tina4ruby 3.13.36 → 3.13.38

data/lib/tina4/wsdl.rb

@@ -273,6 +273,14 @@ module Tina4
     def process_soap(xml_body)
       on_request(@request)
 
+      # SOAP 1.1 (§3) forbids a Document Type Declaration in a SOAP message.
+      # Rejecting any DOCTYPE/DTD up front also closes the XML entity-expansion
+      # (billion-laughs) and external-entity (XXE) attack surface — REXML expands
+      # internal entities, so a DTD is a live DoS vector. Reject before parsing.
+      if xml_body =~ /<!DOCTYPE/i
+        return soap_fault("Client", "DOCTYPE declarations are not allowed in SOAP messages")
+      end
+
       begin
         doc = REXML::Document.new(xml_body)
       rescue REXML::ParseException
@@ -309,7 +317,12 @@ module Tina4
         result = send(op_name.to_sym, *meta[:input].keys.map { |k| params[k.to_s] })
         result = on_result(result)
       rescue StandardError => e
-        return soap_fault("Server", e.message)
+        # Log the real cause, but only leak the detail to the client in debug
+        # mode — a resolver exception can carry internal state (DB credentials,
+        # file paths) that must not reach a SOAP client.
+        Tina4::Log.error("WSDL operation '#{op_name}' failed: #{e.message}")
+        detail = Tina4::Env.is_truthy(ENV["TINA4_DEBUG"]) ? e.message : "Internal server error"
+        return soap_fault("Server", detail)
       end
 
       soap_response(op_name, result)
@@ -473,6 +486,11 @@ module Tina4
       end
 
       def handle_soap_request(xml_body)
+        # SOAP 1.1 (§3) forbids a DOCTYPE/DTD. Reject before parsing — this
+        # closes the REXML internal-entity expansion (billion-laughs) and XXE
+        # surface. Mirrors the class-based process_soap path.
+        return _soap_fault("DOCTYPE declarations are not allowed in SOAP messages") if xml_body =~ /<!DOCTYPE/i
+
         doc = REXML::Document.new(xml_body)
 
         # Find Body element (namespace-agnostic)
@@ -500,7 +518,12 @@ module Tina4
         # Build SOAP response
         _build_soap_response(op_name, result)
       rescue StandardError => e
-        _soap_fault(e.message)
+        # Mask the real cause in production (parity with process_soap) — a
+        # handler exception can carry internal state that must not reach a
+        # SOAP client. Detail is logged; only surfaced under TINA4_DEBUG.
+        Tina4::Log.error("WSDL operation '#{op_name}' failed: #{e.message}")
+        detail = Tina4::Env.is_truthy(ENV["TINA4_DEBUG"]) ? e.message : "Internal server error"
+        _soap_fault(detail)
       end
 
       private

data/lib/tina4.rb

@@ -1,13 +1,5 @@
 # frozen_string_literal: true
 
-# ── Fast JSON: use oj if available, fall back to stdlib json ──────────
-begin
-  require "oj"
-  Oj.default_options = { mode: :compat, symbol_keys: false }
-rescue LoadError
-  # oj not installed — stdlib json is fine
-end
-
 # ── Core (always loaded) ──────────────────────────────────────────────
 require_relative "tina4/version"
 require_relative "tina4/constants"
@@ -108,6 +100,9 @@ module Tina4
   autoload :WebSocket,           File.expand_path("tina4/websocket", __dir__)
   autoload :WebSocketConnection, File.expand_path("tina4/websocket", __dir__)
   autoload :DevReload,           File.expand_path("tina4/websocket", __dir__)
+  autoload :WebSocketBackplane,  File.expand_path("tina4/websocket_backplane", __dir__)
+  autoload :RedisBackplane,      File.expand_path("tina4/websocket_backplane", __dir__)
+  autoload :NATSBackplane,       File.expand_path("tina4/websocket_backplane", __dir__)
   autoload :Testing,             File.expand_path("tina4/testing", __dir__)
   autoload :ScssCompiler,        File.expand_path("tina4/scss_compiler", __dir__)
   autoload :FakeData,            File.expand_path("tina4/seeder", __dir__)
@@ -188,13 +183,20 @@ module Tina4
       # Print banner
       print_banner
 
-      # Load environment
+      # Load environment. Precedence: real-env > .env.local > .env
+      # (.env.local loads first, both first-wins, so a real env var always wins).
       Tina4::Env.load_env(root_dir)
 
       # Setup debug logging
       Tina4::Log.configure(root_dir)
       Tina4::Log.info("Tina4 Ruby v#{VERSION} initializing...")
 
+      # Fail-safe dev secret: in dev (and NOT CI/prod) mint a per-machine
+      # random TINA4_SECRET into gitignored .env.local if it is blank; in
+      # CI/prod with a blank secret, emit the actionable warning. Runs once at
+      # boot after env load, before any auth use. Never crashes boot.
+      Tina4::Auth.ensure_dev_secret(root_dir)
+
       # Setup auth keys
       Tina4::Auth.setup(root_dir)
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.13.36
+  version: 3.13.38
 platform: ruby
 authors:
 - Tina4 Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-17 00:00:00.000000000 Z
+date: 2026-06-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -52,20 +52,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '6.0'
-- !ruby/object:Gem::Dependency
-  name: dotenv
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -80,20 +66,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: bcrypt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: net-smtp
   requirement: !ruby/object:Gem::Requirement
@@ -136,20 +108,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: oj
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.16'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.16'
 - !ruby/object:Gem::Dependency
   name: rexml
   requirement: !ruby/object:Gem::Requirement
@@ -277,8 +235,9 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.50'
 description: 'TINA4: The Intelligent Native Application 4ramework for Ruby — Simple.
-  Fast. Human. Built for AI. Built for you. 54 built-in features, zero dependencies.
-  Full parity with Python, PHP, and Node.js.'
+  Fast. Human. Built for AI. Built for you. 54 built-in features, minimal dependencies
+  (Rack-based; the runtime gems are production-deployment essentials, not framework
+  bloat). Full parity with Python, PHP, and Node.js.'
 email:
 - info@tina4.com
 executables:
@@ -460,5 +419,5 @@ requirements: []
 rubygems_version: 3.4.19
 signing_key:
 specification_version: 4
-summary: Tina4 for Ruby — 54 built-in features, zero dependencies
+summary: Tina4 for Ruby — 54 built-in features, minimal dependencies
 test_files: []