roda 3.76.0 → 3.77.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +4 -0
- data/doc/release_notes/3.77.0.txt +8 -0
- data/lib/roda/plugins/route_csrf.rb +21 -2
- data/lib/roda/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8afa46b8055c19e63e1efeebf444b422cd810701c759936d476797515630245d
|
|
4
|
+
data.tar.gz: 4e857447435707de1d586857126795e2a1191f685ca8893e99cd1c78aeb50c02
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2ecfeb211d574d46bdc31995c3551afb97af50acf8567cce83b46808e87ff797a5ef7c769e42c0477ed6a6d9271040b818da72e77c91e4f91f9760201d2cd5ca
|
|
7
|
+
data.tar.gz: 45e67fbd1da64839c6dc5a8dc0975a0dca5f67a77c83ae79a62ab22e7d9cf0002cb8b8f6a22661bdaf97ad973b6bc6ff928af2e416a96c35b12150e9fe0eaf4d
|
data/CHANGELOG
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
= 3.77.0 (2024-02-12)
|
|
2
|
+
|
|
3
|
+
* Support formaction/formmethod attributes in forms in route_csrf plugin (jeremyevans)
|
|
4
|
+
|
|
1
5
|
= 3.76.0 (2024-01-12)
|
|
2
6
|
|
|
3
7
|
* Support :filter plugin option in error_mail and error_email for filtering parameters, environment variables, and session values (jeremyevans) (#346)
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
= New Features
|
|
2
|
+
|
|
3
|
+
* The route_csrf plugin now supports formaction/formmethod attributes
|
|
4
|
+
in forms. A csrf_formaction_tag method has been added for creating
|
|
5
|
+
a hidden input for a particular path and method. When a form is
|
|
6
|
+
submitted, the check_csrf! method will fix check for a path-specific
|
|
7
|
+
csrf token (set by the hidden tag added by the csrf_formaction_tag
|
|
8
|
+
method), before checking for the default csrf token.
|
|
@@ -42,6 +42,9 @@ class Roda
|
|
|
42
42
|
# This plugin supports the following options:
|
|
43
43
|
#
|
|
44
44
|
# :field :: Form input parameter name for CSRF token (default: '_csrf')
|
|
45
|
+
# :formaction_field :: Form input parameter name for path-specific CSRF tokens (used by the
|
|
46
|
+
# +csrf_formaction_tag+ method). If present, this parameter should be
|
|
47
|
+
# submitted as a hash, keyed by path, with CSRF token values.
|
|
45
48
|
# :header :: HTTP header name for CSRF token (default: 'X-CSRF-Token')
|
|
46
49
|
# :key :: Session key for CSRF secret (default: '_roda_csrf_secret')
|
|
47
50
|
# :require_request_specific_tokens :: Whether request-specific tokens are required (default: true).
|
|
@@ -86,6 +89,10 @@ class Roda
|
|
|
86
89
|
# override any of the plugin options for this specific call.
|
|
87
90
|
# The :token option can be used to specify the provided CSRF token
|
|
88
91
|
# (instead of looking for the token in the submitted parameters).
|
|
92
|
+
# csrf_formaction_tag(path, method='POST') :: An HTML hidden input tag string containing the CSRF token, suitable
|
|
93
|
+
# for placing in an HTML form that has inputs that use formaction
|
|
94
|
+
# attributes to change the endpoint to which the form is submitted.
|
|
95
|
+
# Takes the same arguments as csrf_token.
|
|
89
96
|
# csrf_field :: The field name to use for the hidden tag containing the CSRF token.
|
|
90
97
|
# csrf_path(action) :: This takes an argument that would be the value of the HTML form's
|
|
91
98
|
# action attribute, and returns a path you can pass to csrf_token
|
|
@@ -152,6 +159,7 @@ class Roda
|
|
|
152
159
|
# Default CSRF option values
|
|
153
160
|
DEFAULTS = {
|
|
154
161
|
:field => '_csrf'.freeze,
|
|
162
|
+
:formaction_field => '_csrfs'.freeze,
|
|
155
163
|
:header => 'X-CSRF-Token'.freeze,
|
|
156
164
|
:key => '_roda_csrf_secret'.freeze,
|
|
157
165
|
:require_request_specific_tokens => true,
|
|
@@ -252,6 +260,14 @@ class Roda
|
|
|
252
260
|
end
|
|
253
261
|
end
|
|
254
262
|
|
|
263
|
+
# An HTML hidden input tag string containing the CSRF token, used for inputs
|
|
264
|
+
# with formaction, so the same form can be used to submit to multiple endpoints
|
|
265
|
+
# depending on which button was clicked. See csrf_token for arguments, but the
|
|
266
|
+
# path argument is required.
|
|
267
|
+
def csrf_formaction_tag(path, *args)
|
|
268
|
+
"<input type=\"hidden\" name=\"#{csrf_options[:formaction_field]}[#{Rack::Utils.escape_html(path)}]\" value=\"#{csrf_token(path, *args)}\" \/>"
|
|
269
|
+
end
|
|
270
|
+
|
|
255
271
|
# An HTML hidden input tag string containing the CSRF token. See csrf_token for
|
|
256
272
|
# arguments.
|
|
257
273
|
def csrf_tag(*args)
|
|
@@ -291,6 +307,8 @@ class Roda
|
|
|
291
307
|
return
|
|
292
308
|
end
|
|
293
309
|
|
|
310
|
+
path = @_request.path
|
|
311
|
+
|
|
294
312
|
unless encoded_token = opts[:token]
|
|
295
313
|
encoded_token = case opts[:check_header]
|
|
296
314
|
when :only
|
|
@@ -298,7 +316,8 @@ class Roda
|
|
|
298
316
|
when true
|
|
299
317
|
return (csrf_invalid_message(opts.merge(:check_header=>false)) && csrf_invalid_message(opts.merge(:check_header=>:only)))
|
|
300
318
|
else
|
|
301
|
-
@_request.params
|
|
319
|
+
params = @_request.params
|
|
320
|
+
((formactions = params[opts[:formaction_field]]).is_a?(Hash) && (formactions[path])) || params[opts[:field]]
|
|
302
321
|
end
|
|
303
322
|
end
|
|
304
323
|
|
|
@@ -326,7 +345,7 @@ class Roda
|
|
|
326
345
|
|
|
327
346
|
random_data = submitted_hmac.slice!(0...31)
|
|
328
347
|
|
|
329
|
-
if csrf_compare(csrf_hmac(random_data, method,
|
|
348
|
+
if csrf_compare(csrf_hmac(random_data, method, path), submitted_hmac)
|
|
330
349
|
return
|
|
331
350
|
end
|
|
332
351
|
|
data/lib/roda/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: roda
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.77.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jeremy Evans
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-02-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -250,6 +250,7 @@ extra_rdoc_files:
|
|
|
250
250
|
- doc/release_notes/3.74.0.txt
|
|
251
251
|
- doc/release_notes/3.75.0.txt
|
|
252
252
|
- doc/release_notes/3.76.0.txt
|
|
253
|
+
- doc/release_notes/3.77.0.txt
|
|
253
254
|
- doc/release_notes/3.8.0.txt
|
|
254
255
|
- doc/release_notes/3.9.0.txt
|
|
255
256
|
files:
|
|
@@ -333,6 +334,7 @@ files:
|
|
|
333
334
|
- doc/release_notes/3.74.0.txt
|
|
334
335
|
- doc/release_notes/3.75.0.txt
|
|
335
336
|
- doc/release_notes/3.76.0.txt
|
|
337
|
+
- doc/release_notes/3.77.0.txt
|
|
336
338
|
- doc/release_notes/3.8.0.txt
|
|
337
339
|
- doc/release_notes/3.9.0.txt
|
|
338
340
|
- lib/roda.rb
|