otto 1.5.0 → 1.6.0

data/lib/otto/security/validator.rb

@@ -2,25 +2,21 @@
 
 require 'json'
 require 'cgi'
+require 'loofah'
+require 'facets/file'
+
+require_relative '../helpers/validation'
 
 class Otto
   module Security
     # ValidationMiddleware provides input validation and sanitization for web requests
+    # Uses Loofah for HTML/XSS sanitization and Facets for filename sanitization
     class ValidationMiddleware
       # Character validation patterns
       INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
       NULL_BYTE          = /\0/
 
-      DANGEROUS_PATTERNS = [
-        /<script[^>]*>/i,           # Script tags
-        /javascript:/i,             # JavaScript protocol
-        /data:.*base64/i,           # Data URLs with base64
-        /on\w+\s*=/i,               # Event handlers
-        /expression\s*\(/i,         # CSS expressions
-        /url\s*\(/i,                # CSS url() functions
-        NULL_BYTE,                  # Null bytes
-        INVALID_CHARACTERS,         # Control characters and extended ASCII
-      ].freeze
+      # HTML/XSS sanitization is handled by Loofah library for better security coverage
 
       SQL_INJECTION_PATTERNS = [
         /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
@@ -95,7 +91,7 @@ class Otto
       end
 
       def validate_param_structure(params, depth = 0)
-        if depth > @config.max_param_depth
+        if depth >= @config.max_param_depth
           raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
         end
 
@@ -150,32 +146,44 @@ class Otto
       def sanitize_value(value)
         return value unless value.is_a?(String)
 
-        # Check for dangerous patterns
-        DANGEROUS_PATTERNS.each do |pattern|
-          if value.match?(pattern)
-            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
-          end
+        # Check for extremely long values first
+        if value.length > 10_000
+          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
+        end
+
+        # Start with the original value
+        original = value.dup
+
+        # Check for null bytes first (these should be rejected, not sanitized)
+        if original.match?(NULL_BYTE)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
+        end
+
+        # Check for script injection first (these should always be rejected)
+        if looks_like_script_injection?(original)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
         end
 
+        # Use Loofah to sanitize HTML/XSS content for less dangerous HTML
+        # Loofah.fragment removes dangerous HTML but preserves safe content
+        sanitized = Loofah.fragment(original).scrub!(:whitewash).to_s
+
+        # Remove control characters (sanitize, don't block)
+        sanitized = sanitized.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+
         # Check for SQL injection patterns
         SQL_INJECTION_PATTERNS.each do |pattern|
-          if value.match?(pattern)
+          if sanitized.match?(pattern)
             raise Otto::Security::ValidationError, 'Potential SQL injection detected'
           end
         end
 
-        # Check for extremely long values
-        if value.length > 10_000
-          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
-        end
+        sanitized
+      end
 
-        # Basic sanitization - remove null bytes and control characters
-        sanitized = value.gsub(/\0/, '').gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+      include ValidationHelpers
 
-        # Additional sanitization for common attack vectors
-        sanitized = sanitized.gsub(/<!--.*?-->/m, '') # Remove HTML comments
-        sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
-      end
+      private
 
       def validate_headers(request)
         # Check for dangerous headers
@@ -248,52 +256,5 @@ class Otto
         }.to_json
       end
     end
-
-    module ValidationHelpers
-      def validate_input(input, max_length: 1000, allow_html: false)
-        return input if input.nil? || input.empty?
-
-        input_str = input.to_s
-
-        # Check length
-        if input_str.length > max_length
-          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
-        end
-
-        # Check for dangerous patterns unless HTML is allowed
-        unless allow_html
-          ValidationMiddleware::DANGEROUS_PATTERNS.each do |pattern|
-            if input_str.match?(pattern)
-              raise Otto::Security::ValidationError, 'Dangerous content detected'
-            end
-          end
-        end
-
-        # Always check for SQL injection
-        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
-          if input_str.match?(pattern)
-            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
-          end
-        end
-
-        input_str
-      end
-
-      def sanitize_filename(filename)
-        return nil if filename.nil? || filename.empty?
-
-        # Remove path components and dangerous characters
-        clean_name = File.basename(filename.to_s)
-        clean_name = clean_name.gsub(/[^\w\-_\.]/, '_')
-        clean_name = clean_name.gsub(/_{2,}/, '_')
-        clean_name = clean_name.gsub(/^_+|_+$/, '')
-
-        # Ensure it's not empty and has reasonable length
-        clean_name = 'file' if clean_name.empty?
-        clean_name = clean_name[0..100] if clean_name.length > 100
-
-        clean_name
-      end
-    end
   end
 end

data/lib/otto/version.rb

@@ -1,5 +1,5 @@
 # lib/otto/version.rb
 
 class Otto
-  VERSION = '1.5.0'.freeze
+  VERSION = '1.6.0'.freeze
 end

data/lib/otto.rb

@@ -20,6 +20,8 @@ require_relative 'otto/security/config'
 require_relative 'otto/security/csrf'
 require_relative 'otto/security/validator'
 require_relative 'otto/security/authentication'
+require_relative 'otto/security/rate_limiting'
+require_relative 'otto/mcp/server'
 
 # Otto is a simple Rack router that allows you to define routes in a file
 # with built-in security features including CSRF protection, input validation,
@@ -60,7 +62,7 @@ class Otto
     @global_config
   end
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config, :auth_config, :route_handler_factory
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config, :auth_config, :route_handler_factory, :mcp_server
   attr_accessor :not_found, :server_error, :middleware_stack
 
   def initialize(path = nil, opts = {})
@@ -85,6 +87,9 @@ class Otto
     # Configure authentication based on options
     configure_authentication(opts)
 
+    # Initialize MCP server
+    configure_mcp(opts)
+
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
@@ -101,6 +106,16 @@ class Otto
       # This preserves parameters in the definition part
       parts = entry.split(/\s+/, 3)
       verb, path, definition = parts[0], parts[1], parts[2]
+
+      # Check for MCP routes
+      if Otto::MCP::RouteParser.is_mcp_route?(definition)
+        handle_mcp_route(verb, path, definition) if @mcp_server
+        next
+      elsif Otto::MCP::RouteParser.is_tool_route?(definition)
+        handle_tool_route(verb, path, definition) if @mcp_server
+        next
+      end
+
       route                                   = Otto::Route.new verb, path, definition
       route.otto                              = self
       path_clean                              = path.gsub(%r{/$}, '')
@@ -343,6 +358,52 @@ class Otto
     use Otto::Security::ValidationMiddleware
   end
 
+  # Enable rate limiting to protect against abuse and DDoS attacks.
+  # This will automatically add rate limiting rules based on client IP.
+  #
+  # @param options [Hash] Rate limiting configuration options
+  # @option options [Integer] :requests_per_minute Maximum requests per minute per IP (default: 100)
+  # @option options [Hash] :custom_rules Custom rate limiting rules
+  # @example
+  #   otto.enable_rate_limiting!(requests_per_minute: 50)
+  def enable_rate_limiting!(options = {})
+    return if middleware_enabled?(Otto::Security::RateLimitMiddleware)
+
+    configure_rate_limiting(options)
+    use Otto::Security::RateLimitMiddleware
+  end
+
+  # Configure rate limiting settings.
+  #
+  # @param config [Hash] Rate limiting configuration
+  # @option config [Integer] :requests_per_minute Maximum requests per minute per IP
+  # @option config [Hash] :custom_rules Hash of custom rate limiting rules
+  # @option config [Object] :cache_store Custom cache store for rate limiting
+  # @example
+  #   otto.configure_rate_limiting({
+  #     requests_per_minute: 50,
+  #     custom_rules: {
+  #       'api_calls' => { limit: 30, period: 60, condition: ->(req) { req.path.start_with?('/api') }}
+  #     }
+  #   })
+  def configure_rate_limiting(config)
+    @security_config.rate_limiting_config.merge!(config)
+  end
+
+  # Add a custom rate limiting rule.
+  #
+  # @param name [String, Symbol] Rule name
+  # @param options [Hash] Rule configuration
+  # @option options [Integer] :limit Maximum requests
+  # @option options [Integer] :period Time period in seconds (default: 60)
+  # @option options [Proc] :condition Optional condition proc that receives request
+  # @example
+  #   otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })
+  def add_rate_limit_rule(name, options)
+    @security_config.rate_limiting_config[:custom_rules] ||= {}
+    @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
+  end
+
   # Add a trusted proxy server for accurate client IP detection.
   # Only requests from trusted proxies will have their forwarded headers honored.
   #
@@ -466,6 +527,29 @@ class Otto
     enable_authentication!
   end
 
+  # Enable MCP (Model Context Protocol) server support
+  #
+  # @param options [Hash] MCP configuration options
+  # @option options [Boolean] :http Enable HTTP endpoint (default: true)
+  # @option options [Boolean] :stdio Enable STDIO communication (default: false)
+  # @option options [String] :endpoint HTTP endpoint path (default: '/_mcp')
+  # @example
+  #   otto.enable_mcp!(http: true, endpoint: '/api/mcp')
+  def enable_mcp!(options = {})
+    unless @mcp_server
+      @mcp_server = Otto::MCP::Server.new(self)
+    end
+
+    @mcp_server.enable!(options)
+    Otto.logger.info "[MCP] Enabled MCP server" if Otto.debug
+  end
+
+  # Check if MCP is enabled
+  # @return [Boolean]
+  def mcp_enabled?
+    @mcp_server&.enabled?
+  end
+
   private
 
   def configure_locale(opts)
@@ -506,6 +590,12 @@ class Otto
     # Enable request validation if requested
     enable_request_validation! if opts[:request_validation]
 
+    # Enable rate limiting if requested
+    if opts[:rate_limiting]
+      rate_limiting_opts = opts[:rate_limiting].is_a?(Hash) ? opts[:rate_limiting] : {}
+      enable_rate_limiting!(rate_limiting_opts)
+    end
+
     # Add trusted proxies if provided
     if opts[:trusted_proxies]
       Array(opts[:trusted_proxies]).each { |proxy| add_trusted_proxy(proxy) }
@@ -534,6 +624,42 @@ class Otto
     end
   end
 
+  def configure_mcp(opts)
+    @mcp_server = nil
+
+    # Enable MCP if requested in options
+    if opts[:mcp_enabled] || opts[:mcp_http] || opts[:mcp_stdio]
+      @mcp_server = Otto::MCP::Server.new(self)
+
+      mcp_options = {}
+      mcp_options[:http_endpoint] = opts[:mcp_endpoint] if opts[:mcp_endpoint]
+
+      if opts[:mcp_http] != false  # Default to true unless explicitly disabled
+        @mcp_server.enable!(mcp_options)
+      end
+    end
+  end
+
+  def handle_mcp_route(verb, path, definition)
+    begin
+      route_info = Otto::MCP::RouteParser.parse_mcp_route(verb, path, definition)
+      @mcp_server.register_mcp_route(route_info)
+      Otto.logger.debug "[MCP] Registered resource route: #{definition}" if Otto.debug
+    rescue => e
+      Otto.logger.error "[MCP] Failed to parse MCP route: #{definition} - #{e.message}"
+    end
+  end
+
+  def handle_tool_route(verb, path, definition)
+    begin
+      route_info = Otto::MCP::RouteParser.parse_tool_route(verb, path, definition)
+      @mcp_server.register_mcp_route(route_info)
+      Otto.logger.debug "[MCP] Registered tool route: #{definition}" if Otto.debug
+    rescue => e
+      Otto.logger.error "[MCP] Failed to parse TOOL route: #{definition} - #{e.message}"
+    end
+  end
+
   def handle_error(error, env)
     # Log error details internally but don't expose them
     error_id = SecureRandom.hex(8)

data/otto.gemspec

@@ -10,18 +10,23 @@ Gem::Specification.new do |spec|
   spec.email         = 'gems@solutious.com'
   spec.authors       = ['Delano Mandelbaum']
   spec.license       = 'MIT'
-  spec.files         = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  end
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   spec.homepage      = 'https://github.com/delano/otto'
   spec.require_paths = ['lib']
 
   spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
-  # https://github.com/delano/otto/security/dependabot/5
-  spec.add_dependency 'rexml', '>= 3.3.6'
-  spec.add_dependency 'ostruct'
+  spec.add_dependency 'ostruct', '~> 0.6.3'
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'
+  spec.add_dependency 'rexml', '~> 3.3', '>= 3.3.6'
+
+  # Security dependencies
+  spec.add_dependency 'facets', '~> 3.1'
+  spec.add_dependency 'loofah', '~> 2.20'
+
+  # Optional MCP dependencies
+  # spec.add_dependency 'json_schemer', '~> 2.0'
+  # spec.add_dependency 'rack-attack', '~> 6.7'
   spec.metadata['rubygems_mfa_required'] = 'true'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 1.5.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -9,34 +9,20 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: rexml
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.3.6
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.3.6
 - !ruby/object:Gem::Dependency
   name: ostruct
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.6.3
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -71,6 +57,54 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.3.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.3.6
+- !ruby/object:Gem::Dependency
+  name: facets
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: loofah
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
 description: 'Otto: Auto-define your rack-apps in plaintext.'
 email: gems@solutious.com
 executables: []
@@ -88,6 +122,7 @@ files:
 - Gemfile.lock
 - LICENSE.txt
 - README.md
+- bin/rspec
 - docs/.gitignore
 - examples/basic/app.rb
 - examples/basic/config.ru
@@ -98,14 +133,26 @@ files:
 - examples/helpers_demo/app.rb
 - examples/helpers_demo/config.ru
 - examples/helpers_demo/routes
+- examples/mcp_demo/app.rb
+- examples/mcp_demo/config.ru
+- examples/mcp_demo/routes
 - examples/security_features/app.rb
 - examples/security_features/config.ru
 - examples/security_features/routes
+- lib/concurrent_cache_store.rb
 - lib/otto.rb
 - lib/otto/design_system.rb
 - lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
 - lib/otto/helpers/response.rb
+- lib/otto/helpers/validation.rb
+- lib/otto/mcp/auth/token.rb
+- lib/otto/mcp/protocol.rb
+- lib/otto/mcp/rate_limiting.rb
+- lib/otto/mcp/registry.rb
+- lib/otto/mcp/route_parser.rb
+- lib/otto/mcp/server.rb
+- lib/otto/mcp/validation.rb
 - lib/otto/response_handlers.rb
 - lib/otto/route.rb
 - lib/otto/route_definition.rb
@@ -113,6 +160,7 @@ files:
 - lib/otto/security/authentication.rb
 - lib/otto/security/config.rb
 - lib/otto/security/csrf.rb
+- lib/otto/security/rate_limiting.rb
 - lib/otto/security/validator.rb
 - lib/otto/static.rb
 - lib/otto/version.rb