otto 1.1.0.pre.alpha4 → 1.3.0

data/lib/otto/helpers/response.rb

@@ -1,22 +1,80 @@
+# lib/otto/helpers/response.rb
+
 class Otto
   module ResponseHelpers
     attr_accessor :request
-    def send_secure_cookie name, value, ttl
-      send_cookie name, value, ttl, true
-    end
-    def send_cookie name, value, ttl, secure=true
-      secure = false if request.local?
-      opts = {
-        :value    => value,
-        :path     => '/',
-        :expires  => (Time.now.utc + ttl + 10),
-        :secure   => secure
+
+    def send_secure_cookie(name, value, ttl, opts = {})
+      # Default security options
+      defaults = {
+        secure: true,
+        httponly: true,
+        same_site: :strict,
+        path: '/',
       }
-      #opts[:domain] = request.env['SERVER_NAME']
-      set_cookie name, opts
+
+      # Merge with provided options
+      cookie_opts = defaults.merge(opts)
+
+      # Set expiration using max-age (preferred) and expires (fallback)
+      if ttl&.positive?
+        cookie_opts[:max_age] = ttl
+        cookie_opts[:expires] = (Time.now.utc + ttl + 10)
+      elsif ttl&.negative?
+        # For deletion, set both to past date
+        cookie_opts[:max_age] = 0
+        cookie_opts[:expires] = Time.now.utc - 86_400
+      end
+
+      # Set the cookie value
+      cookie_opts[:value] = value
+
+      # Validate SameSite attribute
+      valid_same_site         = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
+      cookie_opts[:same_site] = :strict unless valid_same_site.include?(cookie_opts[:same_site])
+
+      # If SameSite=None, Secure must be true
+      cookie_opts[:secure] = true if cookie_opts[:same_site].to_s.downcase == 'none'
+
+      set_cookie name, cookie_opts
+    end
+
+    def send_session_cookie(name, value, opts = {})
+      # Session cookies don't have expiration
+      session_opts = opts.merge(
+        secure: true,
+        httponly: true,
+        samesite: :strict,
+      )
+
+      # Remove expiration-related options for session cookies
+      session_opts.delete(:max_age)
+      session_opts.delete(:expires)
+
+      # Adjust secure flag for local development
+      session_opts[:secure] = false if request.local?
+
+      session_opts[:value] = value
+      set_cookie name, session_opts
     end
-    def delete_cookie name
-      send_cookie name, nil, -1.day
+
+    def cookie_security_headers
+      # Add security headers that complement cookie security
+      headers = {}
+
+      # Prevent MIME type sniffing
+      headers['x-content-type-options'] = 'nosniff'
+
+      # Add referrer policy
+      headers['referrer-policy'] = 'strict-origin-when-cross-origin'
+
+      # Add frame options
+      headers['x-frame-options'] = 'DENY'
+
+      # Add XSS protection
+      headers['x-xss-protection'] = '1; mode=block'
+
+      headers
     end
   end
 end

data/lib/otto/route.rb

@@ -1,3 +1,4 @@
+# lib/otto/route.rb
 
 class Otto
   # Otto::Route
@@ -6,6 +7,12 @@ class Otto
   # that path is requested. Each route represents a single line in a
   # routes file.
   #
+  # Routes include built-in security features:
+  # - Class name validation to prevent code injection
+  # - Automatic security header injection
+  # - CSRF protection when enabled
+  # - Input validation and sanitization
+  #
   # e.g.
   #
   #      GET   /uri/path      YourApp.method
@@ -18,35 +25,117 @@ class Otto
     end
     attr_reader :verb, :path, :pattern, :method, :klass, :name, :definition, :keys, :kind
     attr_accessor :otto
-    def initialize verb, path, definition
-      @verb, @path, @definition = verb.to_s.upcase.to_sym, path, definition
+
+    # Initialize a new route with security validations
+    #
+    # @param verb [String] HTTP verb (GET, POST, PUT, DELETE, etc.)
+    # @param path [String] URL path pattern with optional parameters
+    # @param definition [String] Class and method definition (Class.method or Class#method)
+    # @raise [ArgumentError] if definition format is invalid or class name is unsafe
+    def initialize(verb, path, definition)
+      @verb           = verb.to_s.upcase.to_sym
+      @path           = path
+      @definition     = definition
       @pattern, @keys = *compile(@path)
       if !@definition.index('.').nil?
         @klass, @name = @definition.split('.')
-        @kind = :class
+        @kind         = :class
       elsif !@definition.index('#').nil?
         @klass, @name = @definition.split('#')
-        @kind = :instance
+        @kind         = :instance
       else
         raise ArgumentError, "Bad definition: #{@definition}"
       end
-      @klass = eval(@klass)
-      #@method = eval(@klass).method(@name)
+      @klass          = safe_const_get(@klass)
+      # @method = @klass.method(@name)
+    end
+
+    private
+
+    # Safely resolve a class name using Object.const_get with security validations
+    # This replaces the previous eval() usage to prevent code injection attacks.
+    #
+    # Security features:
+    # - Validates class name format (must start with capital letter)
+    # - Prevents access to dangerous system classes
+    # - Blocks relative class references (starting with ::)
+    # - Provides clear error messages for debugging
+    #
+    # @param class_name [String] The class name to resolve
+    # @return [Class] The resolved class
+    # @raise [ArgumentError] if class name is invalid, forbidden, or not found
+    def safe_const_get(class_name)
+      # Validate class name format
+      unless class_name.match?(/\A[A-Z][a-zA-Z0-9_]*(?:::[A-Z][a-zA-Z0-9_]*)*\z/)
+        raise ArgumentError, "Invalid class name format: #{class_name}"
+      end
+
+      # Prevent dangerous class names
+      forbidden_classes = %w[
+        Kernel Module Class Object BasicObject
+        File Dir IO Process System
+        Binding Proc Method UnboundMethod
+        Thread ThreadGroup Fiber
+        ObjectSpace GC
+      ]
+
+      if forbidden_classes.include?(class_name) || class_name.start_with?('::')
+        raise ArgumentError, "Forbidden class name: #{class_name}"
+      end
+
+      begin
+        Object.const_get(class_name)
+      rescue NameError => ex
+        raise ArgumentError, "Class not found: #{class_name} - #{ex.message}"
+      end
     end
+
+    public
+
     def pattern_regexp
-      Regexp.new(@path.gsub(/\/\*/, '/.+'))
+      Regexp.new(@path.gsub('/*', '/.+'))
     end
-    def call(env, extra_params={})
+
+    # Execute the route by calling the associated class method
+    #
+    # This method handles the complete request/response cycle with built-in security:
+    # - Processes parameters through the security layer
+    # - Adds configured security headers to the response
+    # - Extends request/response with security helpers when enabled
+    # - Provides CSRF and validation helpers to the target class
+    #
+    # @param env [Hash] Rack environment hash
+    # @param extra_params [Hash] Additional parameters to merge (default: {})
+    # @return [Array] Rack response array [status, headers, body]
+    def call(env, extra_params = {})
       extra_params ||= {}
-      req = Rack::Request.new(env)
-      res = Rack::Response.new
+      req            = Rack::Request.new(env)
+      res            = Rack::Response.new
       req.extend Otto::RequestHelpers
       res.extend Otto::ResponseHelpers
-      res.request = req
+      res.request    = req
+
+      # Process parameters through security layer
       req.params.merge! extra_params
       req.params.replace Otto::Static.indifferent_params(req.params)
+
+      # Add security headers
+      if otto.respond_to?(:security_config) && otto.security_config
+        otto.security_config.security_headers.each do |header, value|
+          res.headers[header] = value
+        end
+      end
+
       klass.extend Otto::Route::ClassMethods
-      klass.otto = self.otto
+      klass.otto = otto
+
+      # Add security helpers if CSRF is enabled
+      if otto.respond_to?(:security_config) && otto.security_config&.csrf_enabled?
+        res.extend Otto::Security::CSRFHelpers
+      end
+
+      # Add validation helpers
+      res.extend Otto::Security::ValidationHelpers
 
       case kind
       when :instance
@@ -55,28 +144,31 @@ class Otto
       when :class
         klass.send(name, req, res)
       else
-        raise RuntimeError, "Unsupported kind for #{@definition}: #{kind}"
+        raise "Unsupported kind for #{@definition}: #{kind}"
       end
       res.body = [res.body] unless res.body.respond_to?(:each)
       res.finish
     end
+
+    private
+
     # Brazenly borrowed from Sinatra::Base:
     # https://github.com/sinatra/sinatra/blob/v1.2.6/lib/sinatra/base.rb#L1156
     def compile(path)
       keys = []
       if path.respond_to? :to_str
-        special_chars = %w{. + ( ) $}
-        pattern =
+        special_chars = %w[. + ( ) $]
+        pattern       =
           path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
             case match
-            when "*"
+            when '*'
               keys << 'splat'
-              "(.*?)"
+              '(.*?)'
             when *special_chars
               Regexp.escape(match)
             else
-              keys << $2[1..-1]
-              "([^/?#]+)"
+              keys << ::Regexp.last_match(2)[1..-1]
+              '([^/?#]+)'
             end
           end
         # Wrap the regex in parens so the regex works properly.

data/lib/otto/security/config.rb

@@ -0,0 +1,312 @@
+# lib/otto/security/config.rb
+
+require 'securerandom'
+require 'digest'
+
+class Otto
+  module Security
+    # Security configuration for Otto applications
+    #
+    # This class manages all security-related settings including CSRF protection,
+    # input validation, trusted proxies, and security headers. Security features
+    # are disabled by default for backward compatibility.
+    #
+    # @example Basic usage
+    #   config = Otto::Security::Config.new
+    #   config.enable_csrf_protection!
+    #   config.add_trusted_proxy('10.0.0.0/8')
+    #
+    # @example Custom limits
+    #   config = Otto::Security::Config.new
+    #   config.max_request_size = 5 * 1024 * 1024  # 5MB
+    #   config.max_param_depth = 16
+    class Config
+      attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
+        :max_request_size, :max_param_depth, :max_param_keys,
+        :trusted_proxies, :require_secure_cookies,
+        :security_headers, :input_validation
+
+      # Initialize security configuration with safe defaults
+      #
+      # All security features are disabled by default to maintain backward
+      # compatibility with existing Otto applications.
+      def initialize
+        @csrf_protection        = false
+        @csrf_token_key         = '_csrf_token'
+        @csrf_header_key        = 'HTTP_X_CSRF_TOKEN'
+        @csrf_session_key       = '_csrf_session_id'
+        @max_request_size       = 10 * 1024 * 1024 # 10MB
+        @max_param_depth        = 32
+        @max_param_keys         = 64
+        @trusted_proxies        = []
+        @require_secure_cookies = false
+        @security_headers       = default_security_headers
+        @input_validation       = true
+      end
+
+      # Enable CSRF (Cross-Site Request Forgery) protection
+      #
+      # When enabled, Otto will:
+      # - Generate CSRF tokens for safe HTTP methods (GET, HEAD, OPTIONS, TRACE)
+      # - Validate CSRF tokens for unsafe methods (POST, PUT, DELETE, PATCH)
+      # - Automatically inject CSRF meta tags into HTML responses
+      # - Provide helper methods for forms and AJAX requests
+      #
+      # @return [void]
+      def enable_csrf_protection!
+        @csrf_protection = true
+      end
+
+      # Disable CSRF protection
+      #
+      # @return [void]
+      def disable_csrf_protection!
+        @csrf_protection = false
+      end
+
+      # Check if CSRF protection is currently enabled
+      #
+      # @return [Boolean] true if CSRF protection is enabled
+      def csrf_enabled?
+        @csrf_protection
+      end
+
+      # Add a trusted proxy server for accurate client IP detection
+      #
+      # Only requests from trusted proxies will have their X-Forwarded-For
+      # and similar headers honored for IP detection. This prevents IP spoofing
+      # from untrusted sources.
+      #
+      # @param proxy [String, Array] IP address, CIDR range, or array of addresses
+      # @raise [ArgumentError] if proxy is not a String or Array
+      # @return [void]
+      #
+      # @example Add single proxy
+      #   config.add_trusted_proxy('10.0.0.1')
+      #
+      # @example Add CIDR range
+      #   config.add_trusted_proxy('192.168.0.0/16')
+      #
+      # @example Add multiple proxies
+      #   config.add_trusted_proxy(['10.0.0.1', '172.16.0.0/12'])
+      def add_trusted_proxy(proxy)
+        case proxy
+        when String
+          @trusted_proxies << proxy
+        when Array
+          @trusted_proxies.concat(proxy)
+        else
+          raise ArgumentError, 'Proxy must be a String or Array'
+        end
+      end
+
+      # Check if an IP address is from a trusted proxy
+      #
+      # @param ip [String] IP address to check
+      # @return [Boolean] true if the IP is from a trusted proxy
+      def trusted_proxy?(ip)
+        return false if @trusted_proxies.empty?
+
+        @trusted_proxies.any? do |proxy|
+          case proxy
+          when String
+            ip == proxy || ip.start_with?(proxy)
+          when Regexp
+            proxy.match?(ip)
+          else
+            false
+          end
+        end
+      end
+
+      # Validate that a request size is within acceptable limits
+      #
+      # @param content_length [String, Integer, nil] Content-Length header value
+      # @raise [Otto::Security::RequestTooLargeError] if request exceeds maximum size
+      # @return [Boolean] true if request size is acceptable
+      def validate_request_size(content_length)
+        return true if content_length.nil?
+
+        size = content_length.to_i
+        if size > @max_request_size
+          raise Otto::Security::RequestTooLargeError,
+            "Request size #{size} exceeds maximum #{@max_request_size}"
+        end
+        true
+      end
+
+      def generate_csrf_token(session_id = nil)
+        base       = session_id || 'no-session'
+        token      = SecureRandom.hex(32)
+        hash_input = base + ':' + token
+        signature  = Digest::SHA256.hexdigest(hash_input)
+        csrf_token = "#{token}:#{signature}"
+
+        puts '=== CSRF Generation ==='
+        puts "hash_input: #{hash_input.inspect}"
+        puts "signature: #{signature}"
+        puts "csrf_token: #{csrf_token}"
+
+        csrf_token
+      end
+
+      def verify_csrf_token(token, session_id = nil)
+        return false if token.nil? || token.empty?
+
+        token_part, signature = token.split(':')
+        return false if token_part.nil? || signature.nil?
+
+        base               = session_id || 'no-session'
+        hash_input         = "#{base}:#{token_part}"
+        expected_signature = Digest::SHA256.hexdigest(hash_input)
+        comparison_result  = secure_compare(signature, expected_signature)
+
+        puts '=== CSRF Verification ==='
+        puts "hash_input: #{hash_input.inspect}"
+        puts "received_signature: #{signature}"
+        puts "expected_signature: #{expected_signature}"
+        puts "match: #{comparison_result}"
+
+        comparison_result
+      end
+
+      # Enable HTTP Strict Transport Security (HSTS) header
+      #
+      # HSTS forces browsers to use HTTPS for all future requests to this domain.
+      # WARNING: This can make your domain inaccessible if HTTPS is not properly
+      # configured. Only enable this when you're certain HTTPS is working correctly.
+      #
+      # @param max_age [Integer] Maximum age in seconds (default: 1 year)
+      # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
+      # @return [void]
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        hsts_value                                     = "max-age=#{max_age}"
+        hsts_value                                    += '; includeSubDomains' if include_subdomains
+        @security_headers['strict-transport-security'] = hsts_value
+      end
+
+      # Enable Content Security Policy (CSP) header
+      #
+      # CSP helps prevent XSS attacks by controlling which resources can be loaded.
+      # The default policy only allows resources from the same origin.
+      #
+      # @param policy [String] CSP policy string (default: "default-src 'self'")
+      # @return [void]
+      #
+      # @example Custom policy
+      #   config.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
+      def enable_csp!(policy = "default-src 'self'")
+        @security_headers['content-security-policy'] = policy
+      end
+
+      # Enable X-Frame-Options header to prevent clickjacking
+      #
+      # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
+      # @return [void]
+      def enable_frame_protection!(option = 'SAMEORIGIN')
+        @security_headers['x-frame-options'] = option
+      end
+
+      # Set custom security headers
+      #
+      # @param headers [Hash] Hash of header name => value pairs
+      # @return [void]
+      #
+      # @example
+      #   config.set_custom_headers({
+      #     'permissions-policy' => 'geolocation=(), microphone=()',
+      #     'cross-origin-opener-policy' => 'same-origin'
+      #   })
+      def set_custom_headers(headers)
+        @security_headers.merge!(headers)
+      end
+
+      def get_or_create_session_id(request)
+        # Try existing sources first
+        session_id = extract_existing_session_id(request)
+
+        # Create and persist if none found
+        if session_id.nil? || session_id.empty?
+          session_id = SecureRandom.hex(16)
+          store_session_id(request, session_id)
+        end
+
+        session_id
+      end
+
+      private
+
+      def extract_existing_session_id(request)
+        # Try session first
+        begin
+          session = request.session
+          if session
+            return session.id if session.respond_to?(:id) && session.id
+            return session[csrf_session_key] if session[csrf_session_key]
+            return session['session_id'] if session['session_id']
+          end
+        rescue StandardError
+          # Fall through to cookies
+        end
+
+        # Try cookies
+        request.cookies['_otto_session'] ||
+          request.cookies['session_id'] ||
+          request.cookies['_session_id']
+      end
+
+      def store_session_id(request, session_id)
+          session                   = request.session
+          session[csrf_session_key] = session_id if session
+      rescue StandardError
+        # Cookie fallback handled in inject_csrf_token
+      end
+
+      # Default security headers applied to all responses
+      #
+      # These headers provide basic defense against common web vulnerabilities:
+      # - x-content-type-options: Prevents MIME type sniffing
+      # - x-xss-protection: Enables browser XSS filtering (legacy browsers)
+      # - referrer-policy: Controls referrer information leakage
+      #
+      # Note: Restrictive headers like HSTS, CSP, and X-Frame-Options are not
+      # included by default to avoid breaking downstream applications. These
+      # should be configured explicitly when appropriate.
+      #
+      # @return [Hash] Hash of header names and values (all lowercase for Rack 3+)
+      def default_security_headers
+        {
+          'x-content-type-options' => 'nosniff',
+          'x-xss-protection' => '1; mode=block',
+          'referrer-policy' => 'strict-origin-when-cross-origin',
+        }
+      end
+
+      # Perform constant-time string comparison to prevent timing attacks
+      #
+      # This method compares two strings in constant time regardless of where
+      # they differ, preventing attackers from using timing differences to
+      # deduce information about secret values.
+      #
+      # @param a [String, nil] First string to compare
+      # @param b [String, nil] Second string to compare
+      # @return [Boolean] true if strings are equal
+      def secure_compare(a, b)
+        return false if a.nil? || b.nil? || a.length != b.length
+
+        result                                = 0
+        a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
+        result == 0
+      end
+    end
+
+    # Raised when a request exceeds the configured size limit
+    class RequestTooLargeError < StandardError; end
+
+    # Raised when CSRF token validation fails
+    class CSRFError < StandardError; end
+
+    # Raised when input validation fails (XSS, SQL injection, etc.)
+    class ValidationError < StandardError; end
+  end
+end