otto 1.6.0 → 2.0.0.pre2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +3 -2
- data/.github/workflows/claude-code-review.yml +53 -0
- data/.github/workflows/claude.yml +49 -0
- data/.gitignore +3 -0
- data/.rubocop.yml +26 -344
- data/CHANGELOG.rst +131 -0
- data/CLAUDE.md +56 -0
- data/Gemfile +11 -4
- data/Gemfile.lock +38 -42
- data/README.md +2 -0
- data/bin/rspec +4 -4
- data/changelog.d/README.md +120 -0
- data/changelog.d/scriv.ini +5 -0
- data/docs/.gitignore +2 -0
- data/docs/migrating/v2.0.0-pre1.md +276 -0
- data/docs/migrating/v2.0.0-pre2.md +345 -0
- data/examples/.gitignore +1 -0
- data/examples/advanced_routes/README.md +33 -0
- data/examples/advanced_routes/app/controllers/handlers/async.rb +9 -0
- data/examples/advanced_routes/app/controllers/handlers/dynamic.rb +9 -0
- data/examples/advanced_routes/app/controllers/handlers/static.rb +9 -0
- data/examples/advanced_routes/app/controllers/modules/auth.rb +9 -0
- data/examples/advanced_routes/app/controllers/modules/transformer.rb +9 -0
- data/examples/advanced_routes/app/controllers/modules/validator.rb +9 -0
- data/examples/advanced_routes/app/controllers/routes_app.rb +232 -0
- data/examples/advanced_routes/app/controllers/v2/admin.rb +9 -0
- data/examples/advanced_routes/app/controllers/v2/config.rb +9 -0
- data/examples/advanced_routes/app/controllers/v2/settings.rb +9 -0
- data/examples/advanced_routes/app/logic/admin/logic/manager.rb +27 -0
- data/examples/advanced_routes/app/logic/admin/panel.rb +27 -0
- data/examples/advanced_routes/app/logic/analytics_processor.rb +25 -0
- data/examples/advanced_routes/app/logic/complex/business/handler.rb +27 -0
- data/examples/advanced_routes/app/logic/data_logic.rb +23 -0
- data/examples/advanced_routes/app/logic/data_processor.rb +25 -0
- data/examples/advanced_routes/app/logic/input_validator.rb +24 -0
- data/examples/advanced_routes/app/logic/nested/feature/logic.rb +27 -0
- data/examples/advanced_routes/app/logic/reports_generator.rb +27 -0
- data/examples/advanced_routes/app/logic/simple_logic.rb +25 -0
- data/examples/advanced_routes/app/logic/system/config/manager.rb +27 -0
- data/examples/advanced_routes/app/logic/test_logic.rb +23 -0
- data/examples/advanced_routes/app/logic/transform_logic.rb +23 -0
- data/examples/advanced_routes/app/logic/upload_logic.rb +23 -0
- data/examples/advanced_routes/app/logic/v2/logic/dashboard.rb +27 -0
- data/examples/advanced_routes/app/logic/v2/logic/processor.rb +27 -0
- data/examples/advanced_routes/app.rb +33 -0
- data/examples/advanced_routes/config.rb +23 -0
- data/examples/advanced_routes/config.ru +7 -0
- data/examples/advanced_routes/puma.rb +20 -0
- data/examples/advanced_routes/routes +167 -0
- data/examples/advanced_routes/run.rb +39 -0
- data/examples/advanced_routes/test.rb +58 -0
- data/examples/authentication_strategies/README.md +32 -0
- data/examples/authentication_strategies/app/auth.rb +68 -0
- data/examples/authentication_strategies/app/controllers/auth_controller.rb +29 -0
- data/examples/authentication_strategies/app/controllers/main_controller.rb +28 -0
- data/examples/authentication_strategies/config.ru +24 -0
- data/examples/authentication_strategies/routes +37 -0
- data/examples/basic/README.md +29 -0
- data/examples/basic/app.rb +7 -35
- data/examples/basic/routes +0 -9
- data/examples/mcp_demo/README.md +87 -0
- data/examples/mcp_demo/app.rb +29 -34
- data/examples/mcp_demo/config.ru +9 -60
- data/examples/security_features/README.md +46 -0
- data/examples/security_features/app.rb +23 -24
- data/examples/security_features/config.ru +8 -10
- data/lib/otto/core/configuration.rb +167 -0
- data/lib/otto/core/error_handler.rb +86 -0
- data/lib/otto/core/file_safety.rb +61 -0
- data/lib/otto/core/middleware_stack.rb +237 -0
- data/lib/otto/core/router.rb +184 -0
- data/lib/otto/core/uri_generator.rb +44 -0
- data/lib/otto/design_system.rb +7 -5
- data/lib/otto/env_keys.rb +114 -0
- data/lib/otto/helpers/base.rb +5 -21
- data/lib/otto/helpers/request.rb +10 -8
- data/lib/otto/helpers/response.rb +27 -4
- data/lib/otto/helpers/validation.rb +9 -7
- data/lib/otto/mcp/auth/token.rb +10 -9
- data/lib/otto/mcp/protocol.rb +24 -27
- data/lib/otto/mcp/rate_limiting.rb +8 -3
- data/lib/otto/mcp/registry.rb +7 -2
- data/lib/otto/mcp/route_parser.rb +10 -15
- data/lib/otto/mcp/{validation.rb → schema_validation.rb} +16 -11
- data/lib/otto/mcp/server.rb +45 -22
- data/lib/otto/response_handlers/auto.rb +39 -0
- data/lib/otto/response_handlers/base.rb +16 -0
- data/lib/otto/response_handlers/default.rb +16 -0
- data/lib/otto/response_handlers/factory.rb +39 -0
- data/lib/otto/response_handlers/json.rb +34 -0
- data/lib/otto/response_handlers/redirect.rb +25 -0
- data/lib/otto/response_handlers/view.rb +24 -0
- data/lib/otto/response_handlers.rb +9 -135
- data/lib/otto/route.rb +51 -55
- data/lib/otto/route_definition.rb +15 -18
- data/lib/otto/route_handlers/base.rb +121 -0
- data/lib/otto/route_handlers/class_method.rb +89 -0
- data/lib/otto/route_handlers/factory.rb +42 -0
- data/lib/otto/route_handlers/instance_method.rb +69 -0
- data/lib/otto/route_handlers/lambda.rb +59 -0
- data/lib/otto/route_handlers/logic_class.rb +93 -0
- data/lib/otto/route_handlers.rb +10 -405
- data/lib/otto/security/authentication/auth_strategy.rb +44 -0
- data/lib/otto/security/authentication/authentication_middleware.rb +140 -0
- data/lib/otto/security/authentication/failure_result.rb +44 -0
- data/lib/otto/security/authentication/route_auth_wrapper.rb +149 -0
- data/lib/otto/security/authentication/strategies/api_key_strategy.rb +40 -0
- data/lib/otto/security/authentication/strategies/noauth_strategy.rb +19 -0
- data/lib/otto/security/authentication/strategies/permission_strategy.rb +47 -0
- data/lib/otto/security/authentication/strategies/role_strategy.rb +57 -0
- data/lib/otto/security/authentication/strategies/session_strategy.rb +41 -0
- data/lib/otto/security/authentication/strategy_result.rb +337 -0
- data/lib/otto/security/authentication.rb +28 -282
- data/lib/otto/security/config.rb +14 -23
- data/lib/otto/security/configurator.rb +219 -0
- data/lib/otto/security/csrf.rb +8 -143
- data/lib/otto/security/middleware/csrf_middleware.rb +151 -0
- data/lib/otto/security/middleware/rate_limit_middleware.rb +54 -0
- data/lib/otto/security/middleware/validation_middleware.rb +252 -0
- data/lib/otto/security/rate_limiter.rb +86 -0
- data/lib/otto/security/rate_limiting.rb +10 -105
- data/lib/otto/security/validator.rb +8 -253
- data/lib/otto/static.rb +3 -0
- data/lib/otto/utils.rb +14 -0
- data/lib/otto/version.rb +3 -1
- data/lib/otto.rb +141 -498
- data/otto.gemspec +4 -2
- metadata +99 -18
- data/examples/dynamic_pages/app.rb +0 -115
- data/examples/dynamic_pages/config.ru +0 -30
- data/examples/dynamic_pages/routes +0 -21
- data/examples/helpers_demo/app.rb +0 -244
- data/examples/helpers_demo/config.ru +0 -26
- data/examples/helpers_demo/routes +0 -7
- data/lib/concurrent_cache_store.rb +0 -68
| @@ -1,111 +1,16 @@ | |
| 1 | 
            -
             | 
| 1 | 
            +
            # frozen_string_literal: true
         | 
| 2 2 |  | 
| 3 | 
            -
             | 
| 4 | 
            -
             | 
| 5 | 
            -
             | 
| 6 | 
            -
             | 
| 7 | 
            -
             | 
| 3 | 
            +
            # lib/otto/security/rate_limiting.rb
         | 
| 4 | 
            +
            #
         | 
| 5 | 
            +
            # Index file for rate limiting components
         | 
| 6 | 
            +
            # Provides backward compatibility for existing rate limiting usage
         | 
| 7 | 
            +
             | 
| 8 | 
            +
            require_relative 'rate_limiter'
         | 
| 9 | 
            +
            require_relative 'middleware/rate_limit_middleware'
         | 
| 8 10 |  | 
| 9 11 | 
             
            class Otto
         | 
| 10 12 | 
             
              module Security
         | 
| 11 | 
            -
                 | 
| 12 | 
            -
             | 
| 13 | 
            -
                    return unless defined?(Rack::Attack)
         | 
| 14 | 
            -
             | 
| 15 | 
            -
                    # Use provided cache store or default
         | 
| 16 | 
            -
                    if config[:cache_store]
         | 
| 17 | 
            -
                      Rack::Attack.cache.store = config[:cache_store]
         | 
| 18 | 
            -
                    end
         | 
| 19 | 
            -
             | 
| 20 | 
            -
                    # Default rules
         | 
| 21 | 
            -
                    default_requests_per_minute = config.fetch(:requests_per_minute, 100)
         | 
| 22 | 
            -
             | 
| 23 | 
            -
                    # General request throttling
         | 
| 24 | 
            -
                    Rack::Attack.throttle('requests', limit: default_requests_per_minute, period: 60) do |request|
         | 
| 25 | 
            -
                      request.ip unless request.path.start_with?('/_') # Skip internal paths by default
         | 
| 26 | 
            -
                    end
         | 
| 27 | 
            -
             | 
| 28 | 
            -
                    # Apply custom rules if provided
         | 
| 29 | 
            -
                    if config[:custom_rules]
         | 
| 30 | 
            -
                      config[:custom_rules].each do |name, rule_config|
         | 
| 31 | 
            -
                        limit = rule_config[:limit]
         | 
| 32 | 
            -
                        period = rule_config[:period] || 60
         | 
| 33 | 
            -
                        condition = rule_config[:condition]
         | 
| 34 | 
            -
             | 
| 35 | 
            -
                        Rack::Attack.throttle(name.to_s, limit: limit, period: period) do |request|
         | 
| 36 | 
            -
                          if condition
         | 
| 37 | 
            -
                            request.ip if condition.call(request)
         | 
| 38 | 
            -
                          else
         | 
| 39 | 
            -
                            request.ip
         | 
| 40 | 
            -
                          end
         | 
| 41 | 
            -
                        end
         | 
| 42 | 
            -
                      end
         | 
| 43 | 
            -
                    end
         | 
| 44 | 
            -
             | 
| 45 | 
            -
                    # Custom response for rate limited requests
         | 
| 46 | 
            -
                    Rack::Attack.throttled_responder = lambda do |request|
         | 
| 47 | 
            -
                      match_data = request.env['rack.attack.match_data']
         | 
| 48 | 
            -
                      now = match_data[:epoch_time]
         | 
| 49 | 
            -
             | 
| 50 | 
            -
                      headers = {
         | 
| 51 | 
            -
                        'content-type' => 'application/json',
         | 
| 52 | 
            -
                        'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
         | 
| 53 | 
            -
                      }
         | 
| 54 | 
            -
             | 
| 55 | 
            -
                      # Check if request expects JSON
         | 
| 56 | 
            -
                      accept_header = request.env['HTTP_ACCEPT'].to_s
         | 
| 57 | 
            -
                      if accept_header.include?('application/json')
         | 
| 58 | 
            -
                        error_response = {
         | 
| 59 | 
            -
                          error: 'Rate limit exceeded',
         | 
| 60 | 
            -
                          message: 'Too many requests',
         | 
| 61 | 
            -
                          retry_after: headers['retry-after'].to_i,
         | 
| 62 | 
            -
                          limit: match_data[:limit],
         | 
| 63 | 
            -
                          period: match_data[:period],
         | 
| 64 | 
            -
                        }
         | 
| 65 | 
            -
                        [429, headers, [JSON.generate(error_response)]]
         | 
| 66 | 
            -
                      else
         | 
| 67 | 
            -
                        body = "Rate limit exceeded. Retry after #{headers['retry-after']} seconds."
         | 
| 68 | 
            -
                        headers['content-type'] = 'text/plain'
         | 
| 69 | 
            -
                        [429, headers, [body]]
         | 
| 70 | 
            -
                      end
         | 
| 71 | 
            -
                    end
         | 
| 72 | 
            -
             | 
| 73 | 
            -
                    # Log blocked requests if ActiveSupport is available
         | 
| 74 | 
            -
                    return unless defined?(ActiveSupport::Notifications)
         | 
| 75 | 
            -
             | 
| 76 | 
            -
                    ActiveSupport::Notifications.subscribe('rack.attack') do |_name, _start, _finish, _request_id, payload|
         | 
| 77 | 
            -
                      req = payload[:request]
         | 
| 78 | 
            -
                      Otto.logger.warn "[Otto] Rate limit #{payload[:match_type]} for #{req.ip}: #{payload[:matched]}"
         | 
| 79 | 
            -
                    end
         | 
| 80 | 
            -
                  end
         | 
| 81 | 
            -
                end
         | 
| 82 | 
            -
             | 
| 83 | 
            -
                class RateLimitMiddleware
         | 
| 84 | 
            -
                  def initialize(app, security_config = nil)
         | 
| 85 | 
            -
                    @app = app
         | 
| 86 | 
            -
                    @security_config = security_config
         | 
| 87 | 
            -
                    @rate_limiter_available = defined?(Rack::Attack)
         | 
| 88 | 
            -
             | 
| 89 | 
            -
                    if @rate_limiter_available
         | 
| 90 | 
            -
                      configure_rate_limiting
         | 
| 91 | 
            -
                    else
         | 
| 92 | 
            -
                      Otto.logger.warn '[Otto] rack-attack not available - rate limiting disabled'
         | 
| 93 | 
            -
                    end
         | 
| 94 | 
            -
                  end
         | 
| 95 | 
            -
             | 
| 96 | 
            -
                  def call(env)
         | 
| 97 | 
            -
                    return @app.call(env) unless @rate_limiter_available
         | 
| 98 | 
            -
             | 
| 99 | 
            -
                    # Let rack-attack handle the rate limiting
         | 
| 100 | 
            -
                    @app.call(env)
         | 
| 101 | 
            -
                  end
         | 
| 102 | 
            -
             | 
| 103 | 
            -
                  private
         | 
| 104 | 
            -
             | 
| 105 | 
            -
                  def configure_rate_limiting
         | 
| 106 | 
            -
                    config = @security_config&.rate_limiting_config || {}
         | 
| 107 | 
            -
                    RateLimiting.configure_rack_attack!(config)
         | 
| 108 | 
            -
                  end
         | 
| 109 | 
            -
                end
         | 
| 13 | 
            +
                # Backward compatibility alias
         | 
| 14 | 
            +
                RateLimitMiddleware = Middleware::RateLimitMiddleware
         | 
| 110 15 | 
             
              end
         | 
| 111 16 | 
             
            end
         | 
| @@ -1,260 +1,15 @@ | |
| 1 | 
            -
            #  | 
| 1 | 
            +
            # frozen_string_literal: true
         | 
| 2 2 |  | 
| 3 | 
            -
             | 
| 4 | 
            -
             | 
| 5 | 
            -
             | 
| 6 | 
            -
             | 
| 3 | 
            +
            # lib/otto/security/validator.rb
         | 
| 4 | 
            +
            #
         | 
| 5 | 
            +
            # Index file for validation middleware
         | 
| 6 | 
            +
            # Provides backward compatibility for existing validation usage
         | 
| 7 7 |  | 
| 8 | 
            -
            require_relative ' | 
| 8 | 
            +
            require_relative 'middleware/validation_middleware'
         | 
| 9 9 |  | 
| 10 10 | 
             
            class Otto
         | 
| 11 11 | 
             
              module Security
         | 
| 12 | 
            -
                #  | 
| 13 | 
            -
                 | 
| 14 | 
            -
                class ValidationMiddleware
         | 
| 15 | 
            -
                  # Character validation patterns
         | 
| 16 | 
            -
                  INVALID_CHARACTERS = /[\x00-\x1f\x7f-\xff]/n
         | 
| 17 | 
            -
                  NULL_BYTE          = /\0/
         | 
| 18 | 
            -
             | 
| 19 | 
            -
                  # HTML/XSS sanitization is handled by Loofah library for better security coverage
         | 
| 20 | 
            -
             | 
| 21 | 
            -
                  SQL_INJECTION_PATTERNS = [
         | 
| 22 | 
            -
                    /('|(\\')|(;)|(\\)|(--)|(%27)|(%3B)|(%3D))/i,
         | 
| 23 | 
            -
                    /(union|select|insert|update|delete|drop|create|alter|exec|execute)/i,
         | 
| 24 | 
            -
                    /(or|and)\s+\w+\s*=\s*\w+/i,
         | 
| 25 | 
            -
                    /\d+\s*(=|>|<|>=|<=|<>|!=)\s*\d+/i,
         | 
| 26 | 
            -
                  ].freeze
         | 
| 27 | 
            -
             | 
| 28 | 
            -
                  def initialize(app, config = nil)
         | 
| 29 | 
            -
                    @app    = app
         | 
| 30 | 
            -
                    @config = config || Otto::Security::Config.new
         | 
| 31 | 
            -
                  end
         | 
| 32 | 
            -
             | 
| 33 | 
            -
                  def call(env)
         | 
| 34 | 
            -
                    return @app.call(env) unless @config.input_validation
         | 
| 35 | 
            -
             | 
| 36 | 
            -
                    request = Rack::Request.new(env)
         | 
| 37 | 
            -
             | 
| 38 | 
            -
                    begin
         | 
| 39 | 
            -
                      # Validate request size
         | 
| 40 | 
            -
                      validate_request_size(request)
         | 
| 41 | 
            -
             | 
| 42 | 
            -
                      # Validate content type
         | 
| 43 | 
            -
                      validate_content_type(request)
         | 
| 44 | 
            -
             | 
| 45 | 
            -
                      # Validate and sanitize parameters
         | 
| 46 | 
            -
                      begin
         | 
| 47 | 
            -
                        validate_parameters(request) if request.params
         | 
| 48 | 
            -
                      rescue Rack::QueryParser::QueryLimitError => ex
         | 
| 49 | 
            -
                        # Handle Rack's built-in query parsing limits
         | 
| 50 | 
            -
                        raise Otto::Security::ValidationError, "Parameter structure too complex: #{ex.message}"
         | 
| 51 | 
            -
                      end
         | 
| 52 | 
            -
             | 
| 53 | 
            -
                      # Validate headers
         | 
| 54 | 
            -
                      validate_headers(request)
         | 
| 55 | 
            -
             | 
| 56 | 
            -
                      @app.call(env)
         | 
| 57 | 
            -
                    rescue Otto::Security::ValidationError => ex
         | 
| 58 | 
            -
                      validation_error_response(ex.message)
         | 
| 59 | 
            -
                    rescue Otto::Security::RequestTooLargeError => ex
         | 
| 60 | 
            -
                      request_too_large_response(ex.message)
         | 
| 61 | 
            -
                    end
         | 
| 62 | 
            -
                  end
         | 
| 63 | 
            -
             | 
| 64 | 
            -
                  private
         | 
| 65 | 
            -
             | 
| 66 | 
            -
                  def validate_request_size(request)
         | 
| 67 | 
            -
                    content_length = request.env['CONTENT_LENGTH']
         | 
| 68 | 
            -
                    @config.validate_request_size(content_length)
         | 
| 69 | 
            -
                  end
         | 
| 70 | 
            -
             | 
| 71 | 
            -
                  def validate_content_type(request)
         | 
| 72 | 
            -
                    content_type = request.env['CONTENT_TYPE']
         | 
| 73 | 
            -
                    return unless content_type
         | 
| 74 | 
            -
             | 
| 75 | 
            -
                    # Block dangerous content types
         | 
| 76 | 
            -
                    dangerous_types = [
         | 
| 77 | 
            -
                      'application/x-shockwave-flash',
         | 
| 78 | 
            -
                      'application/x-silverlight-app',
         | 
| 79 | 
            -
                      'text/vbscript',
         | 
| 80 | 
            -
                      'application/vbscript',
         | 
| 81 | 
            -
                    ]
         | 
| 82 | 
            -
             | 
| 83 | 
            -
                    if dangerous_types.any? { |type| content_type.downcase.include?(type) }
         | 
| 84 | 
            -
                      raise Otto::Security::ValidationError, "Dangerous content type: #{content_type}"
         | 
| 85 | 
            -
                    end
         | 
| 86 | 
            -
                  end
         | 
| 87 | 
            -
             | 
| 88 | 
            -
                  def validate_parameters(request)
         | 
| 89 | 
            -
                    validate_param_structure(request.params, 0)
         | 
| 90 | 
            -
                    sanitize_params(request.params)
         | 
| 91 | 
            -
                  end
         | 
| 92 | 
            -
             | 
| 93 | 
            -
                  def validate_param_structure(params, depth = 0)
         | 
| 94 | 
            -
                    if depth >= @config.max_param_depth
         | 
| 95 | 
            -
                      raise Otto::Security::ValidationError, "Parameter depth exceeds maximum (#{@config.max_param_depth})"
         | 
| 96 | 
            -
                    end
         | 
| 97 | 
            -
             | 
| 98 | 
            -
                    case params
         | 
| 99 | 
            -
                    when Hash
         | 
| 100 | 
            -
                      if params.keys.length > @config.max_param_keys
         | 
| 101 | 
            -
                        raise Otto::Security::ValidationError, "Too many parameters (#{params.keys.length} > #{@config.max_param_keys})"
         | 
| 102 | 
            -
                      end
         | 
| 103 | 
            -
             | 
| 104 | 
            -
                      params.each do |key, value|
         | 
| 105 | 
            -
                        validate_param_key(key)
         | 
| 106 | 
            -
                        validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
         | 
| 107 | 
            -
                      end
         | 
| 108 | 
            -
                    when Array
         | 
| 109 | 
            -
                      if params.length > @config.max_param_keys
         | 
| 110 | 
            -
                        raise Otto::Security::ValidationError, "Too many array elements (#{params.length} > #{@config.max_param_keys})"
         | 
| 111 | 
            -
                      end
         | 
| 112 | 
            -
             | 
| 113 | 
            -
                      params.each do |value|
         | 
| 114 | 
            -
                        validate_param_structure(value, depth + 1) if value.is_a?(Hash) || value.is_a?(Array)
         | 
| 115 | 
            -
                      end
         | 
| 116 | 
            -
                    end
         | 
| 117 | 
            -
                  end
         | 
| 118 | 
            -
             | 
| 119 | 
            -
                  def validate_param_key(key)
         | 
| 120 | 
            -
                    key_str = key.to_s
         | 
| 121 | 
            -
             | 
| 122 | 
            -
                    # Check for dangerous characters in parameter names using shared patterns
         | 
| 123 | 
            -
                    if key_str.match?(NULL_BYTE) || key_str.match?(INVALID_CHARACTERS)
         | 
| 124 | 
            -
                      raise Otto::Security::ValidationError, "Invalid characters in parameter name: #{key_str}"
         | 
| 125 | 
            -
                    end
         | 
| 126 | 
            -
             | 
| 127 | 
            -
                    # Check for suspiciously long parameter names
         | 
| 128 | 
            -
                    if key_str.length > 256
         | 
| 129 | 
            -
                      raise Otto::Security::ValidationError, "Parameter name too long: #{key_str[0..50]}..."
         | 
| 130 | 
            -
                    end
         | 
| 131 | 
            -
                  end
         | 
| 132 | 
            -
             | 
| 133 | 
            -
                  def sanitize_params(params)
         | 
| 134 | 
            -
                    case params
         | 
| 135 | 
            -
                    when Hash
         | 
| 136 | 
            -
                      params.each do |key, value|
         | 
| 137 | 
            -
                        params[key] = sanitize_value(value)
         | 
| 138 | 
            -
                      end
         | 
| 139 | 
            -
                    when Array
         | 
| 140 | 
            -
                      params.map! { |value| sanitize_value(value) }
         | 
| 141 | 
            -
                    else
         | 
| 142 | 
            -
                      sanitize_value(params)
         | 
| 143 | 
            -
                    end
         | 
| 144 | 
            -
                  end
         | 
| 145 | 
            -
             | 
| 146 | 
            -
                  def sanitize_value(value)
         | 
| 147 | 
            -
                    return value unless value.is_a?(String)
         | 
| 148 | 
            -
             | 
| 149 | 
            -
                    # Check for extremely long values first
         | 
| 150 | 
            -
                    if value.length > 10_000
         | 
| 151 | 
            -
                      raise Otto::Security::ValidationError, "Parameter value too long (#{value.length} characters)"
         | 
| 152 | 
            -
                    end
         | 
| 153 | 
            -
             | 
| 154 | 
            -
                    # Start with the original value
         | 
| 155 | 
            -
                    original = value.dup
         | 
| 156 | 
            -
             | 
| 157 | 
            -
                    # Check for null bytes first (these should be rejected, not sanitized)
         | 
| 158 | 
            -
                    if original.match?(NULL_BYTE)
         | 
| 159 | 
            -
                      raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
         | 
| 160 | 
            -
                    end
         | 
| 161 | 
            -
             | 
| 162 | 
            -
                    # Check for script injection first (these should always be rejected)
         | 
| 163 | 
            -
                    if looks_like_script_injection?(original)
         | 
| 164 | 
            -
                      raise Otto::Security::ValidationError, 'Dangerous content detected in parameter'
         | 
| 165 | 
            -
                    end
         | 
| 166 | 
            -
             | 
| 167 | 
            -
                    # Use Loofah to sanitize HTML/XSS content for less dangerous HTML
         | 
| 168 | 
            -
                    # Loofah.fragment removes dangerous HTML but preserves safe content
         | 
| 169 | 
            -
                    sanitized = Loofah.fragment(original).scrub!(:whitewash).to_s
         | 
| 170 | 
            -
             | 
| 171 | 
            -
                    # Remove control characters (sanitize, don't block)
         | 
| 172 | 
            -
                    sanitized = sanitized.gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, '')
         | 
| 173 | 
            -
             | 
| 174 | 
            -
                    # Check for SQL injection patterns
         | 
| 175 | 
            -
                    SQL_INJECTION_PATTERNS.each do |pattern|
         | 
| 176 | 
            -
                      if sanitized.match?(pattern)
         | 
| 177 | 
            -
                        raise Otto::Security::ValidationError, 'Potential SQL injection detected'
         | 
| 178 | 
            -
                      end
         | 
| 179 | 
            -
                    end
         | 
| 180 | 
            -
             | 
| 181 | 
            -
                    sanitized
         | 
| 182 | 
            -
                  end
         | 
| 183 | 
            -
             | 
| 184 | 
            -
                  include ValidationHelpers
         | 
| 185 | 
            -
             | 
| 186 | 
            -
                  private
         | 
| 187 | 
            -
             | 
| 188 | 
            -
                  def validate_headers(request)
         | 
| 189 | 
            -
                    # Check for dangerous headers
         | 
| 190 | 
            -
                    dangerous_headers = %w[
         | 
| 191 | 
            -
                      HTTP_X_FORWARDED_HOST
         | 
| 192 | 
            -
                      HTTP_X_ORIGINAL_URL
         | 
| 193 | 
            -
                      HTTP_X_REWRITE_URL
         | 
| 194 | 
            -
                      HTTP_DESTINATION
         | 
| 195 | 
            -
                      HTTP_UPGRADE_INSECURE_REQUESTS
         | 
| 196 | 
            -
                    ]
         | 
| 197 | 
            -
             | 
| 198 | 
            -
                    dangerous_headers.each do |header|
         | 
| 199 | 
            -
                      value = request.env[header]
         | 
| 200 | 
            -
                      next unless value
         | 
| 201 | 
            -
             | 
| 202 | 
            -
                      # Basic validation - no null bytes or control characters
         | 
| 203 | 
            -
                      if value.match?(NULL_BYTE) || value.match?(INVALID_CHARACTERS)
         | 
| 204 | 
            -
                        raise Otto::Security::ValidationError, "Invalid characters in header: #{header}"
         | 
| 205 | 
            -
                      end
         | 
| 206 | 
            -
                    end
         | 
| 207 | 
            -
             | 
| 208 | 
            -
                    # Validate User-Agent length
         | 
| 209 | 
            -
                    user_agent = request.env['HTTP_USER_AGENT']
         | 
| 210 | 
            -
                    if user_agent && user_agent.length > 1000
         | 
| 211 | 
            -
                      raise Otto::Security::ValidationError, 'User-Agent header too long'
         | 
| 212 | 
            -
                    end
         | 
| 213 | 
            -
             | 
| 214 | 
            -
                    # Validate Referer header
         | 
| 215 | 
            -
                    referer = request.env['HTTP_REFERER']
         | 
| 216 | 
            -
                    if referer && referer.length > 2000
         | 
| 217 | 
            -
                      raise Otto::Security::ValidationError, 'Referer header too long'
         | 
| 218 | 
            -
                    end
         | 
| 219 | 
            -
                  end
         | 
| 220 | 
            -
             | 
| 221 | 
            -
                  def validation_error_response(message)
         | 
| 222 | 
            -
                    [
         | 
| 223 | 
            -
                      400,
         | 
| 224 | 
            -
                      {
         | 
| 225 | 
            -
                        'content-type' => 'application/json',
         | 
| 226 | 
            -
                        'content-length' => validation_error_body(message).bytesize.to_s,
         | 
| 227 | 
            -
                      },
         | 
| 228 | 
            -
                      [validation_error_body(message)],
         | 
| 229 | 
            -
                    ]
         | 
| 230 | 
            -
                  end
         | 
| 231 | 
            -
             | 
| 232 | 
            -
                  def request_too_large_response(message)
         | 
| 233 | 
            -
                    [
         | 
| 234 | 
            -
                      413,
         | 
| 235 | 
            -
                      {
         | 
| 236 | 
            -
                        'content-type' => 'application/json',
         | 
| 237 | 
            -
                        'content-length' => request_too_large_body(message).bytesize.to_s,
         | 
| 238 | 
            -
                      },
         | 
| 239 | 
            -
                      [request_too_large_body(message)],
         | 
| 240 | 
            -
                    ]
         | 
| 241 | 
            -
                  end
         | 
| 242 | 
            -
             | 
| 243 | 
            -
                  def validation_error_body(message)
         | 
| 244 | 
            -
                    require 'json'
         | 
| 245 | 
            -
                    {
         | 
| 246 | 
            -
                      error: 'Validation failed',
         | 
| 247 | 
            -
                      message: message,
         | 
| 248 | 
            -
                    }.to_json
         | 
| 249 | 
            -
                  end
         | 
| 250 | 
            -
             | 
| 251 | 
            -
                  def request_too_large_body(message)
         | 
| 252 | 
            -
                    require 'json'
         | 
| 253 | 
            -
                    {
         | 
| 254 | 
            -
                      error: 'Request too large',
         | 
| 255 | 
            -
                      message: message,
         | 
| 256 | 
            -
                    }.to_json
         | 
| 257 | 
            -
                  end
         | 
| 258 | 
            -
                end
         | 
| 12 | 
            +
                # Backward compatibility alias
         | 
| 13 | 
            +
                ValidationMiddleware = Middleware::ValidationMiddleware
         | 
| 259 14 | 
             
              end
         | 
| 260 15 | 
             
            end
         | 
    
        data/lib/otto/static.rb
    CHANGED
    
    
    
        data/lib/otto/utils.rb
    ADDED
    
    | @@ -0,0 +1,14 @@ | |
| 1 | 
            +
            # frozen_string_literal: true
         | 
| 2 | 
            +
             | 
| 3 | 
            +
            # lib/otto/utils.rb
         | 
| 4 | 
            +
             | 
| 5 | 
            +
            class Otto
         | 
| 6 | 
            +
              # Utility methods for common operations and helpers
         | 
| 7 | 
            +
              module Utils
         | 
| 8 | 
            +
                extend self
         | 
| 9 | 
            +
             | 
| 10 | 
            +
                def yes?(value)
         | 
| 11 | 
            +
                  !value.to_s.empty? && %w[true yes 1].include?(value.to_s.downcase)
         | 
| 12 | 
            +
                end
         | 
| 13 | 
            +
              end
         | 
| 14 | 
            +
            end
         |