RubyGems - otto - Versions diffs - 1.6.0 → 2.0.0.pre1 - Mend

otto 1.6.0 → 2.0.0.pre1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +1 -1
data/.github/workflows/claude-code-review.yml +53 -0
data/.github/workflows/claude.yml +49 -0
data/.gitignore +3 -0
data/.rubocop.yml +24 -345
data/CHANGELOG.rst +83 -0
data/CLAUDE.md +56 -0
data/Gemfile +10 -3
data/Gemfile.lock +23 -28
data/README.md +2 -0
data/bin/rspec +4 -4
data/changelog.d/20250911_235619_delano_next.rst +28 -0
data/changelog.d/20250912_123055_delano_remove_ostruct.rst +21 -0
data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst +21 -0
data/changelog.d/README.md +120 -0
data/changelog.d/scriv.ini +5 -0
data/docs/.gitignore +1 -0
data/docs/migrating/v2.0.0-pre1.md +276 -0
data/examples/.gitignore +1 -0
data/examples/advanced_routes/README.md +33 -0
data/examples/advanced_routes/app/controllers/handlers/async.rb +9 -0
data/examples/advanced_routes/app/controllers/handlers/dynamic.rb +9 -0
data/examples/advanced_routes/app/controllers/handlers/static.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/auth.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/transformer.rb +9 -0
data/examples/advanced_routes/app/controllers/modules/validator.rb +9 -0
data/examples/advanced_routes/app/controllers/routes_app.rb +232 -0
data/examples/advanced_routes/app/controllers/v2/admin.rb +9 -0
data/examples/advanced_routes/app/controllers/v2/config.rb +9 -0
data/examples/advanced_routes/app/controllers/v2/settings.rb +9 -0
data/examples/advanced_routes/app/logic/admin/logic/manager.rb +27 -0
data/examples/advanced_routes/app/logic/admin/panel.rb +27 -0
data/examples/advanced_routes/app/logic/analytics_processor.rb +25 -0
data/examples/advanced_routes/app/logic/complex/business/handler.rb +27 -0
data/examples/advanced_routes/app/logic/data_logic.rb +23 -0
data/examples/advanced_routes/app/logic/data_processor.rb +25 -0
data/examples/advanced_routes/app/logic/input_validator.rb +24 -0
data/examples/advanced_routes/app/logic/nested/feature/logic.rb +27 -0
data/examples/advanced_routes/app/logic/reports_generator.rb +27 -0
data/examples/advanced_routes/app/logic/simple_logic.rb +25 -0
data/examples/advanced_routes/app/logic/system/config/manager.rb +27 -0
data/examples/advanced_routes/app/logic/test_logic.rb +23 -0
data/examples/advanced_routes/app/logic/transform_logic.rb +23 -0
data/examples/advanced_routes/app/logic/upload_logic.rb +23 -0
data/examples/advanced_routes/app/logic/v2/logic/dashboard.rb +27 -0
data/examples/advanced_routes/app/logic/v2/logic/processor.rb +27 -0
data/examples/advanced_routes/app.rb +33 -0
data/examples/advanced_routes/config.rb +23 -0
data/examples/advanced_routes/config.ru +7 -0
data/examples/advanced_routes/puma.rb +20 -0
data/examples/advanced_routes/routes +167 -0
data/examples/advanced_routes/run.rb +39 -0
data/examples/advanced_routes/test.rb +58 -0
data/examples/authentication_strategies/README.md +32 -0
data/examples/authentication_strategies/app/auth.rb +68 -0
data/examples/authentication_strategies/app/controllers/auth_controller.rb +29 -0
data/examples/authentication_strategies/app/controllers/main_controller.rb +28 -0
data/examples/authentication_strategies/config.ru +24 -0
data/examples/authentication_strategies/routes +37 -0
data/examples/basic/README.md +29 -0
data/examples/basic/app.rb +7 -35
data/examples/basic/routes +0 -9
data/examples/mcp_demo/README.md +87 -0
data/examples/mcp_demo/app.rb +29 -34
data/examples/mcp_demo/config.ru +9 -60
data/examples/security_features/README.md +46 -0
data/examples/security_features/app.rb +23 -24
data/examples/security_features/config.ru +8 -10
data/lib/otto/core/configuration.rb +167 -0
data/lib/otto/core/error_handler.rb +86 -0
data/lib/otto/core/file_safety.rb +61 -0
data/lib/otto/core/middleware_stack.rb +157 -0
data/lib/otto/core/router.rb +183 -0
data/lib/otto/core/uri_generator.rb +44 -0
data/lib/otto/design_system.rb +7 -5
data/lib/otto/helpers/base.rb +3 -0
data/lib/otto/helpers/request.rb +10 -8
data/lib/otto/helpers/response.rb +5 -4
data/lib/otto/helpers/validation.rb +9 -7
data/lib/otto/mcp/auth/token.rb +10 -9
data/lib/otto/mcp/protocol.rb +24 -27
data/lib/otto/mcp/rate_limiting.rb +8 -3
data/lib/otto/mcp/registry.rb +7 -2
data/lib/otto/mcp/route_parser.rb +10 -15
data/lib/otto/mcp/server.rb +21 -11
data/lib/otto/mcp/validation.rb +14 -10
data/lib/otto/response_handlers/auto.rb +39 -0
data/lib/otto/response_handlers/base.rb +16 -0
data/lib/otto/response_handlers/default.rb +16 -0
data/lib/otto/response_handlers/factory.rb +39 -0
data/lib/otto/response_handlers/json.rb +28 -0
data/lib/otto/response_handlers/redirect.rb +25 -0
data/lib/otto/response_handlers/view.rb +24 -0
data/lib/otto/response_handlers.rb +9 -135
data/lib/otto/route.rb +9 -9
data/lib/otto/route_definition.rb +15 -18
data/lib/otto/route_handlers/base.rb +121 -0
data/lib/otto/route_handlers/class_method.rb +89 -0
data/lib/otto/route_handlers/factory.rb +29 -0
data/lib/otto/route_handlers/instance_method.rb +69 -0
data/lib/otto/route_handlers/lambda.rb +59 -0
data/lib/otto/route_handlers/logic_class.rb +93 -0
data/lib/otto/route_handlers.rb +10 -405
data/lib/otto/security/authentication/auth_strategy.rb +44 -0
data/lib/otto/security/authentication/authentication_middleware.rb +123 -0
data/lib/otto/security/authentication/failure_result.rb +36 -0
data/lib/otto/security/authentication/strategies/api_key_strategy.rb +40 -0
data/lib/otto/security/authentication/strategies/permission_strategy.rb +47 -0
data/lib/otto/security/authentication/strategies/public_strategy.rb +19 -0
data/lib/otto/security/authentication/strategies/role_strategy.rb +57 -0
data/lib/otto/security/authentication/strategies/session_strategy.rb +41 -0
data/lib/otto/security/authentication/strategy_result.rb +223 -0
data/lib/otto/security/authentication.rb +28 -282
data/lib/otto/security/config.rb +14 -12
data/lib/otto/security/configurator.rb +219 -0
data/lib/otto/security/csrf.rb +8 -143
data/lib/otto/security/middleware/csrf_middleware.rb +151 -0
data/lib/otto/security/middleware/rate_limit_middleware.rb +38 -0
data/lib/otto/security/middleware/validation_middleware.rb +252 -0
data/lib/otto/security/rate_limiter.rb +86 -0
data/lib/otto/security/rate_limiting.rb +10 -105
data/lib/otto/security/validator.rb +8 -253
data/lib/otto/static.rb +3 -0
data/lib/otto/utils.rb +14 -0
data/lib/otto/version.rb +3 -1
data/lib/otto.rb +142 -498
data/otto.gemspec +2 -2
metadata +89 -28
data/examples/dynamic_pages/app.rb +0 -115
data/examples/dynamic_pages/config.ru +0 -30
data/examples/dynamic_pages/routes +0 -21
data/examples/helpers_demo/app.rb +0 -244
data/examples/helpers_demo/config.ru +0 -26
data/examples/helpers_demo/routes +0 -7
data/lib/concurrent_cache_store.rb +0 -68

data/lib/otto/security/csrf.rb CHANGED Viewed

@@ -1,151 +1,16 @@
+# frozen_string_literal: true
 # lib/otto/security/csrf.rb
+#
+# Index file for CSRF protection components
+# Provides backward compatibility for existing CSRF usage
-require 'securerandom'
+require_relative 'middleware/csrf_middleware'
 class Otto
-  # CSRF protection middleware for Otto framework
   module Security
-    # Middleware that provides Cross-Site Request Forgery (CSRF) protection
-    class CSRFMiddleware
-      SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
-      def initialize(app, config = nil)
-        @app    = app
-        @config = config || Otto::Security::Config.new
-      end
-      def call(env)
-        return @app.call(env) unless @config.csrf_enabled?
-        request = Rack::Request.new(env)
-        # Skip CSRF protection for safe methods
-        if safe_method?(request.request_method)
-          response = @app.call(env)
-          response = inject_csrf_token(request, response) if html_response?(response)
-          return response
-        end
-        # Validate CSRF token for unsafe methods
-        return csrf_error_response unless valid_csrf_token?(request)
-        @app.call(env)
-      end
-      private
-      def safe_method?(method)
-        SAFE_METHODS.include?(method.upcase)
-      end
-      def valid_csrf_token?(request)
-        token = extract_csrf_token(request)
-        return false if token.nil? || token.empty?
-        session_id = @config.get_or_create_session_id(request)
-        @config.verify_csrf_token(token, session_id)
-      end
-      def extract_csrf_token(request)
-        # Try form parameter first
-        token = request.params[@config.csrf_token_key]
-        # Try header if not in params
-        token ||= request.env[@config.csrf_header_key]
-        # Try alternative header format
-        token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
-        token
-      end
-      def extract_session_id(request)
-        @config.get_or_create_session_id(request)
-      end
-      def inject_csrf_token(request, response)
-        return response unless response.is_a?(Array) && response.length >= 3
-        status, headers, body = response
-        content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
-        return response unless content_type&.include?('text/html')
-        # Get or create session ID
-        session_id = @config.get_or_create_session_id(request)
-        # Ensure session ID is saved to cookie if it was newly created
-        ensure_session_cookie(request, headers, session_id)
-        # Generate new CSRF token
-        csrf_token = @config.generate_csrf_token(session_id)
-        # Inject meta tag into HTML head
-        body_content = body.respond_to?(:join) ? body.join : body.to_s
-        if body_content.match?(/<head>/i)
-          meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
-          body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
-          # Update content length if present
-          content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
-          headers[content_length_key] = body_content.bytesize.to_s if content_length_key
-          [status, headers, [body_content]]
-        else
-          response
-        end
-      end
-      def ensure_session_cookie(request, headers, session_id)
-        # Check if session ID already exists in cookies
-        existing_cookie = request.cookies['_otto_session']
-        return if existing_cookie == session_id
-        # Set the session cookie
-        cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
-        cookie_value += '; Secure' if request.scheme == 'https'
-        # Handle existing Set-Cookie headers
-        existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
-        if existing_cookies
-          # Append to existing cookies (handle both string and array formats)
-          if existing_cookies.is_a?(Array)
-            existing_cookies << "_otto_session=#{cookie_value}"
-          else
-            headers['set-cookie'] = [existing_cookies, "_otto_session=#{cookie_value}"]
-          end
-        else
-          headers['set-cookie'] = "_otto_session=#{cookie_value}"
-        end
-      end
-      def html_response?(response)
-        return false unless response.is_a?(Array) && response.length >= 2
-        headers      = response[1]
-        content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
-        content_type&.include?('text/html')
-      end
-      def csrf_error_response
-        [
-          403,
-          {
-            'content-type' => 'application/json',
-            'content-length' => csrf_error_body.bytesize.to_s,
-          },
-          [csrf_error_body],
-        ]
-      end
-      def csrf_error_body
-        {
-          error: 'CSRF token validation failed',
-          message: 'The request could not be authenticated. Please refresh the page and try again.',
-        }.to_json
-      end
-    end
+    # Backward compatibility alias
+    CSRFMiddleware = Middleware::CSRFMiddleware
     # Helper methods for CSRF token handling in views and controllers
     module CSRFHelpers

data/lib/otto/security/middleware/csrf_middleware.rb ADDED Viewed

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+require_relative '../config'
+class Otto
+  module Security
+    module Middleware
+      # Middleware that provides Cross-Site Request Forgery (CSRF) protection
+      class CSRFMiddleware
+        SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
+        def initialize(app, config = nil)
+          @app    = app
+          @config = config || Otto::Security::Config.new
+        end
+        def call(env)
+          return @app.call(env) unless @config.csrf_enabled?
+          request = Rack::Request.new(env)
+          # Skip CSRF protection for safe methods
+          if safe_method?(request.request_method)
+            response = @app.call(env)
+            response = inject_csrf_token(request, response) if html_response?(response)
+            return response
+          end
+          # Validate CSRF token for unsafe methods
+          return csrf_error_response unless valid_csrf_token?(request)
+          @app.call(env)
+        end
+        private
+        def safe_method?(method)
+          SAFE_METHODS.include?(method.upcase)
+        end
+        def valid_csrf_token?(request)
+          token = extract_csrf_token(request)
+          return false if token.nil? || token.empty?
+          session_id = @config.get_or_create_session_id(request)
+          @config.verify_csrf_token(token, session_id)
+        end
+        def extract_csrf_token(request)
+          # Try form parameter first
+          token = request.params[@config.csrf_token_key]
+          # Try header if not in params
+          token ||= request.env[@config.csrf_header_key]
+          # Try alternative header format
+          token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
+          token
+        end
+        def extract_session_id(request)
+          @config.get_or_create_session_id(request)
+        end
+        def inject_csrf_token(request, response)
+          return response unless response.is_a?(Array) && response.length >= 3
+          status, headers, body = response
+          content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+          return response unless content_type&.include?('text/html')
+          # Get or create session ID
+          session_id = @config.get_or_create_session_id(request)
+          # Ensure session ID is saved to cookie if it was newly created
+          ensure_session_cookie(request, headers, session_id)
+          # Generate new CSRF token
+          csrf_token = @config.generate_csrf_token(session_id)
+          # Inject meta tag into HTML head
+          body_content = body.respond_to?(:join) ? body.join : body.to_s
+          if body_content.match?(/<head>/i)
+            meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
+            body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
+            # Update content length if present
+            content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
+            headers[content_length_key] = body_content.bytesize.to_s if content_length_key
+            [status, headers, [body_content]]
+          else
+            response
+          end
+        end
+        def ensure_session_cookie(request, headers, session_id)
+          # Check if session ID already exists in cookies
+          existing_cookie = request.cookies['_otto_session']
+          return if existing_cookie == session_id
+          # Set the session cookie
+          cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
+          cookie_value += '; Secure' if request.scheme == 'https'
+          # Handle existing Set-Cookie headers
+          existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
+          if existing_cookies
+            # Append to existing cookies (handle both string and array formats)
+            if existing_cookies.is_a?(Array)
+              existing_cookies << "_otto_session=#{cookie_value}"
+            else
+              headers['set-cookie'] = [existing_cookies, "_otto_session=#{cookie_value}"]
+            end
+          else
+            headers['set-cookie'] = "_otto_session=#{cookie_value}"
+          end
+        end
+        def html_response?(response)
+          return false unless response.is_a?(Array) && response.length >= 2
+          headers      = response[1]
+          content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+          content_type&.include?('text/html')
+        end
+        def csrf_error_response
+          [
+            403,
+            {
+              'content-type' => 'application/json',
+              'content-length' => csrf_error_body.bytesize.to_s,
+            },
+            [csrf_error_body],
+          ]
+        end
+        def csrf_error_body
+          {
+            error: 'CSRF token validation failed',
+            message: 'The request could not be authenticated. Please refresh the page and try again.',
+          }.to_json
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/middleware/rate_limit_middleware.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require_relative '../rate_limiter'
+class Otto
+  module Security
+    module Middleware
+      # Middleware for applying rate limiting to HTTP requests
+      class RateLimitMiddleware
+        def initialize(app, security_config = nil)
+          @app = app
+          @security_config = security_config
+          @rate_limiter_available = defined?(Rack::Attack)
+          if @rate_limiter_available
+            configure_rate_limiting
+          else
+            Otto.logger.warn '[Otto] rack-attack not available - rate limiting disabled'
+          end
+        end
+        def call(env)
+          return @app.call(env) unless @rate_limiter_available
+          # Let rack-attack handle the rate limiting
+          @app.call(env)
+        end
+        private
+        def configure_rate_limiting
+          config = @security_config&.rate_limiting_config || {}
+          Otto::Security::RateLimiting.configure_rack_attack!(config)
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/middleware/validation_middleware.rb ADDED Viewed

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+require_relative '../config'
+require_relative '../../helpers/validation'
+class Otto
+  module Security
+    module Middleware
+      # ValidationMiddleware provides input validation and sanitization for web requests
+      # Uses Loofah for HTML/XSS sanitization and Facets for filename sanitization
+      class ValidationMiddleware
+        # Character validation patterns
+        INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
+        NULL_BYTE          = /\0/
+        # HTML/XSS sanitization is handled by Loofah library for better security coverage
+        SQL_INJECTION_PATTERNS = [
+          /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
+          /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
+          /(or|and)\s+\w+\s*=\s*\w+/i,
+          /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
+        ].freeze
+        def initialize(app, config = nil)
+          @app    = app
+          @config = config || Otto::Security::Config.new
+        end
+        def call(env)
+          return @app.call(env) unless @config.input_validation
+          request = Rack::Request.new(env)
+          begin
+            # Validate request size
+            validate_request_size(request)
+            # Validate content type
+            validate_content_type(request)
+            # Validate and sanitize parameters
+            begin
+              validate_parameters(request) if request.params
+            rescue Rack::QueryParser::QueryLimitError => e
+              # Handle Rack's built-in query parsing limits
+              raise Otto::Security::ValidationError, "Parameter structure too complex: #{e.message}"
+            end
+            # Validate headers
+            validate_headers(request)
+            @app.call(env)
+          rescue Otto::Security::ValidationError => e
+            validation_error_response(e.message)
+          rescue Otto::Security::RequestTooLargeError => e
+            request_too_large_response(e.message)
+          end
+        end
+        private
+        def validate_request_size(request)
+          content_length = request.env['CONTENT_LENGTH']
+          @config.validate_request_size(content_length)
+        end
+        def validate_content_type(request)
+          content_type = request.env['CONTENT_TYPE']
+          return unless content_type
+          # Block dangerous content types
+          dangerous_types = [
+            'application/x-shockwave-flash',
+            'application/x-silverlight-app',
+            'text/vbscript',
+            'application/vbscript',
+          ]
+          return unless dangerous_types.any? { |type| content_type.downcase.include?(type) }
+          raise Otto::Security::ValidationError, "Dangerous content type: #{content_type}"
+        end
+        def validate_parameters(request)
+          validate_param_structure(request.params, 0)
+          sanitize_params(request.params)
+        end
+        def validate_param_structure(params, depth = 0)
+          if depth >= @config.max_param_depth
+            raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
+          end
+          case params
+          when Hash
+            if params.keys.length > @config.max_param_keys
+              raise Otto::Security::ValidationError,
+                    "Too many parameters (#{params.keys.length} > #{@config.max_param_keys})"
+            end
+            params.each do |key, value|
+              validate_param_key(key)
+              validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+            end
+          when Array
+            if params.length > @config.max_param_keys
+              raise Otto::Security::ValidationError,
+                    "Too many array elements (#{params.length} > #{@config.max_param_keys})"
+            end
+            params.each do |value|
+              validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
+            end
+          end
+        end
+        def validate_param_key(key)
+          key_str = key.to_s
+          # Check for dangerous characters in parameter names using shared patterns
+          if key_str.match?(NULL_BYTE) || key_str.match?(INVALID_CHARACTERS)
+            raise Otto::Security::ValidationError, "Invalid characters in parameter name: #{key_str}"
+          end
+          # Check for suspiciously long parameter names
+          return unless key_str.length > 256
+          raise Otto::Security::ValidationError, "Parameter name too long: #{key_str[0..50]}..."
+        end
+        def sanitize_params(params)
+          case params
+          when Hash
+            params.each do |key, value|
+              params[key] = sanitize_value(value)
+            end
+          when Array
+            params.map! { |value| sanitize_value(value) }
+          else
+            sanitize_value(params)
+          end
+        end
+        def sanitize_value(value)
+          return value unless value.is_a?(String)
+          # Check for extremely long values first
+          if value.length > 10_000
+            raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
+          end
+          # Start with the original value
+          original = value.dup
+          # Check for null bytes first (these should be rejected, not sanitized)
+          raise Otto::Security::ValidationError, 'Dangerous content detected in parameter' if original.match?(NULL_BYTE)
+          # Check for script injection first (these should always be rejected)
+          if looks_like_script_injection?(original)
+            raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
+          end
+          # Use Loofah to sanitize HTML/XSS content for less dangerous HTML
+          # Loofah.fragment removes dangerous HTML but preserves safe content
+          sanitized = Loofah.fragment(original).scrub!(:whitewash).to_s
+          # Remove control characters (sanitize, don't block)
+          sanitized = sanitized.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
+          # Check for SQL injection patterns
+          SQL_INJECTION_PATTERNS.each do |pattern|
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected' if sanitized.match?(pattern)
+          end
+          sanitized
+        end
+        include Otto::Security::ValidationHelpers
+        def validate_headers(request)
+          # Check for dangerous headers
+          dangerous_headers = %w[
+            HTTP_X_FORWARDED_HOST
+            HTTP_X_ORIGINAL_URL
+            HTTP_X_REWRITE_URL
+            HTTP_DESTINATION
+            HTTP_UPGRADE_INSECURE_REQUESTS
+          ]
+          dangerous_headers.each do |header|
+            value = request.env[header]
+            next unless value
+            # Basic validation - no null bytes or control characters
+            if value.match?(NULL_BYTE) || value.match?(INVALID_CHARACTERS)
+              raise Otto::Security::ValidationError, "Invalid characters in header: #{header}"
+            end
+          end
+          # Validate User-Agent length
+          user_agent = request.env['HTTP_USER_AGENT']
+          raise Otto::Security::ValidationError, 'User-Agent header too long' if user_agent && user_agent.length > 1000
+          # Validate Referer header
+          referer = request.env['HTTP_REFERER']
+          return unless referer && referer.length > 2000
+          raise Otto::Security::ValidationError, 'Referer header too long'
+        end
+        def validation_error_response(message)
+          [
+            400,
+            {
+              'content-type' => 'application/json',
+              'content-length' => validation_error_body(message).bytesize.to_s,
+            },
+            [validation_error_body(message)],
+          ]
+        end
+        def request_too_large_response(message)
+          [
+            413,
+            {
+              'content-type' => 'application/json',
+              'content-length' => request_too_large_body(message).bytesize.to_s,
+            },
+            [request_too_large_body(message)],
+          ]
+        end
+        def validation_error_body(message)
+          require 'json'
+          {
+            error: 'Validation failed',
+            message: message,
+          }.to_json
+        end
+        def request_too_large_body(message)
+          require 'json'
+          {
+            error: 'Request too large',
+            message: message,
+          }.to_json
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/rate_limiter.rb ADDED Viewed

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+# lib/otto/security/rate_limiter.rb
+require 'json'
+begin
+  require 'rack/attack'
+rescue LoadError
+  # rack-attack is optional - graceful fallback
+end
+class Otto
+  module Security
+    # Rate limiting implementation using Rack::Attack
+    class RateLimiting
+      def self.configure_rack_attack!(config = {})
+        return unless defined?(Rack::Attack)
+        # Use provided cache store or default
+        Rack::Attack.cache.store = config[:cache_store] if config[:cache_store]
+        # Default rules
+        default_requests_per_minute = config.fetch(:requests_per_minute, 100)
+        # General request throttling
+        Rack::Attack.throttle('requests', limit: default_requests_per_minute, period: 60) do |request|
+          request.ip unless request.path.start_with?('/_') # Skip internal paths by default
+        end
+        # Apply custom rules if provided
+        if config[:custom_rules]
+          config[:custom_rules].each do |name, rule_config|
+            limit = rule_config[:limit]
+            period = rule_config[:period] || 60
+            condition = rule_config[:condition]
+            Rack::Attack.throttle(name.to_s, limit: limit, period: period) do |request|
+              if condition
+                request.ip if condition.call(request)
+              else
+                request.ip
+              end
+            end
+          end
+        end
+        # Custom response for rate limited requests
+        Rack::Attack.throttled_responder = lambda do |request|
+          match_data = request.env['rack.attack.match_data']
+          now = match_data[:epoch_time]
+          headers = {
+            'content-type' => 'application/json',
+            'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
+          }
+          # Check if request expects JSON
+          accept_header = request.env['HTTP_ACCEPT'].to_s
+          if accept_header.include?('application/json')
+            error_response = {
+              error: 'Rate limit exceeded',
+              message: 'Too many requests',
+              retry_after: headers['retry-after'].to_i,
+              limit: match_data[:limit],
+              period: match_data[:period],
+            }
+            [429, headers, [JSON.generate(error_response)]]
+          else
+            body = "Rate limit exceeded. Retry after #{headers['retry-after']} seconds."
+            headers['content-type'] = 'text/plain'
+            [429, headers, [body]]
+          end
+        end
+        # Log blocked requests if ActiveSupport is available
+        return unless defined?(ActiveSupport::Notifications)
+        ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
+          req = payload[:request]
+          Otto.logger.warn "[Otto] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
+        end
+      end
+    end
+  end
+end