roda 3.74.0 → 3.76.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae3f95331c6c3d69453feb96a7dbd3629a6d5f52bd9d1862edecab893d95a36f
-  data.tar.gz: c5457f54b2ca5a9971f93a23db10abe3b6fd16a743e2651749ec14c480c248a3
+  metadata.gz: 1f4eee948a9994645560f635fd228d2f46f3f466da782a476d7046b2b0b9f026
+  data.tar.gz: 4abb6bed043b264c59e17b1120771822a26292f24037a283c08003168c72e602
 SHA512:
-  metadata.gz: f314713b33ec4400e5ef8849c6a3e30f1b5956b428dea55a5bf45855fef4a965f9b417063182cc4412effa592a7d311715cf4541826781675ca26bd20f202ca3
-  data.tar.gz: 735cb4cf3e5480be4462d88ccb0090001e7eca27bfe7338a923f5f190730095037ff0c77e1cbe3c875b137175bc7022b8d0611ccbf8b82426cbbaec5b7802149
+  metadata.gz: 112d90a74ed25ae0bb608a2e89d2f6fa757912287feb3a68d312ef4b8fd317bdb8f04eb76f529090d14a92c322d869ededa831f8db5d20bce8a66cd973a71584
+  data.tar.gz: 22ddb0a055b5849c6dcd3ec93426e495198434cf1e9cf9adbae1c22ece9b788c0ea7332122b9ad525954e2b946b0eef873de3b0466fe5b844407dec6c9844c84

data/CHANGELOG

@@ -1,3 +1,15 @@
+= 3.76.0 (2024-01-12)
+
+* Support :filter plugin option in error_mail and error_email for filtering parameters, environment variables, and session values (jeremyevans) (#346)
+
+* Set temporary name on Ruby 3.3 in middleware plugin for middleware class created (janko) (#344)
+
+* Add break plugin, for using break inside a routing block to return from the block and keep routing (jeremyevans)
+
+= 3.75.0 (2023-12-14)
+
+* Add cookie_flags plugin, for overriding, warning, or raising for incorrect cookie flags (jeremyevans)
+
 = 3.74.0 (2023-11-13)
 
 * Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)

data/doc/release_notes/3.75.0.txt

@@ -0,0 +1,19 @@
+= New Features
+
+* A cookie_flags plugin has been added, for overriding, warning, or
+  raising for incorrect cookie flags. The plugin by default checks
+  whether the secure, httponly, and samesite=strict flags are set.
+  The default behavior is to add the appropriate flags if they are
+  not set, and change the samesite flag to strict if it is set to
+  something else.  You can configure the flag checking behavior
+  via the :httponly, :same_site, and :secure options.
+
+  You can configure the action the plugin takes via the :action option.
+  The default action is to modify the flags, but the :action option can
+  be set to :raise, :warn, or :warn_and_modify to override the behavior.
+
+  The recommended way to use the plugin is to use it during testing,
+  and specify action: :raise, so you can catch places where cookies
+  are set with the wrong flags.  Then you can fix those places to
+  use the correct flags, which is better than relying on the plugin
+  at runtime in production to fix incorrect flags.

data/doc/release_notes/3.76.0.txt

@@ -0,0 +1,18 @@
+= New Features
+
+* A break plugin has been added, allowing you to use break from
+  inside a routing block and continue routing after the block.  This
+  offers the same feature as the pass plugin, but using the standard
+  break keyword instead of the r.pass method.
+
+* The error_mail and error_email features now both accept a :filter
+  plugin option.  The value should respond to call with two arguments.
+  The first arguments is the key, and the second is the value, and
+  should return a truthy value if the value should be filtered.  This
+  will be used for filtering parameter values, ENV values, and session
+  values in the generated emails.
+
+= Other Improvements
+
+* On Ruby 3.3+, the middleware plugin sets a temporary class name for
+  the created middleware, based on the class name of the Roda app.

data/lib/roda/plugins/break.rb

@@ -0,0 +1,43 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The break plugin supports calling break inside a match block, to
+    # return from the block and continue in the routing tree, restoring
+    # the remaining path so that future matchers operating on the path
+    # operate as expected.
+    #
+    #   plugin :break
+    #
+    #   route do |r|
+    #     r.on "foo", :bar do |bar|
+    #       break if bar == 'baz'
+    #       "/foo/#{bar} (not baz)"
+    #     end
+    #
+    #     r.on "foo/baz" do
+    #       "/foo/baz"
+    #     end
+    #   end
+    #
+    # This provides the same basic feature as the pass plugin, but
+    # uses Ruby's standard control flow primative instead of a
+    # separate method.
+    module Break
+      module RequestMethods
+        private
+
+        # Handle break inside match blocks, restoring remaining path.
+        def if_match(_)
+          rp = @remaining_path
+          super
+        ensure
+          @remaining_path = rp
+        end
+      end
+    end
+
+    register_plugin(:break, Break)
+  end
+end

data/lib/roda/plugins/cookie_flags.rb

@@ -0,0 +1,157 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The cookie_flags plugin allows users to force specific cookie flags for
+    # all cookies set by the application.  It can also be used to warn or
+    # raise for unexpected cookie flags.
+    #
+    # The cookie_flags plugin deals with the following cookie flags:
+    #
+    # httponly :: Disallows access to the cookie from client-side scripts.
+    # samesite :: Restricts to which domains the cookie is sent.
+    # secure :: Instructs the browser to only transmit the cookie over HTTPS.
+    #
+    # This plugin ships in secure-by-default mode, where it enforces
+    # secure, httponly, samesite=strict cookies. You can disable enforcing
+    # specific flags using the following options:
+    #
+    # :httponly :: Set to false to not enforce httponly flag.
+    # :same_site :: Set to symbol or string to enforce a different samesite
+    #               setting, or false to not enforce a specific samesite setting.
+    # :secure :: Set to false to not enforce secure flag.
+    #
+    # For example, to enforce secure cookies and enforce samesite=lax, but not enforce
+    # an httponly flag:
+    #
+    #   plugin :cookie_flags, httponly: false, same_site: 'lax'
+    #
+    # In general, overriding cookie flags using this plugin should be considered a
+    # stop-gap solution.  Instead of overriding cookie flags, it's better to fix
+    # whatever is setting the cookie flags incorrectly.  You can use the :action
+    # option to modify the behavior:
+    #
+    #   # Issue warnings when modifying cookie flags
+    #   plugin :cookie_flags, action: :warn_and_modify
+    #
+    #   # Issue warnings for incorrect cookie flags without modifying cookie flags
+    #   plugin :cookie_flags, action: :warn
+    #
+    #   # Raise errors for incorrect cookie flags
+    #   plugin :cookie_flags, action: :raise
+    #
+    # The recommended way to use the plugin is to use it only during testing with
+    # <tt>action: :raise</tt>.  Then as long as you have fully covering tests, you
+    # can be sure the cookies set by your application use the correct flags.
+    #
+    # Note that this plugin only affects cookies set by the application, and does not
+    # affect cookies set by middleware the application is using.
+    module CookieFlags
+      # :nocov:
+      MATCH_METH = RUBY_VERSION >= '2.4' ? :match? : :match
+      # :nocov:
+      private_constant :MATCH_METH
+
+      DEFAULTS = {:secure=>true, :httponly=>true, :same_site=>'strict', :action=>:modify}.freeze
+      private_constant :DEFAULTS
+
+      # Error class raised for action: :raise when incorrect cookie flags are used.
+      class Error < RodaError
+      end
+
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:cookie_flags] || DEFAULTS
+        opts = app.opts[:cookie_flags] = previous.merge(opts)
+
+        case opts[:same_site]
+        when String, Symbol
+          opts[:same_site] = opts[:same_site].to_s.downcase.freeze
+          opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze
+          opts[:secure] = true if opts[:same_site] == 'none'
+        end
+
+        opts.freeze
+      end
+
+      module InstanceMethods
+        private
+
+        def _handle_cookie_flags_array(cookies)
+          opts = self.class.opts[:cookie_flags]
+          needs_secure = opts[:secure]
+          needs_httponly = opts[:httponly]
+          if needs_same_site = opts[:same_site]
+            same_site_string = opts[:same_site_string]
+            same_site_regexp = /;\s*samesite\s*=\s*(\S+)\s*(?:\z|;)/i
+          end
+          action = opts[:action]
+
+          cookies.map do |cookie|
+            if needs_secure
+              add_secure = !/;\s*secure\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_httponly
+              add_httponly = !/;\s*httponly\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_same_site
+              has_same_site = same_site_regexp.match(cookie)
+              unless add_same_site = !has_same_site
+                update_same_site = needs_same_site != has_same_site[1].downcase
+              end
+            end
+
+            next cookie unless add_secure || add_httponly || add_same_site || update_same_site
+
+            case action
+            when :raise, :warn, :warn_and_modify
+              message = "Response contains cookie with unexpected flags: #{cookie.inspect}." \
+                   "Expecting the following cookie flags: "\
+                   "#{'secure ' if add_secure}#{'httponly ' if add_httponly}#{same_site_string[2..-1] if add_same_site || update_same_site}"
+
+              if action == :raise
+                raise Error, message
+              else
+                warn(message)
+                next cookie if action == :warn
+              end
+            end
+
+            if update_same_site
+              cookie = cookie.gsub(same_site_regexp, same_site_string)
+            else
+              cookie = cookie.dup
+              cookie << same_site_string if add_same_site
+            end
+
+            cookie << '; secure' if add_secure
+            cookie << '; httponly' if add_httponly
+
+            cookie
+          end
+        end
+
+        if Rack.release >= '3'
+          def _handle_cookie_flags(cookies)
+            cookies = [cookies] if cookies.is_a?(String)
+            _handle_cookie_flags_array(cookies)
+          end
+        else
+          def _handle_cookie_flags(cookie_string)
+            _handle_cookie_flags_array(cookie_string.split("\n")).join("\n")
+          end
+        end
+
+        # Handle cookie flags in response
+        def _roda_after_85__cookie_flags(res)
+          return unless res && (headers = res[1]) && (value = headers[RodaResponseHeaders::SET_COOKIE])
+          headers[RodaResponseHeaders::SET_COOKIE] = _handle_cookie_flags(value)
+        end
+      end
+    end
+
+    register_plugin(:cookie_flags, CookieFlags)
+  end
+end

data/lib/roda/plugins/error_email.rb

@@ -21,6 +21,9 @@ class Roda
     #
     # Options:
     #
+    # :filter :: Callable called with the key and value for each parameter, environment
+    #            variable, and session value.  If it returns true, the value of the
+    #            parameter is filtered in the email.
     # :from :: The From address to use in the email (required)
     # :headers :: A hash of additional headers to use in the email (default: empty hash)
     # :host :: The SMTP server to use to send the email (default: localhost)
@@ -38,6 +41,7 @@ class Roda
     # use an error reporting service instead of this plugin.
     module ErrorEmail
       DEFAULTS = {
+        :filter=>lambda{|k,v| false},
         :headers=>OPTS,
         :host=>'localhost',
         # :nocov:
@@ -52,7 +56,12 @@ class Roda
           {'From'=>h[:from], 'To'=>h[:to], 'Subject'=>"#{h[:prefix]}#{subject}"}
         end,
         :body=>lambda do |s, e|
-          format = lambda{|h| h.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
+          filter = s.opts[:error_email][:filter]
+          format = lambda do |h|
+            h = h.map{|k, v| "#{k.inspect} => #{filter.call(k, v) ? 'FILTERED' : v.inspect}"}
+            h.sort!
+            h.join("\n")
+          end 
 
           begin
             params = s.request.params

data/lib/roda/plugins/error_mail.rb

@@ -21,6 +21,9 @@ class Roda
     #
     # Options:
     #
+    # :filter :: Callable called with the key and value for each parameter, environment
+    #            variable, and session value.  If it returns true, the value of the
+    #            parameter is filtered in the email.
     # :from :: The From address to use in the email (required)
     # :headers :: A hash of additional headers to use in the email (default: empty hash)
     # :prefix :: A prefix to use in the email's subject line (default: no prefix)
@@ -36,9 +39,12 @@ class Roda
     # for low traffic web applications.  For high traffic web applications,
     # use an error reporting service instead of this plugin.
     module ErrorMail
+      DEFAULT_FILTER = lambda{|k,v| false}
+      private_constant :DEFAULT_FILTER
+
       # Set default opts for plugin.  See ErrorEmail module RDoc for options.
       def self.configure(app, opts=OPTS)
-        app.opts[:error_mail] = email_opts = (app.opts[:error_mail] || OPTS).merge(opts).freeze
+        app.opts[:error_mail] = email_opts = (app.opts[:error_mail] || {:filter=>DEFAULT_FILTER}).merge(opts).freeze
         unless email_opts[:to] && email_opts[:from]
           raise RodaError, "must provide :to and :from options to error_mail plugin"
         end
@@ -68,8 +74,13 @@ class Roda
             e.to_s
           end
           subject = "#{email_opts[:prefix]}#{subject}"
+          filter = email_opts[:filter]
 
-          format = lambda{|h| h.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
+          format = lambda do |h|
+            h = h.map{|k, v| "#{k.inspect} => #{filter.call(k, v) ? 'FILTERED' : v.inspect}"}
+            h.sort!
+            h.join("\n")
+          end 
 
           begin
             params = request.params

data/lib/roda/plugins/middleware.rb

@@ -134,6 +134,9 @@ class Roda
         # and store +app+ as the next middleware to call.
         def initialize(mid, app, *args, &block)
           @mid = Class.new(mid)
+          # :nocov:
+          @mid.set_temporary_name("#{mid.name}(middleware)") if mid.name && RUBY_VERSION >= "3.3"
+          # :nocov:
           if @mid.opts[:middleware_next_if_not_found]
             @mid.plugin(:not_found, &NEXT_PROC)
           end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 74
+  RodaMinorVersion = 76
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.74.0
+  version: 3.76.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-13 00:00:00.000000000 Z
+date: 2024-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -248,6 +248,8 @@ extra_rdoc_files:
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
+- doc/release_notes/3.76.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -329,6 +331,8 @@ files:
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
+- doc/release_notes/3.76.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -349,6 +353,7 @@ files:
 - lib/roda/plugins/autoload_named_routes.rb
 - lib/roda/plugins/backtracking_array.rb
 - lib/roda/plugins/branch_locals.rb
+- lib/roda/plugins/break.rb
 - lib/roda/plugins/caching.rb
 - lib/roda/plugins/capture_erb.rb
 - lib/roda/plugins/chunked.rb
@@ -357,6 +362,7 @@ files:
 - lib/roda/plugins/common_logger.rb
 - lib/roda/plugins/content_for.rb
 - lib/roda/plugins/content_security_policy.rb
+- lib/roda/plugins/cookie_flags.rb
 - lib/roda/plugins/cookies.rb
 - lib/roda/plugins/csrf.rb
 - lib/roda/plugins/custom_block_results.rb
@@ -491,7 +497,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Routing tree web toolkit