otto 1.1.0.pre.alpha3 → 1.2.0

data/lib/otto.rb

@@ -1,4 +1,5 @@
 require 'logger'
+require 'securerandom'
 
 require 'rack/request'
 require 'rack/response'
@@ -10,9 +11,30 @@ require_relative 'otto/static'
 require_relative 'otto/helpers/request'
 require_relative 'otto/helpers/response'
 require_relative 'otto/version'
+require_relative 'otto/security/config'
+require_relative 'otto/security/csrf'
+require_relative 'otto/security/validator'
 
 # Otto is a simple Rack router that allows you to define routes in a file
+# with built-in security features including CSRF protection, input validation,
+# and trusted proxy support.
 #
+# Basic usage:
+#   otto = Otto.new('routes.txt')
+#
+# With security features:
+#   otto = Otto.new('routes.txt', {
+#     csrf_protection: true,
+#     request_validation: true,
+#     trusted_proxies: ['10.0.0.0/8']
+#   })
+#
+# Security headers are applied conservatively by default (only basic headers
+# like X-Content-Type-Options). Restrictive headers like HSTS, CSP, and
+# X-Frame-Options must be enabled explicitly:
+#   otto.enable_hsts!
+#   otto.enable_csp!
+#   otto.enable_frame_protection!
 #
 class Otto
   LIB_HOME = __dir__ unless defined?(Otto::LIB_HOME)
@@ -20,79 +42,141 @@ class Otto
   @debug = ENV['OTTO_DEBUG'] == 'true'
   @logger = Logger.new($stdout, Logger::INFO)
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions
-  attr_reader :option, :static_route
-  attr_accessor :not_found, :server_error
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config
+  attr_accessor :not_found, :server_error, :middleware_stack
 
-  def initialize path=nil, opts={}
+  def initialize(path = nil, opts = {})
     @routes_static =  { GET: {} }
     @routes =         { GET: [] }
     @routes_literal = { GET: {} }
     @route_definitions = {}
-    @option = opts.merge({
+    @option = {
       public: nil,
       locale: 'en'
-    })
+    }.merge(opts)
+    @security_config = Otto::Security::Config.new
+    @middleware_stack = []
+
+    # Configure security based on options
+    configure_security(opts)
+
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
   end
-  alias_method :options, :option
+  alias options option
 
-  def load path
+  def load(path)
     path = File.expand_path(path)
     raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
+
     raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip.split(/\s+/) }
-    raw.each { |entry|
-      begin
-        verb, path, definition = *entry
-        route = Otto::Route.new verb, path, definition
-        route.otto = self
-        path_clean = path.gsub /\/$/, ''
-        @route_definitions[route.definition] = route
-        Otto.logger.debug "route: #{route.pattern}" if Otto.debug
-        @routes[route.verb] ||= []
-        @routes[route.verb] << route
-        @routes_literal[route.verb] ||= {}
-        @routes_literal[route.verb][path_clean] = route
-
-      rescue StandardError => ex
-        Otto.logger.error "Bad route in #{path}: #{entry}"
-      end
-    }
+    raw.each do |entry|
+      verb, path, definition = *entry
+      route = Otto::Route.new verb, path, definition
+      route.otto = self
+      path_clean = path.gsub(%r{/$}, '')
+      @route_definitions[route.definition] = route
+      Otto.logger.debug "route: #{route.pattern}" if Otto.debug
+      @routes[route.verb] ||= []
+      @routes[route.verb] << route
+      @routes_literal[route.verb] ||= {}
+      @routes_literal[route.verb][path_clean] = route
+    rescue StandardError
+      Otto.logger.error "Bad route in #{path}: #{entry}"
+    end
     self
   end
 
-  def safe_file? path
-    globstr = File.join(option[:public], '*')
-    pathstr = File.join(option[:public], path)
-    File.fnmatch?(globstr, pathstr) && (File.owned?(pathstr) || File.grpowned?(pathstr)) && File.readable?(pathstr) && !File.directory?(pathstr)
+  def safe_file?(path)
+    return false if option[:public].nil? || option[:public].empty?
+    return false if path.nil? || path.empty?
+
+    # Normalize and resolve the public directory path
+    public_dir = File.expand_path(option[:public])
+    return false unless File.directory?(public_dir)
+
+    # Clean the requested path - remove null bytes and normalize
+    clean_path = path.gsub("\0", "").strip
+    return false if clean_path.empty?
+
+    # Join and expand to get the full resolved path
+    requested_path = File.expand_path(File.join(public_dir, clean_path))
+
+    # Ensure the resolved path is within the public directory (prevents path traversal)
+    return false unless requested_path.start_with?(public_dir + File::SEPARATOR)
+
+    # Check file exists, is readable, and is not a directory
+    File.exist?(requested_path) &&
+      File.readable?(requested_path) &&
+      !File.directory?(requested_path) &&
+      (File.owned?(requested_path) || File.grpowned?(requested_path))
+end
+
+  def safe_dir?(path)
+    return false if path.nil? || path.empty?
+
+    # Clean and expand the path
+    clean_path = path.gsub("\0", "").strip
+    return false if clean_path.empty?
+
+    expanded_path = File.expand_path(clean_path)
+
+    # Check directory exists, is readable, and has proper ownership
+    File.directory?(expanded_path) &&
+      File.readable?(expanded_path) &&
+      (File.owned?(expanded_path) || File.grpowned?(expanded_path))
   end
 
-  def safe_dir? path
-    (File.owned?(path) || File.grpowned?(path)) && File.directory?(path)
+  def add_static_path(path)
+    return unless safe_file?(path)
+
+    base_path = File.split(path).first
+    # Files in the root directory can refer to themselves
+    base_path = path if base_path == '/'
+    File.join(option[:public], base_path)
+    Otto.logger.debug "new static route: #{base_path} (#{path})" if Otto.debug
+    routes_static[:GET][base_path] = base_path
   end
 
-  def add_static_path path
-    if safe_file?(path)
-      base_path = File.split(path).first
-      # Files in the root directory can refer to themselves
-      base_path = path if base_path == '/'
-      static_path = File.join(option[:public], base_path)
-      Otto.logger.debug "new static route: #{base_path} (#{path})" if Otto.debug
-      routes_static[:GET][base_path] = base_path
+  def call(env)
+    # Apply middleware stack
+    app = lambda { |e| handle_request(e) }
+    @middleware_stack.reverse.each do |middleware|
+      app = middleware.new(app, @security_config)
+    end
+
+    begin
+      app.call(env)
+    rescue StandardError => e
+      handle_error(e, env)
     end
   end
 
-  def call env
+  def handle_request(env)
     locale = determine_locale env
     env['rack.locale'] = locale
-    if option[:public] && safe_dir?(option[:public])
-      @static_route ||= Rack::File.new(option[:public])
-    end
+    @static_route ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
     path_info = Rack::Utils.unescape(env['PATH_INFO'])
     path_info = '/' if path_info.to_s.empty?
-    path_info_clean = path_info.gsub /\/$/, ''
+
+    begin
+      path_info_clean = path_info
+                        .encode(
+                          'UTF-8', # Target encoding
+                          invalid: :replace, # Replace invalid byte sequences
+                          undef: :replace,   # Replace characters undefined in UTF-8
+                          replace: ''        # Use empty string for replacement
+                        )
+                        .gsub(%r{/$}, '') # Remove trailing slash, if present
+    rescue ArgumentError => e
+      # Log the error but don't expose details
+      Otto.logger.error "[Otto.handle_request] Path encoding error"
+      Otto.logger.debug "[Otto.handle_request] Error details: #{e.message}" if Otto.debug
+      # Set a default value or use the original path_info
+      path_info_clean = path_info
+    end
+
     base_path = File.split(path_info).first
     # Files in the root directory can refer to themselves
     base_path = path_info if base_path == '/'
@@ -100,49 +184,47 @@ class Otto
     literal_routes = routes_literal[http_verb] || {}
     literal_routes.merge! routes_literal[:GET] if http_verb == :HEAD
     if static_route && http_verb == :GET && routes_static[:GET].member?(base_path)
-      #Otto.logger.debug " request: #{path_info} (static)"
+      # Otto.logger.debug " request: #{path_info} (static)"
       static_route.call(env)
     elsif literal_routes.has_key?(path_info_clean)
       route = literal_routes[path_info_clean]
-      #Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
+      # Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
       route.call(env)
     elsif static_route && http_verb == :GET && safe_file?(path_info)
-      static_path = File.join(option[:public], base_path)
-      Otto.logger.debug " new static route: #{base_path} (#{path_info})"
+      Otto.logger.debug " new static route: #{base_path} (#{path_info})" if Otto.debug
       routes_static[:GET][base_path] = base_path
       static_route.call(env)
     else
       extra_params = {}
       found_route = nil
       valid_routes = routes[http_verb] || []
-      valid_routes.push *routes[:GET] if http_verb == :HEAD
-      valid_routes.each { |route|
-        #Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
-        if (match = route.pattern.match(path_info))
-          values = match.captures.to_a
-          # The first capture returned is the entire matched string b/c
-          # we wrapped the entire regex in parens. We don't need it to
-          # the full match.
-          full_match = values.shift
-          extra_params =
-            if route.keys.any?
-              route.keys.zip(values).inject({}) do |hash,(k,v)|
-                if k == 'splat'
-                  (hash[k] ||= []) << v
-                else
-                  hash[k] = v
-                end
-                hash
+      valid_routes.push(*routes[:GET]) if http_verb == :HEAD
+      valid_routes.each do |route|
+        # Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
+        next unless (match = route.pattern.match(path_info))
+
+        values = match.captures.to_a
+        # The first capture returned is the entire matched string b/c
+        # we wrapped the entire regex in parens. We don't need it to
+        # the full match.
+        values.shift
+        extra_params =
+          if route.keys.any?
+            route.keys.zip(values).each_with_object({}) do |(k, v), hash|
+              if k == 'splat'
+                (hash[k] ||= []) << v
+              else
+                hash[k] = v
               end
-            elsif values.any?
-              {'captures' => values}
-            else
-              {}
             end
-            found_route = route
-            break
-        end
-      }
+          elsif values.any?
+            { 'captures' => values }
+          else
+            {}
+          end
+        found_route = route
+        break
+      end
       found_route ||= literal_routes['/404']
       if found_route
         found_route.call env, extra_params
@@ -150,14 +232,6 @@ class Otto
         @not_found || Otto::Static.not_found
       end
     end
-  rescue => ex
-    Otto.logger.error "#{ex.class}: #{ex.message} #{ex.backtrace.join("\n")}"
-
-    if found_route = literal_routes['/500']
-      found_route.call env
-    else
-      @server_error || Otto::Static.server_error
-    end
   end
 
   # Return the URI path for the given +route_definition+
@@ -165,44 +239,196 @@ class Otto
   #
   #     Otto.default.path 'YourClass.somemethod'  #=> /some/path
   #
-  def uri route_definition, params={}
-    #raise RuntimeError, "Not working"
+  def uri(route_definition, params = {})
+    # raise RuntimeError, "Not working"
     route = @route_definitions[route_definition]
-    unless route.nil?
-      local_params = params.clone
-      local_path = route.path.clone
-      if objid = local_params.delete(:id) || local_params.delete('id')
-        local_path.gsub! /\*/, objid
-      end
-      local_params.each_pair { |k,v|
-        next unless local_path.match(":#{k}")
-        local_path.gsub!(":#{k}", local_params.delete(k))
-      }
-      uri = Addressable::URI.new
-      uri.path = local_path
-      uri.query_values = local_params
-      uri.to_s
+    return if route.nil?
+
+    local_params = params.clone
+    local_path = route.path.clone
+
+    local_params.each_pair do |k, v|
+      next unless local_path.match(":#{k}")
+
+      local_path.gsub!(":#{k}", v.to_s)
+      local_params.delete(k)
     end
+    uri = Addressable::URI.new
+    uri.path = local_path
+    uri.query_values = local_params unless local_params.empty?
+    uri.to_s
   end
 
-  def determine_locale env
+  def determine_locale(env)
     accept_langs = env['HTTP_ACCEPT_LANGUAGE']
-    accept_langs = self.option[:locale] if accept_langs.to_s.empty?
+    accept_langs = option[:locale] if accept_langs.to_s.empty?
     locales = []
     unless accept_langs.empty?
-      locales = accept_langs.split(',').map { |l|
-        l += ';q=1.0' unless l =~ /;q=\d+(?:\.\d+)?$/
+      locales = accept_langs.split(',').map do |l|
+        l += ';q=1.0' unless /;q=\d+(?:\.\d+)?$/.match?(l)
         l.split(';q=')
-      }.sort_by { |locale, qvalue|
+      end.sort_by do |_locale, qvalue|
         qvalue.to_f
-      }.collect { |locale, qvalue|
+      end.collect do |locale, _qvalue|
         locale
-      }.reverse
+      end.reverse
     end
     Otto.logger.debug "locale: #{locales} (#{accept_langs})" if Otto.debug
     locales.empty? ? nil : locales
   end
 
+  # Add middleware to the stack
+  #
+  # @param middleware [Class] The middleware class to add
+  # @param args [Array] Additional arguments for the middleware
+  # @param block [Proc] Optional block for middleware configuration
+  def use(middleware, *args, &block)
+    @middleware_stack << middleware
+  end
+
+  # Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.
+  # This will automatically add CSRF tokens to HTML forms and validate
+  # them on unsafe HTTP methods.
+  #
+  # @example
+  #   otto.enable_csrf_protection!
+  def enable_csrf_protection!
+    return if middleware_enabled?(Otto::Security::CSRFMiddleware)
+
+    @security_config.enable_csrf_protection!
+    use Otto::Security::CSRFMiddleware
+  end
+
+  # Enable request validation including input sanitization, size limits,
+  # and protection against XSS and SQL injection attacks.
+  #
+  # @example
+  #   otto.enable_request_validation!
+  def enable_request_validation!
+    return if middleware_enabled?(Otto::Security::ValidationMiddleware)
+
+    @security_config.input_validation = true
+    use Otto::Security::ValidationMiddleware
+  end
+
+  # Add a trusted proxy server for accurate client IP detection.
+  # Only requests from trusted proxies will have their forwarded headers honored.
+  #
+  # @param proxy [String, Regexp] IP address, CIDR range, or regex pattern
+  # @example
+  #   otto.add_trusted_proxy('10.0.0.0/8')
+  #   otto.add_trusted_proxy(/^172\.16\./)
+  def add_trusted_proxy(proxy)
+    @security_config.add_trusted_proxy(proxy)
+  end
+
+  # Set custom security headers that will be added to all responses.
+  # These merge with the default security headers.
+  #
+  # @param headers [Hash] Hash of header name => value pairs
+  # @example
+  #   otto.set_security_headers({
+  #     'content-security-policy' => "default-src 'self'",
+  #     'strict-transport-security' => 'max-age=31536000'
+  #   })
+  def set_security_headers(headers)
+    @security_config.security_headers.merge!(headers)
+  end
+
+  # Enable HTTP Strict Transport Security (HSTS) header.
+  # WARNING: This can make your domain inaccessible if HTTPS is not properly
+  # configured. Only enable this when you're certain HTTPS is working correctly.
+  #
+  # @param max_age [Integer] Maximum age in seconds (default: 1 year)
+  # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
+  # @example
+  #   otto.enable_hsts!(max_age: 86400, include_subdomains: false)
+  def enable_hsts!(max_age: 31536000, include_subdomains: true)
+    @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
+  end
+
+  # Enable Content Security Policy (CSP) header to prevent XSS attacks.
+  # The default policy only allows resources from the same origin.
+  #
+  # @param policy [String] CSP policy string (default: "default-src 'self'")
+  # @example
+  #   otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
+  def enable_csp!(policy = "default-src 'self'")
+    @security_config.enable_csp!(policy)
+  end
+
+  # Enable X-Frame-Options header to prevent clickjacking attacks.
+  #
+  # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
+  # @example
+  #   otto.enable_frame_protection!('DENY')
+  def enable_frame_protection!(option = 'SAMEORIGIN')
+    @security_config.enable_frame_protection!(option)
+  end
+
+  private
+
+  def configure_security(opts)
+    # Enable CSRF protection if requested
+    enable_csrf_protection! if opts[:csrf_protection]
+
+    # Enable request validation if requested
+    enable_request_validation! if opts[:request_validation]
+
+    # Add trusted proxies if provided
+    if opts[:trusted_proxies]
+      Array(opts[:trusted_proxies]).each { |proxy| add_trusted_proxy(proxy) }
+    end
+
+    # Set custom security headers
+    if opts[:security_headers]
+      set_security_headers(opts[:security_headers])
+    end
+  end
+
+  def middleware_enabled?(middleware_class)
+    @middleware_stack.any? { |m| m == middleware_class }
+  end
+
+  def handle_error(error, env)
+    # Log error details internally but don't expose them
+    error_id = SecureRandom.hex(8)
+    Otto.logger.error "[#{error_id}] #{error.class}: #{error.message}"
+    Otto.logger.debug "[#{error_id}] Backtrace: #{error.backtrace.join("\n")}" if Otto.debug
+
+    # Check for custom error routes
+    request = Rack::Request.new(env) rescue nil
+    literal_routes = @routes_literal[:GET] || {}
+
+    # Try custom 500 route first
+    if found_route = literal_routes['/500']
+      begin
+        env['otto.error_id'] = error_id
+        return found_route.call(env)
+      rescue StandardError => route_error
+        Otto.logger.error "[#{error_id}] Error in custom error handler: #{route_error.message}"
+      end
+    end
+
+    # Fallback to built-in error response
+    @server_error || secure_error_response(error_id)
+  end
+
+  def secure_error_response(error_id)
+    body = if Otto.env?(:dev, :development)
+             "Server error (ID: #{error_id}). Check logs for details."
+           else
+             "An error occurred. Please try again later."
+           end
+
+    headers = {
+      'content-type' => 'text/plain',
+      'content-length' => body.bytesize.to_s
+    }.merge(@security_config.security_headers)
+
+    [500, headers, [body]]
+  end
+
   class << self
     attr_accessor :debug, :logger
   end
@@ -212,15 +438,19 @@ class Otto
       @default ||= Otto.new
       @default
     end
-    def load path
+
+    def load(path)
       default.load path
     end
-    def path definition, params={}
+
+    def path(definition, params = {})
       default.path definition, params
     end
+
     def routes
       default.routes
     end
+
     def env? *guesses
       !guesses.flatten.select { |n| ENV['RACK_ENV'].to_s == n.to_s }.empty?
     end

data/otto.gemspec

@@ -1,24 +1,28 @@
-# -*- encoding: utf-8 -*-
+# otto.gemspec
 
 require_relative 'lib/otto/version'
 
 Gem::Specification.new do |spec|
-  spec.name = "otto"
+  spec.name = 'otto'
   spec.version = Otto::VERSION.to_s
-  spec.summary = "Auto-define your rack-apps in plaintext."
+  spec.summary = 'Auto-define your rack-apps in plaintext.'
   spec.description = "Otto: #{spec.summary}"
-  spec.email = "gems@solutious.com"
-  spec.authors = ["Delano Mandelbaum"]
-  spec.license = "MIT"
+  spec.email = 'gems@solutious.com'
+  spec.authors = ['Delano Mandelbaum']
+  spec.license = 'MIT'
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.homepage = "https://github.com/delano/otto"
-  spec.require_paths = ["lib"]
-  spec.rubygems_version = "3.5.15" # Update to the latest version
+  spec.homepage = 'https://github.com/delano/otto'
+  spec.require_paths = ['lib']
 
-  spec.required_ruby_version = ['>= 2.6.8', '< 4.0']
+  spec.required_ruby_version = ['>= 3.4', '< 4.0']
 
-  spec.add_runtime_dependency 'addressable', '~> 2.2', '< 3'
-  spec.add_runtime_dependency 'rack', '~> 2.2', '< 3.0'
+  # https://github.com/delano/otto/security/dependabot/5
+  spec.add_dependency 'rexml', '>= 3.3.6'
+
+  spec.add_dependency 'addressable', '~> 2.2', '< 3'
+  spec.add_dependency 'rack', '~> 3.1', '< 4.0'
+  spec.add_dependency 'rack-parser', '~> 0.7'
+  spec.metadata['rubygems_mfa_required'] = 'true'
 end