Switch use of Rack::Request to ActionDispatch::Request

As mentioned in https://gitlab.com/gitlab-org/gitlab-ee/issues/9035#note_129093444, Rails 5 switched ActionDispatch::Request so that it no longer inherits Rack::Request directly. A middleware that uses Rack::Request to read the environment may see stale request parameters if another middleware modifies the environment via ActionDispatch::Request. To be safe, we should be using ActionDispatch::Request everywhere.

Switch use of Rack::Request to ActionDispatch::Request
As mentioned in https://gitlab.com/gitlab-org/gitlab-ee/issues/9035#note_129093444, Rails 5 switched ActionDispatch::Request so that it no longer inherits Rack::Request directly. A middleware that uses Rack::Request to read the environment may see stale request parameters if another middleware modifies the environment via ActionDispatch::Request. To be safe, we should be using ActionDispatch::Request everywhere.
aff2b6e4 · Stan Hu · b83be503 · aff2b6e4 · aff2b6e4 · aff2b6e4
Commit aff2b6e4 authored Jan 07, 2019 by Stan Hu
9 changed files
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -512,7 +512,7 @@ module API
    # `request`. We workaround this by defining methods that returns the right
    # values.
    def define_params_for_grape_middleware
-      self.define_singleton_method(:request) { Rack::Request.new(env) }
+      self.define_singleton_method(:request) { ActionDispatch::Request.new(env) }
      self.define_singleton_method(:params) { request.params.symbolize_keys }
    end


--- a/lib/gitlab/etag_caching/middleware.rb
+++ b/lib/gitlab/etag_caching/middleware.rb
@@ -8,7 +8,7 @@ module Gitlab
      end

      def call(env)
-        request = Rack::Request.new(env)
+        request = ActionDispatch::Request.new(env)
        route = Gitlab::EtagCaching::Router.match(request.path_info)
        return @app.call(env) unless route


--- a/lib/gitlab/middleware/basic_health_check.rb
+++ b/lib/gitlab/middleware/basic_health_check.rb
@@ -24,7 +24,7 @@ module Gitlab
      def call(env)
        return @app.call(env) unless env['PATH_INFO'] == HEALTH_PATH

-        request = Rack::Request.new(env)
+        request = ActionDispatch::Request.new(env)

        return OK_RESPONSE if client_ip_whitelisted?(request)


--- a/lib/gitlab/middleware/read_only/controller.rb
+++ b/lib/gitlab/middleware/read_only/controller.rb
@@ -60,7 +60,7 @@ module Gitlab
        end

        def request
-          @env['rack.request'] ||= Rack::Request.new(@env)
+          @env['actionpack.request'] ||= ActionDispatch::Request.new(@env)
        end

        def last_visited_url

--- a/lib/gitlab/request_context.rb
+++ b/lib/gitlab/request_context.rb
@@ -13,7 +13,7 @@ module Gitlab
    end

    def call(env)
-      req = Rack::Request.new(env)
+      req = ActionDispatch::Request.new(env)

      Gitlab::SafeRequestStore[:client_ip] = req.ip


--- a/spec/lib/gitlab/auth/user_auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/user_auth_finders_spec.rb
@@ -9,7 +9,7 @@ describe Gitlab::Auth::UserAuthFinders do
      'rack.input' => ''
    }
  end
-  let(:request) { Rack::Request.new(env) }
+  let(:request) { ActionDispatch::Request.new(env) }

  def set_param(key, value)
    request.update_param(key, value)

--- a/spec/lib/gitlab/request_context_spec.rb
+++ b/spec/lib/gitlab/request_context_spec.rb
@@ -15,7 +15,7 @@ describe Gitlab::RequestContext do
        let(:ip) { '192.168.1.11' }

        before do
-          allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)
+          allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return(ip)
          described_class.new(app).call(env)
        end


--- a/spec/lib/omni_auth/strategies/jwt_spec.rb
+++ b/spec/lib/omni_auth/strategies/jwt_spec.rb
@@ -25,6 +25,8 @@ describe OmniAuth::Strategies::Jwt do
      subject.options[:secret] = secret
      subject.options[:algorithm] = algorithm

+      # We use Rack::Request instead of ActionDispatch::Request because
+      # Rack::Test::Methods enables testing of this module.
      expect_next_instance_of(Rack::Request) do |rack_request|
        expect(rack_request).to receive(:params).and_return('jwt' => payload)
      end

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -387,7 +387,7 @@ describe 'Git HTTP requests' do

              it "responds with status 401" do
                expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
-                allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
+                allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return('1.2.3.4')

                clone_get(path, env)

@@ -548,7 +548,7 @@ describe 'Git HTTP requests' do
                  maxretry = options[:maxretry] - 1
                  ip = '1.2.3.4'

-                  allow_any_instance_of(Rack::Request).to receive(:ip).and_return(ip)
+                  allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return(ip)
                  Rack::Attack::Allow2Ban.reset(ip, options)

                  maxretry.times.each do