roda 3.98.0 → 3.100.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9be24f058ca3ba9ce75b21d49af505eb2bd1dbfc40b2bfc1841bcce1c02e100
-  data.tar.gz: 1ee920f5d61b7fee7d049e0849a3fee48b3d926a141d16c4fe7ce58171b60fe3
+  metadata.gz: 40eb39afa6860fdb8612711cf75ce0f5dfcb73fa3af2837fd2d2a0a0f2a2739f
+  data.tar.gz: 0f3b1d45dd9d78c0840e705d61344abcd11312b1d8d0e1cdf5c2cd249ba50bc9
 SHA512:
-  metadata.gz: 3a1d64641747146ee096ecc99cb2407b75d0f1182cb732a174721354248a762a4bb362a4fb19337725430941da079c87944b16d7cc1f72f8a5aa072eae3abdad
-  data.tar.gz: d5e8e3f3b720c33c41cd17d953b96851abe6032974e665856aa5896e2b1c6d436eb67372464ce4f44e30eb471e512bfa7c692d7cfaac31944d8bfed60eb72bbd
+  metadata.gz: 3640eeb3784285b94ef078c79eccdd69feebfcab19ee0ec0d6858e7959343511af1c173d590043221484ea99b3dd7ef7a2345a1dc26808e683b5781f6f6a4626
+  data.tar.gz: 4c739d613fcff7aa56f5dff3c6d83c26ace1a040aebb2f6ed4808086814f93b4f7858b4a968188fecc7e09eb0b7224ff62e44dcd32db6d1e9f22a09fa74ae029

data/lib/roda/plugins/run_require_slash.rb

@@ -9,7 +9,7 @@ class Roda
     # dispatching to the application with an environment that would violate the
     # Rack SPEC.
     #
-    # You are unlikely to want to use this plugin unless are consuming partial
+    # You are unlikely to want to use this plugin unless you are consuming partial
     # segments of the request path, or using the match_affix plugin to change
     # how routing is done:
     #
@@ -23,10 +23,10 @@ class Roda
     #   end
     #
     #   # with run_require_slash: 
-    #   # GET /a/b/e => App not dispatched to
+    #   # GET /a/b/e => Not dispatched to application
     #   # GET /a/b => App gets "" as PATH_INFO
     #
-    #   # with run_require_slash: 
+    #   # without run_require_slash: 
     #   # GET /a/b/e => App gets "e" as PATH_INFO, violating rack SPEC
     #   # GET /a/b => App gets "" as PATH_INFO
     module RunRequireSlash

data/lib/roda/plugins/sec_fetch_site_csrf.rb

@@ -0,0 +1,131 @@
+# frozen-string-literal: true
+
+class Roda
+  module RodaPlugins
+    # The sec_fetch_site plugin allows for CSRF protection using the
+    # Sec-Fetch-Site header added in modern browsers. It allows for CSRF
+    # protection without the use of CSRF tokens, which can simplify
+    # form creation.
+    #
+    # The protection offered by the sec_fetch_site plugin is weaker than
+    # the protection offered by the route_csrf plugin with default settings,
+    # since it doesn't support per-request tokens. Be aware you are trading
+    # security for simplicity when using the sec_fetch_site plugin instead
+    # of the route_csrf plugin.  Other caveats in using the sec_fetch_site
+    # plugin:
+    #
+    # * Not all browsers set the Sec-Fetch-Site header. Some browsers
+    #   didn't start setting the header until 2023. In these cases, you
+    #   need to decide how to handle the request. The default is to deny
+    #   the request, though you can use the :allow_missing option to allow
+    #   it.
+    #
+    # * Sec-Fetch-Site headers are not set for http requests, only https
+    #   requests, so this doesn't offer protection for http requests.
+    #
+    # * It isn't possible to share a CSRF secret between applications in
+    #   different origins to allow cross-site requests between the
+    #   applications.
+    #
+    # This plugin adds the +check_sec_fetch_site!+ method to the routing
+    # block scope. You should call this method at the appropriate place
+    # in the routing tree to enforce the CSRF protection. The method can
+    # accept a block to override the :csrf_failure plugin option behavior
+    # on a per-call basis.
+    #
+    # When loading the plugin with no options:
+    #
+    #   plugin :sec_fetch_site_csrf
+    #
+    # Only same-origin requests are allowed by default.
+    #
+    # This plugin supports the following options:
+    #
+    # :allow_missing :: Whether to allow requests lacking the Sec-Fetch-Site
+    #                   header (false by default).
+    # :allow_none :: Whether to allow requests where Sec-Fetch-Value is none
+    #                (false by default).
+    # :allow_same_site :: Whether to allow requests where Sec-Fetch-Value is
+    #                     same-site (false by default)
+    # :check_request_methods :: Which request methods require CSRF protection
+    #                           (default: <tt>['POST', 'DELETE', 'PATCH', 'PUT']</tt>)
+    # :csrf_failure :: The action to taken if a request does not have a valid header
+    #                  (default: :raise).  Options:
+    #                  :raise :: raise a Roda::RodaPlugins::SecFetchSiteCsrf::CsrfFailure
+    #                            exception
+    #                  :empty_403 :: return a blank 403 page
+    #                  :clear_session :: clear the current session
+    #
+    # The plugin also supports a block, in which case failures will call the block
+    # as a routing block (the block should accept the request object).
+    module SecFetchSiteCsrf
+      DEFAULTS = {
+        :csrf_failure => :raise,
+        :check_request_methods => %w'POST DELETE PATCH PUT'.freeze.each(&:freeze)
+      }.freeze
+
+      # Exception class raised when :csrf_failure option is :raise and
+      # the Sec-Fetch-Site header is not considered valid.
+      class CsrfFailure < RodaError; end
+
+      def self.configure(app, opts=OPTS, &block)
+        options = app.opts[:sec_fetch_site_csrf] = (app.opts[:sec_fetch_site_csrf] || DEFAULTS).merge(opts)
+
+        allowed_values = options[:allowed_values] = ["same-origin"]
+        allowed_values << "same-site" if opts[:allow_same_site]
+        allowed_values << "none" if opts[:allow_none]
+        allowed_values << nil if opts[:allow_missing]
+        allowed_values.freeze
+
+        if block
+          options[:csrf_failure] = :method
+          app.define_roda_method(:_roda_sec_fetch_site_csrf_failure, 1, &app.send(:convert_route_block, block))
+        end
+
+        case options[:csrf_failure]
+        when :raise, :empty_403, :clear_session, :method
+          # nothing
+        else
+          raise RodaError, "Unsupported :csrf_failure plugin option: #{options[:csrf_failure].inspect}"
+        end
+
+        options.freeze
+      end
+
+      module InstanceMethods
+        # Check that the Sec-Fetch-Site header is valid, if the request requires it.
+        # If the header is valid or the request does not require the header, return nil.
+        # Otherwise, if a block is given, treat it as a routing block and yield to it, and
+        # if a block is not given, use the plugin :csrf_failure option to determine how to
+        # handle it.
+        def check_sec_fetch_site!(&block)
+          plugin_opts = self.class.opts[:sec_fetch_site_csrf]
+          return unless plugin_opts[:check_request_methods].include?(request.request_method)
+
+          sec_fetch_site = env["HTTP_SEC_FETCH_SITE"]
+          return if plugin_opts[:allowed_values].include?(sec_fetch_site)
+
+          @_request.on(&block) if block
+          
+          case failure_action = plugin_opts[:csrf_failure]
+          when :raise
+            raise CsrfFailure, "potential cross-site request, Sec-Fetch-Site value: #{sec_fetch_site.inspect}"
+          when :empty_403
+            @_response.status = 403
+            headers = @_response.headers
+            headers.clear
+            headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
+            headers[RodaResponseHeaders::CONTENT_LENGTH] ='0'
+            throw :halt, @_response.finish_with_body([])
+          when :clear_session
+            session.clear
+          else # when :method
+            @_request.on{_roda_sec_fetch_site_csrf_failure(@_request)}
+          end
+        end
+      end
+    end
+
+    register_plugin(:sec_fetch_site_csrf, SecFetchSiteCsrf)
+  end
+end

data/lib/roda/request.rb

@@ -12,6 +12,7 @@ else
   end
 end
 
+require 'set'
 require_relative "cache"
 
 class Roda
@@ -489,6 +490,21 @@ class Roda
           end
         end
 
+        # Match only if the next segment in the path is one of the
+        # set's elements, and yield the next segment.
+        def _match_set(set)
+          rp = @remaining_path
+          if key = _match_class_String
+            if set.include?(@captures[-1])
+              true
+            else
+              @remaining_path = rp
+              @captures.pop
+              false
+            end
+          end
+        end
+
         # Match the given symbol if any segment matches.
         def _match_symbol(sym=nil)
           rp = @remaining_path
@@ -629,6 +645,8 @@ class Roda
             _match_array(matcher)
           when Hash
             _match_hash(matcher)
+          when Set
+            _match_set(matcher)
           when Symbol
             _match_symbol(matcher)
           when false, nil

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 98
+  RodaMinorVersion = 100
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.98.0
+  version: 3.100.0
 platform: ruby
 authors:
 - Jeremy Evans
@@ -284,6 +284,7 @@ files:
 - lib/roda/plugins/run_append_slash.rb
 - lib/roda/plugins/run_handler.rb
 - lib/roda/plugins/run_require_slash.rb
+- lib/roda/plugins/sec_fetch_site_csrf.rb
 - lib/roda/plugins/sessions.rb
 - lib/roda/plugins/shared_vars.rb
 - lib/roda/plugins/sinatra_helpers.rb
@@ -331,7 +332,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Routing tree web toolkit
 test_files: []