roda 2.11.0 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8838cf12ea385cc60fd7a700596ea8e5b7d6f048
-  data.tar.gz: 17e8862408a8cfec0f55a4ff6bc845bef02df74b
+  metadata.gz: cfcafebba5d38f3d4346b485721c5625aa0df988
+  data.tar.gz: c3e1918167a29a21c0a0936cf5296778dba0f052
 SHA512:
-  metadata.gz: 3dc1d418979beb8c3410d4eb15c4e5c8355c501dc39ec091c80409f6c30e1a4e3d5dfbf41263965a11174915753ed66c9385a55549d6a97603e96f1eb46ae41a
-  data.tar.gz: fdf05f0931a18f622c0c75e0bc596cb7421a584b0e67ac9d381bdb5932f78658ee3caf38d5ca7eba827893e21dcc2efd935b12b4c1ce9504082bf6927c1f0979
+  metadata.gz: a9c3d4d68c0f1e45f1c16edc923eced0070f4e1be5f9fa27465e0e8f398e1b49b0ee8e4dc5daade672f01530487846217b59b7e157f2e3c1f4c7a4fc4955072d
+  data.tar.gz: ee4d4ea602738536680bc27eec01502105dcb7e6bbccd7aa22cfc305eadf701b0980b2ee43bc37fe3a645434595091c408d99cb1e747675980fc5c5d83dc834f

data/CHANGELOG

@@ -1,3 +1,13 @@
+= 2.12.0 (2016-03-15)
+
+* Allow error handler access to the request's remaining_path (jeremyevans)
+
+* Add optimized_string_matchers plugin, containing optimized matchers for single string arguments (jeremyevans)
+
+* Optimize string matching code for strings without placeholders for up to a 60% performance increase (jeremyevans)
+
+* Optimize symbol matching code for up to a 60% performance increase (jeremyevans)
+
 = 2.11.0 (2016-02-16)
 
 * Support :scope option in render plugin, for specifying object in which to evaluate the template (jeremyevans)

data/README.rdoc

@@ -782,6 +782,38 @@ Example:
       'X-XSS-Protection'=>'1; mode=block'
   end
 
+=== Rendering Templates Derived From User Input
+
+Roda's rendering plugin assumes that template paths given to it are trusted.  If you provide a path
+to the +render+/+view+ methods that is derived from user input, you are opening yourself
+for people rendering arbitrary files on the system that that have a file name ending in the
+default template extension.  For example, if you do:
+
+  class App < Roda
+    plugin :render
+    route do |r|
+      view(r['page'])
+    end
+  end
+
+Then attackers can submit a <tt>page</tt> parameter such as <tt>'../../../../tmp/upload'</tt>
+to render the <tt>/tmp/upload.erb</tt> file.  If you have another part of your system that
+allows users to create files with arbitrary extensions (even temporary files), then it may
+be possible to combine these two issues into a remote code execution exploit.
+
+If you do want to allow users to choose which template to use, you should use a whitelist:
+
+  class App < Roda
+    plugin :render
+    ALLOWED_PAGES = %w'page1 page2 page3'
+    route do |r|
+      page = r['page']
+      if ALLOWED_PAGES.include?(page)
+        view(page)
+      end
+    end
+  end
+
 == Reloading
 
 Most rack-based reloaders will work with Roda, including:

data/Rakefile

@@ -58,7 +58,7 @@ end
 desc "Make local version of website, with rdoc"
 task :website => [:website_base, :website_rdoc]
 
-desc "Make local version of website"
+desc "Serve local version of website via rackup"
 task :serve => :website do
   sh %{#{FileUtils::RUBY} -C www -S rackup}
 end

data/doc/release_notes/2.12.0.txt

@@ -0,0 +1,40 @@
+= New Features
+
+* An optimized_string_matchers plugin has been added, which contains
+  optimized matchers for single strings.  r.on_branch is an optimized
+  version of r.on and r.is_exactly is optimized version of r.is:
+
+    plugin :optimized_string_matchers
+
+    route do |r|
+      r.on_branch "x" do
+        # matches /x and paths starting with /x/
+        r.is_exactly "y" do
+          # matches /x/y
+        end
+      end
+    end
+ 
+  Both of these methods will work even if the strings have placeholders,
+  but no captures will be yielded to the blocks.
+
+* The error_handler plugin now has access to the request's
+  remaining_path when handling an error.  You can then compare the
+  remaining_path to path_info to see how much of request was already
+  routed, which can be useful when reporting errors.
+
+= Other Improvements
+
+* String matching for strings without placeholders is now 60% faster
+  as it uses optimized string operations instead of a regexp match.
+
+* Symbol matching is now 60% faster as it uses optimized string
+  operations instead of a regexp match. 
+
+= Backwards Compatibility
+
+* The match methods no longer automatically reset the remaining_path
+  via ensure.  This means that using non-local jumps out of the code
+  such as begin/rescue and throw/catch will not reset remaining_path
+  automatically.  Users that want to reset remaining path in
+  such cases should use their own ensure blocks.

data/lib/roda.rb

@@ -326,6 +326,7 @@ class Roda
         REQUEST_METHOD = "REQUEST_METHOD".freeze
         EMPTY_STRING = "".freeze
         SLASH = "/".freeze
+        COLON = ":".freeze
         SEGMENT = "([^\\/]+)".freeze
         TERM_INSPECT = "TERM".freeze
         GET_REQUEST_METHOD = 'GET'.freeze
@@ -676,12 +677,43 @@ class Roda
         # string so that regexp metacharacters are not matched, and recognizes
         # colon tokens for placeholders.
         def _match_string(str)
-          consume(self.class.cached_matcher(str){Regexp.escape(str).gsub(/:(\w+)/){|m| _match_symbol_regexp($1)}})
+          if str.index(COLON)
+            consume(self.class.cached_matcher(str){Regexp.escape(str).gsub(/:(\w+)/){|m| _match_symbol_regexp($1)}})
+          else
+            rp = @remaining_path
+            if rp.start_with?("/#{str}")
+              last = str.length + 1
+              case rp[last]
+              when SLASH
+                @remaining_path = rp[last, rp.length]
+              when nil
+                @remaining_path = EMPTY_STRING
+              when Integer
+                # :nocov:
+                # Ruby 1.8 support
+                if rp[last].chr == SLASH
+                  @remaining_path = rp[last, rp.length]
+                end
+                # :nocov:
+              end
+            end
+          end
         end
 
         # Match the given symbol if any segment matches.
         def _match_symbol(sym)
-          consume(self.class.cached_matcher(sym){_match_symbol_regexp(sym)})
+          rp = @remaining_path
+          if rp[0, 1] == SLASH
+            if last = rp.index('/', 1)
+              if last > 1
+                @captures << rp[1, last-1]
+                @remaining_path = rp[last, rp.length]
+              end
+            elsif rp.length > 1
+              @captures << rp[1,rp.length]
+              @remaining_path = EMPTY_STRING
+            end
+          end
         end
 
         # The regular expression to use for matching symbols.  By default, any non-empty
@@ -760,11 +792,13 @@ class Roda
           # nesting matchers won't mess with each other's captures.
           @captures.clear
 
-          return unless match_all(args)
-          block_result(yield(*captures))
-          throw :halt, response.finish
-        ensure
-          @remaining_path = path
+          if match_all(args)
+            block_result(yield(*captures))
+            throw :halt, response.finish
+          else
+            @remaining_path = path
+            false
+          end
         end
         
         # Attempt to match the argument to the given request, handling
@@ -773,12 +807,12 @@ class Roda
           case matcher
           when String
             _match_string(matcher)
-          when Regexp
-            _match_regexp(matcher)
           when Symbol
             _match_symbol(matcher)
           when TERM
             empty_path?
+          when Regexp
+            _match_regexp(matcher)
           when Hash
             _match_hash(matcher)
           when Array

data/lib/roda/plugins/assets.rb

@@ -9,13 +9,16 @@ class Roda
     #
     # This uses the render plugin for rendering the assets, and the render
     # plugin uses tilt internally, so you can use any template engine
-    # supported by tilt for you assets.  Tilt ships with support for
+    # supported by tilt for your assets.  Tilt ships with support for
     # the following asset template engines, assuming the necessary libaries
     # are installed:
     #
     # css :: Less, Sass, Scss
     # js :: CoffeeScript
     #
+    # You can also use opal as a javascript template engine, assuming it is
+    # installed.
+    #
     # == Usage
     #
     # When loading the plugin, use the :css and :js options
@@ -28,12 +31,13 @@ class Roda
     #   assets/css/some_file.scss
     #   assets/js/some_file.coffee
     #
-    # If you want to change the paths where asset files are stored, see the
+    # The values for the :css and :js options can be arrays to load multiple
+    # files. If you want to change the paths where asset files are stored, see the
     # Options section below.
     #
     # === Serving
     #
-    # In your routes, call the r.assets method to add a route to your assets,
+    # In your routes, call the +r.assets+ method to add a route to your assets,
     # which will make your app serve the rendered assets:
     #
     #   route do |r|
@@ -126,9 +130,12 @@ class Roda
     # === Asset Compression
     #
     # If you have the yuicompressor gem installed and working, it will be used
-    # automatically to compress your javascript and css assets.  Otherwise,
-    # the assets will just be concatenated together and not compressed during
-    # compilation.
+    # automatically to compress your javascript and css assets.  For javascript
+    # assets, if yuicompressor is not available, the plugin will check for
+    # closure_compiler, uglifier, and minjs and use the first one that works.
+    # If no compressors are available, the assets will just be concatenated
+    # together and not compressed during compilation.  You can use the
+    # :css_compressor and :js_compressor options to specify the compressor to use.
     #
     # === With Asset Groups
     #
@@ -143,7 +150,7 @@ class Roda
     #
     # === Serving
     #
-    # If you call +r.assets+ when compiling assets, will serve the compiled asset
+    # When compiling assets, +r.assets+ will serve the compiled asset
     # files.  However, it is recommended to have the main webserver (e.g. nginx)
     # serve the compiled files, instead of relying on the application.
     #
@@ -165,7 +172,7 @@ class Roda
     # when loading the plugin.  The value of this option should be the filename
     # where the compiled asset metadata is stored.  
     #
-    # If the compiled assset metadata file does not exist when the assets plugin
+    # If the compiled asset metadata file does not exist when the assets plugin
     # is loaded, the plugin will run in non-compiled mode.  However, when you call
     # compile_assets, it will write the compiled asset metadata file after
     # compiling the assets.

data/lib/roda/plugins/class_level_routing.rb

@@ -79,6 +79,8 @@ class Roda
         # If the normal routing tree doesn't handle an action, try each class level route
         # to see if it matches.
         def call
+          req = @_request
+          rp = req.remaining_path
           result = super
 
           if result[0] == 404 && (v = result[2]).is_a?(Array) && v.empty?
@@ -87,6 +89,7 @@ class Roda
             @_response = self.class::RodaResponse.new
             super do |r|
               opts[:class_level_routes].each do |meth, args, blk|
+                req.instance_variable_set(:@remaining_path, rp)
                 r.send(meth, *args) do |*a|
                   instance_exec(*a, &blk)
                 end

data/lib/roda/plugins/match_affix.rb

@@ -44,6 +44,15 @@ class Roda
           /\A#{roda_class.opts[:match_prefix] || PREFIX}(?:#{pattern})#{roda_class.opts[:match_suffix] || SUFFIX}/
         end
       end
+
+      module RequestMethods
+        private
+
+        # Use regexps for all string matches, so that the prefix and suffix matches work.
+        def _match_string(str)
+          consume(self.class.cached_matcher(str){Regexp.escape(str).gsub(/:(\w+)/){|m| _match_symbol_regexp($1)}})
+        end
+      end
     end
 
     register_plugin(:match_affix, MatchAffix)

data/lib/roda/plugins/optimized_string_matchers.rb

@@ -0,0 +1,51 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The optimized_string_matchers plugin adds two optimized matcher methods,
+    # +r.on_branch+ and +r.is_exactly+.  +r.on_branch+ is an optimized version of
+    # +r.on+ that only accepts a single string, and +r.is_exactly+ is an
+    # optimized version of +r.is+ that only accepts a single string.
+    #
+    #   plugin :optimized_string_matchers
+    #
+    #   route do |r|
+    #     r.on_branch "x" do
+    #       # matches /x and paths starting with /x/
+    #       r.is_exactly "y" do
+    #         # matches /x/y
+    #       end
+    #     end
+    #   end
+    #
+    # Note that both of these methods only work with plain strings, not
+    # with strings with embedded colons for capturing.  Matching will work
+    # correctly in such cases, but the captures will not be yielded to the
+    # match blocks.
+    module OptimizedStringMatchers
+      EMPTY_STRING = ''.freeze
+
+      module RequestMethods
+        # Optimized version of +on+ that only supports a single string.
+        def on_branch(s)
+          always{yield} if _match_string(s)
+        end
+
+        # Optimized version of +is+ that only supports a single string.
+        def is_exactly(s)
+          rp = @remaining_path
+          if _match_string(s)
+            if @remaining_path == EMPTY_STRING
+              always{yield}
+            else
+              @remaining_path = rp
+            end
+          end
+        end
+      end
+    end
+
+    register_plugin(:optimized_string_matchers, OptimizedStringMatchers)
+  end
+end

data/lib/roda/plugins/pass.rb

@@ -10,7 +10,7 @@ class Roda
     #
     #   route do |r|
     #     r.on "foo/:bar" do |bar|
-    #       pass if bar == 'baz'
+    #       r.pass if bar == 'baz'
     #       "/foo/#{bar} (not baz)"
     #     end
     #
@@ -34,7 +34,10 @@ class Roda
 
         # Handle passing inside the match block.
         def if_match(_)
-          catch(:pass){super}
+          rp = @remaining_path
+          ret = catch(:pass){super}
+          @remaining_path = rp
+          ret
         end
       end
     end

data/lib/roda/plugins/symbol_matchers.rb

@@ -44,6 +44,9 @@ class Roda
     #   r.is "album:opt" do |id| end
     #   # matches /album (yielding nil) and /album/foo (yielding "foo")
     #   # does not match /album/ or /album/foo/bar
+    #
+    # If using this plugin with the params_capturing plugin, this plugin should
+    # be loaded first.
     module SymbolMatchers
       def self.configure(app)
         app.symbol_matcher(:d, /(\d+)/)
@@ -64,8 +67,21 @@ class Roda
       module RequestMethods
         private
 
-        # Allow for symbol specific regexps, by using match_symbol_#{s} if
-        # defined.  If not defined, calls super for the default behavior.
+        # Use regular expressions to the symbol-specific regular expression
+        # if the symbol is registered.  Otherwise, call super for the default
+        # behavior.
+        def _match_symbol(s)
+          meth = :"match_symbol_#{s}"
+          if respond_to?(meth)
+            re = send(meth)
+            consume(self.class.cached_matcher(re){re})
+          else
+            super
+          end
+        end
+
+        # Return the symbol-specific regular expression if one is registered.
+        # Otherwise, call super for the default behavior.
         def _match_symbol_regexp(s)
           meth = :"match_symbol_#{s}"
           if respond_to?(meth)

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 2
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 11
+  RodaMinorVersion = 12
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/error_handler_spec.rb

@@ -118,4 +118,25 @@ describe "error_handler plugin" do
 
     proc{req}.must_raise(ArgumentError)
   end
+
+  it "has access to current remaining_path" do
+    app(:bare) do
+      plugin :error_handler do |e|
+        request.remaining_path
+      end
+
+      route do |r|
+        r.on('a') do
+          raise ArgumentError, "bad idea"
+        end
+
+        raise ArgumentError, "bad idea"
+      end
+    end
+
+    body.must_equal '/'
+    body('/b').must_equal '/b'
+    body('/a').must_equal ''
+    body('/a/c').must_equal '/c'
+  end
 end

data/spec/plugin/optimized_string_matchers_spec.rb

@@ -0,0 +1,40 @@
+require File.expand_path("spec_helper", File.dirname(File.dirname(__FILE__)))
+
+describe "optimized_string_matchers plugin" do 
+  it "should support on_branch and is_exactly match methods" do
+    app(:optimized_string_matchers) do |r|
+      r.on_branch "e" do
+        r.is_exactly "f" do
+          "ef"
+        end
+
+        "ee"
+      end
+
+      r.on_branch "a/:b" do |*b|
+        r.is_exactly ":c" do |*c|
+          "c-#{c.length}"
+        end
+
+        "a-#{b.length}"
+      end
+
+      "cc"
+    end
+
+    body.must_equal 'cc'
+    body('/a').must_equal 'cc'
+    body('/a/').must_equal 'cc'
+    body('/a/b/').must_equal 'a-0'
+    body('/a/b/').must_equal 'a-0'
+    body('/a/b/c').must_equal 'c-0'
+    body('/a/b/c/').must_equal 'a-0'
+    body('/a/b/c/d').must_equal 'a-0'
+    body('/e').must_equal 'ee'
+    body('/eb').must_equal 'cc'
+    body('/e/').must_equal 'ee'
+    body('/e/f').must_equal 'ef'
+    body('/e/f/').must_equal 'ee'
+    body('/e/fe').must_equal 'ee'
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 2.11.0
+  version: 2.12.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-02-16 00:00:00.000000000 Z
+date: 2016-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -177,6 +177,7 @@ extra_rdoc_files:
 - doc/release_notes/2.9.0.txt
 - doc/release_notes/2.10.0.txt
 - doc/release_notes/2.11.0.txt
+- doc/release_notes/2.12.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -191,6 +192,7 @@ files:
 - doc/release_notes/2.1.0.txt
 - doc/release_notes/2.10.0.txt
 - doc/release_notes/2.11.0.txt
+- doc/release_notes/2.12.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -242,6 +244,7 @@ files:
 - lib/roda/plugins/named_templates.rb
 - lib/roda/plugins/not_allowed.rb
 - lib/roda/plugins/not_found.rb
+- lib/roda/plugins/optimized_string_matchers.rb
 - lib/roda/plugins/padrino_render.rb
 - lib/roda/plugins/param_matchers.rb
 - lib/roda/plugins/params_capturing.rb
@@ -320,6 +323,7 @@ files:
 - spec/plugin/named_templates_spec.rb
 - spec/plugin/not_allowed_spec.rb
 - spec/plugin/not_found_spec.rb
+- spec/plugin/optimized_string_matchers_spec.rb
 - spec/plugin/padrino_render_spec.rb
 - spec/plugin/param_matchers_spec.rb
 - spec/plugin/params_capturing_spec.rb