/, last_response.body)
     end
diff --git a/railties/test/application/loading_test.rb b/railties/test/application/loading_test.rb
@@ -446,7 +446,7 @@ def show
     require "rack/test"
     extend Rack::Test::Methods
 
-    get "/omg/show"
+    get("/omg/show", {}, "HTTPS" => "on")
     assert_equal "Query cache is enabled.", last_response.body
   end
 
diff --git a/railties/test/application/mailer_previews_test.rb b/railties/test/application/mailer_previews_test.rb
@@ -26,14 +26,14 @@ def teardown
 
     test "/rails/mailers is not accessible in production" do
       app("production")
-      get "/rails/mailers"
+      get("/rails/mailers", {}, { "HTTPS" => "on" })
       assert_equal 404, last_response.status
     end
 
     test "/rails/mailers is accessible with correct configuration" do
       add_to_config "config.action_mailer.show_previews = true"
       app("production")
-      get "/rails/mailers", {}, { "REMOTE_ADDR" => "4.2.42.42" }
+      get "/rails/mailers", {}, { "REMOTE_ADDR" => "4.2.42.42", "HTTPS" => "on" }
       assert_equal 200, last_response.status
     end
 
diff --git a/railties/test/application/middleware/cache_test.rb b/railties/test/application/middleware/cache_test.rb
@@ -10,6 +10,9 @@ def setup
       build_app
       require "rack/test"
       extend Rack::Test::Methods
+
+      add_to_env_config "production", "config.cache_store = :memory_store"
+      add_to_env_config "production", "config.action_dispatch.rack_cache = true"
     end
 
     def teardown
@@ -56,7 +59,7 @@ def test_cache_keeps_if_modified_since
       simple_controller
       expected = "Wed, 30 May 1984 19:43:31 GMT"
 
-      get "/expires/keeps_if_modified_since", {}, { "HTTP_IF_MODIFIED_SINCE" => expected }
+      get "/expires/keeps_if_modified_since", {}, { "HTTP_IF_MODIFIED_SINCE" => expected, "HTTPS" => "on" }
 
       assert_equal 200, last_response.status
       assert_equal expected, last_response.body, "cache should have kept If-Modified-Since"
@@ -79,15 +82,13 @@ def test_cache_is_disabled_in_dev_mode
     def test_cache_works_with_expires
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_header"
+      get "/expires/expires_header", {}, { "HTTPS" => "on" }
       assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
       assert_equal "max-age=10, public", last_response.headers["Cache-Control"]
 
       body = last_response.body
 
-      get "/expires/expires_header"
+      get "/expires/expires_header", {}, { "HTTPS" => "on" }
 
       assert_equal "fresh", last_response.headers["X-Rack-Cache"]
 
@@ -97,31 +98,27 @@ def test_cache_works_with_expires
     def test_cache_works_with_expires_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_header", private: true
+      get "/expires/expires_header", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                last_response.headers["X-Rack-Cache"]
       assert_equal "private, max-age=10", last_response.headers["Cache-Control"]
 
       body = last_response.body
 
-      get "/expires/expires_header", private: true
+      get "/expires/expires_header", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",           last_response.headers["X-Rack-Cache"]
       assert_not_equal body,         last_response.body
     end
 
     def test_cache_works_with_etags
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_etag"
-      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
+      get "/expires/expires_etag", {}, { "HTTPS" => "on" }
       assert_equal "public", last_response.headers["Cache-Control"]
+      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
 
       etag = last_response.headers["ETag"]
 
-      get "/expires/expires_etag", {}, { "HTTP_IF_NONE_MATCH" => etag }
+      get "/expires/expires_etag", {}, { "HTTP_IF_NONE_MATCH" => etag, "HTTPS" => "on" }
       assert_equal "stale, valid, store", last_response.headers["X-Rack-Cache"]
       assert_equal 304, last_response.status
       assert_equal "", last_response.body
@@ -130,32 +127,28 @@ def test_cache_works_with_etags
     def test_cache_works_with_etags_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_etag", private: true
+      get "/expires/expires_etag", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                                last_response.headers["X-Rack-Cache"]
       assert_equal "must-revalidate, private, max-age=0", last_response.headers["Cache-Control"]
 
       body = last_response.body
       etag = last_response.headers["ETag"]
 
-      get "/expires/expires_etag", { private: true }, { "HTTP_IF_NONE_MATCH" => etag }
+      get "/expires/expires_etag", { private: true }, { "HTTP_IF_NONE_MATCH" => etag, "HTTPS" => "on" }
       assert_equal "miss", last_response.headers["X-Rack-Cache"]
       assert_not_equal body,   last_response.body
     end
 
     def test_cache_works_with_last_modified
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_last_modified"
-      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
+      get "/expires/expires_last_modified", {}, { "HTTPS" => "on" }
       assert_equal "public", last_response.headers["Cache-Control"]
+      assert_equal "miss, store", last_response.headers["X-Rack-Cache"]
 
       last = last_response.headers["Last-Modified"]
 
-      get "/expires/expires_last_modified", {}, { "HTTP_IF_MODIFIED_SINCE" => last }
+      get "/expires/expires_last_modified", {}, { "HTTP_IF_MODIFIED_SINCE" => last, "HTTPS" => "on" }
       assert_equal "stale, valid, store", last_response.headers["X-Rack-Cache"]
       assert_equal 304, last_response.status
       assert_equal "", last_response.body
@@ -164,16 +157,14 @@ def test_cache_works_with_last_modified
     def test_cache_works_with_last_modified_private
       simple_controller
 
-      add_to_config "config.action_dispatch.rack_cache = true"
-
-      get "/expires/expires_last_modified", private: true
+      get "/expires/expires_last_modified", { private: true }, { "HTTPS" => "on" }
       assert_equal "miss",                                last_response.headers["X-Rack-Cache"]
       assert_equal "must-revalidate, private, max-age=0", last_response.headers["Cache-Control"]
 
       body = last_response.body
       last = last_response.headers["Last-Modified"]
 
-      get "/expires/expires_last_modified", { private: true }, { "HTTP_IF_MODIFIED_SINCE" => last }
+      get "/expires/expires_last_modified", { private: true }, { "HTTP_IF_MODIFIED_SINCE" => last, "HTTPS" => "on" }
       assert_equal "miss", last_response.headers["X-Rack-Cache"]
       assert_not_equal body,   last_response.body
     end
diff --git a/railties/test/application/middleware/exceptions_test.rb b/railties/test/application/middleware/exceptions_test.rb
@@ -26,7 +26,7 @@ def index
       RUBY
 
       log = capture(:stdout) do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_equal 500, last_response.status
       end
 
@@ -43,12 +43,12 @@ def index
         end
       RUBY
 
-      get "/foo"
+      get "/foo", {}, { "HTTPS" => "on" }
       assert_equal 404, last_response.status
     end
 
     test "renders unknown http methods as 405" do
-      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD" }
+      request("/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD", "HTTPS" => "on" })
       assert_equal 405, last_response.status
     end
 
@@ -62,7 +62,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :all
 
-      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD" }
+      request "/", { "REQUEST_METHOD" => "NOT_AN_HTTP_METHOD", "HTTPS" => "on" }
       assert_equal 405, last_response.status
     end
 
@@ -90,7 +90,7 @@ def not_acceptable
       add_to_config "config.action_dispatch.show_exceptions = :all"
       add_to_config "config.consider_all_requests_local = false"
 
-      get "/foo", {}, { "HTTP_ACCEPT" => "invalid" }
+      get "/foo", {}, { "HTTP_ACCEPT" => "invalid", "HTTPS" => "on" }
       assert_equal 406, last_response.status
       assert_not_equal "rendering index!", last_response.body
     end
@@ -104,7 +104,7 @@ def not_acceptable
 
       app.config.action_dispatch.show_exceptions = :all
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 404, last_response.status
       assert_equal "YOU FAILED", last_response.body
     end
@@ -120,23 +120,23 @@ def index
 
       app.config.action_dispatch.show_exceptions = :all
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 500, last_response.status
     end
 
     test "unspecified route when action_dispatch.show_exceptions is not set raises an exception" do
       app.config.action_dispatch.show_exceptions = :none
 
       assert_raise(ActionController::RoutingError) do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
       end
     end
 
     test "unspecified route when action_dispatch.show_exceptions is set shows 404" do
       app.config.action_dispatch.show_exceptions = :all
 
       assert_nothing_raised do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_match "The page you were looking for doesn't exist.", last_response.body
       end
     end
@@ -146,7 +146,7 @@ def index
       app.config.consider_all_requests_local = true
 
       assert_nothing_raised do
-        get "/foo"
+        get("/foo", {}, "HTTPS" => "on")
         assert_match "No route matches", last_response.body
       end
     end
@@ -161,7 +161,7 @@ def index
       app.config.action_dispatch.show_exceptions = :all
       app.config.consider_all_requests_local = true
 
-      get "/articles"
+      get("/articles", {}, "HTTPS" => "on")
       assert_match "<title>Action Controller: Exception caught</title>", last_response.body
     end
 
@@ -181,7 +181,7 @@ def index
         ✓測試テスト시험
       ERB
 
-      get "/foo", utf8: "✓"
+      get("/foo", { utf8: "✓" }, { "HTTPS" => "on" })
       assert_match(/boooom/, last_response.body)
       assert_match(/測試テスト시험/, last_response.body)
     end
@@ -197,7 +197,7 @@ def index
       app.config.action_dispatch.show_exceptions = :all
       app.config.consider_all_requests_local = true
 
-      get "/foo?x[y]=1&x[y][][w]=2"
+      get "/foo?x[y]=1&x[y][][w]=2", {}, "HTTPS" => "on"
       assert_equal 400, last_response.status
       assert_match "Invalid query parameters", last_response.body
     end
@@ -216,7 +216,7 @@ def index
       limit = Rack::Utils.param_depth_limit + 1
       malicious_url = "/foo?#{'[test]' * limit}=test"
 
-      get malicious_url
+      get(malicious_url, {}, "HTTPS" => "on")
       assert_equal 400, last_response.status
       assert_match "Invalid query parameters", last_response.body
     end
@@ -233,12 +233,12 @@ def index
       app.config.consider_all_requests_local = true
       app.config.action_dispatch.ignore_accept_header = false
 
-      get "/foo"
+      get("/foo", {}, "HTTPS" => "on")
       assert_equal 500, last_response.status
       assert_match "<title>Action Controller: Exception caught</title>", last_response.body
       assert_match "ActiveRecord::StatementInvalid", last_response.body
 
-      get "/foo", {}, { "HTTP_ACCEPT" => "text/plain", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }
+      get "/foo", {}, { "HTTP_ACCEPT" => "text/plain", "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest", "HTTPS" => "on" }
       assert_equal 500, last_response.status
       assert_equal "text/plain", last_response.media_type
       assert_match "ActiveRecord::StatementInvalid", last_response.body
@@ -255,7 +255,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :rescuable
 
-      get "/foo"
+      get "/foo", {}, { "HTTPS" => "on" }
       assert_equal 404, last_response.status
     end
 
@@ -270,7 +270,7 @@ def index
 
       app.config.action_dispatch.show_exceptions = :rescuable
 
-      error = assert_raises(RuntimeError) { get "/foo" }
+      error = assert_raises(RuntimeError) { get("/foo", {}, { "HTTPS" => "on" }) }
       assert_equal "oops", error.message
     end
   end
diff --git a/railties/test/application/query_logs_test.rb b/railties/test/application/query_logs_test.rb
diff --git a/railties/test/application/rendering_test.rb b/railties/test/application/rendering_test.rb
diff --git a/railties/test/application/routing_test.rb b/railties/test/application/routing_test.rb
