roda-cj 0.9.5 → 0.9.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4b2651937ad6d2d3c5d87389b03fd9e0f1e3cef2
-  data.tar.gz: e231917660219dd780e2adaacd5fd8fbbd42afd3
+  metadata.gz: b1af4812c5c122b1788a1e021e201cd000da9414
+  data.tar.gz: c48935831202f575e8a6032e7f765be91cc00efb
 SHA512:
-  metadata.gz: 8ebb628c78058e1e9c61acf148a1e791f3036cf01290461c9ebf01b220b997ab62b78bb2f2429b87b378d1ea0d64134d4a0101ee8dcef5a8794cfe2b6d4effb5
-  data.tar.gz: db3d4837c8af107e4f3ee6224a15ebadeb5afd0d4122a77f359aa1b9ccb9a263153e5e1628ce77456738f9b76c68fb7cc59a3e5e228dd3c3ba7dd1a84dcc90d6
+  metadata.gz: 4c6b474e100d17790346d51b78f8b3ba9d08a600770c58b6a34476c60b1347c17da326428a1ce2e22519258d2efec957be58cc37b945ab4c1fcb5a08c608208c
+  data.tar.gz: 91451697eba17949e058401335579b1d915e0b0a6b535df8cc4f480978c3ad5acf804c08fee8e5ac3ea67af6e433f99d87da7c9b844e5ca0a10cc9f323645904

data/CHANGELOG

@@ -1,5 +1,11 @@
 = HEAD
 
+* Add :content option to view method in render plugin to use given content instead of rendering a template (jeremyevans)
+
+* Add :escape option to render plugin for using erb templates where <%= %> escapes and <%== %> does not (jeremyevans)
+
+* Make multi_route plugin route("route_name") method a request method instead of an instance method (jeremyevans)
+
 * Add r.multi_route method to multi_route plugin, for dispatching to named route based on first segment in path (jeremyevans)
 
 * Allow non-GET requests to use r.redirect with no argument, redirecting to current path (jeremyevans)

data/README.rdoc

@@ -368,31 +368,6 @@ for the response.
     end
   end
 
-== Security
-
-If you want to protect against some common web application
-vulnerabilities, you can use
-{Rack::Protection}[https://github.com/rkh/rack-protection].
-It is not included by default because there are legitimate
-uses for plain Roda (for instance, when designing an API).
-
-If you are using sessions, you should also always set a session
-secret to some undisclosed value. Keep in mind that the content
-in the session cookie is not encrypted, just signed to prevent
-tampering.
-
-  require "roda"
-  require "rack/protection"
-
-  class App < Roda
-    use Rack::Session::Cookie, :secret => ENV['SECRET']
-    use Rack::Protection
-
-    route do |r|
-      # ...
-    end
-  end
-
 == Verb Methods
 
 The main match method is +r.on+, but as displayed above, you can also
@@ -617,12 +592,82 @@ You can override the default rendering options by passing a hash to the plugin,
 or modifying the +render_opts+ hash after loading the plugin:
 
   class App < Roda
-    plugin :render, :engine=>'slim' # Tilt engine/template file extension to use
+    plugin :render, :escape => true # Automatically escape output in erb templates
     render_opts[:views] = 'admin_views' # Default views directory
     render_opts[:layout] = "admin_layout" # Default layout template
     render_opts[:layout_opts] = {:engine=>'haml'} # Default layout template options
     render_opts[:opts] = {:default_encoding=>'UTF-8'} # Default template options
     render_opts[:cache] = false # Disable template caching
+    render_opts[:engine] = 'slim' # Tilt engine/template file extension to use
+  end
+
+== Sessions
+
+By default, Roda doesn't turn on sessions, but most users are going to
+want to turn on session support, and the simplest way to do that is to
+use the <tt>Rack::Session::Cookie</tt> middleware that comes with rack:
+
+  require "roda"
+
+  class App < Roda
+    use Rack::Session::Cookie, :secret => ENV['SECRET']
+  end
+
+== Security
+
+Web application security is a very large topic, but here are some
+things you can do with Roda to prevent some common web application
+vulnerabilities.
+
+=== Session Security
+
+If you are using sessions, you should also always set a session
+secret using the +:secret+ option as shown above.  Make sure this
+secret is not disclosed, because if an attacker knows the +:secret+
+value, they can inject arbitrary session values, which in the worst case
+scenario can lead to remote code execution.
+
+Keep in mind that with <tt>Rack::Session::Cookie</tt>, the content in
+the session cookie is not encrypted, just signed to prevent tampering.
+This means you should not store any data in the session that itself is
+secret.
+
+=== Cross Site Request Forgery (CSRF)
+
+CSRF can be prevented by using the +csrf+ plugin that ships with Roda,
+which uses the {rack_csrf}[https://github.com/baldowl/rack_csrf]
+library.  Just make sure that you include the CSRF token tags in your
+html as appropriate.
+
+It's also possible to use the <tt>Rack::Csrf</tt> middleware directly,
+you don't have to use the +csrf+ plugin.
+
+=== Cross Site Scripting (XSS)
+
+The easiest way to prevent XSS with Roda is to use a template library
+that automatically escapes output by default.  The +:escape+ option
+to the render plugin sets the ERB template processor to escape by
+default, so that in your templates:
+
+  <%= '<>' %>  # outputs &lt;&gt; 
+  <%== '<>' %> # outputs <>
+
+Note that unlike most other render options, the :escape option
+must be passed to the <tt>plugin :render</tt> call, it won't be
+respected if added later.
+
+=== Other
+
+For prevention of some other vulnerabilities, such as click-jacking,
+directory traversal, session hijacking, and IP spoofing, consider using
+{Rack::Protection}[https://github.com/rkh/rack-protection], which is
+a rack middleware that can be added the usual way:
+
+  require 'roda'
+  require 'rack/protection'
+
+  class App < Roda
+    use Rack::Protection
   end
 
 == Plugins

data/lib/roda/plugins/_erubis_escaping.rb

@@ -0,0 +1,28 @@
+require 'erubis'
+
+class Roda
+  module RodaPlugins
+    # The _erubis_escaping plugin is an internal plugin that provides a
+    # subclass of Erubis::EscapedEruby with a bugfix and an optimization.
+    module ErubisEscaping
+      # Optimized subclass that fixes escaping of postfix conditionals.
+      class Eruby < Erubis::EscapedEruby
+        # Set escaping class to a local variable, so you don't need a
+        # constant lookup per escape.
+        def convert_input(codebuf, input)
+          codebuf << '_erubis_xml_helper = Erubis::XmlHelper;'
+          super
+        end
+
+        # Fix bug in Erubis::EscapedEruby where postfix conditionals inside
+        # <%= %> are broken (e.g. <%= foo if bar %> ), and optimize by using
+        # a local variable instead of a constant lookup.
+        def add_expr_escaped(src, code)
+          src << " #{@bufvar} << _erubis_xml_helper.escape_xml((" << code << '));'
+        end
+      end
+    end
+
+    register_plugin(:_erubis_escaping, ErubisEscaping)
+  end
+end

data/lib/roda/plugins/multi_route.rb

@@ -32,11 +32,11 @@ class Roda
     #     # or
     #
     #     r.on "foo" do
-    #       route 'foo'
+    #       r.route 'foo'
     #     end
     #
     #     r.on "bar" do
-    #       route 'bar'
+    #       r.route 'bar'
     #     end
     #   end
     #
@@ -86,13 +86,6 @@ class Roda
         end
       end
 
-      module InstanceMethods
-        # Dispatch to the named route with the given name.
-        def route(name)
-          instance_exec(request, &self.class.named_route(name))
-        end
-      end
-
       module RequestClassMethods
         # A regexp matching any of the current named routes.
         def named_route_regexp
@@ -107,10 +100,15 @@ class Roda
         # is given, yield to the block.
         def multi_route
           on self.class.named_route_regexp do |section|
-            scope.route(section)
+            route(section)
             yield if block_given?
           end
         end
+
+        # Dispatch to the named route with the given name.
+        def route(name)
+          scope.instance_exec(self, &self.class.roda_class.named_route(name))
+        end
       end
     end
 

data/lib/roda/plugins/render.rb

@@ -30,6 +30,8 @@ class Roda
     # :cache :: nil/false to not cache templates (useful for development), defaults
     #           to true to automatically use the default template cache.
     # :engine :: The tilt engine to use for rendering, defaults to 'erb'.
+    # :escape :: Use Roda's Erubis escaping support, which handles postfix
+    #            conditions inside <%= %> tags.
     # :ext :: The file extension to assume for view files, defaults to the :engine
     #         option.
     # :layout :: The base name of the layout file, defaults to 'layout'.
@@ -49,6 +51,9 @@ class Roda
     # There are a couple of additional options to +view+ and +render+ that are
     # available at runtime:
     #
+    # :content :: Only respected by +view+, provides the content to render
+    #             inside the layout, instead of rendering a template to get
+    #             the content.
     # :inline :: Use the value given as the template code, instead of looking
     #            for template code in a file.
     # :locals :: Hash of local variables to make available inside the template.
@@ -64,6 +69,12 @@ class Roda
     # If you pass a hash as the first argument to +view+ or +render+, it should
     # have either +:inline+ or +:path+ as one of the keys.
     module Render
+      def self.load_dependencies(app, opts={})
+        if opts[:escape]
+          app.plugin :_erubis_escaping
+        end
+      end
+
       # Setup default rendering options.  See Render for details.
       def self.configure(app, opts={})
         if app.opts[:render]
@@ -83,6 +94,9 @@ class Roda
         if RUBY_VERSION >= "1.9"
           opts[:opts][:default_encoding] ||= Encoding.default_external
         end
+        if opts[:escape]
+          opts[:opts][:engine_class] = ErubisEscaping::Eruby
+        end
         opts[:cache] = app.thread_safe_cache if opts.fetch(:cache, true)
       end
 
@@ -149,7 +163,7 @@ class Roda
             end
           end
 
-          content = render(template, opts)
+          content = opts[:content] || render(template, opts)
 
           if layout = opts.fetch(:layout, render_opts[:layout])
             if layout_opts = opts[:layout_opts]

data/lib/roda/version.rb

@@ -1,3 +1,3 @@
 class Roda
-  RodaVersion = '0.9.5'.freeze
+  RodaVersion = '0.9.6'.freeze
 end

data/spec/plugin/_erubis_escaping_spec.rb

@@ -0,0 +1,28 @@
+require File.expand_path("spec_helper", File.dirname(File.dirname(__FILE__)))
+
+begin
+  require 'tilt/erb'
+  begin
+    require 'tilt/erubis'
+  rescue LoadError
+    # Tilt 1 support
+  end
+rescue LoadError
+  warn "tilt or erubis not installed, skipping _erubis_escaping plugin test"  
+else
+describe "_erubis_escaping plugin" do
+  before do
+    app(:bare) do
+      plugin :render, :escape=>true
+
+      route do |r|
+        render(:inline=>'<%= "<>" %> <%== "<>" %><%= "<>" if false %>')
+      end
+    end
+  end
+
+  it "should escape inside <%= %> and not inside <%== %>, and handle postfix conditionals" do
+    body.should == '&lt;&gt; <>'
+  end
+end
+end

data/spec/plugin/multi_route_spec.rb

@@ -33,7 +33,7 @@ describe "multi_route plugin" do
         end
 
         r.get do
-          route("get")
+          r.route("get")
 
           r.is "b" do
             "getb"
@@ -41,7 +41,7 @@ describe "multi_route plugin" do
         end
 
         r.post do
-          route("post")
+          r.route("post")
 
           r.is "b" do
             "postb"
@@ -87,14 +87,14 @@ describe "multi_route plugin" do
     @app = Class.new(@app)
     @app.route do |r|
       r.get do
-        route("post")
+        r.route("post")
 
         r.is "b" do
           "1b"
         end
       end
       r.post do
-        route("get")
+        r.route("get")
 
         r.is "b" do
           "2b"

data/spec/plugin/render_spec.rb

@@ -28,6 +28,10 @@ describe "render plugin" do
         r.on "path" do
           render(:path=>"./spec/views/about.erb", :locals=>{:title => "Path"}, :layout_opts=>{:locals=>{:title=>"Home"}})
         end
+
+        r.on "content" do
+          view(:content=>'bar', :layout_opts=>{:locals=>{:title=>"Home"}})
+        end
       end
     end
   end
@@ -37,6 +41,7 @@ describe "render plugin" do
     body("/home").strip.should == "<title>Roda: Home</title>\n<h1>Home</h1>\n<p>Hello Agent Smith</p>"
     body("/inline").strip.should == "Hello Agent Smith"
     body("/path").strip.should == "<h1>Path</h1>"
+    body("/content").strip.should == "<title>Roda: Home</title>\nbar"
   end
 
   it "with str as engine" do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: roda-cj
 version: !ruby/object:Gem::Version
-  version: 0.9.5
+  version: 0.9.6
 platform: ruby
 authors:
 - Jeremy Evans
@@ -52,6 +52,20 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack_csrf
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,7 @@ files:
 - lib/roda/plugins/header_matchers.rb
 - lib/roda/plugins/per_thread_caching.rb
 - lib/roda/plugins/error_handler.rb
+- lib/roda/plugins/_erubis_escaping.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/head.rb
 - lib/roda/plugins/json.rb
@@ -130,6 +145,7 @@ files:
 - spec/plugin/csrf_spec.rb
 - spec/plugin/default_headers_spec.rb
 - spec/plugin/backtracking_array_spec.rb
+- spec/plugin/_erubis_escaping_spec.rb
 - spec/plugin/per_thread_caching_spec.rb
 - spec/plugin/content_for_spec.rb
 - spec/plugin/hooks_spec.rb