roda 3.73.0 → 3.75.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a47f703af806a15f523b99b38d084520bada92f23196374d6d9781d5953faa8
-  data.tar.gz: 4612153820b89e6dbcfa2370c04269666c49277d8f11256869f6c1f0bb0b571a
+  metadata.gz: 4ebdbc5b5707ba21044b5f4c83445ff8fca6a3925488c72a5176cc662c2ad15b
+  data.tar.gz: ac528e50bfe1e778b5b4d32d16d12e117e87dc55b2f7cad1170b682e2f979586
 SHA512:
-  metadata.gz: bdc42cdc9540750195327dac290e3f0bb08c3ed0100b610441b644c85849e7e9f9f974013cea041cdf640f590e2027996d68b62eea9c31d41bd42a57df6530bb
-  data.tar.gz: 3ab05db704cf45803ad706e78b558ea7798d8d9782a06c7dec79814a4d862582249e5554946c59fff88e1f1d2d360e242268c593a8c9c95fe87b5489e4a4a44c
+  metadata.gz: b7d13975d6c7705f1d7b184f27430320e1dfd5fea96e532f119f86b4c09fdb5c7e460107033d8d099c6ef8da354a514289981163d74cdb293b89074299a57eda
+  data.tar.gz: d16c1b3a2edd401a73b104bf9458fcb865e441f4de649dcfcb8144eb3102abcd6abee741ecbbbf1cad3b13d8efca7260d7785b7e5a2505f29541ad001de9b1e4

data/CHANGELOG

@@ -1,3 +1,11 @@
+= 3.75.0 (2023-12-14)
+
+* Add cookie_flags plugin, for overriding, warning, or raising for incorrect cookie flags (jeremyevans)
+
+= 3.74.0 (2023-11-13)
+
+* Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)
+
 = 3.73.0 (2023-10-13)
 
 * Support :next_if_not_found option for middleware plugin (jeremyevans) (#334)

data/README.rdoc

@@ -723,7 +723,7 @@ Note that when subclassing, Roda only does a shallow clone of the settings.
 
 If you store nested structures and plan to mutate them in subclasses,
 it is your responsibility to dup the nested structures inside +Roda.inherited+
-(making sure to call +super+).  This should be is done so that that modifications
+(making sure to call +super+).  This should be is done so that modifications
 to the parent class made after subclassing do _not_ affect the subclass, and
 vice-versa.
 
@@ -851,9 +851,8 @@ should use an appropriate external middleware.
 It is possible to use other session cookie middleware such as
 <tt>Rack::Session::Cookie</tt>, but other middleware may not have the same security
 features that Roda's session support does.  For example, the session cookies used by
-the <tt>Rack::Session::Cookie</tt> middleware are not encrypted, just signed to
-prevent tampering.  This means you should not store any secret data in the session
-when using <tt>Rack::Session::Cookie</tt>.
+the <tt>Rack::Session::Cookie</tt> middleware provided by Rack before Rack 3 are not
+encrypted, just signed to prevent tampering.
 
 For any cookie-based sessions, make sure that the necessary secrets (+:secret+ option)
 are not disclosed to an attacker.  Knowledge of the
@@ -960,17 +959,17 @@ application level using using the +default_headers+ plugin:
 Strict-Transport-Security :: Enforces SSL/TLS Connections to the application.
 X-Content-Type-Options :: Forces some browsers to respect a declared Content-Type header.
 X-Frame-Options :: Provides click-jacking protection by not allowing usage inside a frame.
-X-XSS-Protection :: Enables an XSS mitigation filter in some browsers.
+                   Only include this if you want to support and protect old browsers that
+                   do not support Content-Security-Policy.
 
 Example:
 
   class App < Roda
     plugin :default_headers,
       'Content-Type'=>'text/html',
-      'Strict-Transport-Security'=>'max-age=16070400;',
+      'Strict-Transport-Security'=>'max-age=63072000; includeSubDomains',
       'X-Content-Type-Options'=>'nosniff',
-      'X-Frame-Options'=>'deny',
-      'X-XSS-Protection'=>'1; mode=block'
+      'X-Frame-Options'=>'deny'
   end
 
 === Rendering Templates Derived From User Input
@@ -1007,25 +1006,16 @@ constants and removing them when any of the reloadable loaded files changes. It
 +require+ and +require_relative+ when activated (usually in the development environment). No
 configurations other than +reloadable_paths+ are required.
 
-Both {rerun}[https://github.com/alexch/rerun] and
-{shotgun}[https://github.com/rtomayko/shotgun] use a fork/exec approach for loading new
-versions of your app.  rerun is faster as it only reloads the app on changes, whereas
-shotgun reloads the app on every request.  Both work without any changes to application
+{rerun}[https://github.com/alexch/rerun] uses a fork/exec approach for loading new
+versions of your app.  It work without any changes to application
 code, but may be slower as they have to reload the entire application on every change.
-However, for small apps that load quickly, either may be a good approach.
-
-{Rack::Reloader}[https://github.com/rack/rack/blob/master/lib/rack/reloader.rb] ships
-with rack and just reloads monitored files when they change, without unloading constants.
-It's fast but may cause issues in cases where you remove classes, constants, or methods,
-or when you are not clearing out cached data manually when files are reloaded.
+However, for small apps that load quickly, it may be a good approach.
 
 There is no one reloading solution that is the best for all applications and development
 approaches.  Consider your needs and the tradeoffs of each of the reloading approaches,
-and pick the one you think will work best.
-
-If you are unsure where to start, it may be best to start with rerun or shotgun
-(unless you're running on JRuby or Windows), and only consider other options if rerun or
-shotgun are not fast enough.
+and pick the one you think will work best.  If you are unsure where to start,
+it may be best to start with Zeitwerk, and only consider other options if it does not
+work well for you.
 
 == Plugins
 
@@ -1144,4 +1134,3 @@ MIT
 == Maintainer
 
 Jeremy Evans <code@jeremyevans.net>
-

data/doc/conventions.rdoc

@@ -55,7 +55,7 @@ via <tt>irb -r ./models</tt>, without loading the Roda application.
 migrations.
 
 +spec/+ (or +test/+ should contain your specifications/tests.  For a small application, it's recommended
-to a have a single file for your model tests, and a single file for your web/integration tests.
+to have a single file for your model tests, and a single file for your web/integration tests.
 
 +Rakefile+ should contain the rake tasks for the application.  The convention is that the
 default rake task will run all specs/tests related to the application.  If you are using

data/doc/release_notes/3.74.0.txt

@@ -0,0 +1,28 @@
+= New Features
+
+* A redirect_http_to_https plugin has been added, redirecting HTTP
+  requests to the same path on an HTTPS site.  Using the routing tree,
+  you can control where to do the redirection, which allows you to
+  easily have part of your site accessible via HTTP, with sensitive
+  sections requiring HTTPS:
+
+    plugin :redirect_http_to_https
+
+    route do |r|
+      # routes available via both HTTP and HTTPS
+      r.redirect_http_to_https
+      # routes available only via HTTPS
+    end
+
+  If you want to redirect to HTTPS for all routes in the routing tree, you
+  can have r.redirect_http_to_https as the very first method call in the
+  routing tree.  Note that in Roda it is possible to handle routing before
+  the normal routing tree using before hooks.  The static_routing and
+  heartbeat plugins use this feature. If you would like to handle routes
+  before the normal routing tree, you can setup a before hook:
+
+    plugin :hooks
+
+    before do
+      request.redirect_http_to_https
+    end

data/doc/release_notes/3.75.0.txt

@@ -0,0 +1,19 @@
+= New Features
+
+* A cookie_flags plugin has been added, for overriding, warning, or
+  raising for incorrect cookie flags. The plugin by default checks
+  whether the secure, httponly, and samesite=strict flags are set.
+  The default behavior is to add the appropriate flags if they are
+  not set, and change the samesite flag to strict if it is set to
+  something else.  You can configure the flag checking behavior
+  via the :httponly, :same_site, and :secure options.
+
+  You can configure the action the plugin takes via the :action option.
+  The default action is to modify the flags, but the :action option can
+  be set to :raise, :warn, or :warn_and_modify to override the behavior.
+
+  The recommended way to use the plugin is to use it during testing,
+  and specify action: :raise, so you can catch places where cookies
+  are set with the wrong flags.  Then you can fix those places to
+  use the correct flags, which is better than relying on the plugin
+  at runtime in production to fix incorrect flags.

data/lib/roda/plugins/cookie_flags.rb

@@ -0,0 +1,157 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The cookie_flags plugin allows users to force specific cookie flags for
+    # all cookies set by the application.  It can also be used to warn or
+    # raise for unexpected cookie flags.
+    #
+    # The cookie_flags plugin deals with the following cookie flags:
+    #
+    # httponly :: Disallows access to the cookie from client-side scripts.
+    # samesite :: Restricts to which domains the cookie is sent.
+    # secure :: Instructs the browser to only transmit the cookie over HTTPS.
+    #
+    # This plugin ships in secure-by-default mode, where it enforces
+    # secure, httponly, samesite=strict cookies. You can disable enforcing
+    # specific flags using the following options:
+    #
+    # :httponly :: Set to false to not enforce httponly flag.
+    # :same_site :: Set to symbol or string to enforce a different samesite
+    #               setting, or false to not enforce a specific samesite setting.
+    # :secure :: Set to false to not enforce secure flag.
+    #
+    # For example, to enforce secure cookies and enforce samesite=lax, but not enforce
+    # an httponly flag:
+    #
+    #   plugin :cookie_flags, httponly: false, same_site: 'lax'
+    #
+    # In general, overriding cookie flags using this plugin should be considered a
+    # stop-gap solution.  Instead of overriding cookie flags, it's better to fix
+    # whatever is setting the cookie flags incorrectly.  You can use the :action
+    # option to modify the behavior:
+    #
+    #   # Issue warnings when modifying cookie flags
+    #   plugin :cookie_flags, action: :warn_and_modify
+    #
+    #   # Issue warnings for incorrect cookie flags without modifying cookie flags
+    #   plugin :cookie_flags, action: :warn
+    #
+    #   # Raise errors for incorrect cookie flags
+    #   plugin :cookie_flags, action: :raise
+    #
+    # The recommended way to use the plugin is to use it only during testing with
+    # <tt>action: :raise</tt>.  Then as long as you have fully covering tests, you
+    # can be sure the cookies set by your application use the correct flags.
+    #
+    # Note that this plugin only affects cookies set by the application, and does not
+    # affect cookies set by middleware the application is using.
+    module CookieFlags
+      # :nocov:
+      MATCH_METH = RUBY_VERSION >= '2.4' ? :match? : :match
+      # :nocov:
+      private_constant :MATCH_METH
+
+      DEFAULTS = {:secure=>true, :httponly=>true, :same_site=>'strict', :action=>:modify}.freeze
+      private_constant :DEFAULTS
+
+      # Error class raised for action: :raise when incorrect cookie flags are used.
+      class Error < RodaError
+      end
+
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:cookie_flags] || DEFAULTS
+        opts = app.opts[:cookie_flags] = previous.merge(opts)
+
+        case opts[:same_site]
+        when String, Symbol
+          opts[:same_site] = opts[:same_site].to_s.downcase.freeze
+          opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze
+          opts[:secure] = true if opts[:same_site] == 'none'
+        end
+
+        opts.freeze
+      end
+
+      module InstanceMethods
+        private
+
+        def _handle_cookie_flags_array(cookies)
+          opts = self.class.opts[:cookie_flags]
+          needs_secure = opts[:secure]
+          needs_httponly = opts[:httponly]
+          if needs_same_site = opts[:same_site]
+            same_site_string = opts[:same_site_string]
+            same_site_regexp = /;\s*samesite\s*=\s*(\S+)\s*(?:\z|;)/i
+          end
+          action = opts[:action]
+
+          cookies.map do |cookie|
+            if needs_secure
+              add_secure = !/;\s*secure\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_httponly
+              add_httponly = !/;\s*httponly\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_same_site
+              has_same_site = same_site_regexp.match(cookie)
+              unless add_same_site = !has_same_site
+                update_same_site = needs_same_site != has_same_site[1].downcase
+              end
+            end
+
+            next cookie unless add_secure || add_httponly || add_same_site || update_same_site
+
+            case action
+            when :raise, :warn, :warn_and_modify
+              message = "Response contains cookie with unexpected flags: #{cookie.inspect}." \
+                   "Expecting the following cookie flags: "\
+                   "#{'secure ' if add_secure}#{'httponly ' if add_httponly}#{same_site_string[2..-1] if add_same_site || update_same_site}"
+
+              if action == :raise
+                raise Error, message
+              else
+                warn(message)
+                next cookie if action == :warn
+              end
+            end
+
+            if update_same_site
+              cookie = cookie.gsub(same_site_regexp, same_site_string)
+            else
+              cookie = cookie.dup
+              cookie << same_site_string if add_same_site
+            end
+
+            cookie << '; secure' if add_secure
+            cookie << '; httponly' if add_httponly
+
+            cookie
+          end
+        end
+
+        if Rack.release >= '3'
+          def _handle_cookie_flags(cookies)
+            cookies = [cookies] if cookies.is_a?(String)
+            _handle_cookie_flags_array(cookies)
+          end
+        else
+          def _handle_cookie_flags(cookie_string)
+            _handle_cookie_flags_array(cookie_string.split("\n")).join("\n")
+          end
+        end
+
+        # Handle cookie flags in response
+        def _roda_after_85__cookie_flags(res)
+          return unless res && (headers = res[1]) && (value = headers[RodaResponseHeaders::SET_COOKIE])
+          headers[RodaResponseHeaders::SET_COOKIE] = _handle_cookie_flags(value)
+        end
+      end
+    end
+
+    register_plugin(:cookie_flags, CookieFlags)
+  end
+end

data/lib/roda/plugins/redirect_http_to_https.rb

@@ -0,0 +1,99 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The redirect_http_to_https plugin exposes a +redirect_http_to_https+
+    # request method that redirects HTTP requests to HTTPS, helping to ensure
+    # that future requests by the same browser will be submitted securely.
+    #
+    # You should use this plugin if you have an application that can receive
+    # requests using both HTTP and HTTPS, and you want to make sure that all
+    # or a subset of routes are only handled for HTTPS requests.
+    #
+    # The reason this exposes a request method is so that you can choose where
+    # in your routing tree to do the redirection:
+    #
+    #   route do |r|
+    #     # routes available via both HTTP and HTTPS
+    #     r.redirect_http_to_https
+    #     # routes available only via HTTPS
+    #   end
+    #
+    # If you want to redirect to HTTPS for all routes in the routing tree, you
+    # can have this as the very first method call in the routing tree.  Note that
+    # in Roda it is possible to handle routing before the normal routing tree
+    # using before hooks.  The static_routing and heartbeat plugins use this
+    # feature. If you would like to handle routes before the normal routing tree,
+    # you can setup a before hook:
+    #
+    #   plugin :hooks
+    #
+    #   before do
+    #     request.redirect_http_to_https
+    #   end
+    module RedirectHttpToHttps
+      status_map = Hash.new(307)
+      status_map['GET'] = status_map['HEAD'] = 301
+      status_map.freeze
+      DEFAULTS = {:status_map => status_map}.freeze
+      private_constant :DEFAULTS
+
+      # Configures redirection from HTTP to HTTPS.  Available options:
+      #
+      # :body :: The body used in the redirect.  If not set, uses an empty body.
+      # :headers :: Any additional headers used in the redirect response. By default,
+      #             no additional headers are set, the only header used is the Location header.
+      # :host :: The host to redirect to.  If not set, redirects to the same host as the HTTP
+      #          requested to.  It is highly recommended that you set this if requests with
+      #          arbitrary Host headers can be submitted to the application.
+      # :port :: The port to use in the redirect.  By default, will not set an explicit port,
+      #          so that it will implicitly use the HTTPS default port of 443.
+      # :status_map :: A hash mapping request methods to response status codes.  By default,
+      #                uses a hash that redirects GET and HEAD requests with a 301 status,
+      #                and other request methods with a 307 status.
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:redirect_http_to_https] || DEFAULTS
+        opts = app.opts[:redirect_http_to_https] = previous.merge(opts)
+        opts[:port_string] = opts[:port] ? ":#{opts[:port]}".freeze : "".freeze
+        opts[:prefix] = opts[:host] ? "https://#{opts[:host]}#{opts[:port_string]}".freeze : nil
+        opts.freeze
+      end
+
+      module RequestMethods
+        # Redirect HTTP requests to HTTPS. While this doesn't secure the
+        # current request, it makes it more likely that the browser will submit
+        # future requests securely via HTTPS.
+        def redirect_http_to_https
+          return if ssl?
+
+          opts = roda_class.opts[:redirect_http_to_https]
+
+          res = response
+
+          if body = opts[:body]
+            res.write(body)
+          end
+
+          if headers = opts[:headers]
+            res.headers.merge!(headers)
+          end
+
+          path = if prefix = opts[:prefix]
+            prefix + fullpath
+          else
+            "https://#{host}#{opts[:port_string]}#{fullpath}"
+          end
+
+          unless status = opts[:status_map][@env['REQUEST_METHOD']]
+            raise RodaError, "redirect_http_to_https :status_map provided does not support #{@env['REQUEST_METHOD']}"
+          end
+
+          redirect(path, status)
+        end
+      end
+    end
+
+    register_plugin(:redirect_http_to_https, RedirectHttpToHttps)
+  end
+end

data/lib/roda/plugins/route_csrf.rb

@@ -22,9 +22,11 @@ class Roda
     # and request path even if they have access to a token that is not
     # specific to request method and request path.  To get this security
     # benefit, you must ensure an attacker does not have access to the
-    # session.  Rack::Session::Cookie uses signed sessions, not encrypted
+    # session.  Rack::Session::Cookie versions shipped with Rack before
+    # Rack 3 use signed sessions, not encrypted
     # sessions, so if the attacker has the ability to read cookie data
-    # and you are using Rack::Session::Cookie, it will still be possible
+    # and you are using one of those Rack::Session::Cookie versions,
+    # it will still be possible
     # for an attacker to generate valid CSRF tokens specific to arbitrary
     # request method and request path.  Roda's session plugin uses
     # encrypted sessions and therefore is safe even if the attacker can

data/lib/roda/plugins/sessions.rb

@@ -40,7 +40,8 @@ class Roda
     #
     # Session secrets can be rotated.  See options below.
     #
-    # The sessions plugin can transparently upgrade sessions from Rack::Session::Cookie
+    # The sessions plugin can transparently upgrade sessions from versions of Rack::Session::Cookie
+    # shipped with Rack before Rack 3,
     # if the default Rack::Session::Cookie coder and HMAC are used, see options below.
     # It is recommended to only enable transparent upgrades for a brief transition period,
     # and remove support for them once old sessions have converted or timed out.

data/lib/roda/response.rb

@@ -10,19 +10,15 @@ class Roda
   # headers used internally by Roda can be lower case on Rack 3, so that it is
   # possible to use a plain hash of response headers instead of using Rack::Headers.
   module RodaResponseHeaders
-    headers = %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
-       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
-       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.freeze.each(&:freeze)
+    downcase = defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
 
-    if defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.downcase.freeze)
-      end
-    else
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.freeze)
+    %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
+       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
+       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.
+      each do |value|
+        value = value.downcase if downcase
+        const_set(value.gsub('-', '_').upcase!.to_sym, value.freeze)
       end
-    end
   end
 
   # Base class used for Roda responses.  The instance methods for this

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 73
+  RodaMinorVersion = 75
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.73.0
+  version: 3.75.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-13 00:00:00.000000000 Z
+date: 2023-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -247,6 +247,8 @@ extra_rdoc_files:
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -327,6 +329,8 @@ files:
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -355,6 +359,7 @@ files:
 - lib/roda/plugins/common_logger.rb
 - lib/roda/plugins/content_for.rb
 - lib/roda/plugins/content_security_policy.rb
+- lib/roda/plugins/cookie_flags.rb
 - lib/roda/plugins/cookies.rb
 - lib/roda/plugins/csrf.rb
 - lib/roda/plugins/custom_block_results.rb
@@ -428,6 +433,7 @@ files:
 - lib/roda/plugins/public.rb
 - lib/roda/plugins/r.rb
 - lib/roda/plugins/recheck_precompiled_assets.rb
+- lib/roda/plugins/redirect_http_to_https.rb
 - lib/roda/plugins/relative_path.rb
 - lib/roda/plugins/render.rb
 - lib/roda/plugins/render_coverage.rb