macaw_framework 1.0.1 → 1.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 03ac2a8df24de8757381abc1e9a85f7854ac71a49b44d51aa7a23f1d42f95380
-  data.tar.gz: 4431ce9ab63887660aaa5cc464c00a1dd3a81b08cf4f99bb53926d0aec440fc2
+  metadata.gz: 25f8f9d1a39c45e8cab35097244e958621fd566992335198ad0fae2fd482bdbd
+  data.tar.gz: 1c0d3558ccd3aaa5b81ee4df1c80227aa558df0a62cc5b82695f0aa58b5b875f
 SHA512:
-  metadata.gz: 7f981191cafd8504428de742979979a82ce1609c69ab08afc9f0b8e131381d12cc298b9b7447679b1611719605b825fcf409c9b4afee2b0d0f3a4fa8f28b5c79
-  data.tar.gz: cda629f9c4c779d11712c18dd5f9b7c8c90805688630d75c14b7fcd7c485b3cdcb2ea2386b5f6bcde62296a7b283337ee45418a08b67e61686f23ef18bf56bb2
+  metadata.gz: 25013e659bf86515d3d730a2d8b98c7efdb3f69fc691122e7515b6de38c772d0973d3c23d8dac9824001eb4a34b9ffe99f0c08826f71b14263fdb273b74c0cdb
+  data.tar.gz: 872c0b12123044cf2ae34c01e2b6ff05cf1bfaa0698de8d4571fdf8492647b24c88ba415407753423db8dfcd6c6854b5cc4c16b2c856884b4ae260f25c8b6454

data/CHANGELOG.md

@@ -47,3 +47,15 @@
 - Introducing server-side session management
 - Fixing a bug with cache
 - Improving README
+
+## [1.0.2] - 2023-05-06
+
+- Fixing a bug with cache where ignored_headers where not being properly loaded
+- Fixed a bug with cache where URL parameters were not being considered in the strategy
+- Updating SECURITY.md with more information
+
+## [1.0.3] - 2023-05-10
+
+- Fixing issue of error responses being cached
+- Implementing support for min and max SSL version
+- Creating log sanitization to prevent log forging

data/Gemfile

@@ -13,6 +13,8 @@ gem "rubocop", "~> 1.21"
 
 gem "prometheus-client", "~> 4.1"
 
+gem "openssl"
+
 group :test do
   gem "simplecov", "~> 0.21.2"
   gem "simplecov-json"

data/README.md

@@ -56,17 +56,20 @@ m.get('/cached_data', cache: true) do |context|
 end
 ```
 
+Observation: To activate caching you also have to set it's properties on the application.json file. If you don't, caching strategy will not work.
+See section below for configurations.
+
 ### Session management: Handle user sessions securely with server-side in-memory storage
 
 ```ruby
 m.get('/login') do |context|
   # Authenticate user
-  context[:session][:user_id] = user_id
+  context[:client][:user_id] = user_id
 end
 
 m.get('/dashboard') do |context|
   # Check if the user is logged in
-  if context[:session][:user_id]
+  if context[:client][:user_id]
     # Show dashboard
   else
     # Redirect to login
@@ -82,6 +85,12 @@ end
     "port": 8080,
     "bind": "localhost",
     "threads": 10,
+    "log": {
+      "max_length": 1024,
+      "sensitive_fields": [
+        "password"
+      ]
+    },
     "cache": {
       "cache_invalidation": 3600,
       "ignore_headers": [
@@ -97,6 +106,8 @@ end
       "max_requests": 3
     },
     "ssl": {
+      "min": "SSL3",
+      "max": "TLS1.3",
       "cert_file_name": "path/to/cert/file/file.crt",
       "key_file_name": "path/to/cert/key/file.key"
     }
@@ -132,6 +143,8 @@ exists inside `application.json`.
 If the SSL configuration is provided in the `application.json` file with valid certificate and key files, the TCP server
 will be wrapped with HTTPS security using the provided certificate.
 
+The supported values for `min` and `max` in the SSL configuration are: `SSL2`, `SSL3`, `TLS1.1`, `TLS1.2` and `TLS1.3`
+
 If prometheus is enabled, a get endpoint will be defined at path `/metrics` to collect prometheus metrics. This path
 is configurable via the `application.json` file.
 

data/SECURITY.md

@@ -2,12 +2,26 @@
 
 ## Supported Versions
 
+We are committed to addressing security issues in a timely manner. The following versions of MacawFramework are currently supported with security updates:
+
 | Version | Supported          |
 | ------- | ------------------ |
 | 1.0.x   | :white_check_mark: |
 | < 1.x   | :x:                |
 
-
 ## Reporting a Vulnerability
 
-If you find a vulnerability, please open an issue or send an e-mail to aria.diniz.dev@gmail.com
+We encourage responsible disclosure of security vulnerabilities. If you find a vulnerability in MacawFramework, please follow the steps below:
+
+1. Open an issue on the [GitHub repository](https://github.com/ariasdiniz/macaw_framework/issues) describing the vulnerability. Please include as much detail as possible, such as the affected version, the steps to reproduce the issue, and the potential impact of the vulnerability.
+
+Alternatively, you can send an email to aria.diniz.dev@gmail.com with the same information.
+
+2. We will review and acknowledge the report within a reasonable time frame. We may ask for additional information or guidance to help us understand and reproduce the issue.
+
+3. We will work on addressing the vulnerability and will provide updates on the progress.
+
+4. Once the issue is resolved, we will release a new version of MacawFramework with the necessary security fixes.
+
+Please remember to follow the project's [Code of Conduct](https://github.com/ariasdiniz/macaw_framework/blob/main/CODE_OF_CONDUCT.md) when reporting security vulnerabilities.
+

data/lib/macaw_framework/aspects/cache_aspect.rb

@@ -12,7 +12,7 @@ module CacheAspect
       return cache[:cache].cache[cache_filtered_name][0] unless cache[:cache].cache[cache_filtered_name].nil?
 
       response = super(*args)
-      cache[:cache].cache[cache_filtered_name] = [response, Time.now]
+      cache[:cache].cache[cache_filtered_name] = [response, Time.now] if should_cache_response?(response[1])
       response
     end
   end
@@ -23,4 +23,8 @@ module CacheAspect
     filtered_headers = client_data[:headers].filter { |key, _value| !ignored_headers&.include?(key) }
     [{ body: client_data[:body], params: client_data[:params], headers: filtered_headers }].to_s.to_sym
   end
+
+  def should_cache_response?(status)
+    (200..299).include?(status.to_i)
+  end
 end

data/lib/macaw_framework/aspects/logging_aspect.rb

@@ -1,6 +1,7 @@
-# frozen_string_literal: true
+# frozen_string_literal: false
 
 require "logger"
+require_relative "../data_filters/log_data_filter"
 
 ##
 # This Aspect is responsible for logging
@@ -9,13 +10,17 @@ require "logger"
 module LoggingAspect
   def call_endpoint(logger, *args)
     endpoint_name = args[1].split(".")[1..].join("/")
-    logger.info("Request received for #{endpoint_name} with arguments: #{args[2..]}")
+    logger.info(LogDataFilter.sanitize_for_logging(
+                  "Request received for #{endpoint_name} with arguments: #{args[2..]}"
+                ))
 
     begin
       response = super(*args)
-      logger.info("Response for #{endpoint_name}: #{response}")
+      logger.info(LogDataFilter.sanitize_for_logging("Response for #{endpoint_name}: #{response}"))
     rescue StandardError => e
-      logger.error("Error processing #{endpoint_name}: #{e.message}\n#{e.backtrace.join("\n")}")
+      logger.error(
+        LogDataFilter.sanitize_for_logging("Error processing #{endpoint_name}: #{e.message}\n#{e.backtrace.join("\n")}")
+      )
       raise e
     end
 

data/lib/macaw_framework/core/server.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 
+require_relative "../middlewares/memory_invalidation_middleware"
 require_relative "../middlewares/rate_limiter_middleware"
 require_relative "../data_filters/response_data_filter"
-require_relative "../middlewares/memory_invalidation_middleware"
 require_relative "../errors/too_many_requests_error"
+require_relative "../utils/supported_ssl_versions"
 require_relative "../aspects/prometheus_aspect"
 require_relative "../aspects/logging_aspect"
 require_relative "../aspects/cache_aspect"
@@ -18,6 +19,8 @@ class Server
   prepend PrometheusAspect
   # rubocop:disable Metrics/ParameterLists
 
+  attr_reader :context
+
   ##
   # Create a new instance of Server.
   # @param {Macaw} macaw
@@ -123,18 +126,21 @@ class Server
   end
 
   def set_cache_ignored_h
-    ignored_headers = []
-    if @macaw.config&.dig("macaw", "cache", "ignored_headers")
-      ignored_headers = @macaw.config["macaw"]["cache"]["ignore_headers"] || []
-    end
-    ignored_headers
+    return unless @macaw.config&.dig("macaw", "cache", "ignore_headers")
+
+    @macaw.config["macaw"]["cache"]["ignore_headers"] || []
   end
 
   def set_ssl
-    if @macaw.config&.dig("macaw", "ssl")
+    ssl_config = @macaw.config["macaw"]["ssl"] if @macaw.config&.dig("macaw", "ssl")
+    ssl_config ||= nil
+    unless ssl_config.nil?
+      version_config = { min: ssl_config["min"], max: ssl_config["max"] }
       @context = OpenSSL::SSL::SSLContext.new
-      @context.cert = OpenSSL::X509::Certificate.new(File.read(@macaw.config["macaw"]["ssl"]["cert_file_name"]))
-      @context.key = OpenSSL::PKey::RSA.new(File.read(@macaw.config["macaw"]["ssl"]["key_file_name"]))
+      @context.min_version = SupportedSSLVersions::VERSIONS[version_config[:min]] unless version_config[:min].nil?
+      @context.max_version = SupportedSSLVersions::VERSIONS[version_config[:max]] unless version_config[:max].nil?
+      @context.cert = OpenSSL::X509::Certificate.new(File.read(ssl_config["cert_file_name"]))
+      @context.key = OpenSSL::PKey::RSA.new(File.read(ssl_config["key_file_name"]))
     end
     @context ||= nil
   rescue IOError => e
@@ -166,13 +172,13 @@ class Server
       {
         headers: client_data[:headers],
         body: client_data[:body],
-        params: client_data[:parameters],
+        params: client_data[:params],
         client: @session[client_ip][0]
       }
     )
   end
 
   def get_client_data(body, headers, parameters)
-    { body: body, headers: headers, parameters: parameters }
+    { body: body, headers: headers, params: parameters }
   end
 end

data/lib/macaw_framework/data_filters/log_data_filter.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: false
+
+require "json"
+
+##
+# Module responsible for sanitizing log data
+module LogDataFilter
+  DEFAULT_MAX_LENGTH = 512
+  DEFAULT_SENSITIVE_FIELDS = [].freeze
+
+  def self.config
+    @config ||= begin
+      file_path = "application.json"
+      config = {
+        max_length: DEFAULT_MAX_LENGTH,
+        sensitive_fields: DEFAULT_SENSITIVE_FIELDS
+      }
+
+      if File.exist?(file_path)
+        json = JSON.parse(File.read(file_path))
+
+        if json["macaw"] && json["macaw"]["log"]
+          log_config = json["macaw"]["log"]
+          config[:max_length] = log_config["max_length"] if log_config["max_length"]
+          config[:sensitive_fields] = log_config["sensitive_fields"] if log_config["sensitive_fields"]
+        end
+      end
+
+      config
+    end
+  end
+
+  def self.sanitize_for_logging(data, sensitive_fields: config[:sensitive_fields])
+    return "" if data.nil?
+
+    data = data.to_s.force_encoding("UTF-8")
+    data = data.gsub(/[\x00-\x1F\x7F]/, "")
+    data = data.gsub(/\s+/, " ")
+    data = data.slice(0, config[:max_length])
+
+    sensitive_fields.each do |field|
+      next unless data.include?(field.to_s)
+
+      data = data.gsub(/(#{Regexp.escape(field.to_s)}\s*[:=]\s*)([^\s]+)/) do |_match|
+        "#{::Regexp.last_match(1)}#{Digest::SHA256.hexdigest(::Regexp.last_match(2))}"
+      end
+    end
+
+    data
+  end
+end

data/lib/macaw_framework/data_filters/request_data_filtering.rb

@@ -114,6 +114,6 @@ module RequestDataFiltering
   # Method responsible for sanitizing the parameter value
   def self.sanitize_parameter_value(value)
     value.gsub(/[^\w\s]/, "")
-    value.gsub(/[\r\n\s]/, "")
+    value.gsub(/\s/, "")
   end
 end

data/lib/macaw_framework/utils/supported_ssl_versions.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module SupportedSSLVersions
+  VERSIONS = {
+    "SSL2" => OpenSSL::SSL::SSL2_VERSION,
+    "SSL3" => OpenSSL::SSL::SSL3_VERSION,
+    "TLS1.1" => OpenSSL::SSL::TLS1_1_VERSION,
+    "TLS1.2" => OpenSSL::SSL::TLS1_2_VERSION,
+    "TLS1.3" => OpenSSL::SSL::TLS1_3_VERSION
+  }.freeze
+end

data/lib/macaw_framework/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MacawFramework
-  VERSION = "1.0.1"
+  VERSION = "1.0.3"
 end

data/lib/macaw_framework.rb

@@ -37,7 +37,7 @@ module MacawFramework
         @prometheus_middleware = PrometheusMiddleware.new if @config["macaw"]["prometheus"]
         @prometheus_middleware.configure_prometheus(@prometheus, @config, self) if @config["macaw"]["prometheus"]
       rescue StandardError => e
-        @macaw_log.error(e.message)
+        @macaw_log.warn(e.message)
       end
       @port ||= 8080
       @bind ||= "localhost"

data/main/CODEOWNERS

@@ -0,0 +1 @@
+*       @ariasdiniz

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: macaw_framework
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.3
 platform: ruby
 authors:
 - Aria Diniz
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-05-03 00:00:00.000000000 Z
+date: 2023-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: prometheus-client
@@ -46,6 +46,7 @@ files:
 - lib/macaw_framework/aspects/logging_aspect.rb
 - lib/macaw_framework/aspects/prometheus_aspect.rb
 - lib/macaw_framework/core/server.rb
+- lib/macaw_framework/data_filters/log_data_filter.rb
 - lib/macaw_framework/data_filters/request_data_filtering.rb
 - lib/macaw_framework/data_filters/response_data_filter.rb
 - lib/macaw_framework/errors/endpoint_not_mapped_error.rb
@@ -54,8 +55,10 @@ files:
 - lib/macaw_framework/middlewares/prometheus_middleware.rb
 - lib/macaw_framework/middlewares/rate_limiter_middleware.rb
 - lib/macaw_framework/utils/http_status_code.rb
+- lib/macaw_framework/utils/supported_ssl_versions.rb
 - lib/macaw_framework/version.rb
 - macaw_logo.png
+- main/CODEOWNERS
 - sig/http_status_code.rbs
 - sig/logging_aspect.rbs
 - sig/macaw_framework.rbs
@@ -85,7 +88,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.12
+rubygems_version: 3.4.10
 signing_key: 
 specification_version: 4
 summary: A lightweight back-end web framework