RubyGems - otto - Versions diffs - 1.5.0 → 2.0.0.pre1 - Mend

otto 1.5.0 → 2.0.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +44 -5
data/.github/workflows/claude-code-review.yml +53 -0
data/.github/workflows/claude.yml +49 -0
data/.gitignore +3 -0
data/.rubocop.yml +24 -345
data/CHANGELOG.rst +83 -0
data/CLAUDE.md +56 -0
data/Gemfile +21 -5
data/Gemfile.lock +69 -31
data/README.md +2 -0
data/bin/rspec +16 -0
data/changelog.d/20250911_235619_delano_next.rst +28 -0
data/changelog.d/20250912_123055_delano_remove_ostruct.rst +21 -0
data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst +21 -0
data/changelog.d/README.md +120 -0
data/changelog.d/scriv.ini +5 -0
data/docs/.gitignore +1 -0
data/docs/migrating/v2.0.0-pre1.md +276 -0
data/examples/.gitignore +1 -0
data/examples/advanced_routes/README.md +33 -0
data/examples/advanced_routes/app/controllers/handlers/async.rb +9 -0
data/examples/advanced_routes/app/controllers/handlers/dynamic.rb +9 -0
data/examples/advanced_routes/app/controllers/handlers/static.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/auth.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/transformer.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/validator.rb +9 -0
data/examples/advanced_routes/app/controllers/routes_app.rb +232 -0
data/examples/advanced_routes/app/controllers/v2/admin.rb +9 -0
data/examples/advanced_routes/app/controllers/v2/config.rb +9 -0
data/examples/advanced_routes/app/controllers/v2/settings.rb +9 -0
data/examples/advanced_routes/app/logic/admin/logic/manager.rb +27 -0
data/examples/advanced_routes/app/logic/admin/panel.rb +27 -0
data/examples/advanced_routes/app/logic/analytics_processor.rb +25 -0
data/examples/advanced_routes/app/logic/complex/business/handler.rb +27 -0
data/examples/advanced_routes/app/logic/data_logic.rb +23 -0
data/examples/advanced_routes/app/logic/data_processor.rb +25 -0
data/examples/advanced_routes/app/logic/input_validator.rb +24 -0
data/examples/advanced_routes/app/logic/nested/feature/logic.rb +27 -0
data/examples/advanced_routes/app/logic/reports_generator.rb +27 -0
data/examples/advanced_routes/app/logic/simple_logic.rb +25 -0
data/examples/advanced_routes/app/logic/system/config/manager.rb +27 -0
data/examples/advanced_routes/app/logic/test_logic.rb +23 -0
data/examples/advanced_routes/app/logic/transform_logic.rb +23 -0
data/examples/advanced_routes/app/logic/upload_logic.rb +23 -0
data/examples/advanced_routes/app/logic/v2/logic/dashboard.rb +27 -0
data/examples/advanced_routes/app/logic/v2/logic/processor.rb +27 -0
data/examples/advanced_routes/app.rb +33 -0
data/examples/advanced_routes/config.rb +23 -0
data/examples/advanced_routes/config.ru +7 -0
data/examples/advanced_routes/puma.rb +20 -0
data/examples/advanced_routes/routes +167 -0
data/examples/advanced_routes/run.rb +39 -0
data/examples/advanced_routes/test.rb +58 -0
data/examples/authentication_strategies/README.md +32 -0
data/examples/authentication_strategies/app/auth.rb +68 -0
data/examples/authentication_strategies/app/controllers/auth_controller.rb +29 -0
data/examples/authentication_strategies/app/controllers/main_controller.rb +28 -0
data/examples/authentication_strategies/config.ru +24 -0
data/examples/authentication_strategies/routes +37 -0
data/examples/basic/README.md +29 -0
data/examples/basic/app.rb +7 -35
data/examples/basic/routes +0 -9
data/examples/mcp_demo/README.md +87 -0
data/examples/mcp_demo/app.rb +51 -0
data/examples/mcp_demo/config.ru +17 -0
data/examples/mcp_demo/routes +9 -0
data/examples/security_features/README.md +46 -0
data/examples/security_features/app.rb +23 -24
data/examples/security_features/config.ru +8 -10
data/lib/otto/core/configuration.rb +167 -0
data/lib/otto/core/error_handler.rb +86 -0
data/lib/otto/core/file_safety.rb +61 -0
data/lib/otto/core/middleware_stack.rb +157 -0
data/lib/otto/core/router.rb +183 -0
data/lib/otto/core/uri_generator.rb +44 -0
data/lib/otto/design_system.rb +7 -5
data/lib/otto/helpers/base.rb +3 -0
data/lib/otto/helpers/request.rb +10 -8
data/lib/otto/helpers/response.rb +5 -4
data/lib/otto/helpers/validation.rb +85 -0
data/lib/otto/mcp/auth/token.rb +77 -0
data/lib/otto/mcp/protocol.rb +164 -0
data/lib/otto/mcp/rate_limiting.rb +155 -0
data/lib/otto/mcp/registry.rb +100 -0
data/lib/otto/mcp/route_parser.rb +77 -0
data/lib/otto/mcp/server.rb +206 -0
data/lib/otto/mcp/validation.rb +123 -0
data/lib/otto/response_handlers/auto.rb +39 -0
data/lib/otto/response_handlers/base.rb +16 -0
data/lib/otto/response_handlers/default.rb +16 -0
data/lib/otto/response_handlers/factory.rb +39 -0
data/lib/otto/response_handlers/json.rb +28 -0
data/lib/otto/response_handlers/redirect.rb +25 -0
data/lib/otto/response_handlers/view.rb +24 -0
data/lib/otto/response_handlers.rb +9 -135
data/lib/otto/route.rb +9 -9
data/lib/otto/route_definition.rb +30 -33
data/lib/otto/route_handlers/base.rb +121 -0
data/lib/otto/route_handlers/class_method.rb +89 -0
data/lib/otto/route_handlers/factory.rb +29 -0
data/lib/otto/route_handlers/instance_method.rb +69 -0
data/lib/otto/route_handlers/lambda.rb +59 -0
data/lib/otto/route_handlers/logic_class.rb +93 -0
data/lib/otto/route_handlers.rb +10 -376
data/lib/otto/security/authentication/auth_strategy.rb +44 -0
data/lib/otto/security/authentication/authentication_middleware.rb +123 -0
data/lib/otto/security/authentication/failure_result.rb +36 -0
data/lib/otto/security/authentication/strategies/api_key_strategy.rb +40 -0
data/lib/otto/security/authentication/strategies/permission_strategy.rb +47 -0
data/lib/otto/security/authentication/strategies/public_strategy.rb +19 -0
data/lib/otto/security/authentication/strategies/role_strategy.rb +57 -0
data/lib/otto/security/authentication/strategies/session_strategy.rb +41 -0
data/lib/otto/security/authentication/strategy_result.rb +223 -0
data/lib/otto/security/authentication.rb +28 -282
data/lib/otto/security/config.rb +15 -11
data/lib/otto/security/configurator.rb +219 -0
data/lib/otto/security/csrf.rb +8 -143
data/lib/otto/security/middleware/csrf_middleware.rb +151 -0
data/lib/otto/security/middleware/rate_limit_middleware.rb +38 -0
data/lib/otto/security/middleware/validation_middleware.rb +252 -0
data/lib/otto/security/rate_limiter.rb +86 -0
data/lib/otto/security/rate_limiting.rb +16 -0
data/lib/otto/security/validator.rb +8 -292
data/lib/otto/static.rb +3 -0
data/lib/otto/utils.rb +14 -0
data/lib/otto/version.rb +3 -1
data/lib/otto.rb +184 -414
data/otto.gemspec +11 -6
metadata +134 -25
data/examples/dynamic_pages/app.rb +0 -115
data/examples/dynamic_pages/config.ru +0 -30
data/examples/dynamic_pages/routes +0 -21
data/examples/helpers_demo/app.rb +0 -244
data/examples/helpers_demo/config.ru +0 -26
data/examples/helpers_demo/routes +0 -7

data/lib/otto/security/middleware/validation_middleware.rb ADDED Viewed

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+require_relative '../config'
+require_relative '../../helpers/validation'
+class Otto
+  module Security
+    module Middleware
+      # ValidationMiddleware provides input validation and sanitization for web requests
+      # Uses Loofah for HTML/XSS sanitization and Facets for filename sanitization
+      class ValidationMiddleware
+        # Character validation patterns
+        INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
+        NULL_BYTE          = /\0/
+        # HTML/XSS sanitization is handled by Loofah library for better security coverage
+        SQL_INJECTION_PATTERNS = [
+          /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
+          /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
+          /(or|and)\s+\w+\s*=\s*\w+/i,
+          /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
+        ].freeze
+        def initialize(app, config = nil)
+          @app    = app
+          @config = config || Otto::Security::Config.new
+        end
+        def call(env)
+          return @app.call(env) unless @config.input_validation
+          request = Rack::Request.new(env)
+          begin
+            # Validate request size
+            validate_request_size(request)
+            # Validate content type
+            validate_content_type(request)
+            # Validate and sanitize parameters
+            begin
+              validate_parameters(request) if request.params
+            rescue Rack::QueryParser::QueryLimitError => e
+              # Handle Rack's built-in query parsing limits
+              raise Otto::Security::ValidationError, "Parameter structure too complex: #{e.message}"
+            end
+            # Validate headers
+            validate_headers(request)
+            @app.call(env)
+          rescue Otto::Security::ValidationError => e
+            validation_error_response(e.message)
+          rescue Otto::Security::RequestTooLargeError => e
+            request_too_large_response(e.message)
+          end
+        end
+        private
+        def validate_request_size(request)
+          content_length = request.env['CONTENT_LENGTH']
+          @config.validate_request_size(content_length)
+        end
+        def validate_content_type(request)
+          content_type = request.env['CONTENT_TYPE']
+          return unless content_type
+          # Block dangerous content types
+          dangerous_types = [
+            'application/x-shockwave-flash',
+            'application/x-silverlight-app',
+            'text/vbscript',
+            'application/vbscript',
+          ]
+          return unless dangerous_types.any? { |type| content_type.downcase.include?(type) }
+          raise Otto::Security::ValidationError, "Dangerous content type: #{content_type}"
+        end
+        def validate_parameters(request)
+          validate_param_structure(request.params, 0)
+          sanitize_params(request.params)
+        end
+        def validate_param_structure(params, depth = 0)
+          if depth >= @config.max_param_depth
+            raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
+          end
+          case params
+          when Hash
+            if params.keys.length > @config.max_param_keys
+              raise Otto::Security::ValidationError,
+                    "Too many parameters (#{params.keys.length} > #{@config.max_param_keys})"
+            end
+            params.each do |key, value|
+              validate_param_key(key)
+              validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+            end
+          when Array
+            if params.length > @config.max_param_keys
+              raise Otto::Security::ValidationError,
+                    "Too many array elements (#{params.length} > #{@config.max_param_keys})"
+            end
+            params.each do |value|
+              validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+            end
+          end
+        end
+        def validate_param_key(key)
+          key_str = key.to_s
+          # Check for dangerous characters in parameter names using shared patterns
+          if key_str.match?(NULL_BYTE) || key_str.match?(INVALID_CHARACTERS)
+            raise Otto::Security::ValidationError, "Invalid characters in parameter name: #{key_str}"
+          end
+          # Check for suspiciously long parameter names
+          return unless key_str.length > 256
+          raise Otto::Security::ValidationError, "Parameter name too long: #{key_str[0..50]}..."
+        end
+        def sanitize_params(params)
+          case params
+          when Hash
+            params.each do |key, value|
+              params[key] = sanitize_value(value)
+            end
+          when Array
+            params.map! { |value| sanitize_value(value) }
+          else
+            sanitize_value(params)
+          end
+        end
+        def sanitize_value(value)
+          return value unless value.is_a?(String)
+          # Check for extremely long values first
+          if value.length > 10_000
+            raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
+          end
+          # Start with the original value
+          original = value.dup
+          # Check for null bytes first (these should be rejected, not sanitized)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter' if original.match?(NULL_BYTE)
+          # Check for script injection first (these should always be rejected)
+          if looks_like_script_injection?(original)
+            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
+          end
+          # Use Loofah to sanitize HTML/XSS content for less dangerous HTML
+          # Loofah.fragment removes dangerous HTML but preserves safe content
+          sanitized = Loofah.fragment(original).scrub!(:whitewash).to_s
+          # Remove control characters (sanitize, don't block)
+          sanitized = sanitized.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+          # Check for SQL injection patterns
+          SQL_INJECTION_PATTERNS.each do |pattern|
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected' if sanitized.match?(pattern)
+          end
+          sanitized
+        end
+        include Otto::Security::ValidationHelpers
+        def validate_headers(request)
+          # Check for dangerous headers
+          dangerous_headers = %w[
+            HTTP_X_FORWARDED_HOST
+            HTTP_X_ORIGINAL_URL
+            HTTP_X_REWRITE_URL
+            HTTP_DESTINATION
+            HTTP_UPGRADE_INSECURE_REQUESTS
+          ]
+          dangerous_headers.each do |header|
+            value = request.env[header]
+            next unless value
+            # Basic validation - no null bytes or control characters
+            if value.match?(NULL_BYTE) || value.match?(INVALID_CHARACTERS)
+              raise Otto::Security::ValidationError, "Invalid characters in header: #{header}"
+            end
+          end
+          # Validate User-Agent length
+          user_agent = request.env['HTTP_USER_AGENT']
+          raise Otto::Security::ValidationError, 'User-Agent header too long' if user_agent && user_agent.length > 1000
+          # Validate Referer header
+          referer = request.env['HTTP_REFERER']
+          return unless referer && referer.length > 2000
+          raise Otto::Security::ValidationError, 'Referer header too long'
+        end
+        def validation_error_response(message)
+          [
+            400,
+            {
+              'content-type' => 'application/json',
+              'content-length' => validation_error_body(message).bytesize.to_s,
+            },
+            [validation_error_body(message)],
+          ]
+        end
+        def request_too_large_response(message)
+          [
+            413,
+            {
+              'content-type' => 'application/json',
+              'content-length' => request_too_large_body(message).bytesize.to_s,
+            },
+            [request_too_large_body(message)],
+          ]
+        end
+        def validation_error_body(message)
+          require 'json'
+          {
+            error: 'Validation failed',
+            message: message,
+          }.to_json
+        end
+        def request_too_large_body(message)
+          require 'json'
+          {
+            error: 'Request too large',
+            message: message,
+          }.to_json
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/rate_limiter.rb ADDED Viewed

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+# lib/otto/security/rate_limiter.rb
+require 'json'
+begin
+  require 'rack/attack'
+rescue LoadError
+  # rack-attack is optional - graceful fallback
+end
+class Otto
+  module Security
+    # Rate limiting implementation using Rack::Attack
+    class RateLimiting
+      def self.configure_rack_attack!(config = {})
+        return unless defined?(Rack::Attack)
+        # Use provided cache store or default
+        Rack::Attack.cache.store = config[:cache_store] if config[:cache_store]
+        # Default rules
+        default_requests_per_minute = config.fetch(:requests_per_minute, 100)
+        # General request throttling
+        Rack::Attack.throttle('requests', limit: default_requests_per_minute, period: 60) do |request|
+          request.ip unless request.path.start_with?('/_') # Skip internal paths by default
+        end
+        # Apply custom rules if provided
+        if config[:custom_rules]
+          config[:custom_rules].each do |name, rule_config|
+            limit = rule_config[:limit]
+            period = rule_config[:period] || 60
+            condition = rule_config[:condition]
+            Rack::Attack.throttle(name.to_s, limit: limit, period: period) do |request|
+              if condition
+                request.ip if condition.call(request)
+              else
+                request.ip
+              end
+            end
+          end
+        end
+        # Custom response for rate limited requests
+        Rack::Attack.throttled_responder = lambda do |request|
+          match_data = request.env['rack.attack.match_data']
+          now = match_data[:epoch_time]
+          headers = {
+            'content-type' => 'application/json',
+            'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
+          }
+          # Check if request expects JSON
+          accept_header = request.env['HTTP_ACCEPT'].to_s
+          if accept_header.include?('application/json')
+            error_response = {
+              error: 'Rate limit exceeded',
+              message: 'Too many requests',
+              retry_after: headers['retry-after'].to_i,
+              limit: match_data[:limit],
+              period: match_data[:period],
+            }
+            [429, headers, [JSON.generate(error_response)]]
+          else
+            body = "Rate limit exceeded. Retry after #{headers['retry-after']} seconds."
+            headers['content-type'] = 'text/plain'
+            [429, headers, [body]]
+          end
+        end
+        # Log blocked requests if ActiveSupport is available
+        return unless defined?(ActiveSupport::Notifications)
+        ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
+          req = payload[:request]
+          Otto.logger.warn "[Otto] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/rate_limiting.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+# lib/otto/security/rate_limiting.rb
+#
+# Index file for rate limiting components
+# Provides backward compatibility for existing rate limiting usage
+require_relative 'rate_limiter'
+require_relative 'middleware/rate_limit_middleware'
+class Otto
+  module Security
+    # Backward compatibility alias
+    RateLimitMiddleware = Middleware::RateLimitMiddleware
+  end
+end

data/lib/otto/security/validator.rb CHANGED Viewed

@@ -1,299 +1,15 @@
+# frozen_string_literal: true
 # lib/otto/security/validator.rb
+#
+# Index file for validation middleware
+# Provides backward compatibility for existing validation usage
-require 'json'
-require 'cgi'
+require_relative 'middleware/validation_middleware'
 class Otto
   module Security
-    # ValidationMiddleware provides input validation and sanitization for web requests
-    class ValidationMiddleware
-      # Character validation patterns
-      INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
-      NULL_BYTE          = /\0/
-      DANGEROUS_PATTERNS = [
-        /<script[^>]*>/i,           # Script tags
-        /javascript:/i,             # JavaScript protocol
-        /data:.*base64/i,           # Data URLs with base64
-        /on\w+\s*=/i,               # Event handlers
-        /expression\s*\(/i,         # CSS expressions
-        /url\s*\(/i,                # CSS url() functions
-        NULL_BYTE,                  # Null bytes
-        INVALID_CHARACTERS,         # Control characters and extended ASCII
-      ].freeze
-      SQL_INJECTION_PATTERNS = [
-        /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
-        /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
-        /(or|and)\s+\w+\s*=\s*\w+/i,
-        /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
-      ].freeze
-      def initialize(app, config = nil)
-        @app    = app
-        @config = config || Otto::Security::Config.new
-      end
-      def call(env)
-        return @app.call(env) unless @config.input_validation
-        request = Rack::Request.new(env)
-        begin
-          # Validate request size
-          validate_request_size(request)
-          # Validate content type
-          validate_content_type(request)
-          # Validate and sanitize parameters
-          begin
-            validate_parameters(request) if request.params
-          rescue Rack::QueryParser::QueryLimitError => ex
-            # Handle Rack's built-in query parsing limits
-            raise Otto::Security::ValidationError, "Parameter structure too complex: #{ex.message}"
-          end
-          # Validate headers
-          validate_headers(request)
-          @app.call(env)
-        rescue Otto::Security::ValidationError => ex
-          validation_error_response(ex.message)
-        rescue Otto::Security::RequestTooLargeError => ex
-          request_too_large_response(ex.message)
-        end
-      end
-      private
-      def validate_request_size(request)
-        content_length = request.env['CONTENT_LENGTH']
-        @config.validate_request_size(content_length)
-      end
-      def validate_content_type(request)
-        content_type = request.env['CONTENT_TYPE']
-        return unless content_type
-        # Block dangerous content types
-        dangerous_types = [
-          'application/x-shockwave-flash',
-          'application/x-silverlight-app',
-          'text/vbscript',
-          'application/vbscript',
-        ]
-        if dangerous_types.any? { |type| content_type.downcase.include?(type) }
-          raise Otto::Security::ValidationError, "Dangerous content type: #{content_type}"
-        end
-      end
-      def validate_parameters(request)
-        validate_param_structure(request.params, 0)
-        sanitize_params(request.params)
-      end
-      def validate_param_structure(params, depth = 0)
-        if depth > @config.max_param_depth
-          raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
-        end
-        case params
-        when Hash
-          if params.keys.length > @config.max_param_keys
-            raise Otto::Security::ValidationError, "Too many parameters (#{params.keys.length} > #{@config.max_param_keys})"
-          end
-          params.each do |key, value|
-            validate_param_key(key)
-            validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
-          end
-        when Array
-          if params.length > @config.max_param_keys
-            raise Otto::Security::ValidationError, "Too many array elements (#{params.length} > #{@config.max_param_keys})"
-          end
-          params.each do |value|
-            validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
-          end
-        end
-      end
-      def validate_param_key(key)
-        key_str = key.to_s
-        # Check for dangerous characters in parameter names using shared patterns
-        if key_str.match?(NULL_BYTE) || key_str.match?(INVALID_CHARACTERS)
-          raise Otto::Security::ValidationError, "Invalid characters in parameter name: #{key_str}"
-        end
-        # Check for suspiciously long parameter names
-        if key_str.length > 256
-          raise Otto::Security::ValidationError, "Parameter name too long: #{key_str[0..50]}..."
-        end
-      end
-      def sanitize_params(params)
-        case params
-        when Hash
-          params.each do |key, value|
-            params[key] = sanitize_value(value)
-          end
-        when Array
-          params.map! { |value| sanitize_value(value) }
-        else
-          sanitize_value(params)
-        end
-      end
-      def sanitize_value(value)
-        return value unless value.is_a?(String)
-        # Check for dangerous patterns
-        DANGEROUS_PATTERNS.each do |pattern|
-          if value.match?(pattern)
-            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
-          end
-        end
-        # Check for SQL injection patterns
-        SQL_INJECTION_PATTERNS.each do |pattern|
-          if value.match?(pattern)
-            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
-          end
-        end
-        # Check for extremely long values
-        if value.length > 10_000
-          raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
-        end
-        # Basic sanitization - remove null bytes and control characters
-        sanitized = value.gsub(/\0/, '').gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
-        # Additional sanitization for common attack vectors
-        sanitized = sanitized.gsub(/<!--.*?-->/m, '') # Remove HTML comments
-        sanitized.gsub(/<!\[CDATA\[.*?\]\]>/m, '') # Remove CDATA sections
-      end
-      def validate_headers(request)
-        # Check for dangerous headers
-        dangerous_headers = %w[
-          HTTP_X_FORWARDED_HOST
-          HTTP_X_ORIGINAL_URL
-          HTTP_X_REWRITE_URL
-          HTTP_DESTINATION
-          HTTP_UPGRADE_INSECURE_REQUESTS
-        ]
-        dangerous_headers.each do |header|
-          value = request.env[header]
-          next unless value
-          # Basic validation - no null bytes or control characters
-          if value.match?(NULL_BYTE) || value.match?(INVALID_CHARACTERS)
-            raise Otto::Security::ValidationError, "Invalid characters in header: #{header}"
-          end
-        end
-        # Validate User-Agent length
-        user_agent = request.env['HTTP_USER_AGENT']
-        if user_agent && user_agent.length > 1000
-          raise Otto::Security::ValidationError, 'User-Agent header too long'
-        end
-        # Validate Referer header
-        referer = request.env['HTTP_REFERER']
-        if referer && referer.length > 2000
-          raise Otto::Security::ValidationError, 'Referer header too long'
-        end
-      end
-      def validation_error_response(message)
-        [
-          400,
-          {
-            'content-type' => 'application/json',
-            'content-length' => validation_error_body(message).bytesize.to_s,
-          },
-          [validation_error_body(message)],
-        ]
-      end
-      def request_too_large_response(message)
-        [
-          413,
-          {
-            'content-type' => 'application/json',
-            'content-length' => request_too_large_body(message).bytesize.to_s,
-          },
-          [request_too_large_body(message)],
-        ]
-      end
-      def validation_error_body(message)
-        require 'json'
-        {
-          error: 'Validation failed',
-          message: message,
-        }.to_json
-      end
-      def request_too_large_body(message)
-        require 'json'
-        {
-          error: 'Request too large',
-          message: message,
-        }.to_json
-      end
-    end
-    module ValidationHelpers
-      def validate_input(input, max_length: 1000, allow_html: false)
-        return input if input.nil? || input.empty?
-        input_str = input.to_s
-        # Check length
-        if input_str.length > max_length
-          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
-        end
-        # Check for dangerous patterns unless HTML is allowed
-        unless allow_html
-          ValidationMiddleware::DANGEROUS_PATTERNS.each do |pattern|
-            if input_str.match?(pattern)
-              raise Otto::Security::ValidationError, 'Dangerous content detected'
-            end
-          end
-        end
-        # Always check for SQL injection
-        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
-          if input_str.match?(pattern)
-            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
-          end
-        end
-        input_str
-      end
-      def sanitize_filename(filename)
-        return nil if filename.nil? || filename.empty?
-        # Remove path components and dangerous characters
-        clean_name = File.basename(filename.to_s)
-        clean_name = clean_name.gsub(/[^\w\-_\.]/, '_')
-        clean_name = clean_name.gsub(/_{2,}/, '_')
-        clean_name = clean_name.gsub(/^_+|_+$/, '')
-        # Ensure it's not empty and has reasonable length
-        clean_name = 'file' if clean_name.empty?
-        clean_name = clean_name[0..100] if clean_name.length > 100
-        clean_name
-      end
-    end
+    # Backward compatibility alias
+    ValidationMiddleware = Middleware::ValidationMiddleware
   end
 end

data/lib/otto/static.rb CHANGED Viewed

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
 # lib/otto/static.rb
 class Otto
+  # Static response utilities for common HTTP responses
   module Static
     extend self

data/lib/otto/utils.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+# lib/otto/utils.rb
+class Otto
+  # Utility methods for common operations and helpers
+  module Utils
+    extend self
+    def yes?(value)
+      !value.to_s.empty? && %w[true yes 1].include?(value.to_s.downcase)
+    end
+  end
+end

data/lib/otto/version.rb CHANGED Viewed

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
 # lib/otto/version.rb
 class Otto
-  VERSION = '1.5.0'.freeze
+  VERSION = '2.0.0.pre1'
 end