otto 1.2.0 → 1.4.0

data/lib/otto/route.rb

@@ -33,20 +33,20 @@ class Otto
     # @param definition [String] Class and method definition (Class.method or Class#method)
     # @raise [ArgumentError] if definition format is invalid or class name is unsafe
     def initialize(verb, path, definition)
-      @verb = verb.to_s.upcase.to_sym
-      @path = path
-      @definition = definition
+      @verb           = verb.to_s.upcase.to_sym
+      @path           = path
+      @definition     = definition
       @pattern, @keys = *compile(@path)
       if !@definition.index('.').nil?
         @klass, @name = @definition.split('.')
-        @kind = :class
+        @kind         = :class
       elsif !@definition.index('#').nil?
         @klass, @name = @definition.split('#')
-        @kind = :instance
+        @kind         = :instance
       else
         raise ArgumentError, "Bad definition: #{@definition}"
       end
-      @klass = safe_const_get(@klass)
+      @klass          = safe_const_get(@klass)
       # @method = @klass.method(@name)
     end
 
@@ -85,8 +85,8 @@ class Otto
 
       begin
         Object.const_get(class_name)
-      rescue NameError => e
-        raise ArgumentError, "Class not found: #{class_name} - #{e.message}"
+      rescue NameError => ex
+        raise ArgumentError, "Class not found: #{class_name} - #{ex.message}"
       end
     end
 
@@ -109,11 +109,16 @@ class Otto
     # @return [Array] Rack response array [status, headers, body]
     def call(env, extra_params = {})
       extra_params ||= {}
-      req = Rack::Request.new(env)
-      res = Rack::Response.new
+      req            = Rack::Request.new(env)
+      res            = Rack::Response.new
       req.extend Otto::RequestHelpers
       res.extend Otto::ResponseHelpers
-      res.request = req
+      res.request    = req
+
+      # Make security config available to response helpers
+      if otto.respond_to?(:security_config) && otto.security_config
+        env['otto.security_config'] = otto.security_config
+      end
 
       # Process parameters through security layer
       req.params.merge! extra_params
@@ -158,7 +163,7 @@ class Otto
       keys = []
       if path.respond_to? :to_str
         special_chars = %w[. + ( ) $]
-        pattern =
+        pattern       =
           path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
             case match
             when '*'

data/lib/otto/security/config.rb

@@ -22,26 +22,29 @@ class Otto
     #   config.max_param_depth = 16
     class Config
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
-                    :max_request_size, :max_param_depth, :max_param_keys,
-                    :trusted_proxies, :require_secure_cookies,
-                    :security_headers, :input_validation
+        :max_request_size, :max_param_depth, :max_param_keys,
+        :trusted_proxies, :require_secure_cookies,
+        :security_headers, :input_validation,
+        :csp_nonce_enabled, :debug_csp
 
       # Initialize security configuration with safe defaults
       #
       # All security features are disabled by default to maintain backward
       # compatibility with existing Otto applications.
       def initialize
-        @csrf_protection = false
-        @csrf_token_key = '_csrf_token'
-        @csrf_header_key = 'HTTP_X_CSRF_TOKEN'
-        @csrf_session_key = '_csrf_session_id'
-        @max_request_size = 10 * 1024 * 1024 # 10MB
-        @max_param_depth = 32
-        @max_param_keys = 64
-        @trusted_proxies = []
+        @csrf_protection        = false
+        @csrf_token_key         = '_csrf_token'
+        @csrf_header_key        = 'HTTP_X_CSRF_TOKEN'
+        @csrf_session_key       = '_csrf_session_id'
+        @max_request_size       = 10 * 1024 * 1024 # 10MB
+        @max_param_depth        = 32
+        @max_param_keys         = 64
+        @trusted_proxies        = []
         @require_secure_cookies = false
-        @security_headers = default_security_headers
-        @input_validation = true
+        @security_headers       = default_security_headers
+        @input_validation       = true
+        @csp_nonce_enabled      = false
+        @debug_csp              = false
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -96,7 +99,7 @@ class Otto
         when Array
           @trusted_proxies.concat(proxy)
         else
-          raise ArgumentError, "Proxy must be a String or Array"
+          raise ArgumentError, 'Proxy must be a String or Array'
         end
       end
 
@@ -130,19 +133,19 @@ class Otto
         size = content_length.to_i
         if size > @max_request_size
           raise Otto::Security::RequestTooLargeError,
-                "Request size #{size} exceeds maximum #{@max_request_size}"
+            "Request size #{size} exceeds maximum #{@max_request_size}"
         end
         true
       end
 
       def generate_csrf_token(session_id = nil)
-        base = session_id || 'no-session'
-        token = SecureRandom.hex(32)
+        base       = session_id || 'no-session'
+        token      = SecureRandom.hex(32)
         hash_input = base + ':' + token
-        signature = Digest::SHA256.hexdigest(hash_input)
+        signature  = Digest::SHA256.hexdigest(hash_input)
         csrf_token = "#{token}:#{signature}"
 
-        puts "=== CSRF Generation ==="
+        puts '=== CSRF Generation ==='
         puts "hash_input: #{hash_input.inspect}"
         puts "signature: #{signature}"
         puts "csrf_token: #{csrf_token}"
@@ -156,12 +159,12 @@ class Otto
         token_part, signature = token.split(':')
         return false if token_part.nil? || signature.nil?
 
-        base = session_id || 'no-session'
-        hash_input = "#{base}:#{token_part}"
+        base               = session_id || 'no-session'
+        hash_input         = "#{base}:#{token_part}"
         expected_signature = Digest::SHA256.hexdigest(hash_input)
-        comparison_result = secure_compare(signature, expected_signature)
+        comparison_result  = secure_compare(signature, expected_signature)
 
-        puts "=== CSRF Verification ==="
+        puts '=== CSRF Verification ==='
         puts "hash_input: #{hash_input.inspect}"
         puts "received_signature: #{signature}"
         puts "expected_signature: #{expected_signature}"
@@ -179,9 +182,9 @@ class Otto
       # @param max_age [Integer] Maximum age in seconds (default: 1 year)
       # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
       # @return [void]
-      def enable_hsts!(max_age: 31536000, include_subdomains: true)
-        hsts_value = "max-age=#{max_age}"
-        hsts_value += "; includeSubDomains" if include_subdomains
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        hsts_value                                     = "max-age=#{max_age}"
+        hsts_value                                    += '; includeSubDomains' if include_subdomains
         @security_headers['strict-transport-security'] = hsts_value
       end
 
@@ -199,6 +202,53 @@ class Otto
         @security_headers['content-security-policy'] = policy
       end
 
+      # Enable Content Security Policy (CSP) with nonce support
+      #
+      # This enables dynamic CSP header generation with nonces for enhanced security.
+      # Unlike enable_csp!, this doesn't set a static policy but enables the response
+      # helper to generate CSP headers with nonces on a per-request basis.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      # @return [void]
+      #
+      # @example
+      #   config.enable_csp_with_nonce!(debug: true)
+      def enable_csp_with_nonce!(debug: false)
+        @csp_nonce_enabled = true
+        @debug_csp         = debug
+      end
+
+      # Disable CSP nonce support
+      #
+      # @return [void]
+      def disable_csp_nonce!
+        @csp_nonce_enabled = false
+      end
+
+      # Check if CSP nonce support is enabled
+      #
+      # @return [Boolean] true if CSP nonce support is enabled
+      def csp_nonce_enabled?
+        @csp_nonce_enabled
+      end
+
+      # Check if CSP debug logging is enabled
+      #
+      # @return [Boolean] true if CSP debug logging is enabled
+      def debug_csp?
+        @debug_csp
+      end
+
+      # Generate a CSP policy string with the provided nonce
+      #
+      # @param nonce [String] The nonce value to include in the CSP
+      # @param development_mode [Boolean] Whether to use development-friendly directives
+      # @return [String] Complete CSP policy string
+      def generate_nonce_csp(nonce, development_mode: false)
+        directives = development_mode ? development_csp_directives(nonce) : production_csp_directives(nonce)
+        directives.join(' ')
+      end
+
       # Enable X-Frame-Options header to prevent clickjacking
       #
       # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
@@ -245,27 +295,23 @@ class Otto
             return session[csrf_session_key] if session[csrf_session_key]
             return session['session_id'] if session['session_id']
           end
-        rescue
+        rescue StandardError
           # Fall through to cookies
         end
 
         # Try cookies
         request.cookies['_otto_session'] ||
-        request.cookies['session_id'] ||
-        request.cookies['_session_id']
+          request.cookies['session_id'] ||
+          request.cookies['_session_id']
       end
 
       def store_session_id(request, session_id)
-        begin
-          session = request.session
+          session                   = request.session
           session[csrf_session_key] = session_id if session
-        rescue
-          # Cookie fallback handled in inject_csrf_token
-        end
+      rescue StandardError
+        # Cookie fallback handled in inject_csrf_token
       end
 
-      private
-
       # Default security headers applied to all responses
       #
       # These headers provide basic defense against common web vulnerabilities:
@@ -282,7 +328,7 @@ class Otto
         {
           'x-content-type-options' => 'nosniff',
           'x-xss-protection' => '1; mode=block',
-          'referrer-policy' => 'strict-origin-when-cross-origin'
+          'referrer-policy' => 'strict-origin-when-cross-origin',
         }
       end
 
@@ -298,10 +344,58 @@ class Otto
       def secure_compare(a, b)
         return false if a.nil? || b.nil? || a.length != b.length
 
-        result = 0
+        result                                = 0
         a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
         result == 0
       end
+
+      # Generate CSP directives for development environment
+      #
+      # Development mode allows inline scripts/styles and hot reloading connections
+      # for better developer experience with build tools like Vite.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def development_csp_directives(nonce)
+        [
+          "default-src 'none';",
+          "script-src 'nonce-#{nonce}' 'unsafe-inline';",  # Allow inline scripts for development tools
+          "style-src 'self' 'unsafe-inline';",
+          "connect-src 'self' ws: wss: http: https:;",      # Allow HTTP and all WebSocket connections for dev tools
+          "img-src 'self' data:;",
+          "font-src 'self';",
+          "object-src 'none';",
+          "base-uri 'self';",
+          "form-action 'self';",
+          "frame-ancestors 'none';",
+          "manifest-src 'self';",
+          "worker-src 'self' data:;",
+        ]
+      end
+
+      # Generate CSP directives for production environment
+      #
+      # Production mode is more restrictive, only allowing HTTPS connections
+      # and nonce-only scripts for enhanced XSS protection.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def production_csp_directives(nonce)
+        [
+          "default-src 'none';",                     # Restrict to same origin by default
+          "script-src 'nonce-#{nonce}';",            # Only allow scripts with valid nonce
+          "style-src 'self' 'unsafe-inline';",       # Allow inline styles and same-origin stylesheets
+          "connect-src 'self' wss: https:;",         # Only HTTPS and secure WebSockets
+          "img-src 'self' data:;",                   # Allow images from same origin and data URIs
+          "font-src 'self';",                        # Allow fonts from same origin only
+          "object-src 'none';",                      # Block <object>, <embed>, and <applet> elements
+          "base-uri 'self';",                        # Restrict <base> tag targets to same origin
+          "form-action 'self';",                     # Restrict form submissions to same origin
+          "frame-ancestors 'none';",                 # Prevent site from being embedded in frames
+          "manifest-src 'self';",                    # Allow web app manifests from same origin
+          "worker-src 'self' data:;",                # Allow Workers from same origin and data blobs
+        ]
+      end
     end
 
     # Raised when a request exceeds the configured size limit

data/lib/otto/security/csrf.rb

@@ -3,12 +3,14 @@
 require 'securerandom'
 
 class Otto
+  # CSRF protection middleware for Otto framework
   module Security
+    # Middleware that provides Cross-Site Request Forgery (CSRF) protection
     class CSRFMiddleware
       SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
 
       def initialize(app, config = nil)
-        @app = app
+        @app    = app
         @config = config || Otto::Security::Config.new
       end
 
@@ -25,9 +27,7 @@ class Otto
         end
 
         # Validate CSRF token for unsafe methods
-        unless valid_csrf_token?(request)
-          return csrf_error_response
-        end
+        return csrf_error_response unless valid_csrf_token?(request)
 
         @app.call(env)
       end
@@ -54,8 +54,7 @@ class Otto
         token ||= request.env[@config.csrf_header_key]
 
         # Try alternative header format
-        token ||= request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ?
-                    request.env['HTTP_X_CSRF_TOKEN'] : nil
+        token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
 
         token
       end
@@ -68,7 +67,7 @@ class Otto
         return response unless response.is_a?(Array) && response.length >= 3
 
         status, headers, body = response
-        content_type = headers.find { |k, v| k.downcase == 'content-type' }&.last
+        content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
 
         return response unless content_type&.include?('text/html')
 
@@ -85,14 +84,12 @@ class Otto
         body_content = body.respond_to?(:join) ? body.join : body.to_s
 
         if body_content.match?(/<head>/i)
-          meta_tag = %(<meta name="csrf-token" content="#{csrf_token}">)
+          meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
           body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
 
           # Update content length if present
-          content_length_key = headers.keys.find { |k| k.downcase == 'content-length' }
-          if content_length_key
-            headers[content_length_key] = body_content.bytesize.to_s
-          end
+          content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
+          headers[content_length_key] = body_content.bytesize.to_s if content_length_key
 
           [status, headers, [body_content]]
         else
@@ -106,8 +103,8 @@ class Otto
         return if existing_cookie == session_id
 
         # Set the session cookie
-        cookie_value = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
-        cookie_value += "; Secure" if request.scheme == 'https'
+        cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
+        cookie_value += '; Secure' if request.scheme == 'https'
 
         # Handle existing Set-Cookie headers
         existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
@@ -126,8 +123,8 @@ class Otto
       def html_response?(response)
         return false unless response.is_a?(Array) && response.length >= 2
 
-        headers = response[1]
-        content_type = headers.find { |k, v| k.downcase == 'content-type' }&.last
+        headers      = response[1]
+        content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
         content_type&.include?('text/html')
       end
 
@@ -136,34 +133,30 @@ class Otto
           403,
           {
             'content-type' => 'application/json',
-            'content-length' => csrf_error_body.bytesize.to_s
+            'content-length' => csrf_error_body.bytesize.to_s,
           },
-          [csrf_error_body]
+          [csrf_error_body],
         ]
       end
 
       def csrf_error_body
         {
           error: 'CSRF token validation failed',
-          message: 'The request could not be authenticated. Please refresh the page and try again.'
+          message: 'The request could not be authenticated. Please refresh the page and try again.',
         }.to_json
       end
-
     end
 
+    # Helper methods for CSRF token handling in views and controllers
     module CSRFHelpers
       def csrf_token
         if @csrf_token.nil? && otto.respond_to?(:security_config)
-          session_id = otto.security_config.get_or_create_session_id(req)
+          session_id  = otto.security_config.get_or_create_session_id(req)
           @csrf_token = otto.security_config.generate_csrf_token(session_id)
         end
         @csrf_token
       end
 
-      private
-
-      public
-
       def csrf_meta_tag
         %(<meta name="csrf-token" content="#{csrf_token}">)
       end
@@ -173,8 +166,11 @@ class Otto
       end
 
       def csrf_token_key
-        otto.respond_to?(:security_config) ?
-          otto.security_config.csrf_token_key : '_csrf_token'
+        if otto.respond_to?(:security_config)
+          otto.security_config.csrf_token_key
+        else
+          '_csrf_token'
+        end
       end
     end
   end

data/lib/otto/security/validator.rb

@@ -5,31 +5,32 @@ require 'cgi'
 
 class Otto
   module Security
+    # ValidationMiddleware provides input validation and sanitization for web requests
     class ValidationMiddleware
       # Character validation patterns
-      INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n.freeze
-      NULL_BYTE = /\0/.freeze
+      INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
+      NULL_BYTE          = /\0/
 
       DANGEROUS_PATTERNS = [
         /<script[^>]*>/i,           # Script tags
         /javascript:/i,             # JavaScript protocol
         /data:.*base64/i,           # Data URLs with base64
-        /on\w+\s*=/i,              # Event handlers
+        /on\w+\s*=/i,               # Event handlers
         /expression\s*\(/i,         # CSS expressions
-        /url\s*\(/i,               # CSS url() functions
-        NULL_BYTE,                 # Null bytes
-        INVALID_CHARACTERS         # Control characters and extended ASCII
+        /url\s*\(/i,                # CSS url() functions
+        NULL_BYTE,                  # Null bytes
+        INVALID_CHARACTERS,         # Control characters and extended ASCII
       ].freeze
 
       SQL_INJECTION_PATTERNS = [
         /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
         /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
         /(or|and)\s+\w+\s*=\s*\w+/i,
-        /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i
+        /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
       ].freeze
 
       def initialize(app, config = nil)
-        @app = app
+        @app    = app
         @config = config || Otto::Security::Config.new
       end
 
@@ -46,17 +47,21 @@ class Otto
           validate_content_type(request)
 
           # Validate and sanitize parameters
-          validate_parameters(request) if request.params
+          begin
+            validate_parameters(request) if request.params
+          rescue Rack::QueryParser::QueryLimitError => ex
+            # Handle Rack's built-in query parsing limits
+            raise Otto::Security::ValidationError, "Parameter structure too complex: #{ex.message}"
+          end
 
           # Validate headers
           validate_headers(request)
 
           @app.call(env)
-
-        rescue Otto::Security::ValidationError => e
-          return validation_error_response(e.message)
-        rescue Otto::Security::RequestTooLargeError => e
-          return request_too_large_response(e.message)
+        rescue Otto::Security::ValidationError => ex
+          validation_error_response(ex.message)
+        rescue Otto::Security::RequestTooLargeError => ex
+          request_too_large_response(ex.message)
         end
       end
 
@@ -76,7 +81,7 @@ class Otto
           'application/x-shockwave-flash',
           'application/x-silverlight-app',
           'text/vbscript',
-          'application/vbscript'
+          'application/vbscript',
         ]
 
         if dangerous_types.any? { |type| content_type.downcase.include?(type) }
@@ -148,14 +153,14 @@ class Otto
         # Check for dangerous patterns
         DANGEROUS_PATTERNS.each do |pattern|
           if value.match?(pattern)
-            raise Otto::Security::ValidationError, "Dangerous content detected in parameter"
+            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
           end
         end
 
         # Check for SQL injection patterns
         SQL_INJECTION_PATTERNS.each do |pattern|
           if value.match?(pattern)
-            raise Otto::Security::ValidationError, "Potential SQL injection detected"
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
           end
         end
 
@@ -169,9 +174,7 @@ class Otto
 
         # Additional sanitization for common attack vectors
         sanitized = sanitized.gsub(/<!--.*?-->/m, '') # Remove HTML comments
-        sanitized = sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
-
-        sanitized
+        sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
       end
 
       def validate_headers(request)
@@ -197,13 +200,13 @@ class Otto
         # Validate User-Agent length
         user_agent = request.env['HTTP_USER_AGENT']
         if user_agent && user_agent.length > 1000
-          raise Otto::Security::ValidationError, "User-Agent header too long"
+          raise Otto::Security::ValidationError, 'User-Agent header too long'
         end
 
         # Validate Referer header
         referer = request.env['HTTP_REFERER']
         if referer && referer.length > 2000
-          raise Otto::Security::ValidationError, "Referer header too long"
+          raise Otto::Security::ValidationError, 'Referer header too long'
         end
       end
 
@@ -212,9 +215,9 @@ class Otto
           400,
           {
             'content-type' => 'application/json',
-            'content-length' => validation_error_body(message).bytesize.to_s
+            'content-length' => validation_error_body(message).bytesize.to_s,
           },
-          [validation_error_body(message)]
+          [validation_error_body(message)],
         ]
       end
 
@@ -223,9 +226,9 @@ class Otto
           413,
           {
             'content-type' => 'application/json',
-            'content-length' => request_too_large_body(message).bytesize.to_s
+            'content-length' => request_too_large_body(message).bytesize.to_s,
           },
-          [request_too_large_body(message)]
+          [request_too_large_body(message)],
         ]
       end
 
@@ -233,7 +236,7 @@ class Otto
         require 'json'
         {
           error: 'Validation failed',
-          message: message
+          message: message,
         }.to_json
       end
 
@@ -241,7 +244,7 @@ class Otto
         require 'json'
         {
           error: 'Request too large',
-          message: message
+          message: message,
         }.to_json
       end
     end
@@ -261,7 +264,7 @@ class Otto
         unless allow_html
           ValidationMiddleware::DANGEROUS_PATTERNS.each do |pattern|
             if input_str.match?(pattern)
-              raise Otto::Security::ValidationError, "Dangerous content detected"
+              raise Otto::Security::ValidationError, 'Dangerous content detected'
             end
           end
         end
@@ -269,7 +272,7 @@ class Otto
         # Always check for SQL injection
         ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
           if input_str.match?(pattern)
-            raise Otto::Security::ValidationError, "Potential SQL injection detected"
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
           end
         end
 

data/lib/otto/static.rb

@@ -17,7 +17,7 @@ class Otto
         'x-frame-options' => 'DENY',
         'x-content-type-options' => 'nosniff',
         'x-xss-protection' => '1; mode=block',
-        'referrer-policy' => 'strict-origin-when-cross-origin'
+        'referrer-policy' => 'strict-origin-when-cross-origin',
       }
     end