tep 0.11.0

data/lib/tep/session.rb

@@ -0,0 +1,98 @@
+# Tep::Session -- string-keyed string store, persisted in a signed
+# cookie. Format: `urlencoded_payload.hexhmac` where the signature
+# covers exactly the urlencoded payload. Forgery-resistant given a
+# strong secret; payload is *visible* to clients (not encrypted).
+#
+# To enable: set `Tep.session_secret` to a long random string at app
+# load time (e.g. `Tep.session_secret = ENV.fetch("TEP_SESSION_SECRET")`).
+# When unset, sessions silently no-op (read-only Bag, no Set-Cookie).
+module Tep
+  COOKIE_NAME = "tep.session"
+
+  class Session
+    attr_accessor :data, :dirty
+
+    def initialize
+      @data  = Tep.str_hash
+      @dirty = false
+    end
+
+    # Spinel doesn't dispatch user-defined `[]` / `[]=` on user
+    # classes -- and emitting them at all forces those methods to
+    # default-typed mrb_int params for callers we don't have, which
+    # mismatches the underlying String/String slots. So Session
+    # exposes only named methods; the translator rewrites
+    # `session[k] = v` to `session.set(k, v)` and `session[k]` to
+    # `session.get(k)` for source compatibility with Sinatra.
+    def get(k);    @data[k];                          end
+    def set(k, v); @data[k] = v; @dirty = true;       end
+    def has?(k);   @data.key?(k);                     end
+    def length;    @data.length;                      end
+    def clear;     @data = Tep.str_hash; @dirty = true; end
+
+    # Verify + decode an inbound cookie value. Returns true on
+    # success (data populated), false on missing / tampered.
+    def load_from(cookie_value, secret)
+      if cookie_value.length == 0 || secret.length == 0
+        return false
+      end
+      dot = cookie_value.rindex(".")
+      if dot.nil?
+        return false
+      end
+      payload = cookie_value[0, dot]
+      sig     = cookie_value[dot + 1, cookie_value.length - dot - 1]
+      expect  = Crypto.sp_crypto_hmac_sha256_hex(secret, payload)
+      if !Tep.timing_safe_eq(sig, expect)
+        return false
+      end
+      Url.parse_query(payload).each do |k, v|
+        @data[k] = v
+      end
+      true
+    end
+
+    # Serialize + sign for the response cookie. Caller decides when
+    # to call this (typically only when @dirty).
+    def to_cookie_value(secret)
+      payload = ""
+      first = true
+      @data.each do |k, v|
+        if !first
+          payload = payload + "&"
+        end
+        payload = payload + Url.escape(k) + "=" + Url.escape(v)
+        first = false
+      end
+      payload + "." + Crypto.sp_crypto_hmac_sha256_hex(secret, payload)
+    end
+  end
+
+  # Constant-time string equality. Avoids leaking the matching prefix
+  # length via early-exit timing. spinel doesn't have a stdlib
+  # crypto-safe compare, so we roll our own.
+  def self.timing_safe_eq(a, b)
+    if a.length != b.length
+      return false
+    end
+    diff = 0
+    i = 0
+    n = a.length
+    while i < n
+      # getbyte(i), NOT bytes[i]: `String#bytes` allocates a fresh
+      # array on EVERY iteration (O(n^2) garbage). Besides being slow,
+      # that allocation storm drives the GC hard enough to free `b` --
+      # the HMAC string returned from the Crypto FFI call, held only in
+      # an argument local -- mid-loop, so a valid cookie fails its
+      # signature check ~5% of the time under load (a #1052-family
+      # heap-local rooting gap in spinel, open on master cc94707; the
+      # real fix is upstream, tracked at tep#157). getbyte allocates
+      # nothing, removing the dominant GC trigger here (cuts the flake
+      # ~3x); the residual lives at other unrooted-local sites in the
+      # decode path and clears only when spinel roots heap locals.
+      diff = diff | (a.getbyte(i) ^ b.getbyte(i))
+      i += 1
+    end
+    diff == 0
+  end
+end

data/lib/tep/shell.rb

@@ -0,0 +1,62 @@
+# Tep::Shell -- minimal popen-based shell-out + /proc-style file
+# reads. The pair covers ~all of what a "system dashboard" needs
+# without dragging in an Open3-equivalent.
+#
+# Security note
+# -------------
+# `run(cmd)` passes its argument verbatim to `/bin/sh -c`. NEVER
+# interpolate untrusted input into the command string -- you'll get
+# a textbook command injection. The same is true of every other
+# popen-style API in any language; we don't pretend otherwise.
+#
+# When you need to feed user-controllable values to a command, build
+# the argv yourself, write to a temp file, or use an explicit allow-
+# list of acceptable inputs.
+module Tep
+  class Shell
+    DEFAULT_MAX = 65535
+
+    # Run `cmd` via /bin/sh -c; return up to DEFAULT_MAX bytes of
+    # stdout as a string. Stderr is inherited (visible on the
+    # server's console / log). The command's exit status is
+    # discarded -- callers that need it can append `; echo "EX=$?"`
+    # and parse the tail.
+    # `+ ""` forces a Ruby-side copy of the static C buffer; see
+    # `read` below.
+    def self.run(cmd)
+      Sock.sphttp_shell_capture(cmd, DEFAULT_MAX) + ""
+    end
+
+    # As above but with a caller-chosen byte cap. Lower caps are
+    # cheaper memory-wise; higher caps (up to the sphttp internal
+    # buffer of ~64KB) let longer outputs through.
+    def self.run_limited(cmd, max_bytes)
+      Sock.sphttp_shell_capture(cmd, max_bytes) + ""
+    end
+
+    # Read a file's contents. Useful for /proc/loadavg, /proc/meminfo,
+    # /sys/class/thermal/.../temp, and similar small-text endpoints.
+    # Returns "" on open failure (spinel's File.read swallows fopen
+    # errors and returns the empty string -- matches the prior
+    # sphttp_file_read behaviour).
+    def self.read(path)
+      File.read(path)
+    end
+
+    # Bounded read: slice after the fact. The cap is mostly a
+    # defensive cue -- callers that need it should be reading
+    # bounded /proc files anyway.
+    def self.read_limited(path, max_bytes)
+      out = File.read(path)
+      out.length > max_bytes ? out[0, max_bytes] : out
+    end
+
+    # Write `data` to `path` (truncate + rewrite). Returns the byte
+    # count for symmetry with the old FFI shape; spinel's File.write
+    # is void, so we recover it from data.length.
+    def self.write(path, data)
+      File.write(path, data)
+      data.length
+    end
+  end
+end