roda 3.59.0 → 3.61.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 963e2d9ac538dbe97835ef65e2e2ba4184838664696bb084ce423a85ef23c205
-  data.tar.gz: d47a7f9c86357e99b0c9f470b6c33a32962df55189303020982af55d70907c7b
+  metadata.gz: 337e7cc074ffe0c300a4dbf9a14f72552caa5b9446fdf0ca04b9f22d9117c9c7
+  data.tar.gz: 53a8b4ec124df8ef0efdc7efcc7bec3e0e7ea7d13fa60fb5d6adf06f50ed081e
 SHA512:
-  metadata.gz: c84cb0ae8c66b537c0a7d32d83d9c5a639439b15fbc650d3569efab5e134e0883ba06183c7f17bfb379f4018060c7d276a5016431ae3e21d05c2db3801a85762
-  data.tar.gz: 0c9495ec5fe24b774512f6495f97f5bb4cf8189b964f21a04c5e880d4a536ade2e045c7131f0a54a7c1cd203fe142d53c6d7cde4cf223a8e8be4cb5c5475fede
+  metadata.gz: 78671d90145cf431a7deff333e6b75ad681252cae159b5ff09dfaba70d4b3fc17ec1f7362c52454c3f8e94e2343bd4b4d419a5c23738a6b525e9fdd79dc8846c
+  data.tar.gz: 55b5bc0be878d58d66e0834110b47313f522e1f109b95c23348b2cb09430b01383595197db8f8db6587f10d3d9e4a7a353a2d70fb1ed4a099573309a5aabcae6

data/CHANGELOG

@@ -1,3 +1,13 @@
+= 3.61.0 (2022-10-12)
+
+* Make Integer matcher limit integer segments to 100 characters by default (jeremyevans)
+
+* Limit input bytesize by default for integer, float, and date/time typecasts in typecast_params (jeremyevans)
+
+= 3.60.0 (2022-09-13)
+
+* Add link_to plugin with link_to method for creating HTML links (jeremyevans)
+
 = 3.59.0 (2022-08-12)
 
 * Add additional_render_engines plugin, for considering multiple render engines for templates (jeremyevans)

data/README.rdoc

@@ -1,9 +1,35 @@
-= Roda
-
-Roda is a routing tree web toolkit, designed for building fast and
-maintainable web applications in ruby.
-
-= Installation
+rdoc-image:https://roda.jeremyevans.net/images/roda-logo.svg
+
+A routing tree web toolkit, designed for building fast and maintainable web applications in Ruby.
+
+== Table of contents
+
+- {Installation}[#label-Installation]
+- {Resources}[#label-Resources]
+- {Goals}[#label-Goals]
+- {Usage}[#label-Usage]
+- {Running the application}[#label-Running+the+Application]
+- {The routing tree}[#label-The+Routing+Tree]
+- {Matchers}[#label-Matchers]
+- {Optional segments}[#label-Optional+segments]
+- {Match/Route Block Return Values}[#label-Match-2FRoute+Block+Return+Values]
+- {Status codes}[#label-Status+Codes]
+- {Verb methods}[#label-Verb+Methods]
+- {Root method}[#label-Root+Method]
+- {Request and Response}[#label-Request+and+Response]
+- {Pollution}[#label-Pollution]
+- {Composition}[#label-Composition]
+- {Testing}[#label-Testing]
+- {Settings}[#label-Settings]
+- {Rendering}[#label-Rendering]
+- {Security}[#label-Security]
+- {Code Reloading}[#label-Code+Reloading]
+- {Plugins}[#label-Plugins]
+- {No introspection}[#label-No+Introspection]
+- {Inspiration}[#label-Inspiration]
+- {Ruby Support Policy}[#label-Ruby+Support+Policy]
+
+== Installation
 
   $ gem install roda
 
@@ -140,13 +166,11 @@ for every request.
 == Running the Application
 
 Running a Roda application is similar to running any other rack-based application
-that uses a +config.ru+ file.  You can start a basic server using +rackup+:
+that uses a +config.ru+ file.  You can start a basic server using +rackup+, +puma+,
++unicorn+, +passenger+, or any other webserver that can handle +config.ru+ files:
 
   $ rackup
 
-Ruby web servers such as Unicorn and Puma also ship with their own programs
-that you can use to run a Roda application.
-
 == The Routing Tree
 
 Roda is called a routing tree web toolkit because the way most sites are structured,
@@ -454,7 +478,7 @@ shared branch:
 
 This works well for many cases, but there are also cases where you really want to
 treat it as one route with an optional segment.  One simple way to do that is to
-use a parameter instead of an optional segment (e.g. +/items/123?opt=456+).
+use a parameter instead of an optional segment (e.g. <tt>/items/123?opt=456</tt>).
 
   r.is "items", Integer do |item_id|
     optional_data = r.params['opt'].to_s
@@ -647,14 +671,14 @@ If you have a lot of rack applications that you want to dispatch to, and
 which one to dispatch to is based on the request path prefix, look into the
 +multi_run+ plugin.
 
-=== hash_routes plugin
+=== hash_branches plugin
 
 If you are just looking to split up the main route block up by branches,
-you should use the +hash_routes+ plugin,
+you should use the +hash_branches+ plugin,
 which keeps the current scope of the +route+ block:
 
   class App < Roda
-    plugin :hash_routes
+    plugin :hash_branches
 
     hash_branch "api" do |r|
       r.is do
@@ -663,7 +687,7 @@ which keeps the current scope of the +route+ block:
     end
 
     route do |r|
-      r.hash_routes
+      r.hash_branches
     end
   end
 
@@ -1120,3 +1144,4 @@ MIT
 == Maintainer
 
 Jeremy Evans <code@jeremyevans.net>
+

data/doc/release_notes/3.60.0.txt

@@ -0,0 +1,56 @@
+= New Features
+
+* A link_to plugin has been added with a link_to method for
+  creating HTML links.
+
+  The simplest usage of link_to is passing the body and the location
+  to link to as strings:
+ 
+    # Instance level
+    link_to("body", "/path")
+    # => "<a href=\"/path\">body</a>"
+ 
+  The link_to plugin depends on the path plugin, and allows you to
+  pass symbols for named paths:
+ 
+    # Class level
+    path :foo, "/path/to/too"
+ 
+    # Instance level
+    link_to("body", :foo)
+    # => "<a href=\"/path/to/foo\">body</a>"
+ 
+  It also allows you to pass instances of classes that you have
+  registered with the path plugin:
+ 
+    # Class level
+    A = Struct.new(:id)
+    path A do
+      "/path/to/a/#{id}"
+    end
+ 
+    # Instance level
+    link_to("body", A.new(1))
+    # => "<a href=\"/path/to/a/1\">body</a>"
+ 
+  To set additional HTML attributes on the tag, you can pass them as
+  an options hash:
+ 
+    link_to("body", "/path", foo: "bar")
+    # => "<a href=\"/path\" foo=\"bar\">body</a>"
+ 
+  If the body is nil, it will be set to the same as the path:
+ 
+    link_to(nil, "/path")
+    # => "<a href=\"/path\">/path</a>"
+ 
+  The plugin will automatically HTML escape the path and any HTML
+  attribute values, using the h plugin:
+ 
+    link_to("body", "/path?a=1&b=2", foo: '"bar"')
+    # => "<a href=\"/path?a=1&amp;b=2\" foo=\"&quot;bar&quot;\">body</a>"
+
+= Other Improvements
+
+* Coverage testing has been expanded to multiple rack versions, instead
+  of just the current rack release.

data/doc/release_notes/3.61.0.txt

@@ -0,0 +1,24 @@
+= Improvements
+
+* The typecast_params plugin now limits input bytesize for integer,
+  float, and date/time typecasts.  If the input is over the allowed
+  bytesize, typecasting will fail.  This prevents issues with trying
+  to typecast arbitrarily large input.
+
+* The default Integer class matcher now limits integer segments to
+  100 characters by default, also to prevent issues with typecasting
+  arbitrarily large input.  Segments larger than 100 characters will
+  no longer be matched by the Integer class matcher.
+
+= Backwards Compatibility
+
+* If the input bytesize limits in the typecast_params plugin cause
+  issues in your application, you can use the :skip_bytesize_checking
+  option when loading the plugin to disable the checks.
+
+* If the default Integer class matcher limit causes problems in your
+  application, you can use the class_matchers plugin to override the
+  matcher to not use a limit:
+
+    plugin :class_matchers
+    class_matcher(Integer, /(\d+)/){|a| [a.to_i]}

data/lib/roda/plugins/_optimized_matching.rb

@@ -52,7 +52,7 @@ class Roda
                   end
                 end
               elsif matcher == Integer
-                if matchdata = /\A\/(\d+)(?=\/|\z)/.match(@remaining_path)
+                if matchdata = /\A\/(\d{1,100})(?=\/|\z)/.match(@remaining_path)
                   @remaining_path = matchdata.post_match
                   always{yield(matchdata[1].to_i)}
                 end
@@ -151,7 +151,7 @@ class Roda
                 always{yield rp[1, len]}
               end
             elsif matcher == Integer
-              if matchdata = /\A\/(\d+)\z/.match(@remaining_path)
+              if matchdata = /\A\/(\d{1,100})\z/.match(@remaining_path)
                 @remaining_path = ''
                 always{yield(matchdata[1].to_i)}
               end

data/lib/roda/plugins/all_verbs.rb

@@ -34,9 +34,7 @@ class Roda
     module AllVerbs
       module RequestMethods
         %w'delete head options link patch put trace unlink'.each do |verb|
-          # :nocov:
           if ::Rack::Request.method_defined?("#{verb}?")
-          # :nocov:
             class_eval(<<-END, __FILE__, __LINE__+1)
               def #{verb}(*args, &block)
                 _verb(args, &block) if #{verb}?

data/lib/roda/plugins/common_logger.rb

@@ -11,7 +11,7 @@ class Roda
     # * Doesn't include middleware timing
     # * Doesn't proxy the body
     # * Doesn't support different capitalization of the Content-Length response header
-    # * Logs to $stderr instead of env['rack.errors'] if explicit logger not passed
+    # * Logs to +$stderr+ instead of <tt>env['rack.errors']</tt> if explicit logger not passed
     #
     # Example:
     #

data/lib/roda/plugins/disallow_file_uploads.rb

@@ -1,8 +1,6 @@
 # frozen-string-literal: true
 
-# :nocov:
 raise LoadError, "disallow_file_uploads plugin not supported on Rack <1.6" if Rack.release < '1.6'
-# :nocov:
 
 #
 class Roda

data/lib/roda/plugins/indifferent_params.rb

@@ -52,14 +52,12 @@ class Roda
           end
           
           class Params < Rack::QueryParser::Params
-            # :nocov:
-            if Rack.release >= '2.3'
+            if Rack.release >= '3'
               def initialize
                 @size   = 0
                 @params = Hash.new(&INDIFFERENT_PROC)
               end
             else
-            # :nocov:
               def initialize(limit = Rack::Utils.key_space_limit)
                 @limit  = limit
                 @size   = 0
@@ -71,9 +69,7 @@ class Roda
         end
 
         module RequestMethods
-          # :nocov:
-          query_parser = Rack.release >= '2.3' ? QueryParser.new(QueryParser::Params, 32) : QueryParser.new(QueryParser::Params, 65536, 32)
-          # :nocov:
+          query_parser = Rack.release >= '3' ? QueryParser.new(QueryParser::Params, 32) : QueryParser.new(QueryParser::Params, 65536, 32)
           QUERY_PARSER = Rack::Utils.default_query_parser = query_parser
 
           private
@@ -89,7 +85,6 @@ class Roda
           end
         end
       else
-        # :nocov:
         module InstanceMethods
           # A copy of the request params that will automatically
           # convert symbols to strings.
@@ -115,7 +110,6 @@ class Roda
             end
           end
         end
-        # :nocov:
       end  
     end
 

data/lib/roda/plugins/json_parser.rb

@@ -86,12 +86,10 @@ class Roda
 
         
         # Rack 3 dropped requirement that input be rewindable
-        if Rack.release >= '2.3'
-          # :nocov:
+        if Rack.release >= '3'
           def _read_json_input(input)
             input.read
           end
-          # :nocov:
         else
           def _read_json_input(input)
             input.rewind

data/lib/roda/plugins/link_to.rb

@@ -0,0 +1,83 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The link_to plugin adds the +link_to+ instance method, which can be used for constructing
+    # HTML links (+a+ tag with +href+ attribute).
+    #
+    # The simplest usage of +link_to+ is passing the body and the location to link to as strings:
+    #
+    #   link_to("body", "/path")
+    #   # => "<a href=\"/path\">body</a>"
+    #
+    # The link_to plugin depends on the path plugin, and allows you to pass symbols for named paths:
+    #
+    #   # Class level
+    #   path :foo, "/path/to/too"
+    #
+    #   # Instance level
+    #   link_to("body", :foo)
+    #   # => "<a href=\"/path/to/foo\">body</a>"
+    #
+    # It also allows you to pass instances of classes that you have registered with the path plugin:
+    #
+    #   # Class level
+    #   A = Struct.new(:id)
+    #   path A do
+    #     "/path/to/a/#{id}"
+    #   end
+    #
+    #   # Instance level
+    #   link_to("body", A.new(1))
+    #   # => "<a href=\"/path/to/a/1\">body</a>"
+    #
+    # To set additional HTML attributes on the +a+ tag, you can pass them as an options hash:
+    #
+    #   link_to("body", "/path", foo: "bar")
+    #   # => "<a href=\"/path\" foo=\"bar\">body</a>"
+    #
+    # If the body is nil, it will be set to the same as the path:
+    #
+    #   link_to(nil, "/path")
+    #   # => "<a href=\"/path\">/path</a>"
+    #
+    # The plugin will automatically HTML escape the path and any HTML attribute values, using the h plugin:
+    #
+    #   link_to("body", "/path?a=1&b=2", foo: '"bar"')
+    #   # => "<a href=\"/path?a=1&amp;b=2\" foo=\"&quot;bar&quot;\">body</a>"
+    module LinkTo
+      def self.load_dependencies(app)
+        app.plugin :h
+        app.plugin :path
+      end
+
+      module InstanceMethods
+        # Return a string with an HTML +a+ tag with an +href+ attribute. See LinkTo
+        # module documentation for details.
+        def link_to(body, href, attributes=OPTS)
+          case href
+          when Symbol
+            href = public_send(:"#{href}_path")
+          when String
+            # nothing
+          else
+            href = path(href)
+          end
+
+          href = h(href)
+
+          body = href if body.nil?
+
+          buf = String.new << "<a href=\"#{href}\""
+          attributes.each do |k, v|
+            buf << " " << k.to_s << "=\"" << h(v) << "\""
+          end
+          buf << ">" << body << "</a>"
+        end
+      end
+    end
+
+    register_plugin(:link_to, LinkTo)
+  end
+end

data/lib/roda/plugins/multi_public.rb

@@ -3,9 +3,7 @@
 begin
   require 'rack/files'
 rescue LoadError
-  # :nocov:
   require 'rack/file'
-  # :nocov:
 end
 
 #
@@ -66,9 +64,7 @@ class Roda
     #     end
     #   end
     module MultiPublic
-      # :nocov:
       RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
-      # :nocov:
 
       def self.load_dependencies(app, _, opts=OPTS)
         app.plugin(:public, opts)

data/lib/roda/plugins/not_allowed.rb

@@ -116,9 +116,7 @@ class Roda
         # arguments, record the verb used.  If given an argument, add an is
         # check with the arguments.
         %w'get post delete head options link patch put trace unlink'.each do |verb|
-          # :nocov:
           if ::Rack::Request.method_defined?("#{verb}?")
-          # :nocov:
             class_eval(<<-END, __FILE__, __LINE__+1)
               def #{verb}(*args, &block)
                 if (empty = args.empty?) && @_is_verbs

data/lib/roda/plugins/public.rb

@@ -5,9 +5,7 @@ require 'uri'
 begin
   require 'rack/files'
 rescue LoadError
-  # :nocov:
   require 'rack/file'
-  # :nocov:
 end
 
 #
@@ -45,9 +43,7 @@ class Roda
     module Public
       SPLIT = Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact)
       PARSER = URI::DEFAULT_PARSER
-      # :nocov:
       RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
-      # :nocov:
 
       # Use options given to setup a Rack::File instance for serving files. Options:
       # :default_mime :: The default mime type to use if the mime type is not recognized.
@@ -142,13 +138,11 @@ class Roda
             server.serving(self, path)
           end
         else
-          # :nocov:
           def public_serve(server, path)
             server = server.dup
             server.path = path
             server.serving(env)
           end
-          # :nocov:
         end
       end
     end

data/lib/roda/plugins/render.rb

@@ -214,18 +214,18 @@ class Roda
       tilt_compiled_method_support = defined?(Tilt::VERSION) && Tilt::VERSION >= '1.2' &&
         ([1, -2].include?(((compiled_method_arity = Tilt::Template.instance_method(:compiled_method).arity) rescue false)))
       NO_CACHE = {:cache=>false}.freeze
-      COMPILED_METHOD_SUPPORT = RUBY_VERSION >= '2.3' && tilt_compiled_method_support
+      COMPILED_METHOD_SUPPORT = RUBY_VERSION >= '2.3' && tilt_compiled_method_support && ENV['RODA_RENDER_COMPILED_METHOD_SUPPORT'] != 'no'
 
       if compiled_method_arity == -2
         def self.tilt_template_compiled_method(template, locals_keys, scope_class)
           template.send(:compiled_method, locals_keys, scope_class)
         end
+      # :nocov:
       else
-        # :nocov:
         def self.tilt_template_compiled_method(template, locals_keys, scope_class)
           template.send(:compiled_method, locals_keys)
         end
-        # :nocov:
+      # :nocov:
       end
 
       # Setup default rendering options.  See Render for details.
@@ -366,9 +366,7 @@ class Roda
           false
         end
 
-        # :nocov:
         if COMPILED_METHOD_SUPPORT
-        # :nocov:
           # Compile a method in the given module with the given name that will
           # call the compiled template method, updating the compiled template method
           def define_compiled_method(roda_class, method_name, locals_keys=EMPTY_ARRAY)
@@ -412,9 +410,7 @@ class Roda
       end
 
       module ClassMethods
-        # :nocov:
         if COMPILED_METHOD_SUPPORT
-        # :nocov:
           # If using compiled methods and there is an optimized layout, speed up
           # access to the layout method to improve the performance of view.
           def freeze
@@ -437,9 +433,7 @@ class Roda
         def inherited(subclass)
           super
           opts = subclass.opts[:render] = subclass.opts[:render].dup
-          # :nocov:
           if COMPILED_METHOD_SUPPORT
-          # :nocov:
             opts[:template_method_cache] = (opts[:cache_class] || RodaCache).new
           end
           opts[:cache] = opts[:cache].dup
@@ -459,9 +453,7 @@ class Roda
             instance = allocate
             instance.send(:retrieve_template, instance.send(:view_layout_opts, OPTS))
 
-            # :nocov:
             if COMPILED_METHOD_SUPPORT
-            # :nocov:
               if (layout_template = render_opts[:optimize_layout]) && !opts[:render][:optimized_layout_method_created]
                 instance.send(:retrieve_template, :template=>layout_template, :cache_key=>nil, :template_method_cache_key => :_roda_layout)
                 layout_method = opts[:render][:template_method_cache][:_roda_layout]
@@ -610,7 +602,6 @@ class Roda
             end
           end
         else
-          # :nocov:
           def _cached_template_method(_)
             nil
           end
@@ -630,7 +621,6 @@ class Roda
           def _optimized_view_content(template)
             nil
           end
-          # :nocov:
         end
 
 

data/lib/roda/plugins/render_each.rb

@@ -109,11 +109,9 @@ class Roda
             end.join
           end
         else
-          # :nocov:
           def _cached_render_each_template_method(template)
             nil
           end
-          # :nocov:
         end
       end
     end

data/lib/roda/plugins/render_locals.rb

@@ -43,9 +43,7 @@ class Roda
       module InstanceMethods
         private
 
-        # :nocov:
         if Render::COMPILED_METHOD_SUPPORT
-        # :nocov:
           # Disable use of cached templates, since it assumes a render/view call with no
           # options will have no locals.
           def _cached_template_method(template)

data/lib/roda/plugins/sinatra_helpers.rb

@@ -4,9 +4,7 @@ require 'rack/mime'
 begin
   require 'rack/files'
 rescue LoadError
-  # :nocov:
   require 'rack/file'
-  # :nocov:
 end
 
 
@@ -225,9 +223,7 @@ class Roda
       ISO88591_ENCODING = Encoding.find('ISO-8859-1')
       BINARY_ENCODING = Encoding.find('BINARY')
 
-      # :nocov:
       RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
-      # :nocov:
 
       # Depend on the status_303 plugin.
       def self.load_dependencies(app, _opts = nil)
@@ -351,10 +347,8 @@ class Roda
           s, h, b = if Rack.release > '2'
             file.serving(self, path)
           else
-            # :nocov:
             file.path = path
             file.serving(@env)
-            # :nocov:
           end
 
           res.status = opts[:status] || s

data/lib/roda/plugins/status_handler.rb

@@ -45,11 +45,9 @@ class Roda
           when nil, false
             CLEAR_HEADERS
           when Array
-            # :nocov:
-            if Rack.release >= '2.3'
+            if Rack.release >= '3'
               keep_headers = keep_headers.map(&:downcase)
             end
-            # :nocov:
             lambda{|headers| headers.delete_if{|k,_| !keep_headers.include?(k)}}
           else
             raise RodaError, "Invalid :keep_headers option"

data/lib/roda/plugins/typecast_params.rb

@@ -5,34 +5,26 @@ require 'time'
 
 class Roda
   module RodaPlugins
-    # The typecast_params plugin allows for the simple type conversion for
-    # submitted parameters.  Submitted parameters should be considered
-    # untrusted input, and in standard use with browsers, parameters are
-    # submitted as strings (or a hash/array containing strings).  In most
-    # cases it makes sense to explicitly convert the parameter to the
+    # The typecast_params plugin allows for type conversion of submitted parameters.
+    # Submitted parameters should be considered untrusted input, and in standard use
+    # with browsers, parameters are # submitted as strings (or a hash/array containing
+    # strings).  In most # cases it makes sense to explicitly convert the parameter to the
     # desired type.  While this can be done via manual conversion:
     #
-    #   key = request.params['key'].to_i
-    #   key = nil unless key > 0
+    #   val = request.params['key'].to_i
+    #   val = nil unless val > 0
     #
     # the typecast_params plugin adds a friendlier interface:
     #
-    #   key = typecast_params.pos_int('key')
+    #   val = typecast_params.pos_int('key')
     #
-    # As +typecast_params+ is a fairly long method name, you may want to
-    # consider aliasing it to something more terse in your application,
-    # such as +tp+.
-    #
-    # One advantage of using typecast_params is that access or conversion
-    # errors are raised as a specific exception class
-    # (+Roda::RodaPlugins::TypecastParams::Error+).  This allows you to handle
-    # this specific exception class globally and return an appropriate 4xx
-    # response to the client.  You can use the Error#param_name and Error#reason 
-    # methods to get more information about the error.
+    # As +typecast_params+ is a fairly long method name, and may be a method you call
+    # frequently, you may want to consider aliasing it to something more terse in your
+    # application, such as +tp+.
     #
     # typecast_params offers support for default values:
     #
-    #   key = typecast_params.pos_int('key', 1)
+    #   val = typecast_params.pos_int('key', 1)
     #
     # The default value is only used if no value has been submitted for the parameter,
     # or if the conversion of the value results in +nil+.  Handling defaults for parameter
@@ -43,35 +35,41 @@ class Roda
     # In many cases, parameters should be required, and if they aren't submitted, that
     # should be considered an error.  typecast_params handles this with ! methods:
     #
-    #   key = typecast_params.pos_int!('key')
+    #   val = typecast_params.pos_int!('key')
     #
     # These ! methods raise an error instead of returning +nil+, and do not allow defaults.
     #
+    # The errors raised by this plugin use a specific exception class,
+    # +Roda::RodaPlugins::TypecastParams::Error+.  This allows you to handle
+    # this specific exception class globally and return an appropriate 4xx
+    # response to the client.  You can use the Error#param_name and Error#reason 
+    # methods to get more information about the error.
+    #
     # To make it easy to handle cases where many parameters need the same conversion
     # done, you can pass an array of keys to a conversion method, and it will return an array
     # of converted values:
     #
-    #   key1, key2 = typecast_params.pos_int(['key1', 'key2'])
+    #   val1, val2 = typecast_params.pos_int(['key1', 'key2'])
     #
     # This is equivalent to:
     #
-    #   key1 = typecast_params.pos_int('key1')
-    #   key2 = typecast_params.pos_int('key2')
+    #   val1 = typecast_params.pos_int('key1')
+    #   val2 = typecast_params.pos_int('key2')
     #
     # The ! methods also support arrays, ensuring that all parameters have a value:
     #
-    #   key1, key2 = typecast_params.pos_int!(['key1', 'key2'])
+    #   val1, val2 = typecast_params.pos_int!(['key1', 'key2'])
     #
     # For handling of array parameters, where all entries in the array use the
     # same conversion, there is an +array+ method which takes the type as the first argument
     # and the keys to convert as the second argument:
     #
-    #   keys = typecast_params.array(:pos_int, 'keys')
+    #   vals = typecast_params.array(:pos_int, 'keys')
     #
     # If you want to ensure that all entries in the array are converted successfully and that
     # there is a value for the array itself, you can use +array!+:
     #
-    #   keys = typecast_params.array!(:pos_int, 'keys')
+    #   vals = typecast_params.array!(:pos_int, 'keys')
     #
     # This will raise an exception if any of the values in the array for parameter +keys+ cannot
     # be converted to integer.
@@ -79,8 +77,8 @@ class Roda
     # Both +array+ and +array!+ support default values which are used if no value is present
     # for the parameter:
     #
-    #   keys = typecast_params.array(:pos_int, 'keys', [])
-    #   keys = typecast_params.array!(:pos_int, 'keys', [])
+    #   vals1 = typecast_params.array(:pos_int, 'keys1', [])
+    #   vals2 = typecast_params.array!(:pos_int, 'keys2', [])
     #
     # You can also pass an array of keys to +array+ or +array!+, if you would like to perform
     # the same conversion on multiple arrays:
@@ -88,7 +86,7 @@ class Roda
     #   foo_ids, bar_ids = typecast_params.array!(:pos_int, ['foo_ids', 'bar_ids'])
     #
     # The previous examples have shown use of the +pos_int+ method, which uses +to_i+ to convert the
-    # value to an integer, but returns nil if the resulting integer is not positive.  Unless you need
+    # value to an integer, but returns +nil+ if the resulting integer is not positive.  Unless you need
     # to handle negative numbers, it is recommended to use +pos_int+ instead of +int+ as +int+ will
     # convert invalid values to 0 (since that is how <tt>String#to_i</tt> works).
     #
@@ -224,10 +222,10 @@ class Roda
     #   # }
     #
     # Using the +:symbolize+ option makes it simpler to transition from untrusted external
-    # data (string keys), to trusted data that can be used internally (trusted in the sense that
-    # the expected types are used).
+    # data (string keys), to semitrusted data that can be used internally (trusted in the sense that
+    # the expected types are used, not that you trust the values).
     #
-    # Note that if there are multiple conversion Error raised inside a +convert!+ or +convert_each!+ 
+    # Note that if there are multiple conversion errors raised inside a +convert!+ or +convert_each!+ 
     # block, they are recorded and a single TypecastParams::Error instance is raised after
     # processing the block.  TypecastParams::Error#param_names can be called on the exception to
     # get an array of all parameter names with conversion issues, and TypecastParams::Error#all_errors
@@ -245,14 +243,18 @@ class Roda
     # specific to the Roda application.  You can add support for custom types by passing a block
     # when loading the typecast_params plugin.  This block is executed in the context of the
     # subclass, and calling +handle_type+ in the block can be used to add conversion methods.
-    # +handle_type+ accepts a type name and the block used to convert the type:
+    # +handle_type+ accepts a type name, an options hash, and the block used to convert the type.
+    # The only currently supported option is +:max_input_bytesize+, specifying the maximum bytesize of
+    # string input.  You can also override the max input bytesize of an existing type using the
+    # +max_input_bytesize+ method.
     #
     #   plugin :typecast_params do
-    #     handle_type(:album) do |value|
+    #     handle_type(:album, max_input_bytesize: 100) do |value|
     #       if id = convert_pos_int(val)
     #         Album[id]
     #       end
     #     end
+    #     max_input_bytesize(:date, 256)
     #   end
     #
     # By default, the typecast_params conversion procs are passed the parameter value directly
@@ -260,10 +262,18 @@ class Roda
     # strip leading and trailing whitespace from parameter string values before processing, which
     # you can do by passing the <tt>strip: :all</tt> option when loading the plugin.
     #
-    # By default, the typecast_params conversion procs check that null bytes are not allowed
-    # in param string values. This check for null bytes occurs prior to any type conversion.
+    # By default, the typecasting methods for some types check whether the bytesize of input
+    # strings is over the maximum expected values, and raise an error in such cases. The input
+    # bytesize is checked prior to any type conversion.  If you would like to skip this check
+    # and allow any bytesize when doing type conversion for param string values, you can do so by
+    # passing the # <tt>:skip_bytesize_checking</tt> option when loading the plugin. By default,
+    # there is an 100 byte limit on integer input, an 1000 byte input on float input, and a 128
+    # byte limit on date/time input.
+    #
+    # By default, the typecasting methods check whether input strings have null bytes, and raise
+    # an error in such cases.  This check for null bytes occurs prior to any type conversion.
     # If you would like to skip this check and allow null bytes in param string values,
-    # you can do by passing the <tt>:allow_null_bytes</tt> option when loading the plugin.
+    # you can do so by passing the <tt>:allow_null_bytes</tt> option when loading the plugin.
     #
     # You can use the :date_parse_input_handler option to specify custom handling of date
     # parsing input.  Modern versions of Ruby and the date gem internally raise if the input to
@@ -282,6 +292,11 @@ class Roda
     #       string.b[0, 128]
     #     }
     #
+    # The +date_parse_input_handler+ is only called if the value is under the max input
+    # bytesize, so you may need to call +max_input_bytesize+ for the +:date+, +:time+, and
+    # +:datetime+ methods to override the max input bytesize if you want to use this option
+    # for input strings over 128 bytes.
+    #
     # By design, typecast_params only deals with string keys, it is not possible to use
     # symbol keys as arguments to the conversion methods and have them converted.
     module TypecastParams
@@ -409,6 +424,14 @@ class Roda
         end
       end
 
+      module SkipBytesizeChecking
+        private
+
+        # Do not check max input bytesize
+        def check_allowed_bytesize(v, max)
+        end
+      end
+
       # Class handling conversion of submitted parameters to desired types.
       class Params
         # Handle conversions for the given type using the given block.
@@ -422,23 +445,29 @@ class Roda
         # This method is used to define all type conversions, even the built
         # in ones.  It can be called in subclasses to setup subclass-specific
         # types.
-        def self.handle_type(type, &block)
+        def self.handle_type(type, opts=OPTS, &block)
           convert_meth = :"convert_#{type}"
           define_method(convert_meth, &block)
 
+          max_input_bytesize = opts[:max_input_bytesize]
+          max_input_bytesize_meth = :"_max_input_bytesize_for_#{type}"
+          define_method(max_input_bytesize_meth){max_input_bytesize}
+
           convert_array_meth = :"_convert_array_#{type}"
           define_method(convert_array_meth) do |v|
             raise Error, "expected array but received #{v.inspect}" unless v.is_a?(Array)
             v.map! do |val|
+              check_allowed_bytesize(val, send(max_input_bytesize_meth))
               check_null_byte(val)
               send(convert_meth, val)
             end
           end
 
-          private convert_meth, convert_array_meth
+          private convert_meth, convert_array_meth, max_input_bytesize_meth
+          alias_method max_input_bytesize_meth, max_input_bytesize_meth
 
           define_method(type) do |key, default=nil|
-            process_arg(convert_meth, key, default) if require_hash!
+            process_arg(convert_meth, key, default, send(max_input_bytesize_meth)) if require_hash!
           end
 
           define_method(:"#{type}!") do |key|
@@ -446,6 +475,15 @@ class Roda
           end
         end
 
+        # Override the maximum input bytesize for the given type. This is mostly useful
+        # for overriding the sizes for the default input types.
+        def self.max_input_bytesize(type, bytesize)
+          max_input_bytesize_meth = :"_max_input_bytesize_for_#{type}"
+          define_method(max_input_bytesize_meth){bytesize}
+          private max_input_bytesize_meth
+          alias_method max_input_bytesize_meth, max_input_bytesize_meth
+        end
+
         # Create a new instance with the given object and nesting level.
         # +obj+ should be an array or hash, and +nesting+ should be an
         # array.  Designed for internal use, should not be called by
@@ -485,17 +523,17 @@ class Roda
           end
         end
 
-        handle_type(:int) do |v|
+        handle_type(:int, :max_input_bytesize=>100) do |v|
           string_or_numeric!(v) && v.to_i
         end
 
-        handle_type(:pos_int) do |v|
+        handle_type(:pos_int, :max_input_bytesize=>100) do |v|
           if (v = convert_int(v)) && v > 0
             v
           end
         end
 
-        handle_type(:Integer) do |v|
+        handle_type(:Integer, :max_input_bytesize=>100) do |v|
           if string_or_numeric!(v)
             case v
             when String
@@ -510,11 +548,11 @@ class Roda
           end
         end
 
-        handle_type(:float) do |v|
+        handle_type(:float, :max_input_bytesize=>1000) do |v|
           string_or_numeric!(v) && v.to_f
         end
 
-        handle_type(:Float) do |v|
+        handle_type(:Float, :max_input_bytesize=>1000) do |v|
           string_or_numeric!(v) && ::Kernel::Float(v)
         end
 
@@ -523,15 +561,15 @@ class Roda
           v
         end
 
-        handle_type(:date) do |v|
+        handle_type(:date, :max_input_bytesize=>128) do |v|
           parse!(::Date, v)
         end
 
-        handle_type(:time) do |v|
+        handle_type(:time, :max_input_bytesize=>128) do |v|
           parse!(::Time, v)
         end
 
-        handle_type(:datetime) do |v|
+        handle_type(:datetime, :max_input_bytesize=>128) do |v|
           parse!(::DateTime, v)
         end
 
@@ -712,7 +750,7 @@ class Roda
         def array(type, key, default=nil)
           meth = :"_convert_array_#{type}"
           raise ProgrammerError, "no typecast_params type registered for #{type.inspect}" unless respond_to?(meth, true)
-          process_arg(meth, key, default) if require_hash!
+          process_arg(meth, key, default, send(:"_max_input_bytesize_for_#{type}")) if require_hash!
         end
 
         # Call +array+ with the +type+, +key+, and +default+, but if the return value is nil or any value in
@@ -945,10 +983,10 @@ class Roda
 
         # If +key+ is not an array, convert the value at the given +key+ using the +meth+ method and +default+
         # value.  If +key+ is an array, return an array with the conversion done for each respective member of +key+.
-        def process_arg(meth, key, default)
+        def process_arg(meth, key, default, max_input_bytesize=nil)
           case key
           when String
-            v = process(meth, key, default)
+            v = process(meth, key, default, max_input_bytesize)
 
             if @capture
               key = key.to_sym if symbolize?
@@ -961,13 +999,20 @@ class Roda
           when Array
             key.map do |k|
               raise ProgrammerError, "non-String element in array argument passed to typecast_params: #{k.inspect}" unless k.is_a?(String)
-              process_arg(meth, k, default)
+              process_arg(meth, k, default, max_input_bytesize)
             end
           else
             raise ProgrammerError, "Unsupported argument for typecast_params conversion method: #{key.inspect}"
           end
         end
 
+        # Raise an Error if the value is a string with bytesize over max (if max is given)
+        def check_allowed_bytesize(v, max)
+          if max && v.is_a?(String) && v.bytesize > max
+            handle_error(nil, :too_long, "string parameter is too long for type", true)
+          end
+        end
+
         # Raise an Error if the value is a string containing a null byte.
         def check_null_byte(v)
           if v.is_a?(String) && v.index("\0")
@@ -977,10 +1022,11 @@ class Roda
 
         # Get the value of +key+ for the object, and convert it to the expected type using +meth+.
         # If the value either before or after conversion is nil, return the +default+ value.
-        def process(meth, key, default)
+        def process(meth, key, default, max_input_bytesize=nil)
           v = param_value(key)
 
           unless v.nil?
+            check_allowed_bytesize(v, max_input_bytesize)
             check_null_byte(v)
             v = send(meth, v)
           end
@@ -1049,6 +1095,9 @@ class Roda
         if opts[:allow_null_bytes]
           app::TypecastParams.send(:include, AllowNullByte)
         end
+        if opts[:skip_bytesize_checking]
+          app::TypecastParams.send(:include, SkipBytesizeChecking)
+        end
         if opts[:date_parse_input_handler]
           app::TypecastParams.class_eval do
             include DateParseInputHandler

data/lib/roda/plugins/view_options.rb

@@ -126,9 +126,7 @@ class Roda
 
         private
 
-        # :nocov:
         if Render::COMPILED_METHOD_SUPPORT
-        # :nocov:
           # Return nil if using custom view or layout options.
           # If using a view subdir, prefix the template key with the subdir.
           def _cached_template_method_key(template)

data/lib/roda/request.rb

@@ -1,18 +1,16 @@
 # frozen-string-literal: true
 
-# :nocov:
 begin
   require "rack/version"
 rescue LoadError
   require "rack"
 else
-  if Rack.release >= '2.3'
+  if Rack.release >= '3'
     require "rack/request"
   else
     require "rack"
   end
 end
-# :nocov:
 
 require_relative "cache"
 
@@ -129,8 +127,7 @@ class Roda
           "#<#{self.class.inspect} #{@env["REQUEST_METHOD"]} #{path}>"
         end
 
-        # :nocov:
-        if Rack.release >= '2.3'
+        if Rack.release >= '3'
           def http_version
             # Prefer SERVER_PROTOCOL as it is required in Rack 3.
             # Still fall back to HTTP_VERSION if SERVER_PROTOCOL
@@ -139,7 +136,6 @@ class Roda
             @env['SERVER_PROTOCOL'] || @env['HTTP_VERSION']
           end
         else
-        # :nocov:
           # What HTTP version the request was submitted with.
           def http_version
             # Prefer HTTP_VERSION as it is backwards compatible
@@ -444,10 +440,10 @@ class Roda
           hash.all?{|k,v| send("match_#{k}", v)}
         end
 
-        # Match integer segment, and yield resulting value as an
+        # Match integer segment of up to 100 decimal characters, and yield resulting value as an
         # integer.
         def _match_class_Integer
-          consume(/\A\/(\d+)(?=\/|\z)/){|i| [i.to_i]}
+          consume(/\A\/(\d{1,100})(?=\/|\z)/){|i| [i.to_i]}
         end
 
         # Match only if all of the arguments in the given array match.

data/lib/roda/response.rb

@@ -42,7 +42,6 @@ class Roda
         # code for non-empty responses and a 404 code for empty responses.
         attr_accessor :status
 
-        # :nocov:
         if defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
           # Set the default headers when creating a response.
           def initialize
@@ -51,7 +50,6 @@ class Roda
             @length  = 0
           end
         else
-        # :nocov:
           # Set the default headers when creating a response.
           def initialize
             @headers = {}
@@ -173,7 +171,6 @@ class Roda
 
         private
 
-        # :nocov:
         if Rack.release < '2.0.2'
           # Don't use a content length for empty 205 responses on
           # rack 1, as it violates Rack::Lint in that version.
@@ -181,7 +178,6 @@ class Roda
             headers.delete("Content-Type")
             headers.delete("Content-Length")
           end
-        # :nocov:
         else
           # Set the content length for empty 205 responses to 0
           def empty_205_headers(headers)

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 59
+  RodaMinorVersion = 61
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.59.0
+  version: 3.61.0
 platform: ruby
 authors:
 - Jeremy Evans
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-08-12 00:00:00.000000000 Z
+date: 2022-10-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -164,7 +164,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - code@jeremyevans.net
 executables: []
@@ -232,6 +232,8 @@ extra_rdoc_files:
 - doc/release_notes/3.58.0.txt
 - doc/release_notes/3.59.0.txt
 - doc/release_notes/3.6.0.txt
+- doc/release_notes/3.60.0.txt
+- doc/release_notes/3.61.0.txt
 - doc/release_notes/3.7.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
@@ -298,6 +300,8 @@ files:
 - doc/release_notes/3.58.0.txt
 - doc/release_notes/3.59.0.txt
 - doc/release_notes/3.6.0.txt
+- doc/release_notes/3.60.0.txt
+- doc/release_notes/3.61.0.txt
 - doc/release_notes/3.7.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
@@ -359,6 +363,7 @@ files:
 - lib/roda/plugins/inject_erb.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
+- lib/roda/plugins/link_to.rb
 - lib/roda/plugins/mail_processor.rb
 - lib/roda/plugins/mailer.rb
 - lib/roda/plugins/match_affix.rb
@@ -433,7 +438,7 @@ metadata:
   documentation_uri: https://roda.jeremyevans.net/documentation.html
   mailing_list_uri: https://github.com/jeremyevans/roda/discussions
   source_code_uri: https://github.com/jeremyevans/roda
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -449,7 +454,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.7
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Routing tree web toolkit
 test_files: []