roda 3.76.0 → 3.77.0

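--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 1f4eee948a9994645560f635fd228d2f46f3f466da782a476d7046b2b0b9f026
- data.tar.gz: 4abb6bed043b264c59e17b1120771822a26292f24037a283c08003168c72e602
+ metadata.gz: 8afa46b8055c19e63e1efeebf444b422cd810701c759936d476797515630245d
+ data.tar.gz: 4e857447435707de1d586857126795e2a1191f685ca8893e99cd1c78aeb50c02
  SHA512:
- metadata.gz: 112d90a74ed25ae0bb608a2e89d2f6fa757912287feb3a68d312ef4b8fd317bdb8f04eb76f529090d14a92c322d869ededa831f8db5d20bce8a66cd973a71584
- data.tar.gz: 22ddb0a055b5849c6dcd3ec93426e495198434cf1e9cf9adbae1c22ece9b788c0ea7332122b9ad525954e2b946b0eef873de3b0466fe5b844407dec6c9844c84
+ metadata.gz: 2ecfeb211d574d46bdc31995c3551afb97af50acf8567cce83b46808e87ff797a5ef7c769e42c0477ed6a6d9271040b818da72e77c91e4f91f9760201d2cd5ca
+ data.tar.gz: 45e67fbd1da64839c6dc5a8dc0975a0dca5f67a77c83ae79a62ab22e7d9cf0002cb8b8f6a22661bdaf97ad973b6bc6ff928af2e416a96c35b12150e9fe0eaf4d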
data/CHANGELOG CHANGED
@@ -1,3 +1,7 @@
1
+ = 3.77.0 (2024-02-12)
2
+
3
+ * Support formaction/formmethod attributes in forms in route_csrf plugin (jeremyevans)
4
+
1
5
  = 3.76.0 (2024-01-12)
2
6
 
3
7
  * Support :filter plugin option in error_mail and error_email for filtering parameters, environment variables, and session values (jeremyevans) (#346)
@@ -0,0 +1,8 @@
1
+ = New Features
2
+
3
+ * The route_csrf plugin now supports formaction/formmethod attributes
4
+ in forms. A csrf_formaction_tag method has been added for creating
5
+ a hidden input for a particular path and method. When a form is
6
+ submitted, the check_csrf! method will fix check for a path-specific
7
+ csrf token (set by the hidden tag added by the csrf_formaction_tag
8
+ method), before checking for the default csrf token.
@@ -42,6 +42,9 @@ class Roda
42
42
  # This plugin supports the following options:
43
43
  #
44
44
  # :field :: Form input parameter name for CSRF token (default: '_csrf')
45
+ # :formaction_field :: Form input parameter name for path-specific CSRF tokens (used by the
46
+ # +csrf_formaction_tag+ method). If present, this parameter should be
47
+ # submitted as a hash, keyed by path, with CSRF token values.
45
48
  # :header :: HTTP header name for CSRF token (default: 'X-CSRF-Token')
46
49
  # :key :: Session key for CSRF secret (default: '_roda_csrf_secret')
47
50
  # :require_request_specific_tokens :: Whether request-specific tokens are required (default: true).
@@ -86,6 +89,10 @@ class Roda
86
89
  # override any of the plugin options for this specific call.
87
90
  # The :token option can be used to specify the provided CSRF token
88
91
  # (instead of looking for the token in the submitted parameters).
92
+ # csrf_formaction_tag(path, method='POST') :: An HTML hidden input tag string containing the CSRF token, suitable
93
+ # for placing in an HTML form that has inputs that use formaction
94
+ # attributes to change the endpoint to which the form is submitted.
95
+ # Takes the same arguments as csrf_token.
89
96
  # csrf_field :: The field name to use for the hidden tag containing the CSRF token.
90
97
  # csrf_path(action) :: This takes an argument that would be the value of the HTML form's
91
98
  # action attribute, and returns a path you can pass to csrf_token
@@ -152,6 +159,7 @@ class Roda
152
159
  # Default CSRF option values
153
160
  DEFAULTS = {
154
161
  :field => '_csrf'.freeze,
162
+ :formaction_field => '_csrfs'.freeze,
155
163
  :header => 'X-CSRF-Token'.freeze,
156
164
  :key => '_roda_csrf_secret'.freeze,
157
165
  :require_request_specific_tokens => true,
@@ -252,6 +260,14 @@ class Roda
252
260
  end
253
261
  end
254
262
 
263
+ # An HTML hidden input tag string containing the CSRF token, used for inputs
264
+ # with formaction, so the same form can be used to submit to multiple endpoints
265
+ # depending on which button was clicked. See csrf_token for arguments, but the
266
+ # path argument is required.
267
+ def csrf_formaction_tag(path, *args)
268
+ "<input type=\"hidden\" name=\"#{csrf_options[:formaction_field]}[#{Rack::Utils.escape_html(path)}]\" value=\"#{csrf_token(path, *args)}\" \/>"
269
+ end
270
+
255
271
  # An HTML hidden input tag string containing the CSRF token. See csrf_token for
256
272
  # arguments.
257
273
  def csrf_tag(*args)
@@ -291,6 +307,8 @@ class Roda
291
307
  return
292
308
  end
293
309
 
310
+ path = @_request.path
311
+
294
312
  unless encoded_token = opts[:token]
295
313
  encoded_token = case opts[:check_header]
296
314
  when :only
@@ -298,7 +316,8 @@ class Roda
298
316
  when true
299
317
  return (csrf_invalid_message(opts.merge(:check_header=>false)) && csrf_invalid_message(opts.merge(:check_header=>:only)))
300
318
  else
301
- @_request.params[opts[:field]]
319
+ params = @_request.params
320
+ ((formactions = params[opts[:formaction_field]]).is_a?(Hash) && (formactions[path])) || params[opts[:field]]
302
321
  end
303
322
  end
304
323
 
@@ -326,7 +345,7 @@ class Roda
326
345
 
327
346
  random_data = submitted_hmac.slice!(0...31)
328
347
 
329
- if csrf_compare(csrf_hmac(random_data, method, @_request.path), submitted_hmac)
348
+ if csrf_compare(csrf_hmac(random_data, method, path), submitted_hmac)
330
349
  return
331
350
  end
332
351
 
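Review bot: In the new `else` branch (`params = @_request.params` and the `formactions` line) the path-specific value is used whenever it is truthy, so if Rack parses the `formaction_field` parameter for this path into something other than a String (an Array or a nested Hash), that value shadows a valid token submitted in `opts[:field]` instead of falling through to it; whether such a value is then rejected depends on the type check applied to `encoded_token` further down, which is outside this hunk and not visible here. The enclosing method starts and ends outside the hunk. A form that only accepts a String for the path-specific token, and avoids the inline assignments, is `formactions = params[opts[:formaction_field]]` / `token = formactions[path] if formactions.is_a?(Hash)` / `token.is_a?(String) ? token : params[opts[:field]]`. For `csrf_formaction_tag`, the comment should also say that `path` must equal the path the application sees on submission, since both the lookup and the later `csrf_hmac(random_data, method, path)` comparison key on `@_request.path`, e.g. `# path must match @_request.path of the submitting request; use csrf_path to derive it from a form action.`, and it is worth noting there that `Rack::Utils.escape_html` protects the markup but a path containing `[` or `]` would presumably be split differently by Rack's nested-parameter parsing of the input name, so the server-side lookup would miss.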
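--- a/data/lib/roda/version.rb
+++ b/data/lib/roda/version.rb
@@ -4,7 +4,7 @@ class Roda
  RodaMajorVersion = 3
 
  # The minor version of Roda, updated for new feature releases of Roda.
- RodaMinorVersion = 76
+ RodaMinorVersion = 77
 
  # The patch version of Roda, updated only for bug fixes from the last
  # feature release.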
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: roda
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.76.0
4
+ version: 3.77.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Jeremy Evans
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2024-01-12 00:00:00.000000000 Z
11
+ date: 2024-02-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack
@@ -250,6 +250,7 @@ extra_rdoc_files:
250
250
  - doc/release_notes/3.74.0.txt
251
251
  - doc/release_notes/3.75.0.txt
252
252
  - doc/release_notes/3.76.0.txt
253
+ - doc/release_notes/3.77.0.txt
253
254
  - doc/release_notes/3.8.0.txt
254
255
  - doc/release_notes/3.9.0.txt
255
256
  files:
@@ -333,6 +334,7 @@ files:
333
334
  - doc/release_notes/3.74.0.txt
334
335
  - doc/release_notes/3.75.0.txt
335
336
  - doc/release_notes/3.76.0.txt
337
+ - doc/release_notes/3.77.0.txt
336
338
  - doc/release_notes/3.8.0.txt
337
339
  - doc/release_notes/3.9.0.txt
338
340
  - lib/roda.rb