提交 · 69fc0e1b5e6a3227576d67587c386142ef65854e · 张重言 / rails

20 8月, 2014 1 次提交

Auth token mask from breach-mitigation-rails gem · 69fc0e1b

由 Bradley Buda 提交于 8月 19, 2014

This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.

The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.

69fc0e1b

15 8月, 2014 5 次提交

A
Merge pull request #16504 from schneems/schneems/fix_url_for · 4751a8c5
由 Aaron Patterson 提交于 8月 14, 2014
```
Perf optimization for `url_for` called w/ Hash
```
4751a8c5

Perf optimization for `url_for` called w/ Hash · 4d47220d

由 schneems 提交于 8月 14, 2014

Benchmarking the existing code:

```ruby
{ :only_path => options[:host].nil? }.merge!(options.symbolize_keys)) 
```

Against optimized code, that does not require a new hash or a merge:

```ruby
options = options.symbolize_keys
options[:only_path] = options[:host].nil? unless options.key?(:only_path)
options
```

We see a statistically significant performance gain:

![](https://www.dropbox.com/s/onocpc0zfw4kjxl/Screenshot%202014-08-14%2012.45.30.png?dl=1)

Updated to not mutate incoming parameters

4d47220d

A

Ignore MySQL "SHOW VARIABLES" when counting queries · c8ede235
由 Akira Matsuda 提交于 8月 15, 2014

c8ede235
A

extract methods and metaprogram less. · 6c51cc85
由 Aaron Patterson 提交于 8月 14, 2014

6c51cc85
A

Be sure to reset PK name renamed in the test · cf38bda8
由 Akira Matsuda 提交于 8月 15, 2014

cf38bda8

14 8月, 2014 34 次提交
- Z
  
  Use string for order argument, fixed from #16501 [ci skip] · fdd4b73c
  由 Zachary Scott 提交于 8月 14, 2014
  
  fdd4b73c
- Z
  Merge pull request #16501 from tomkadwill/update_delete_to_new_style · b131978f
  由 Zachary Scott 提交于 8月 14, 2014
```
[ci skip] updated 'where' in association documention to new style syntax
```
  b131978f
- A
  Warm up Symbols with where method · 9a7d7624
  由 Akira Matsuda 提交于 8月 15, 2014
```
Looks like #first wasn't warm enough...
```
  9a7d7624
- S
  Merge pull request #16502 from bogdan/where-hash-nested-relation · 71e8f199
  由 Santiago Pastorino 提交于 8月 14, 2014
```
[Regression 4.0 -> 4.1] Fixed AR::Relation#where edge case with Hash and other Relation
```
  71e8f199
- J
  Merge pull request #16438 from agrobbin/input-placeholder-i18n · dfc3f883
  由 Jeremy Kemper 提交于 8月 14, 2014
```
Add I18n support for `:placeholder` HTML option is passed to form fields
```
  dfc3f883
- B
  Fixed AR::Relation#where edge case with Hash and other Relation · fe67dfbb
  由 Bogdan Gusiev 提交于 8月 14, 2014
```
Example:

  Author.where(posts: { author_id: Author.where(country_id: 1) }).joins(:posts)
```
  fe67dfbb
- A
  
  Ignore SCHEMA queries in some habtm tests · b5c4c50a
  由 Akira Matsuda 提交于 8月 14, 2014
  
  b5c4c50a
- Y
  Merge pull request #8813 from greyblake/dont_write_timestamps_if_they_are_not_attributes · 76b58788
  由 Yves Senn 提交于 8月 14, 2014
```
Write timestamps only if there are timestamps columns

Conflicts:
	activerecord/CHANGELOG.md
```
  76b58788
- T
  
  [ci skip] updated 'where' in association documention to new style syntax · 006225b0
  由 Tom Kadwill 提交于 8月 14, 2014
  
  006225b0
- A
  
  Make sure that fixtures are loaded before finding · 76ea9f97
  由 Akira Matsuda 提交于 8月 14, 2014
  
  76ea9f97
- A
  
  Format · 4bb823bd
  由 Akira Matsuda 提交于 8月 14, 2014
  
  4bb823bd
- Y
  
  ಠ_ಠ now that the commit sha is known I can add it to the relese guide. · 37cae67e
  由 Yves Senn 提交于 8月 14, 2014
  
  37cae67e
- Y
  remove deprecated `MissingHelperError` proxy. · a1ddde15
  由 Yves Senn 提交于 8月 14, 2014
```
The error was moved outside of the `ClassMethods` module.
```
  a1ddde15
- A
  Clear validators before and after each test · e76379b0
  由 Akira Matsuda 提交于 8月 14, 2014
```
Or some tests fail when run in random order
```
  e76379b0
- Y
  Merge pull request #16027 from tgxworld/template_assertions · 9c91c168
  由 Yves Senn 提交于 8月 14, 2014
```
Fixes to ActionController::TemplateAssertions
```
  9c91c168
- A
  
  ask the scope object if it is a resource_method_scope · 43ce6e22
  由 Aaron Patterson 提交于 8月 13, 2014
  
  43ce6e22
- A
  
  ask the scope for the action name · e4cb3819
  由 Aaron Patterson 提交于 8月 13, 2014
  
  e4cb3819
- A
  reduce calls to scope_level · 374d66be
  由 Aaron Patterson 提交于 8月 13, 2014
```
this will help us to encapsulate magical symbols so hopefully we can
eliminate hardcoded magic symbols
```
  374d66be
- A
  
  change to attr_reader · 047af8dd
  由 Aaron Patterson 提交于 8月 13, 2014
  
  047af8dd
- A
  
  scope_level is no longer a hash key, just use the ivar · 677bc212
  由 Aaron Patterson 提交于 8月 13, 2014
  
  677bc212
- A
  
  move the scope level key fully inside the scope object · 19bb6770
  由 Aaron Patterson 提交于 8月 13, 2014
  
  19bb6770
- A
  move scope_level to a method on the scope object · 911ef972
  由 Aaron Patterson 提交于 8月 13, 2014
```
now we don't have to have a hard coded key
```
  911ef972
- A
  
  Finally! None of our tests are order_dependent! · 2440933f
  由 Akira Matsuda 提交于 8月 14, 2014
  
  2440933f
- A
  only look up scope level once · 0127f028
  由 Aaron Patterson 提交于 8月 13, 2014
```
avoid hash lookups and remove depency on the instance
```
  0127f028
- A
  only test `prefix` once · 91608dc3
  由 Aaron Patterson 提交于 8月 13, 2014
```
we don't need to repeat if statements
```
  91608dc3
- A
  pass consistent parameters to canonical_action? · 318eea06
  由 Aaron Patterson 提交于 8月 13, 2014
```
now we only have to look up @scope[:scope_level] once per call to
canonical_action? and we don't have a variable named "flag"
```
  318eea06
- A
  fewer operations on the options hash · 3b908cba
  由 Aaron Patterson 提交于 8月 13, 2014
```
since we pass `as` down, then we won't have to do an insert / delete
dance with the options hash
```
  3b908cba
- A
  
  this should be accessing the hash, not calling a method · d4981c39
  由 Aaron Patterson 提交于 8月 13, 2014
  
  d4981c39
- A
  UnexpectedErrors may reference exceptions that can't be dumped · efb835c9
  由 Aaron Patterson 提交于 8月 13, 2014
```
UnexpectedError exceptions wrap the original exception, and the original
exception may contain a reference to something that can't be marshal
dumped which will cause the process to die.
```
  efb835c9
- Z
  Merge pull request #16408 from aditya-kapoor/add-doc-ERB-escape · c6af3bad
  由 Zachary Scott 提交于 8月 13, 2014
```
[ci skip] add note about the ERB escape in generator docs
```
  c6af3bad
- A
  
  [ci skip] add note about the ERB escape in generator docs · 32e18486
  由 Aditya Kapoor 提交于 8月 14, 2014
  
  32e18486
- S
  Merge pull request #16493 from aditya-kapoor/correct-cache-store-doc · 2750cc41
  由 Santiago Pastorino 提交于 8月 13, 2014
```
[ci skip] correct default cache store class
```
  2750cc41
- A
  
  Missing ActiveSupport require for calling String#first · 1a299b6c
  由 Akira Matsuda 提交于 8月 14, 2014
  
  1a299b6c
- G
  Fix assert_template for files. · b1ba333e
  由 Guo Xiang Tan 提交于 7月 02, 2014
```
The test was not failing for `assert_template file: nil` when a file
has been rendered.
```
  b1ba333e