roda 3.74.0 → 3.75.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae3f95331c6c3d69453feb96a7dbd3629a6d5f52bd9d1862edecab893d95a36f
-  data.tar.gz: c5457f54b2ca5a9971f93a23db10abe3b6fd16a743e2651749ec14c480c248a3
+  metadata.gz: 4ebdbc5b5707ba21044b5f4c83445ff8fca6a3925488c72a5176cc662c2ad15b
+  data.tar.gz: ac528e50bfe1e778b5b4d32d16d12e117e87dc55b2f7cad1170b682e2f979586
 SHA512:
-  metadata.gz: f314713b33ec4400e5ef8849c6a3e30f1b5956b428dea55a5bf45855fef4a965f9b417063182cc4412effa592a7d311715cf4541826781675ca26bd20f202ca3
-  data.tar.gz: 735cb4cf3e5480be4462d88ccb0090001e7eca27bfe7338a923f5f190730095037ff0c77e1cbe3c875b137175bc7022b8d0611ccbf8b82426cbbaec5b7802149
+  metadata.gz: b7d13975d6c7705f1d7b184f27430320e1dfd5fea96e532f119f86b4c09fdb5c7e460107033d8d099c6ef8da354a514289981163d74cdb293b89074299a57eda
+  data.tar.gz: d16c1b3a2edd401a73b104bf9458fcb865e441f4de649dcfcb8144eb3102abcd6abee741ecbbbf1cad3b13d8efca7260d7785b7e5a2505f29541ad001de9b1e4

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 3.75.0 (2023-12-14)
+
+* Add cookie_flags plugin, for overriding, warning, or raising for incorrect cookie flags (jeremyevans)
+
 = 3.74.0 (2023-11-13)
 
 * Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)

data/doc/release_notes/3.75.0.txt

@@ -0,0 +1,19 @@
+= New Features
+
+* A cookie_flags plugin has been added, for overriding, warning, or
+  raising for incorrect cookie flags. The plugin by default checks
+  whether the secure, httponly, and samesite=strict flags are set.
+  The default behavior is to add the appropriate flags if they are
+  not set, and change the samesite flag to strict if it is set to
+  something else.  You can configure the flag checking behavior
+  via the :httponly, :same_site, and :secure options.
+
+  You can configure the action the plugin takes via the :action option.
+  The default action is to modify the flags, but the :action option can
+  be set to :raise, :warn, or :warn_and_modify to override the behavior.
+
+  The recommended way to use the plugin is to use it during testing,
+  and specify action: :raise, so you can catch places where cookies
+  are set with the wrong flags.  Then you can fix those places to
+  use the correct flags, which is better than relying on the plugin
+  at runtime in production to fix incorrect flags.

data/lib/roda/plugins/cookie_flags.rb

@@ -0,0 +1,157 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The cookie_flags plugin allows users to force specific cookie flags for
+    # all cookies set by the application.  It can also be used to warn or
+    # raise for unexpected cookie flags.
+    #
+    # The cookie_flags plugin deals with the following cookie flags:
+    #
+    # httponly :: Disallows access to the cookie from client-side scripts.
+    # samesite :: Restricts to which domains the cookie is sent.
+    # secure :: Instructs the browser to only transmit the cookie over HTTPS.
+    #
+    # This plugin ships in secure-by-default mode, where it enforces
+    # secure, httponly, samesite=strict cookies. You can disable enforcing
+    # specific flags using the following options:
+    #
+    # :httponly :: Set to false to not enforce httponly flag.
+    # :same_site :: Set to symbol or string to enforce a different samesite
+    #               setting, or false to not enforce a specific samesite setting.
+    # :secure :: Set to false to not enforce secure flag.
+    #
+    # For example, to enforce secure cookies and enforce samesite=lax, but not enforce
+    # an httponly flag:
+    #
+    #   plugin :cookie_flags, httponly: false, same_site: 'lax'
+    #
+    # In general, overriding cookie flags using this plugin should be considered a
+    # stop-gap solution.  Instead of overriding cookie flags, it's better to fix
+    # whatever is setting the cookie flags incorrectly.  You can use the :action
+    # option to modify the behavior:
+    #
+    #   # Issue warnings when modifying cookie flags
+    #   plugin :cookie_flags, action: :warn_and_modify
+    #
+    #   # Issue warnings for incorrect cookie flags without modifying cookie flags
+    #   plugin :cookie_flags, action: :warn
+    #
+    #   # Raise errors for incorrect cookie flags
+    #   plugin :cookie_flags, action: :raise
+    #
+    # The recommended way to use the plugin is to use it only during testing with
+    # <tt>action: :raise</tt>.  Then as long as you have fully covering tests, you
+    # can be sure the cookies set by your application use the correct flags.
+    #
+    # Note that this plugin only affects cookies set by the application, and does not
+    # affect cookies set by middleware the application is using.
+    module CookieFlags
+      # :nocov:
+      MATCH_METH = RUBY_VERSION >= '2.4' ? :match? : :match
+      # :nocov:
+      private_constant :MATCH_METH
+
+      DEFAULTS = {:secure=>true, :httponly=>true, :same_site=>'strict', :action=>:modify}.freeze
+      private_constant :DEFAULTS
+
+      # Error class raised for action: :raise when incorrect cookie flags are used.
+      class Error < RodaError
+      end
+
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:cookie_flags] || DEFAULTS
+        opts = app.opts[:cookie_flags] = previous.merge(opts)
+
+        case opts[:same_site]
+        when String, Symbol
+          opts[:same_site] = opts[:same_site].to_s.downcase.freeze
+          opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze
+          opts[:secure] = true if opts[:same_site] == 'none'
+        end
+
+        opts.freeze
+      end
+
+      module InstanceMethods
+        private
+
+        def _handle_cookie_flags_array(cookies)
+          opts = self.class.opts[:cookie_flags]
+          needs_secure = opts[:secure]
+          needs_httponly = opts[:httponly]
+          if needs_same_site = opts[:same_site]
+            same_site_string = opts[:same_site_string]
+            same_site_regexp = /;\s*samesite\s*=\s*(\S+)\s*(?:\z|;)/i
+          end
+          action = opts[:action]
+
+          cookies.map do |cookie|
+            if needs_secure
+              add_secure = !/;\s*secure\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_httponly
+              add_httponly = !/;\s*httponly\s*(?:\z|;)/i.send(MATCH_METH, cookie)
+            end
+
+            if needs_same_site
+              has_same_site = same_site_regexp.match(cookie)
+              unless add_same_site = !has_same_site
+                update_same_site = needs_same_site != has_same_site[1].downcase
+              end
+            end
+
+            next cookie unless add_secure || add_httponly || add_same_site || update_same_site
+
+            case action
+            when :raise, :warn, :warn_and_modify
+              message = "Response contains cookie with unexpected flags: #{cookie.inspect}." \
+                   "Expecting the following cookie flags: "\
+                   "#{'secure ' if add_secure}#{'httponly ' if add_httponly}#{same_site_string[2..-1] if add_same_site || update_same_site}"
+
+              if action == :raise
+                raise Error, message
+              else
+                warn(message)
+                next cookie if action == :warn
+              end
+            end
+
+            if update_same_site
+              cookie = cookie.gsub(same_site_regexp, same_site_string)
+            else
+              cookie = cookie.dup
+              cookie << same_site_string if add_same_site
+            end
+
+            cookie << '; secure' if add_secure
+            cookie << '; httponly' if add_httponly
+
+            cookie
+          end
+        end
+
+        if Rack.release >= '3'
+          def _handle_cookie_flags(cookies)
+            cookies = [cookies] if cookies.is_a?(String)
+            _handle_cookie_flags_array(cookies)
+          end
+        else
+          def _handle_cookie_flags(cookie_string)
+            _handle_cookie_flags_array(cookie_string.split("\n")).join("\n")
+          end
+        end
+
+        # Handle cookie flags in response
+        def _roda_after_85__cookie_flags(res)
+          return unless res && (headers = res[1]) && (value = headers[RodaResponseHeaders::SET_COOKIE])
+          headers[RodaResponseHeaders::SET_COOKIE] = _handle_cookie_flags(value)
+        end
+      end
+    end
+
+    register_plugin(:cookie_flags, CookieFlags)
+  end
+end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 74
+  RodaMinorVersion = 75
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.74.0
+  version: 3.75.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-13 00:00:00.000000000 Z
+date: 2023-12-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -248,6 +248,7 @@ extra_rdoc_files:
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -329,6 +330,7 @@ files:
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
+- doc/release_notes/3.75.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -357,6 +359,7 @@ files:
 - lib/roda/plugins/common_logger.rb
 - lib/roda/plugins/content_for.rb
 - lib/roda/plugins/content_security_policy.rb
+- lib/roda/plugins/cookie_flags.rb
 - lib/roda/plugins/cookies.rb
 - lib/roda/plugins/csrf.rb
 - lib/roda/plugins/custom_block_results.rb