ruby_routes 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 15debcef313430cfc799afcb9ba0b6f9bd8292226d023d7e854afc608d5ede64
-  data.tar.gz: 1d7c971980a984738c6239cc1727376b74ab61ae824ee054a92f254451574bcf
+  metadata.gz: 4017abab11dd0945bcfe1659b2ed1456c2cf82a8993db55d094d283c48c8ebd0
+  data.tar.gz: 07f0aba728bf81cdfdc245e20a212f1775b2314a826c88f0e25b8ff2b608c195
 SHA512:
-  metadata.gz: 8f272672f91127b65fab8ed4ae2eacfb95fe55310fc4bcd017b5656a0eb475e05255884f19416520ce8b36ec6ff51602561b6f9519befc1f7cf7448bca4ab3f9
-  data.tar.gz: c3cc386c128531ef9bb268bb904c806e1632c3d88609fd3de5077d8143f0fa56a1089ea0915de3bf2e1116c0d0d812402877480d6edc702f8923d3ee3252ef9a
+  metadata.gz: a4aa77ba441b9e87cdcb31cae5b5f12babaf93396e400723d5f845392ac132520c4398e19d49d0755e05fc305791b54a3676a460ba8c73cd4b5ee55647fb2589
+  data.tar.gz: a3b883c253731dfad5eaf34a28fb89684d0f9fa921127f6e428225743a93d87934508e49f59c3710964cc8a444b729f9278872aa8d991c4302abbb7ff8645b66

data/README.md

@@ -8,7 +8,7 @@ A lightweight, flexible routing system for Ruby that provides a Rails-like DSL f
 - **HTTP Method Support**: GET, POST, PUT, PATCH, DELETE, and custom methods
 - **RESTful Resources**: Automatic generation of RESTful routes
 - **Nested Routes**: Support for nested resources and namespaces
-- **Route Constraints**: Add constraints to routes (regex, etc.)
+- **Secure Route Constraints**: Powerful constraint system with built-in security ([see CONSTRAINTS.md](CONSTRAINTS.md))
 - **Named Routes**: Generate URLs from route names
 - **Path Generation**: Build URLs with parameters
 - **Scope Support**: Group routes with common options
@@ -116,14 +116,91 @@ end
 # etc.
 ```
 
-### Scopes and Constraints
+### Route Constraints
+
+Ruby Routes provides a powerful and secure constraint system to validate route parameters. **For security reasons, Proc constraints are deprecated** - use the secure alternatives below.
+
+#### Built-in Constraint Types
 
 ```ruby
 router = RubyRoutes.draw do
-  scope constraints: { id: /\d+/ } do
-    get '/users/:id', to: 'users#show'
-  end
+  # Integer validation
+  get '/users/:id', to: 'users#show', constraints: { id: :int }
+  
+  # UUID validation
+  get '/resources/:uuid', to: 'resources#show', constraints: { uuid: :uuid }
+  
+  # Email validation
+  get '/users/:email', to: 'users#show', constraints: { email: :email }
   
+  # URL-friendly slug validation
+  get '/posts/:slug', to: 'posts#show', constraints: { slug: :slug }
+  
+  # Alphabetic characters only
+  get '/categories/:name', to: 'categories#show', constraints: { name: :alpha }
+  
+  # Alphanumeric characters only
+  get '/codes/:code', to: 'codes#show', constraints: { code: :alphanumeric }
+end
+```
+
+#### Hash-based Constraints (Recommended)
+
+```ruby
+router = RubyRoutes.draw do
+  # Length constraints
+  get '/users/:username', to: 'users#show',
+      constraints: { 
+        username: { 
+          min_length: 3, 
+          max_length: 20,
+          format: /\A[a-zA-Z0-9_]+\z/
+        } 
+      }
+
+  # Allowed values (whitelist)
+  get '/posts/:status', to: 'posts#show',
+      constraints: { 
+        status: { in: %w[draft published archived] }
+      }
+
+  # Numeric ranges
+  get '/products/:price', to: 'products#show',
+      constraints: { 
+        price: { range: 1..10000 }
+      }
+end
+```
+
+#### Regular Expression Constraints
+
+```ruby
+router = RubyRoutes.draw do
+  # Custom regex pattern (with ReDoS protection)
+  get '/products/:sku', to: 'products#show', 
+      constraints: { sku: /\A[A-Z]{2}\d{4}\z/ }
+end
+```
+
+#### ⚠️ Security Notice: Proc Constraints Deprecated
+
+```ruby
+# ❌ DEPRECATED - Security risk!
+get '/users/:id', to: 'users#show',
+    constraints: { id: ->(value) { value.to_i > 0 } }
+
+# ✅ Use secure alternatives instead:
+get '/users/:id', to: 'users#show',
+    constraints: { id: { range: 1..Float::INFINITY } }
+```
+
+**📚 For complete constraint documentation, see [CONSTRAINTS.md](CONSTRAINTS.md)**  
+**🔄 For migration help, see [MIGRATION_GUIDE.md](MIGRATION_GUIDE.md)**
+
+### Scopes
+
+```ruby
+router = RubyRoutes.draw do
   scope defaults: { format: 'html' } do
     get '/posts', to: 'posts#index'
   end
@@ -273,13 +350,38 @@ Creates a new router instance and yields to the block for route definition.
 - `find_route(method, path)` - Finds a specific route
 - `find_named_route(name)` - Finds a named route
 
-## Examples
+## Documentation
+
+### Core Documentation
+- **[CONSTRAINTS.md](CONSTRAINTS.md)** - Complete guide to route constraints and security best practices
+- **[MIGRATION_GUIDE.md](MIGRATION_GUIDE.md)** - Step-by-step guide for migrating from deprecated Proc constraints
+
+### Examples
 
 See the `examples/` directory for more detailed examples:
 
 - `examples/basic_usage.rb` - Basic routing examples
 - `examples/rack_integration.rb` - Full Rack application example
 
+## Security
+
+Ruby Routes prioritizes security and has implemented several protections:
+
+### 🔒 Security Features
+- **XSS Protection**: All HTML output is properly escaped
+- **ReDoS Protection**: Regular expression constraints have timeout protection
+- **Secure Constraints**: Deprecated dangerous Proc constraints in favor of secure alternatives
+- **Thread Safety**: All caching and shared resources are thread-safe
+- **Input Validation**: Comprehensive parameter validation before reaching application code
+
+### ⚠️ Important Security Notice
+**Proc constraints are deprecated due to security risks** and will be removed in a future version. They allow arbitrary code execution which can be exploited for:
+- Code injection attacks
+- Denial of service attacks
+- System compromise
+
+**Migration Required**: If you're using Proc constraints, please migrate to secure alternatives using our [Migration Guide](MIGRATION_GUIDE.md).
+
 ## Testing
 
 Run the test suite:
@@ -288,6 +390,8 @@ Run the test suite:
 bundle exec rspec
 ```
 
+The test suite includes comprehensive security tests to ensure all protections are working correctly.
+
 ## Contributing
 
 1. Fork the repository

data/lib/ruby_routes/constant.rb

@@ -42,9 +42,9 @@ module RubyRoutes
 
     # Descriptor factories for segment classification (O(1) dispatch by first byte).
     DESCRIPTOR_FACTORIES = {
-      42 => ->(s) { { type: :splat,  name: (s[1..-1] || 'splat') } }, # '*'
-      58 => ->(s) { { type: :param,  name:   s[1..-1] } },             # ':'
-      :default => ->(s) { { type: :static, value:  s } }
+      42 => ->(s) { { type: :splat,  name: (s[1..-1] || 'splat').freeze } }, # '*'
+      58 => ->(s) { { type: :param,  name:   s[1..-1].freeze } },             # ':'
+      :default => ->(s) { { type: :static, value:  s.freeze } }  # Intern static values
     }.freeze
 
     def self.segment_descriptor(raw)

data/lib/ruby_routes/route.rb

@@ -1,4 +1,6 @@
 require 'uri'
+require 'timeout'
+require 'set'
 require_relative 'route/small_lru'
 
 module RubyRoutes
@@ -71,6 +73,12 @@ module RubyRoutes
         raise RubyRoutes::RouteNotFound, "Missing params: #{missing_params.to_a.join(', ')}"
       end
 
+      # Check for nil values in required params
+      nil_params = @required_params_set.select { |param| merged[param].nil? }
+      unless nil_params.empty?
+        raise RubyRoutes::RouteNotFound, "Missing or nil params: #{nil_params.to_a.join(', ')}"
+      end
+
       # Cache lookup
       cache_key = build_cache_key_fast(merged)
       if (cached = @gen_cache.get(cache_key))
@@ -95,19 +103,28 @@ module RubyRoutes
     ROOT_PATH = '/'.freeze
     UNRESERVED_RE = /\A[a-zA-Z0-9\-._~]+\z/.freeze
     QUERY_CACHE_SIZE = 128
-
-    # Fast method normalization
+    
+    # Common HTTP methods - interned for performance
+    HTTP_GET = 'GET'.freeze
+    HTTP_POST = 'POST'.freeze
+    HTTP_PUT = 'PUT'.freeze
+    HTTP_PATCH = 'PATCH'.freeze
+    HTTP_DELETE = 'DELETE'.freeze
+    HTTP_HEAD = 'HEAD'.freeze
+    HTTP_OPTIONS = 'OPTIONS'.freeze
+
+    # Fast method normalization using interned constants
     def normalize_method(method)
       case method
-      when :get then 'GET'
-      when :post then 'POST'
-      when :put then 'PUT'
-      when :patch then 'PATCH'
-      when :delete then 'DELETE'
-      when :head then 'HEAD'
-      when :options then 'OPTIONS'
-      else method.to_s.upcase
-      end.freeze
+      when :get then HTTP_GET
+      when :post then HTTP_POST
+      when :put then HTTP_PUT
+      when :patch then HTTP_PATCH
+      when :delete then HTTP_DELETE
+      when :head then HTTP_HEAD
+      when :options then HTTP_OPTIONS
+      else method.to_s.upcase.freeze
+      end
     end
 
     # Pre-compile all route data at initialization
@@ -178,9 +195,20 @@ module RubyRoutes
     end
 
     def get_thread_local_hash
-      hash = Thread.current[:ruby_routes_params] ||= {}
-      hash.clear
-      hash
+      # Use a pool of hashes to reduce allocations
+      pool = Thread.current[:ruby_routes_hash_pool] ||= []
+      if pool.empty?
+        {}
+      else
+        hash = pool.pop
+        hash.clear
+        hash
+      end
+    end
+
+    def return_hash_to_pool(hash)
+      pool = Thread.current[:ruby_routes_hash_pool] ||= []
+      pool.push(hash) if pool.size < 5  # Keep pool small to avoid memory bloat
     end
 
     def merge_defaults_fast(result)
@@ -194,7 +222,17 @@ module RubyRoutes
 
       # Fast path normalization
       path_parts = split_path_fast(request_path)
-      return nil if @compiled_segments.size != path_parts.size
+      
+      # Check if we have a wildcard/splat segment
+      has_splat = @compiled_segments.any? { |seg| seg[:type] == :splat }
+      
+      if has_splat
+        # For wildcard routes, path can have more parts than segments
+        return nil if path_parts.size < @compiled_segments.size - 1
+      else
+        # For non-wildcard routes, size must match exactly
+        return nil if @compiled_segments.size != path_parts.size
+      end
 
       extract_params_from_parts(path_parts)
     end
@@ -230,10 +268,18 @@ module RubyRoutes
       return @defaults if params.empty?
 
       merged = get_thread_local_merged_hash
+      
+      # Merge defaults first if they exist
       merged.update(@defaults) unless @defaults.empty?
 
-      # Convert param keys to strings efficiently
-      params.each { |k, v| merged[k.to_s] = v }
+      # Use merge! with transform_keys for better performance
+      if params.respond_to?(:transform_keys)
+        merged.merge!(params.transform_keys(&:to_s))
+      else
+        # Fallback for older Ruby versions
+        params.each { |k, v| merged[k.to_s] = v }
+      end
+      
       merged
     end
 
@@ -245,67 +291,59 @@ module RubyRoutes
 
     # Fast cache key building with minimal allocations
     def build_cache_key_fast(merged)
-      # Use instance variable buffer to avoid repeated allocations
-      @cache_key_buffer ||= String.new(capacity: 128)
-      @cache_key_buffer.clear
+      return '' if @required_params.empty?
 
-      return @cache_key_buffer.dup if @required_params.empty?
-
-      @required_params.each_with_index do |name, idx|
-        @cache_key_buffer << '|' unless idx.zero?
+      # Use array join which is faster than string concatenation
+      parts = @required_params.map do |name|
         value = merged[name]
-        @cache_key_buffer << (value.is_a?(Array) ? value.join('/') : value.to_s) if value
+        value.is_a?(Array) ? value.join('/') : value.to_s
       end
-      @cache_key_buffer.dup
+      parts.join('|')
     end
 
     # Optimized path generation
     def generate_path_string(merged)
       return ROOT_PATH if @compiled_segments.empty?
 
-      buffer = String.new(capacity: 128)
-      buffer << '/'
-
-      @compiled_segments.each_with_index do |seg, idx|
-        buffer << '/' unless idx.zero?
-
+      # Pre-allocate array for parts to avoid string buffer operations
+      parts = []
+      
+      @compiled_segments.each do |seg|
         case seg[:type]
         when :static
-          buffer << seg[:value]
+          parts << seg[:value]
         when :param
           value = merged.fetch(seg[:name]).to_s
-          buffer << encode_segment_fast(value)
+          parts << encode_segment_fast(value)
         when :splat
           value = merged.fetch(seg[:name], '')
-          append_splat_value(buffer, value)
+          parts << format_splat_value(value)
         end
       end
 
-      buffer == '/' ? ROOT_PATH : buffer
+      # Single join operation is faster than multiple string concatenations
+      path = "/#{parts.join('/')}"
+      path == '/' ? ROOT_PATH : path
     end
 
-    def append_splat_value(buffer, value)
+    def format_splat_value(value)
       case value
       when Array
-        value.each_with_index do |part, idx|
-          buffer << '/' unless idx.zero?
-          buffer << encode_segment_fast(part.to_s)
-        end
+        value.map { |part| encode_segment_fast(part.to_s) }.join('/')
       when String
-        parts = value.split('/')
-        parts.each_with_index do |part, idx|
-          buffer << '/' unless idx.zero?
-          buffer << encode_segment_fast(part)
-        end
+        value.split('/').map { |part| encode_segment_fast(part) }.join('/')
       else
-        buffer << encode_segment_fast(value.to_s)
+        encode_segment_fast(value.to_s)
       end
     end
 
-    # Fast segment encoding
+    # Fast segment encoding with caching for common values
     def encode_segment_fast(str)
       return str if UNRESERVED_RE.match?(str)
-      URI.encode_www_form_component(str)
+      
+      # Cache encoded segments to avoid repeated encoding
+      @encoding_cache ||= {}
+      @encoding_cache[str] ||= URI.encode_www_form_component(str)
     end
 
     # Optimized query params with caching
@@ -348,22 +386,110 @@ module RubyRoutes
     def validate_constraints_fast!(params)
       @constraints.each do |param, constraint|
         value = params[param.to_s]
-        next unless value
+        # Only skip validation if the parameter is completely missing from params
+        # Empty strings and nil values should still be validated
+        next unless params.key?(param.to_s)
 
         case constraint
         when Regexp
-          raise ConstraintViolation unless constraint.match?(value)
+          # Protect against ReDoS attacks with timeout
+          begin
+            Timeout.timeout(0.1) do
+              raise RubyRoutes::ConstraintViolation unless constraint.match?(value.to_s)
+            end
+          rescue Timeout::Error
+            raise RubyRoutes::ConstraintViolation, "Regex constraint timed out (potential ReDoS attack)"
+          end
         when Proc
-          raise ConstraintViolation unless constraint.call(value)
+          # DEPRECATED: Proc constraints are deprecated due to security risks
+          warn_proc_constraint_deprecation(param)
+          
+          # For backward compatibility, still execute but with strict timeout
+          begin
+            Timeout.timeout(0.05) do  # Reduced timeout for security
+              raise RubyRoutes::ConstraintViolation unless constraint.call(value.to_s)
+            end
+          rescue Timeout::Error
+            raise RubyRoutes::ConstraintViolation, "Proc constraint timed out (consider using secure alternatives)"
+          rescue => e
+            raise RubyRoutes::ConstraintViolation, "Proc constraint failed: #{e.message}"
+          end
         when :int
-          raise ConstraintViolation unless value.match?(/\A\d+\z/)
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.match?(/\A\d+\z/)
         when :uuid
-          raise ConstraintViolation unless value.length == 36 &&
-                 value.match?(/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i)
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.length == 36 &&
+                 value_str.match?(/\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i)
+        when :email
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
+        when :slug
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.match?(/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/)
+        when :alpha
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.match?(/\A[a-zA-Z]+\z/)
+        when :alphanumeric
+          value_str = value.to_s
+          raise RubyRoutes::ConstraintViolation unless value_str.match?(/\A[a-zA-Z0-9]+\z/)
+        when Hash
+          # Secure hash-based constraints for common patterns
+          validate_hash_constraint!(constraint, value_str = value.to_s)
         end
       end
     end
 
+    def warn_proc_constraint_deprecation(param)
+      return if @proc_warnings_shown&.include?(param)
+      
+      @proc_warnings_shown ||= Set.new
+      @proc_warnings_shown << param
+      
+      warn <<~WARNING
+        [DEPRECATION] Proc constraints are deprecated due to security risks.
+        
+        Parameter: #{param}
+        Route: #{@path}
+        
+        Secure alternatives:
+        - Use regex: constraints: { #{param}: /\\A\\d+\\z/ }
+        - Use built-in types: constraints: { #{param}: :int }
+        - Use hash constraints: constraints: { #{param}: { min_length: 3, format: /\\A[a-z]+\\z/ } }
+        
+        Available built-in types: :int, :uuid, :email, :slug, :alpha, :alphanumeric
+        
+        This warning will become an error in a future version.
+      WARNING
+    end
+
+    def validate_hash_constraint!(constraint, value)
+      # Secure hash-based constraints
+      if constraint[:min_length] && value.length < constraint[:min_length]
+        raise RubyRoutes::ConstraintViolation, "Value too short (minimum #{constraint[:min_length]} characters)"
+      end
+      
+      if constraint[:max_length] && value.length > constraint[:max_length]
+        raise RubyRoutes::ConstraintViolation, "Value too long (maximum #{constraint[:max_length]} characters)"
+      end
+      
+      if constraint[:format] && !value.match?(constraint[:format])
+        raise RubyRoutes::ConstraintViolation, "Value does not match required format"
+      end
+      
+      if constraint[:in] && !constraint[:in].include?(value)
+        raise RubyRoutes::ConstraintViolation, "Value not in allowed list"
+      end
+      
+      if constraint[:not_in] && constraint[:not_in].include?(value)
+        raise RubyRoutes::ConstraintViolation, "Value in forbidden list"
+      end
+      
+      if constraint[:range] && !constraint[:range].cover?(value.to_i)
+        raise RubyRoutes::ConstraintViolation, "Value not in allowed range"
+      end
+    end
+
     def validate_route!
       raise InvalidRoute, "Controller is required" if @controller.nil?
       raise InvalidRoute, "Action is required" if @action.nil?

data/lib/ruby_routes/route_set.rb

@@ -42,16 +42,10 @@ module RubyRoutes
       # Optimized cache key: avoid string interpolation when possible
       cache_key = build_cache_key(method_up, request_path)
 
-      # Cache hit: return immediately
-      if (cached = @recognition_cache[cache_key])
+      # Cache hit: return immediately (cached result includes full structure)
+      if (cached_result = @recognition_cache[cache_key])
         @cache_hits += 1
-        cached_route, cached_params = cached
-        return {
-          route: cached_route,
-          params: cached_params,
-          controller: cached_route.controller,
-          action: cached_route.action
-        }
+        return cached_result
       end
 
       @cache_misses += 1
@@ -71,17 +65,17 @@ module RubyRoutes
         merge_query_params(route, request_path, params)
       end
 
-      # Create return hash and cache entry
+      # Create return hash and cache the complete result
       result_params = params.dup
-      cache_entry = [route, result_params.freeze]
-      insert_cache_entry(cache_key, cache_entry)
-
-      {
+      result = {
         route: route,
         params: result_params,
         controller: route.controller,
         action: route.action
-      }
+      }.freeze
+      
+      insert_cache_entry(cache_key, result)
+      result
     end
 
     def recognize_path(path, method = :get)
@@ -141,7 +135,7 @@ module RubyRoutes
 
     private
 
-    # Method lookup table to avoid repeated upcasing
+    # Method lookup table to avoid repeated upcasing with interned strings
     def method_lookup(method)
       @method_cache ||= Hash.new { |h, k| h[k] = k.to_s.upcase.freeze }
       @method_cache[method]
@@ -149,29 +143,21 @@ module RubyRoutes
 
     # Optimized cache key building - avoid string interpolation
     def build_cache_key(method, path)
-      # Use frozen string concatenation to avoid allocations
-      @cache_key_buffer ||= String.new(capacity: 256)
-      @cache_key_buffer.clear
-      @cache_key_buffer << method << ':' << path
-      @cache_key_buffer.dup.freeze
+      # Use string interpolation which is faster than buffer + dup + freeze
+      # String interpolation creates a new string directly without intermediate allocations
+      "#{method}:#{path}".freeze
     end
 
     # Get thread-local params hash, reusing when possible
     def get_thread_local_params
-      # Use object pool to reduce GC pressure
-      @params_pool ||= []
-      if @params_pool.empty?
-        {}
-      else
-        hash = @params_pool.pop
-        hash.clear
-        hash
-      end
+      # Use single thread-local hash that gets cleared, avoiding pool management overhead
+      hash = Thread.current[:ruby_routes_params_hash] ||= {}
+      hash.clear
+      hash
     end
 
     def return_params_to_pool(params)
-      @params_pool ||= []
-      @params_pool.push(params) if @params_pool.size < 10
+      # No-op since we're using a single reusable hash per thread
     end
 
     # Fast defaults merging

data/lib/ruby_routes/router.rb

@@ -5,6 +5,7 @@ module RubyRoutes
     def initialize(&block)
       @route_set = RouteSet.new
       @scope_stack = []
+      @concerns = {}
       instance_eval(&block) if block_given?
     end
 
@@ -36,19 +37,20 @@ module RubyRoutes
     # Resources routing (Rails-like)
     def resources(name, options = {}, &block)
       singular = name.to_s.singularize
-      plural = name.to_s.pluralize
+      plural = (options[:path] || name.to_s.pluralize)
+      controller = options[:controller] || plural
 
       # Collection routes
-      get "/#{plural}", options.merge(to: "#{plural}#index")
-      get "/#{plural}/new", options.merge(to: "#{plural}#new")
-      post "/#{plural}", options.merge(to: "#{plural}#create")
+      get "/#{plural}", options.merge(to: "#{controller}#index")
+      get "/#{plural}/new", options.merge(to: "#{controller}#new")
+      post "/#{plural}", options.merge(to: "#{controller}#create")
 
       # Member routes
-      get "/#{plural}/:id", options.merge(to: "#{plural}#show")
-      get "/#{plural}/:id/edit", options.merge(to: "#{plural}#edit")
-      put "/#{plural}/:id", options.merge(to: "#{plural}#update")
-      patch "/#{plural}/:id", options.merge(to: "#{plural}#update")
-      delete "/#{plural}/:id", options.merge(to: "#{plural}#destroy")
+      get "/#{plural}/:id", options.merge(to: "#{controller}#show")
+      get "/#{plural}/:id/edit", options.merge(to: "#{controller}#edit")
+      put "/#{plural}/:id", options.merge(to: "#{controller}#update")
+      patch "/#{plural}/:id", options.merge(to: "#{controller}#update")
+      delete "/#{plural}/:id", options.merge(to: "#{controller}#destroy")
 
       # Nested resources if specified
       if options[:nested]
@@ -63,7 +65,6 @@ module RubyRoutes
         get "/#{plural}/:id/#{nested_plural}/:nested_id/edit", options.merge(to: "#{nested_plural}#edit")
         put "/#{plural}/:id/#{nested_plural}/:nested_id", options.merge(to: "#{nested_plural}#update")
         patch "/#{plural}/:id/#{nested_plural}/:nested_id", options.merge(to: "#{nested_plural}#update")
-        delete "/#{plural}/:id/#{nested_plural}/:nested_id", options.merge(to: "#{nested_plural}#update")
         delete "/#{plural}/:id/#{nested_plural}/:nested_id", options.merge(to: "#{nested_plural}#destroy")
       end
 
@@ -131,7 +132,6 @@ module RubyRoutes
     end
 
     def concern(name, &block)
-      @concerns ||= {}
       @concerns[name] = block
     end
 

data/lib/ruby_routes/url_helpers.rb

@@ -1,3 +1,5 @@
+require 'cgi'
+
 module RubyRoutes
   module UrlHelpers
     def self.included(base)
@@ -33,16 +35,33 @@ module RubyRoutes
 
     def link_to(name, text, params = {})
       path = path_to(name, params)
-      "<a href=\"#{path}\">#{text}</a>"
+      safe_path = CGI.escapeHTML(path.to_s)
+      safe_text = CGI.escapeHTML(text.to_s)
+      "<a href=\"#{safe_path}\">#{safe_text}</a>"
     end
 
     def button_to(name, text, params = {})
-      path = path_to(name, params)
-      method = params.delete(:method) || :post
+      local_params = params ? params.dup : {}
+      method = local_params.delete(:method) || :post
+      method = method.to_s.downcase
+      path = path_to(name, local_params)
+
+      # HTML forms only support GET and POST
+      # For other methods, use POST with _method hidden field
+      form_method = (method == 'get') ? 'get' : 'post'
+      
+      safe_path = CGI.escapeHTML(path.to_s)
+      safe_form_method = CGI.escapeHTML(form_method)
+      html = "<form action=\"#{safe_path}\" method=\"#{safe_form_method}\">"
+      
+      # Add _method hidden field for non-GET/POST methods
+      if method != 'get' && method != 'post'
+        safe_method = CGI.escapeHTML(method)
+        html += "<input type=\"hidden\" name=\"_method\" value=\"#{safe_method}\">"
+      end
 
-      html = "<form action=\"#{path}\" method=\"#{method}\">"
-      html += "<input type=\"hidden\" name=\"_method\" value=\"#{method}\">" if method != :get
-      html += "<button type=\"submit\">#{text}</button>"
+      safe_text = CGI.escapeHTML(text.to_s)
+      html += "<button type=\"submit\">#{safe_text}</button>"
       html += "</form>"
       html
     end

data/lib/ruby_routes/version.rb

@@ -1,3 +1,3 @@
 module RubyRoutes
-  VERSION = "1.1.0"
+  VERSION = "2.0.0"
 end

data/lib/ruby_routes.rb

@@ -11,6 +11,7 @@ module RubyRoutes
   class Error < StandardError; end
   class RouteNotFound < Error; end
   class InvalidRoute < Error; end
+  class ConstraintViolation < Error; end
 
   # Create a new router instance
   def self.new(&block)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_routes
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Yosef Benny Widyokarsono