otto 1.1.0.pre.alpha4 → 1.3.0

data/lib/otto/security/csrf.rb

@@ -0,0 +1,177 @@
+# lib/otto/security/csrf.rb
+
+require 'securerandom'
+
+class Otto
+  # CSRF protection middleware for Otto framework
+  module Security
+    # Middleware that provides Cross-Site Request Forgery (CSRF) protection
+    class CSRFMiddleware
+      SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
+
+      def initialize(app, config = nil)
+        @app    = app
+        @config = config || Otto::Security::Config.new
+      end
+
+      def call(env)
+        return @app.call(env) unless @config.csrf_enabled?
+
+        request = Rack::Request.new(env)
+
+        # Skip CSRF protection for safe methods
+        if safe_method?(request.request_method)
+          response = @app.call(env)
+          response = inject_csrf_token(request, response) if html_response?(response)
+          return response
+        end
+
+        # Validate CSRF token for unsafe methods
+        return csrf_error_response unless valid_csrf_token?(request)
+
+        @app.call(env)
+      end
+
+      private
+
+      def safe_method?(method)
+        SAFE_METHODS.include?(method.upcase)
+      end
+
+      def valid_csrf_token?(request)
+        token = extract_csrf_token(request)
+        return false if token.nil? || token.empty?
+
+        session_id = @config.get_or_create_session_id(request)
+        @config.verify_csrf_token(token, session_id)
+      end
+
+      def extract_csrf_token(request)
+        # Try form parameter first
+        token = request.params[@config.csrf_token_key]
+
+        # Try header if not in params
+        token ||= request.env[@config.csrf_header_key]
+
+        # Try alternative header format
+        token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
+
+        token
+      end
+
+      def extract_session_id(request)
+        @config.get_or_create_session_id(request)
+      end
+
+      def inject_csrf_token(request, response)
+        return response unless response.is_a?(Array) && response.length >= 3
+
+        status, headers, body = response
+        content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+
+        return response unless content_type&.include?('text/html')
+
+        # Get or create session ID
+        session_id = @config.get_or_create_session_id(request)
+
+        # Ensure session ID is saved to cookie if it was newly created
+        ensure_session_cookie(request, headers, session_id)
+
+        # Generate new CSRF token
+        csrf_token = @config.generate_csrf_token(session_id)
+
+        # Inject meta tag into HTML head
+        body_content = body.respond_to?(:join) ? body.join : body.to_s
+
+        if body_content.match?(/<head>/i)
+          meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
+          body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
+
+          # Update content length if present
+          content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
+          headers[content_length_key] = body_content.bytesize.to_s if content_length_key
+
+          [status, headers, [body_content]]
+        else
+          response
+        end
+      end
+
+      def ensure_session_cookie(request, headers, session_id)
+        # Check if session ID already exists in cookies
+        existing_cookie = request.cookies['_otto_session']
+        return if existing_cookie == session_id
+
+        # Set the session cookie
+        cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
+        cookie_value += '; Secure' if request.scheme == 'https'
+
+        # Handle existing Set-Cookie headers
+        existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
+        if existing_cookies
+          # Append to existing cookies (handle both string and array formats)
+          if existing_cookies.is_a?(Array)
+            existing_cookies << "_otto_session=#{cookie_value}"
+          else
+            headers['set-cookie'] = [existing_cookies, "_otto_session=#{cookie_value}"]
+          end
+        else
+          headers['set-cookie'] = "_otto_session=#{cookie_value}"
+        end
+      end
+
+      def html_response?(response)
+        return false unless response.is_a?(Array) && response.length >= 2
+
+        headers      = response[1]
+        content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+        content_type&.include?('text/html')
+      end
+
+      def csrf_error_response
+        [
+          403,
+          {
+            'content-type' => 'application/json',
+            'content-length' => csrf_error_body.bytesize.to_s,
+          },
+          [csrf_error_body],
+        ]
+      end
+
+      def csrf_error_body
+        {
+          error: 'CSRF token validation failed',
+          message: 'The request could not be authenticated. Please refresh the page and try again.',
+        }.to_json
+      end
+    end
+
+    # Helper methods for CSRF token handling in views and controllers
+    module CSRFHelpers
+      def csrf_token
+        if @csrf_token.nil? && otto.respond_to?(:security_config)
+          session_id  = otto.security_config.get_or_create_session_id(req)
+          @csrf_token = otto.security_config.generate_csrf_token(session_id)
+        end
+        @csrf_token
+      end
+
+      def csrf_meta_tag
+        %(<meta name="csrf-token" content="#{csrf_token}">)
+      end
+
+      def csrf_form_tag
+        %(<input type="hidden" name="#{csrf_token_key}" value="#{csrf_token}">)
+      end
+
+      def csrf_token_key
+        if otto.respond_to?(:security_config)
+          otto.security_config.csrf_token_key
+        else
+          '_csrf_token'
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/validator.rb

@@ -0,0 +1,299 @@
+# lib/otto/security/validator.rb
+
+require 'json'
+require 'cgi'
+
+class Otto
+  module Security
+    # ValidationMiddleware provides input validation and sanitization for web requests
+    class ValidationMiddleware
+      # Character validation patterns
+      INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
+      NULL_BYTE          = /\0/
+
+      DANGEROUS_PATTERNS = [
+        /<script[^>]*>/i,           # Script tags
+        /javascript:/i,             # JavaScript protocol
+        /data:.*base64/i,           # Data URLs with base64
+        /on\w+\s*=/i,               # Event handlers
+        /expression\s*\(/i,         # CSS expressions
+        /url\s*\(/i,                # CSS url() functions
+        NULL_BYTE,                  # Null bytes
+        INVALID_CHARACTERS,         # Control characters and extended ASCII
+      ].freeze
+
+      SQL_INJECTION_PATTERNS = [
+        /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
+        /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
+        /(or|and)\s+\w+\s*=\s*\w+/i,
+        /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
+      ].freeze
+
+      def initialize(app, config = nil)
+        @app    = app
+        @config = config || Otto::Security::Config.new
+      end
+
+      def call(env)
+        return @app.call(env) unless @config.input_validation
+
+        request = Rack::Request.new(env)
+
+        begin
+          # Validate request size
+          validate_request_size(request)
+
+          # Validate content type
+          validate_content_type(request)
+
+          # Validate and sanitize parameters
+          begin
+            validate_parameters(request) if request.params
+          rescue Rack::QueryParser::QueryLimitError => ex
+            # Handle Rack's built-in query parsing limits
+            raise Otto::Security::ValidationError, "Parameter structure too complex: #{ex.message}"
+          end
+
+          # Validate headers
+          validate_headers(request)
+
+          @app.call(env)
+        rescue Otto::Security::ValidationError => ex
+          validation_error_response(ex.message)
+        rescue Otto::Security::RequestTooLargeError => ex
+          request_too_large_response(ex.message)
+        end
+      end
+
+      private
+
+      def validate_request_size(request)
+        content_length = request.env['CONTENT_LENGTH']
+        @config.validate_request_size(content_length)
+      end
+
+      def validate_content_type(request)
+        content_type = request.env['CONTENT_TYPE']
+        return unless content_type
+
+        # Block dangerous content types
+        dangerous_types = [
+          'application/x-shockwave-flash',
+          'application/x-silverlight-app',
+          'text/vbscript',
+          'application/vbscript',
+        ]
+
+        if dangerous_types.any? { |type| content_type.downcase.include?(type) }
+          raise Otto::Security::ValidationError, "Dangerous content type: #{content_type}"
+        end
+      end
+
+      def validate_parameters(request)
+        validate_param_structure(request.params, 0)
+        sanitize_params(request.params)
+      end
+
+      def validate_param_structure(params, depth = 0)
+        if depth > @config.max_param_depth
+          raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
+        end
+
+        case params
+        when Hash
+          if params.keys.length > @config.max_param_keys
+            raise Otto::Security::ValidationError, "Too many parameters (#{params.keys.length} > #{@config.max_param_keys})"
+          end
+
+          params.each do |key, value|
+            validate_param_key(key)
+            validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+          end
+        when Array
+          if params.length > @config.max_param_keys
+            raise Otto::Security::ValidationError, "Too many array elements (#{params.length} > #{@config.max_param_keys})"
+          end
+
+          params.each do |value|
+            validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+          end
+        end
+      end
+
+      def validate_param_key(key)
+        key_str = key.to_s
+
+        # Check for dangerous characters in parameter names using shared patterns
+        if key_str.match?(NULL_BYTE) || key_str.match?(INVALID_CHARACTERS)
+          raise Otto::Security::ValidationError, "Invalid characters in parameter name: #{key_str}"
+        end
+
+        # Check for suspiciously long parameter names
+        if key_str.length > 256
+          raise Otto::Security::ValidationError, "Parameter name too long: #{key_str[0..50]}..."
+        end
+      end
+
+      def sanitize_params(params)
+        case params
+        when Hash
+          params.each do |key, value|
+            params[key] = sanitize_value(value)
+          end
+        when Array
+          params.map! { |value| sanitize_value(value) }
+        else
+          sanitize_value(params)
+        end
+      end
+
+      def sanitize_value(value)
+        return value unless value.is_a?(String)
+
+        # Check for dangerous patterns
+        DANGEROUS_PATTERNS.each do |pattern|
+          if value.match?(pattern)
+            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
+          end
+        end
+
+        # Check for SQL injection patterns
+        SQL_INJECTION_PATTERNS.each do |pattern|
+          if value.match?(pattern)
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
+          end
+        end
+
+        # Check for extremely long values
+        if value.length > 10_000
+          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
+        end
+
+        # Basic sanitization - remove null bytes and control characters
+        sanitized = value.gsub(/\0/, '').gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+
+        # Additional sanitization for common attack vectors
+        sanitized = sanitized.gsub(/<!--.*?-->/m, '') # Remove HTML comments
+        sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
+      end
+
+      def validate_headers(request)
+        # Check for dangerous headers
+        dangerous_headers = %w[
+          HTTP_X_FORWARDED_HOST
+          HTTP_X_ORIGINAL_URL
+          HTTP_X_REWRITE_URL
+          HTTP_DESTINATION
+          HTTP_UPGRADE_INSECURE_REQUESTS
+        ]
+
+        dangerous_headers.each do |header|
+          value = request.env[header]
+          next unless value
+
+          # Basic validation - no null bytes or control characters
+          if value.match?(NULL_BYTE) || value.match?(INVALID_CHARACTERS)
+            raise Otto::Security::ValidationError, "Invalid characters in header: #{header}"
+          end
+        end
+
+        # Validate User-Agent length
+        user_agent = request.env['HTTP_USER_AGENT']
+        if user_agent && user_agent.length > 1000
+          raise Otto::Security::ValidationError, 'User-Agent header too long'
+        end
+
+        # Validate Referer header
+        referer = request.env['HTTP_REFERER']
+        if referer && referer.length > 2000
+          raise Otto::Security::ValidationError, 'Referer header too long'
+        end
+      end
+
+      def validation_error_response(message)
+        [
+          400,
+          {
+            'content-type' => 'application/json',
+            'content-length' => validation_error_body(message).bytesize.to_s,
+          },
+          [validation_error_body(message)],
+        ]
+      end
+
+      def request_too_large_response(message)
+        [
+          413,
+          {
+            'content-type' => 'application/json',
+            'content-length' => request_too_large_body(message).bytesize.to_s,
+          },
+          [request_too_large_body(message)],
+        ]
+      end
+
+      def validation_error_body(message)
+        require 'json'
+        {
+          error: 'Validation failed',
+          message: message,
+        }.to_json
+      end
+
+      def request_too_large_body(message)
+        require 'json'
+        {
+          error: 'Request too large',
+          message: message,
+        }.to_json
+      end
+    end
+
+    module ValidationHelpers
+      def validate_input(input, max_length: 1000, allow_html: false)
+        return input if input.nil? || input.empty?
+
+        input_str = input.to_s
+
+        # Check length
+        if input_str.length > max_length
+          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
+        end
+
+        # Check for dangerous patterns unless HTML is allowed
+        unless allow_html
+          ValidationMiddleware::DANGEROUS_PATTERNS.each do |pattern|
+            if input_str.match?(pattern)
+              raise Otto::Security::ValidationError, 'Dangerous content detected'
+            end
+          end
+        end
+
+        # Always check for SQL injection
+        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
+          if input_str.match?(pattern)
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
+          end
+        end
+
+        input_str
+      end
+
+      def sanitize_filename(filename)
+        return nil if filename.nil? || filename.empty?
+
+        # Remove path components and dangerous characters
+        clean_name = File.basename(filename.to_s)
+        clean_name = clean_name.gsub(/[^\w\-_\.]/, '_')
+        clean_name = clean_name.gsub(/_{2,}/, '_')
+        clean_name = clean_name.gsub(/^_+|_+$/, '')
+
+        # Ensure it's not empty and has reasonable length
+        clean_name = 'file' if clean_name.empty?
+        clean_name = clean_name[0..100] if clean_name.length > 100
+
+        clean_name
+      end
+    end
+  end
+end

data/lib/otto/static.rb

@@ -1,20 +1,33 @@
+# lib/otto/static.rb
 
 class Otto
-
   module Static
     extend self
+
     def server_error
-      [500, {'Content-Type'=>'text/plain'}, ["Server error"]]
+      [500, security_headers.merge({ 'content-type' => 'text/plain' }), ['Server error']]
     end
+
     def not_found
-      [404, {'Content-Type'=>'text/plain'}, ["Not Found"]]
+      [404, security_headers.merge({ 'content-type' => 'text/plain' }), ['Not Found']]
+    end
+
+    def security_headers
+      {
+        'x-frame-options' => 'DENY',
+        'x-content-type-options' => 'nosniff',
+        'x-xss-protection' => '1; mode=block',
+        'referrer-policy' => 'strict-origin-when-cross-origin',
+      }
     end
+
     # Enable string or symbol key access to the nested params hash.
     def indifferent_params(params)
       if params.is_a?(Hash)
         params = indifferent_hash.merge(params)
         params.each do |key, value|
           next unless value.is_a?(Hash) || value.is_a?(Array)
+
           params[key] = indifferent_params(value)
         end
       elsif params.is_a?(Array)
@@ -27,10 +40,10 @@ class Otto
         end
       end
     end
+
     # Creates a Hash with indifferent access.
     def indifferent_hash
-      Hash.new {|hash,key| hash[key.to_s] if Symbol === key }
+      Hash.new { |hash, key| hash[key.to_s] if key.is_a?(Symbol) }
     end
   end
-
 end

data/lib/otto/version.rb

@@ -1,27 +1,5 @@
-#
+# lib/otto/version.rb
 
 class Otto
-  # Otto::VERSION
-  #
-  module VERSION
-    def self.to_a
-      load_config
-      [@version[:MAJOR], @version[:MINOR], @version[:PATCH]]
-    end
-
-    def self.to_s
-      version = to_a.join('.')
-      "#{version}-#{@version[:PRE]}" if @version[:PRE]
-    end
-
-    def self.inspect
-      to_s
-    end
-
-    def self.load_config
-      return if @version
-      require 'yaml'
-      @version = YAML.load_file(File.join(__dir__, '..', '..', 'VERSION.yml'))
-    end
-  end
+  VERSION = '1.3.0'.freeze
 end