roda 2.12.0 → 2.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cfcafebba5d38f3d4346b485721c5625aa0df988
-  data.tar.gz: c3e1918167a29a21c0a0936cf5296778dba0f052
+  metadata.gz: 2f3983563024d2c3f03d3a9edcf291f9a6f128ee
+  data.tar.gz: 4ac86dfd93b62b8e4f79f19788cf9dbd110df8f2
 SHA512:
-  metadata.gz: a9c3d4d68c0f1e45f1c16edc923eced0070f4e1be5f9fa27465e0e8f398e1b49b0ee8e4dc5daade672f01530487846217b59b7e157f2e3c1f4c7a4fc4955072d
-  data.tar.gz: ee4d4ea602738536680bc27eec01502105dcb7e6bbccd7aa22cfc305eadf701b0980b2ee43bc37fe3a645434595091c408d99cb1e747675980fc5c5d83dc834f
+  metadata.gz: 807d5d4fcc03d18823d045b18cb8cf6ce532ea8501254c2f0ce7f245742e4ea6495e399c0e33ae1f7939726b0cb511bc7cc0d9620ec5d19099df86523d9c9847
+  data.tar.gz: cc40d28a3152b29755e7949304a4b3bd3a83147ce3975fe0fba829c332641651134727157726425da90feec610f8acfa6b1efd6ba5e8362c14ba97fb2dfe93a9

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 2.13.0 (2016-04-14)
+
+* Add :check_paths and :allowed_paths to render plugin options to avoid security issues with template rendering (jeremyevans)
+
 = 2.12.0 (2016-03-15)
 
 * Allow error handler access to the request's remaining_path (jeremyevans)

data/README.rdoc

@@ -1,6 +1,7 @@
 = Roda
 
-Roda is a routing tree web framework toolkit.
+Roda is a routing tree web toolkit, designed for building fast and
+maintainable web applications in ruby.
 
 = Installation
 
@@ -29,9 +30,8 @@ code.
 
 === Reliability
 
-Roda is one of the first ruby web frameworks where immutability
-is supported and encouraged.  Roda apps are designed to be frozen
-in production, which eliminates possible thread safety issues.
+Roda supports and encourages immutability.  Roda apps are designed
+to be frozen in production, which eliminates possible thread safety issues.
 Additionally, Roda limits the instance variables, constants, and
 methods that it uses, so that they do not conflict with the ones
 you use for your application.
@@ -45,8 +45,8 @@ to get the default behavior.
 === Performance
 
 Roda has low per-request overhead, and the use of a routing tree
-and intelligent caching of internal datastructures makes it one
-of the fastest ruby web frameworks.
+and intelligent caching of internal datastructures makes it 
+significantly faster than popular ruby web frameworks.
 
 == Usage
 
@@ -143,7 +143,7 @@ The +.app+ is an optimization, which saves a few method calls for every request.
 
 == The Routing Tree
 
-Roda is called a routing tree web framework because the way most sites are structured,
+Roda is called a routing tree web toolkit because the way most sites are structured,
 routing takes the form of a tree (based on the URL structure of the site).
 In general:
 
@@ -211,8 +211,7 @@ you can easily handle this in the routing tree:
   end
 
 Being able to operate on the request at any point during the routing
-is one of the major advantages of Roda, as compared to frameworks
-that do not use a routing tree.
+is one of the major advantages of Roda.
 
 == Matchers
 
@@ -784,10 +783,10 @@ Example:
 
 === Rendering Templates Derived From User Input
 
-Roda's rendering plugin assumes that template paths given to it are trusted.  If you provide a path
-to the +render+/+view+ methods that is derived from user input, you are opening yourself
-for people rendering arbitrary files on the system that that have a file name ending in the
-default template extension.  For example, if you do:
+Roda's rendering plugin assumes that template paths given to it are trusted by default.
+If you provide a path to the +render+/+view+ methods that is derived from user input, you
+are opening yourself for people rendering arbitrary files on the system that that have a
+file name ending in the default template extension.  For example, if you do:
 
   class App < Roda
     plugin :render
@@ -801,18 +800,14 @@ to render the <tt>/tmp/upload.erb</tt> file.  If you have another part of your s
 allows users to create files with arbitrary extensions (even temporary files), then it may
 be possible to combine these two issues into a remote code execution exploit.
 
-If you do want to allow users to choose which template to use, you should use a whitelist:
-
-  class App < Roda
-    plugin :render
-    ALLOWED_PAGES = %w'page1 page2 page3'
-    route do |r|
-      page = r['page']
-      if ALLOWED_PAGES.include?(page)
-        view(page)
-      end
-    end
-  end
+To mitigate against this issue, you can use the <tt>:check_paths => true</tt> render
+option, which will check that the full path of the template to be rendered begins with the
++:views+ directory, and raises an exception if not.  You can also use the +:allowed_paths+
+render option to specify which paths are allowed.  While
+<tt>:check_paths => true</tt> is not currently the default, it will become the default in
+Roda 3.  Note that when specifying the +:path+ option when rendering a template, Roda will
+not check paths, as it assumes that users and libraries that use this option will be checking
+such paths manually.
 
 == Reloading
 
@@ -828,9 +823,6 @@ Most rack-based reloaders will work with Roda, including:
 
 By design, Roda has a very small core, providing only the essentials.
 All nonessential features are added via plugins.
-This is why Roda is referred to as a routing tree web framework toolkit.
-Using a combination of Roda plugins,
-you can build the routing tree web framework that suits your needs.
 
 Roda's plugins can override any Roda method and call +super+
 to get the default behavior, which makes Roda very extensible.
@@ -921,8 +913,7 @@ you can then introspect.
 
 == Inspiration
 
-Roda was inspired by {Sinatra}[http://www.sinatrarb.com] and {Cuba}[http://cuba.is],
-two other Ruby web frameworks.
+Roda was inspired by {Sinatra}[http://www.sinatrarb.com] and {Cuba}[http://cuba.is].
 It started out as a fork of Cuba, from which it borrows the idea of using a routing tree
 (which Cuba in turn took from {Rum}[https://github.com/chneukirchen/rum]).
 From Sinatra, it takes the ideas that route blocks should return the request bodies

data/Rakefile

@@ -17,7 +17,7 @@ end
 
 ### RDoc
 
-RDOC_DEFAULT_OPTS = ["--line-numbers", "--inline-source", '--title', 'Roda: Routing tree web framework toolkit']
+RDOC_DEFAULT_OPTS = ["--line-numbers", "--inline-source", '--title', 'Roda: Routing tree web toolkit']
 
 begin
   gem 'hanna-nouveau'

data/doc/release_notes/2.13.0.txt

@@ -0,0 +1,10 @@
+= New Features
+
+* The render plugin now supports :check_paths and :allowed_paths
+  options.  Setting :check_paths to true will turn on path checking of
+  template files.  By default, template files are required to be in
+  the :views directory, otherwise an exception will be raised.  Using
+  the :check_paths option can prevent security issues when template
+  names are derived from user input.  The :allowed_paths option
+  overrides which path prefixes are allowed. In Roda 3, :check_paths
+  will default to true.

data/lib/roda/plugins/render.rb

@@ -28,10 +28,14 @@ class Roda
     #
     # The following plugin options are supported:
     #
+    # :allowed_paths :: Set the template paths to allow if +:check_paths+ is true.
+    #                   Defaults to the +:views+ directory.
     # :cache :: nil/false to not cache templates (useful for development), defaults
     #           to true unless RACK_ENV is development to automatically use the
     #           default template cache.
     # :cache_class :: A class to use as the template cache instead of the default.
+    # :check_paths :: Check template paths start with one of the entries in +:allowed_paths+,
+    #                 and raise a RodaError if the path doesn't.
     # :engine :: The tilt engine to use for rendering, also the default file extension for
     #            templates, defaults to 'erb'.
     # :escape :: Use Roda's Erubis escaping support, which makes <tt><%= %></tt> escape output,
@@ -137,6 +141,8 @@ class Roda
         opts = app.opts[:render]
         opts[:engine] = (opts[:engine] || opts[:ext] || "erb").dup.freeze
         opts[:views] = File.expand_path(opts[:views]||"views", app.opts[:root]).freeze
+        opts[:allowed_paths] ||= [opts[:views]].freeze
+        opts[:allowed_paths] = opts[:allowed_paths].map{|f| ::File.expand_path(f)}.uniq.freeze
 
         if opts.fetch(:cache, ENV['RACK_ENV'] != 'development')
           if cache_class = opts[:cache_class]
@@ -352,7 +358,14 @@ class Roda
 
         # The template path for the given options.
         def template_path(opts)
-          "#{opts[:views]}/#{template_name(opts)}.#{opts[:engine]}"
+          path = "#{opts[:views]}/#{template_name(opts)}.#{opts[:engine]}"
+          if opts.fetch(:check_paths){render_opts[:check_paths]}
+            full_path = ::File.expand_path(path)
+            unless render_opts[:allowed_paths].any?{|f| full_path.start_with?(f)}
+              raise RodaError, "attempt to render path not in allowed_paths: #{path} (allowed: #{render_opts[:allowed_paths].join(', ')})"
+            end
+          end
+          path
         end
 
         # If a layout should be used, return a hash of options for

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 2
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 12
+  RodaMinorVersion = 13
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/render_spec.rb

@@ -9,7 +9,7 @@ else
 describe "render plugin" do
   before do
     app(:bare) do
-      plugin :render, :views=>"./spec/views"
+      plugin :render, :views=>"./spec/views", :check_paths=>true
 
       route do |r|
         r.on "home" do
@@ -437,6 +437,62 @@ describe "render plugin" do
 
     Class.new(app).render_opts[:cache].must_equal false
   end
+
+  it "with :check_paths=>true" do
+    render_opts = {}
+    app(:bare) do
+      plugin :render, :views=>"./spec/views", :check_paths=>true
+      
+      route do |r|
+        r.get 'a' do
+          render("a", render_opts)
+        end
+
+        r.get 'c' do
+          render("about/_test", :locals=>{:title=>'a'})
+        end
+
+        render("b", render_opts)
+      end
+    end
+
+    body.strip.must_equal "b"
+    req("/a")
+    req("/c")
+
+    app.plugin :render, :allowed_paths=>[]
+    proc{req}.must_raise Roda::RodaError
+    proc{req("/a")}.must_raise Roda::RodaError
+    proc{req("/c")}.must_raise Roda::RodaError
+
+    app.plugin :render, :allowed_paths=>['spec/views/about']
+    proc{req}.must_raise Roda::RodaError
+    proc{req("/a")}.must_raise Roda::RodaError
+    req("/c")
+
+    app.plugin :render, :allowed_paths=>%w'spec/views/about spec/views/b'
+    body.strip.must_equal "b"
+    proc{req("/a")}.must_raise Roda::RodaError
+    req("/c")
+
+    render_opts[:check_paths] = true
+    app.plugin :render, :check_paths=>false
+    body.strip.must_equal "b"
+    proc{req("/a")}.must_raise Roda::RodaError
+    req("/c")
+
+    render_opts.delete(:check_paths)
+    app.plugin :render
+    body.strip.must_equal "b"
+    req("/a")
+    req("/c")
+
+    render_opts[:check_paths] = true
+    body.strip.must_equal "b"
+    proc{req("/a")}.must_raise Roda::RodaError
+    req("/c")
+  end
+
   it "with a cache_class set" do
     app(:bare) do
       test_cache = Class.new(Roda::RodaCache) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 2.12.0
+  version: 2.13.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-15 00:00:00.000000000 Z
+date: 2016-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -178,6 +178,7 @@ extra_rdoc_files:
 - doc/release_notes/2.10.0.txt
 - doc/release_notes/2.11.0.txt
 - doc/release_notes/2.12.0.txt
+- doc/release_notes/2.13.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -193,6 +194,7 @@ files:
 - doc/release_notes/2.10.0.txt
 - doc/release_notes/2.11.0.txt
 - doc/release_notes/2.12.0.txt
+- doc/release_notes/2.13.0.txt
 - doc/release_notes/2.2.0.txt
 - doc/release_notes/2.3.0.txt
 - doc/release_notes/2.4.0.txt
@@ -394,5 +396,5 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: Routing tree web framework toolkit
+summary: Routing tree web toolkit
 test_files: []