otto 1.4.0 → 1.6.0

data/lib/otto/security/config.rb

@@ -25,7 +25,8 @@ class Otto
         :max_request_size, :max_param_depth, :max_param_keys,
         :trusted_proxies, :require_secure_cookies,
         :security_headers, :input_validation,
-        :csp_nonce_enabled, :debug_csp
+        :csp_nonce_enabled, :debug_csp, :mcp_auth,
+        :rate_limiting_config
 
       # Initialize security configuration with safe defaults
       #
@@ -45,6 +46,7 @@ class Otto
         @input_validation       = true
         @csp_nonce_enabled      = false
         @debug_csp              = false
+        @rate_limiting_config   = {}
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection

data/lib/otto/security/rate_limiting.rb

@@ -0,0 +1,111 @@
+require 'json'
+
+begin
+  require 'rack/attack'
+rescue LoadError
+  # rack-attack is optional - graceful fallback
+end
+
+class Otto
+  module Security
+    class RateLimiting
+      def self.configure_rack_attack!(config = {})
+        return unless defined?(Rack::Attack)
+
+        # Use provided cache store or default
+        if config[:cache_store]
+          Rack::Attack.cache.store = config[:cache_store]
+        end
+
+        # Default rules
+        default_requests_per_minute = config.fetch(:requests_per_minute, 100)
+
+        # General request throttling
+        Rack::Attack.throttle('requests', limit: default_requests_per_minute, period: 60) do |request|
+          request.ip unless request.path.start_with?('/_') # Skip internal paths by default
+        end
+
+        # Apply custom rules if provided
+        if config[:custom_rules]
+          config[:custom_rules].each do |name, rule_config|
+            limit = rule_config[:limit]
+            period = rule_config[:period] || 60
+            condition = rule_config[:condition]
+
+            Rack::Attack.throttle(name.to_s, limit: limit, period: period) do |request|
+              if condition
+                request.ip if condition.call(request)
+              else
+                request.ip
+              end
+            end
+          end
+        end
+
+        # Custom response for rate limited requests
+        Rack::Attack.throttled_responder = lambda do |request|
+          match_data = request.env['rack.attack.match_data']
+          now = match_data[:epoch_time]
+
+          headers = {
+            'content-type' => 'application/json',
+            'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
+          }
+
+          # Check if request expects JSON
+          accept_header = request.env['HTTP_ACCEPT'].to_s
+          if accept_header.include?('application/json')
+            error_response = {
+              error: 'Rate limit exceeded',
+              message: 'Too many requests',
+              retry_after: headers['retry-after'].to_i,
+              limit: match_data[:limit],
+              period: match_data[:period],
+            }
+            [429, headers, [JSON.generate(error_response)]]
+          else
+            body = "Rate limit exceeded. Retry after #{headers['retry-after']} seconds."
+            headers['content-type'] = 'text/plain'
+            [429, headers, [body]]
+          end
+        end
+
+        # Log blocked requests if ActiveSupport is available
+        return unless defined?(ActiveSupport::Notifications)
+
+        ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
+          req = payload[:request]
+          Otto.logger.warn "[Otto] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
+        end
+      end
+    end
+
+    class RateLimitMiddleware
+      def initialize(app, security_config = nil)
+        @app = app
+        @security_config = security_config
+        @rate_limiter_available = defined?(Rack::Attack)
+
+        if @rate_limiter_available
+          configure_rate_limiting
+        else
+          Otto.logger.warn '[Otto] rack-attack not available - rate limiting disabled'
+        end
+      end
+
+      def call(env)
+        return @app.call(env) unless @rate_limiter_available
+
+        # Let rack-attack handle the rate limiting
+        @app.call(env)
+      end
+
+      private
+
+      def configure_rate_limiting
+        config = @security_config&.rate_limiting_config || {}
+        RateLimiting.configure_rack_attack!(config)
+      end
+    end
+  end
+end

data/lib/otto/security/validator.rb

@@ -2,25 +2,21 @@
 
 require 'json'
 require 'cgi'
+require 'loofah'
+require 'facets/file'
+
+require_relative '../helpers/validation'
 
 class Otto
   module Security
     # ValidationMiddleware provides input validation and sanitization for web requests
+    # Uses Loofah for HTML/XSS sanitization and Facets for filename sanitization
     class ValidationMiddleware
       # Character validation patterns
       INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
       NULL_BYTE          = /\0/
 
-      DANGEROUS_PATTERNS = [
-        /<script[^>]*>/i,           # Script tags
-        /javascript:/i,             # JavaScript protocol
-        /data:.*base64/i,           # Data URLs with base64
-        /on\w+\s*=/i,               # Event handlers
-        /expression\s*\(/i,         # CSS expressions
-        /url\s*\(/i,                # CSS url() functions
-        NULL_BYTE,                  # Null bytes
-        INVALID_CHARACTERS,         # Control characters and extended ASCII
-      ].freeze
+      # HTML/XSS sanitization is handled by Loofah library for better security coverage
 
       SQL_INJECTION_PATTERNS = [
         /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
@@ -95,7 +91,7 @@ class Otto
       end
 
       def validate_param_structure(params, depth = 0)
-        if depth > @config.max_param_depth
+        if depth >= @config.max_param_depth
           raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
         end
 
@@ -150,32 +146,44 @@ class Otto
       def sanitize_value(value)
         return value unless value.is_a?(String)
 
-        # Check for dangerous patterns
-        DANGEROUS_PATTERNS.each do |pattern|
-          if value.match?(pattern)
-            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
-          end
+        # Check for extremely long values first
+        if value.length > 10_000
+          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
+        end
+
+        # Start with the original value
+        original = value.dup
+
+        # Check for null bytes first (these should be rejected, not sanitized)
+        if original.match?(NULL_BYTE)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
+        end
+
+        # Check for script injection first (these should always be rejected)
+        if looks_like_script_injection?(original)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
         end
 
+        # Use Loofah to sanitize HTML/XSS content for less dangerous HTML
+        # Loofah.fragment removes dangerous HTML but preserves safe content
+        sanitized = Loofah.fragment(original).scrub!(:whitewash).to_s
+
+        # Remove control characters (sanitize, don't block)
+        sanitized = sanitized.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+
         # Check for SQL injection patterns
         SQL_INJECTION_PATTERNS.each do |pattern|
-          if value.match?(pattern)
+          if sanitized.match?(pattern)
             raise Otto::Security::ValidationError, 'Potential SQL injection detected'
           end
         end
 
-        # Check for extremely long values
-        if value.length > 10_000
-          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
-        end
+        sanitized
+      end
 
-        # Basic sanitization - remove null bytes and control characters
-        sanitized = value.gsub(/\0/, '').gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+      include ValidationHelpers
 
-        # Additional sanitization for common attack vectors
-        sanitized = sanitized.gsub(/<!--.*?-->/m, '') # Remove HTML comments
-        sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
-      end
+      private
 
       def validate_headers(request)
         # Check for dangerous headers
@@ -248,52 +256,5 @@ class Otto
         }.to_json
       end
     end
-
-    module ValidationHelpers
-      def validate_input(input, max_length: 1000, allow_html: false)
-        return input if input.nil? || input.empty?
-
-        input_str = input.to_s
-
-        # Check length
-        if input_str.length > max_length
-          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
-        end
-
-        # Check for dangerous patterns unless HTML is allowed
-        unless allow_html
-          ValidationMiddleware::DANGEROUS_PATTERNS.each do |pattern|
-            if input_str.match?(pattern)
-              raise Otto::Security::ValidationError, 'Dangerous content detected'
-            end
-          end
-        end
-
-        # Always check for SQL injection
-        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
-          if input_str.match?(pattern)
-            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
-          end
-        end
-
-        input_str
-      end
-
-      def sanitize_filename(filename)
-        return nil if filename.nil? || filename.empty?
-
-        # Remove path components and dangerous characters
-        clean_name = File.basename(filename.to_s)
-        clean_name = clean_name.gsub(/[^\w\-_\.]/, '_')
-        clean_name = clean_name.gsub(/_{2,}/, '_')
-        clean_name = clean_name.gsub(/^_+|_+$/, '')
-
-        # Ensure it's not empty and has reasonable length
-        clean_name = 'file' if clean_name.empty?
-        clean_name = clean_name[0..100] if clean_name.length > 100
-
-        clean_name
-      end
-    end
   end
 end

data/lib/otto/version.rb

@@ -1,5 +1,5 @@
 # lib/otto/version.rb
 
 class Otto
-  VERSION = '1.4.0'.freeze
+  VERSION = '1.6.0'.freeze
 end

data/lib/otto.rb

@@ -8,14 +8,20 @@ require 'rack/request'
 require 'rack/response'
 require 'rack/utils'
 
+require_relative 'otto/route_definition'
 require_relative 'otto/route'
 require_relative 'otto/static'
 require_relative 'otto/helpers/request'
 require_relative 'otto/helpers/response'
+require_relative 'otto/response_handlers'
+require_relative 'otto/route_handlers'
 require_relative 'otto/version'
 require_relative 'otto/security/config'
 require_relative 'otto/security/csrf'
 require_relative 'otto/security/validator'
+require_relative 'otto/security/authentication'
+require_relative 'otto/security/rate_limiting'
+require_relative 'otto/mcp/server'
 
 # Otto is a simple Rack router that allows you to define routes in a file
 # with built-in security features including CSRF protection, input validation,
@@ -56,7 +62,7 @@ class Otto
     @global_config
   end
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config, :auth_config, :route_handler_factory, :mcp_server
   attr_accessor :not_found, :server_error, :middleware_stack
 
   def initialize(path = nil, opts = {})
@@ -70,6 +76,7 @@ class Otto
     }.merge(opts)
     @security_config   = Otto::Security::Config.new
     @middleware_stack  = []
+    @route_handler_factory = opts[:route_handler_factory] || Otto::RouteHandlers::HandlerFactory
 
     # Configure locale support (merge global config with instance options)
     configure_locale(opts)
@@ -77,6 +84,12 @@ class Otto
     # Configure security based on options
     configure_security(opts)
 
+    # Configure authentication based on options
+    configure_authentication(opts)
+
+    # Initialize MCP server
+    configure_mcp(opts)
+
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
@@ -87,9 +100,22 @@ class Otto
     path = File.expand_path(path)
     raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
 
-    raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip.split(/\s+/) }
+    raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
     raw.each do |entry|
-      verb, path, definition                  = *entry
+      # Enhanced parsing: split only on first two whitespace boundaries
+      # This preserves parameters in the definition part
+      parts = entry.split(/\s+/, 3)
+      verb, path, definition = parts[0], parts[1], parts[2]
+
+      # Check for MCP routes
+      if Otto::MCP::RouteParser.is_mcp_route?(definition)
+        handle_mcp_route(verb, path, definition) if @mcp_server
+        next
+      elsif Otto::MCP::RouteParser.is_tool_route?(definition)
+        handle_tool_route(verb, path, definition) if @mcp_server
+        next
+      end
+
       route                                   = Otto::Route.new verb, path, definition
       route.otto                              = self
       path_clean                              = path.gsub(%r{/$}, '')
@@ -332,6 +358,52 @@ class Otto
     use Otto::Security::ValidationMiddleware
   end
 
+  # Enable rate limiting to protect against abuse and DDoS attacks.
+  # This will automatically add rate limiting rules based on client IP.
+  #
+  # @param options [Hash] Rate limiting configuration options
+  # @option options [Integer] :requests_per_minute Maximum requests per minute per IP (default: 100)
+  # @option options [Hash] :custom_rules Custom rate limiting rules
+  # @example
+  #   otto.enable_rate_limiting!(requests_per_minute: 50)
+  def enable_rate_limiting!(options = {})
+    return if middleware_enabled?(Otto::Security::RateLimitMiddleware)
+
+    configure_rate_limiting(options)
+    use Otto::Security::RateLimitMiddleware
+  end
+
+  # Configure rate limiting settings.
+  #
+  # @param config [Hash] Rate limiting configuration
+  # @option config [Integer] :requests_per_minute Maximum requests per minute per IP
+  # @option config [Hash] :custom_rules Hash of custom rate limiting rules
+  # @option config [Object] :cache_store Custom cache store for rate limiting
+  # @example
+  #   otto.configure_rate_limiting({
+  #     requests_per_minute: 50,
+  #     custom_rules: {
+  #       'api_calls' => { limit: 30, period: 60, condition: ->(req) { req.path.start_with?('/api') }}
+  #     }
+  #   })
+  def configure_rate_limiting(config)
+    @security_config.rate_limiting_config.merge!(config)
+  end
+
+  # Add a custom rate limiting rule.
+  #
+  # @param name [String, Symbol] Rule name
+  # @param options [Hash] Rule configuration
+  # @option options [Integer] :limit Maximum requests
+  # @option options [Integer] :period Time period in seconds (default: 60)
+  # @option options [Proc] :condition Optional condition proc that receives request
+  # @example
+  #   otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })
+  def add_rate_limit_rule(name, options)
+    @security_config.rate_limiting_config[:custom_rules] ||= {}
+    @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
+  end
+
   # Add a trusted proxy server for accurate client IP detection.
   # Only requests from trusted proxies will have their forwarded headers honored.
   #
@@ -412,6 +484,72 @@ class Otto
     @locale_config[:default_locale] = default_locale if default_locale
   end
 
+  # Enable authentication middleware for route-level access control.
+  # This will automatically check route auth parameters and enforce authentication.
+  #
+  # @example
+  #   otto.enable_authentication!
+  def enable_authentication!
+    return if middleware_enabled?(Otto::Security::AuthenticationMiddleware)
+
+    use Otto::Security::AuthenticationMiddleware, @auth_config
+  end
+
+  # Configure authentication strategies for route-level access control.
+  #
+  # @param strategies [Hash] Hash mapping strategy names to strategy instances
+  # @param default_strategy [String] Default strategy to use when none specified
+  # @example
+  #   otto.configure_auth_strategies({
+  #     'publically' => Otto::Security::PublicStrategy.new,
+  #     'authenticated' => Otto::Security::SessionStrategy.new(session_key: 'user_id'),
+  #     'role:admin' => Otto::Security::RoleStrategy.new(['admin']),
+  #     'api_key' => Otto::Security::APIKeyStrategy.new(api_keys: ['secret123'])
+  #   })
+  def configure_auth_strategies(strategies, default_strategy: 'publically')
+    @auth_config ||= {}
+    @auth_config[:auth_strategies] = strategies
+    @auth_config[:default_auth_strategy] = default_strategy
+
+    enable_authentication! unless strategies.empty?
+  end
+
+  # Add a single authentication strategy
+  #
+  # @param name [String] Strategy name
+  # @param strategy [Otto::Security::AuthStrategy] Strategy instance
+  # @example
+  #   otto.add_auth_strategy('custom', MyCustomStrategy.new)
+  def add_auth_strategy(name, strategy)
+    @auth_config ||= { auth_strategies: {}, default_auth_strategy: 'publically' }
+    @auth_config[:auth_strategies][name] = strategy
+
+    enable_authentication!
+  end
+
+  # Enable MCP (Model Context Protocol) server support
+  #
+  # @param options [Hash] MCP configuration options
+  # @option options [Boolean] :http Enable HTTP endpoint (default: true)
+  # @option options [Boolean] :stdio Enable STDIO communication (default: false)
+  # @option options [String] :endpoint HTTP endpoint path (default: '/_mcp')
+  # @example
+  #   otto.enable_mcp!(http: true, endpoint: '/api/mcp')
+  def enable_mcp!(options = {})
+    unless @mcp_server
+      @mcp_server = Otto::MCP::Server.new(self)
+    end
+
+    @mcp_server.enable!(options)
+    Otto.logger.info "[MCP] Enabled MCP server" if Otto.debug
+  end
+
+  # Check if MCP is enabled
+  # @return [Boolean]
+  def mcp_enabled?
+    @mcp_server&.enabled?
+  end
+
   private
 
   def configure_locale(opts)
@@ -452,6 +590,12 @@ class Otto
     # Enable request validation if requested
     enable_request_validation! if opts[:request_validation]
 
+    # Enable rate limiting if requested
+    if opts[:rate_limiting]
+      rate_limiting_opts = opts[:rate_limiting].is_a?(Hash) ? opts[:rate_limiting] : {}
+      enable_rate_limiting!(rate_limiting_opts)
+    end
+
     # Add trusted proxies if provided
     if opts[:trusted_proxies]
       Array(opts[:trusted_proxies]).each { |proxy| add_trusted_proxy(proxy) }
@@ -467,6 +611,55 @@ class Otto
     @middleware_stack.any? { |m| m == middleware_class }
   end
 
+  def configure_authentication(opts)
+    # Configure authentication strategies
+    @auth_config = {
+      auth_strategies: opts[:auth_strategies] || {},
+      default_auth_strategy: opts[:default_auth_strategy] || 'publically'
+    }
+
+    # Enable authentication middleware if strategies are configured
+    if opts[:auth_strategies] && !opts[:auth_strategies].empty?
+      enable_authentication!
+    end
+  end
+
+  def configure_mcp(opts)
+    @mcp_server = nil
+
+    # Enable MCP if requested in options
+    if opts[:mcp_enabled] || opts[:mcp_http] || opts[:mcp_stdio]
+      @mcp_server = Otto::MCP::Server.new(self)
+
+      mcp_options = {}
+      mcp_options[:http_endpoint] = opts[:mcp_endpoint] if opts[:mcp_endpoint]
+
+      if opts[:mcp_http] != false  # Default to true unless explicitly disabled
+        @mcp_server.enable!(mcp_options)
+      end
+    end
+  end
+
+  def handle_mcp_route(verb, path, definition)
+    begin
+      route_info = Otto::MCP::RouteParser.parse_mcp_route(verb, path, definition)
+      @mcp_server.register_mcp_route(route_info)
+      Otto.logger.debug "[MCP] Registered resource route: #{definition}" if Otto.debug
+    rescue => e
+      Otto.logger.error "[MCP] Failed to parse MCP route: #{definition} - #{e.message}"
+    end
+  end
+
+  def handle_tool_route(verb, path, definition)
+    begin
+      route_info = Otto::MCP::RouteParser.parse_tool_route(verb, path, definition)
+      @mcp_server.register_mcp_route(route_info)
+      Otto.logger.debug "[MCP] Registered tool route: #{definition}" if Otto.debug
+    rescue => e
+      Otto.logger.error "[MCP] Failed to parse TOOL route: #{definition} - #{e.message}"
+    end
+  end
+
   def handle_error(error, env)
     # Log error details internally but don't expose them
     error_id = SecureRandom.hex(8)

data/otto.gemspec

@@ -10,18 +10,23 @@ Gem::Specification.new do |spec|
   spec.email         = 'gems@solutious.com'
   spec.authors       = ['Delano Mandelbaum']
   spec.license       = 'MIT'
-  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  end
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.homepage      = 'https://github.com/delano/otto'
   spec.require_paths = ['lib']
 
   spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
-  # https://github.com/delano/otto/security/dependabot/5
-  spec.add_dependency 'rexml', '>= 3.3.6'
-  spec.add_dependency 'ostruct'
+  spec.add_dependency 'ostruct', '~> 0.6.3'
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'
+  spec.add_dependency 'rexml', '~> 3.3', '>= 3.3.6'
+
+  # Security dependencies
+  spec.add_dependency 'facets', '~> 3.1'
+  spec.add_dependency 'loofah', '~> 2.20'
+
+  # Optional MCP dependencies
+  # spec.add_dependency 'json_schemer', '~> 2.0'
+  # spec.add_dependency 'rack-attack', '~> 6.7'
   spec.metadata['rubygems_mfa_required'] = 'true'
 end