wsv 0.8.0 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3439ce5afffd7bfe4dc3e2a18da2d3f9d15ffd10b28e9cc4bb33f5c3e14ada12
-  data.tar.gz: 98e65904c83834cc8e910931f1884f52e652346bad94612a8ba31933e607ff8c
+  metadata.gz: 3d932b12a288921b6935081095a656825c9efaaabb9d086350104c6d92c76d42
+  data.tar.gz: 91c097132033a2030f4e5e9f8f4aa9c799078e7006320cbfff566ea88ae6c1b9
 SHA512:
-  metadata.gz: 382457dc4151007dca51ab8a550021b06bfe4f4127d5ff40c3c9da7e566b3987ec16b57838b8ce5e30a210d538b87231b9f0f0e5e8b5ef91ef20cc5fdc8f9395
-  data.tar.gz: 2b6210d0c5063c4ba5a8b6c3d723cfe5db3abe9c41b20b6c56a99d64cac0a9b961d694fe2a7b2458250441102ed959034f13f7be169fa0a8102ef46405d8a4f4
+  metadata.gz: a272e137f58400e80dd58d4d32f6dd1f998ee5eb148c281d95674be1b087ea72c966ea4d3b84381b28589181d0e3e1a787accea3133e899f2dd8490c04ace055
+  data.tar.gz: 7250c73ce5e90e6c85d598b5966bdc01467bc5aeff6869c3e63e2031a8f7c7d2baa8d873f0e347bf76d55e7e567787ba041cd3c4b790a2d192b5ff8fc806d2de

data/CHANGELOG.md

@@ -1,6 +1,39 @@
 # Changelog
 
-## Unreleased
+## 0.9.0
+
+- Normalize the redirect `Location` to an origin-form path. Previously, an
+  absolute-form request target such as `GET http://example.test/docs HTTP/1.1`
+  produced `Location: http://example.test/docs/`; now it always emits
+  `Location: /docs/`.
+- Reject control characters (C0 0x00-0x1F and 0x7F DEL) in the
+  decoded request path with `400`. RFC 3986 disallows them in URL paths;
+  this prevents NUL-byte `ArgumentError` from leaking out of
+  `Wsv::PathResolver` and provides defence-in-depth against CR/LF
+  smuggling alongside the existing response-header validation.
+- Document the local-FS TOCTOU limitation in README's security model:
+  another local process with write access to the served directory can swap
+  files between path resolution and `File.open`. This is acknowledged as
+  out-of-scope for a development tool.
+- Decrement the in-flight connection counter when `Thread.new` itself raises
+  `ThreadError` (e.g. OS thread limit reached). The dispatch returns `503`
+  for the rejected client and the server continues accepting subsequent
+  connections instead of permanently leaking a slot.
+- Stream file responses through `IO.copy_stream` instead of buffering the
+  whole file in memory. Reduces RSS for large files and uses `sendfile(2)`
+  on Linux when available. `Response#body` still materializes to a String
+  for callers; the change is internal to the wire path.
+- Support `Range` requests for static files (`206 Partial Content` with
+  `Content-Range`). Open-ended (`bytes=N-`), suffix (`bytes=-N`), and
+  bounded (`bytes=N-M`) forms are supported. Unsatisfiable ranges return
+  `416`; invalid syntax falls through to a normal `200`.
+- Honour `If-Modified-Since` and return `304 Not Modified` when the file's
+  mtime (truncated to seconds) is at or before the supplied date.
+- Advertise `Accept-Ranges: bytes` on `200` and `206` file responses.
+- Document the public API contract in README: the CLI is the SemVer
+  surface. Ruby classes under `lib/wsv/` are implementation details.
+
+## 0.8.0
 
 - Bound request size: 8 KiB request line, 8 KiB per header line, 16 KiB total
   headers, 100 header lines. Returns 414 / 431 when exceeded.

data/README.md

@@ -46,8 +46,10 @@ Options:
 - Serves `index.html` for directories that contain it.
 - Does not render directory listings.
 - Supports `GET` and `HEAD`.
+- Supports `Range` requests (`206 Partial Content` with `Content-Range`).
+- Honours `If-Modified-Since` and returns `304 Not Modified` when applicable.
 - Rejects paths that resolve outside the served directory.
-- Sends `Cache-Control: no-cache` for local development.
+- Sends `Cache-Control: no-cache` so the browser revalidates each request.
 
 ## Security model
 
@@ -84,14 +86,41 @@ Within that scope it tries to behave defensively:
 
 - Authentication, authorization, or rate limiting.
 - TLS / HTTPS.
-- Range requests, conditional `GET`, or HTTP keep-alive.
+- HTTP keep-alive (each response sets `Connection: close`).
+- ETags / `If-None-Match`.
 - Production-grade DoS resistance under hostile network load.
+- Defend against TOCTOU attacks from other local processes that can write
+  to the served directory. Path resolution (canonicalisation, dotfile
+  checks, within-root verification) happens before each file is opened;
+  another process that can swap files in the served directory between
+  resolution and read could redirect a request elsewhere on the same
+  machine.
 - Protect a directory you should not be sharing in the first place. The
   bound is the directory you pass on the command line; if it contains
   secrets, do not run `wsv` against it.
 
 If you need any of the above, use a real production server.
 
+## Public API and stability
+
+`wsv` follows [Semantic Versioning](https://semver.org/). The public API
+that SemVer covers is the CLI:
+
+- The flags listed above (`-h` / `--host`, `-p` / `--port`, `--help`,
+  `--version`) and their meanings.
+- The directory argument and the default behaviour when it is omitted.
+- Process exit codes (`0` for success, `1` for usage / setup errors).
+
+Within a major version, `wsv` will not silently change the default bind
+host, default port, the dotfile-blocking rule, or the security posture in
+ways that would surprise an existing user.
+
+The Ruby classes inside `lib/wsv/` (`Wsv::Server`, `Wsv::App`,
+`Wsv::PathResolver`, `Wsv::Request`, `Wsv::Response`, `Wsv::MimeTypes`,
+`Wsv::Status`) are implementation details. They may change at any
+time, including in patch releases. If you want to embed `wsv` as a
+library, pin a specific version.
+
 ## License
 
 MIT

data/lib/wsv/app.rb

@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 
+require "time"
+require "uri"
 require_relative "path_resolver"
 require_relative "response"
 
 module Wsv
   class App
     ALLOWED_METHODS = %w[GET HEAD].freeze
+    RANGE_PATTERN = /\Abytes=(\d+)?-(\d+)?\z/
 
     def initialize(root)
       @resolver = PathResolver.new(root)
@@ -24,15 +27,80 @@ module Wsv
       return Response.text(result.status, head: head) if result.error?
       return Response.redirect(redirect_location(raw_path, query), head: head) if result.redirect?
 
-      Response.file(result.file, head: head)
+      file_response(result.file, request, head: head)
     end
 
     private
 
+    def file_response(file, request, head:)
+      return Response.not_modified if not_modified?(file, request.headers["if-modified-since"])
+
+      size = File.size(file)
+      range = parse_range(request.headers["range"], size)
+      case range
+      when :unsatisfiable
+        Response.range_not_satisfiable(size, head: head)
+      when nil
+        Response.file(file, head: head)
+      else
+        Response.file(file, head: head, range: range)
+      end
+    end
+
+    def not_modified?(file, header_value)
+      return false unless header_value
+
+      since = Time.httpdate(header_value)
+      File.mtime(file).to_i <= since.to_i
+    rescue ArgumentError
+      false
+    end
+
+    def parse_range(header_value, file_size)
+      return nil if header_value.nil? || header_value.empty?
+
+      match = header_value.match(RANGE_PATTERN)
+      return nil unless match
+
+      first, last = match.captures
+      if first.nil? && last.nil?
+        nil
+      elsif first.nil?
+        suffix_range(last.to_i, file_size)
+      elsif last.nil?
+        open_range(first.to_i, file_size)
+      else
+        bounded_range(first.to_i, last.to_i, file_size)
+      end
+    end
+
+    def suffix_range(suffix, file_size)
+      return :unsatisfiable if suffix.zero? || file_size.zero?
+
+      [file_size - suffix, 0].max..(file_size - 1)
+    end
+
+    def open_range(first, file_size)
+      return :unsatisfiable if first >= file_size
+
+      first..(file_size - 1)
+    end
+
+    def bounded_range(first, last, file_size)
+      return :unsatisfiable if first > last || first >= file_size
+
+      last = file_size - 1 if last >= file_size
+      first..last
+    end
+
     def redirect_location(raw_path, query)
-      location = raw_path.end_with?("/") ? raw_path : "#{raw_path}/"
+      path = URI(raw_path.to_s).path
+      path = "/" if path.empty?
+      location = path.end_with?("/") ? path : "#{path}/"
       location += "?#{query}" if query && !query.empty?
       location
+    rescue URI::InvalidURIError
+      "/"
     end
   end
 end

data/lib/wsv/path_resolver.rb

@@ -4,6 +4,10 @@ require "uri"
 
 module Wsv
   class PathResolver
+    # RFC 3986 disallows control characters in URL paths. Reject them after
+    # percent-decoding so callers cannot smuggle CR/LF, NUL, etc. through.
+    INVALID_PATH_CHARS = /[\u0000-\u001f\u007f]/
+
     class Result
       attr_reader :status, :file
 
@@ -77,7 +81,10 @@ module Wsv
 
     def decode(raw_path)
       path = URI(raw_path.to_s).path
-      percent_decode(path)
+      decoded = percent_decode(path)
+      return nil if decoded.nil? || decoded.match?(INVALID_PATH_CHARS)
+
+      decoded
     rescue URI::InvalidURIError
       nil
     end

data/lib/wsv/request/parser.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Request
+    class Parser
+      REQUEST_LINE_LIMIT = 8192
+      HEADER_LINE_LIMIT = 8192
+      HEADER_COUNT_LIMIT = 100
+      HEADER_TOTAL_LIMIT = 16_384
+
+      def initialize(io)
+        @io = io
+      end
+
+      def parse
+        line = @io.gets(REQUEST_LINE_LIMIT)
+        return :empty unless line
+        raise TooLarge, 414 if line.bytesize >= REQUEST_LINE_LIMIT && !line.end_with?("\n")
+
+        method, target, version = line.split(/\s+/, 3)
+        version = version&.strip
+        return :malformed unless method && target && version&.start_with?("HTTP/")
+
+        Request.new(method: method, target: target, version: version, headers: read_headers)
+      end
+
+      private
+
+      def read_headers
+        headers = {}
+        total = 0
+        count = 0
+        while (line = @io.gets(HEADER_LINE_LIMIT))
+          raise TooLarge, 431 if line.bytesize >= HEADER_LINE_LIMIT && !line.end_with?("\n")
+
+          stripped = line.delete_suffix("\r\n").delete_suffix("\n").delete_suffix("\r")
+          break if stripped.empty?
+
+          count += 1
+          raise TooLarge, 431 if count > HEADER_COUNT_LIMIT
+
+          total += line.bytesize
+          raise TooLarge, 431 if total > HEADER_TOTAL_LIMIT
+
+          name, value = stripped.split(":", 2)
+          headers[name.downcase] = value.strip if name && value
+        end
+        headers
+      end
+    end
+  end
+end

data/lib/wsv/request.rb

@@ -1,12 +1,9 @@
 # frozen_string_literal: true
 
+require_relative "request/parser"
+
 module Wsv
   class Request
-    REQUEST_LINE_LIMIT = 8192
-    HEADER_LINE_LIMIT = 8192
-    HEADER_COUNT_LIMIT = 100
-    HEADER_TOTAL_LIMIT = 16384
-
     class TooLarge < StandardError
       attr_reader :status_code
 
@@ -30,39 +27,7 @@ module Wsv
     end
 
     def self.parse(io)
-      line = io.gets(REQUEST_LINE_LIMIT)
-      return :empty unless line
-      raise TooLarge, 414 if line.bytesize >= REQUEST_LINE_LIMIT && !line.end_with?("\n")
-
-      method, target, version = line.split(/\s+/, 3)
-      version = version&.strip
-      return :malformed unless method && target && version&.start_with?("HTTP/")
-
-      headers = read_headers(io)
-      new(method: method, target: target, version: version, headers: headers)
-    end
-
-    def self.read_headers(io)
-      headers = {}
-      total = 0
-      count = 0
-      while (line = io.gets(HEADER_LINE_LIMIT))
-        raise TooLarge, 431 if line.bytesize >= HEADER_LINE_LIMIT && !line.end_with?("\n")
-
-        stripped = line.delete_suffix("\r\n").delete_suffix("\n").delete_suffix("\r")
-        break if stripped.empty?
-
-        count += 1
-        raise TooLarge, 431 if count > HEADER_COUNT_LIMIT
-
-        total += line.bytesize
-        raise TooLarge, 431 if total > HEADER_TOTAL_LIMIT
-
-        name, value = stripped.split(":", 2)
-        headers[name.downcase] = value.strip if name && value
-      end
-      headers
+      Parser.new(io).parse
     end
-    private_class_method :read_headers
   end
 end

data/lib/wsv/response/file_body.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class FileBody
+      def initialize(path, offset: 0, length: nil)
+        @path = path
+        @offset = offset
+        @length = length || (File.size(path) - offset)
+      end
+
+      def to_s
+        File.open(@path, "rb") do |f|
+          f.seek(@offset)
+          f.read(@length)
+        end
+      end
+
+      def bytesize
+        @length
+      end
+
+      def write_to(io)
+        File.open(@path, "rb") do |f|
+          f.seek(@offset)
+          IO.copy_stream(f, io, @length)
+        end
+      end
+    end
+  end
+end

data/lib/wsv/response/file_builder.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+require "time"
+require_relative "../mime_types"
+
+module Wsv
+  class Response
+    class FileBuilder
+      def initialize(path, head: false, range: nil)
+        @path = path
+        @head = head
+        @range = range
+      end
+
+      def build
+        if @range
+          Response.new(status: 206, headers: range_headers, body: range_body)
+        else
+          Response.new(status: 200, headers: full_headers, body: full_body)
+        end
+      end
+
+      private
+
+      def size
+        @size ||= File.size(@path)
+      end
+
+      def base_headers
+        {
+          "Content-Type" => MimeTypes.for_file(@path),
+          "Last-Modified" => File.mtime(@path).httpdate,
+          "Cache-Control" => "no-cache",
+          "Accept-Ranges" => "bytes"
+        }
+      end
+
+      def range_headers
+        base_headers.merge(
+          "Content-Length" => @range.size.to_s,
+          "Content-Range" => "bytes #{@range.begin}-#{@range.end}/#{size}"
+        )
+      end
+
+      def full_headers
+        base_headers.merge("Content-Length" => size.to_s)
+      end
+
+      def range_body
+        return StringBody.new("") if @head
+
+        FileBody.new(@path, offset: @range.begin, length: @range.size)
+      end
+
+      def full_body
+        return StringBody.new("") if @head
+
+        FileBody.new(@path)
+      end
+    end
+  end
+end

data/lib/wsv/response/string_body.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class StringBody
+      def initialize(string)
+        @string = string
+      end
+
+      def to_s
+        @string
+      end
+
+      def bytesize
+        @string.bytesize
+      end
+
+      def write_to(io)
+        io.write(@string) unless @string.empty?
+      end
+    end
+  end
+end

data/lib/wsv/response/text_builder.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class TextBuilder
+      def initialize(status, head: false, headers: {})
+        @status = status
+        @head = head
+        @extra_headers = headers
+      end
+
+      def build
+        Response.new(status: @status, headers: response_headers, body: response_body)
+      end
+
+      private
+
+      def response_body
+        @head ? "" : message
+      end
+
+      def message
+        @message ||= "#{@status} #{Status.reason(@status)}\n"
+      end
+
+      def response_headers
+        {
+          "Content-Type" => "text/plain; charset=utf-8",
+          "Content-Length" => message.bytesize.to_s,
+          "Cache-Control" => "no-cache"
+        }.merge(@extra_headers)
+      end
+    end
+  end
+end

data/lib/wsv/response.rb

@@ -1,9 +1,11 @@
 # frozen_string_literal: true
 
-require "time"
-require_relative "mime_types"
 require_relative "status"
 require_relative "version"
+require_relative "response/string_body"
+require_relative "response/file_body"
+require_relative "response/text_builder"
+require_relative "response/file_builder"
 
 module Wsv
   class Response
@@ -12,16 +14,17 @@ module Wsv
     INVALID_HEADER_NAME = /[\s:]/
     INVALID_HEADER_VALUE = /[\r\n]/
 
-    attr_reader :status, :headers, :body
+    attr_reader :status, :headers
 
     def initialize(status:, headers: {}, body: "")
-      headers.each do |name, value|
-        raise ArgumentError, "invalid header name: #{name.inspect}" if name.to_s.match?(INVALID_HEADER_NAME)
-        raise ArgumentError, "invalid header value: #{value.inspect}" if value.to_s.match?(INVALID_HEADER_VALUE)
-      end
+      validate_headers(headers)
       @status = status
       @headers = headers
-      @body = body
+      @body = body.is_a?(String) ? StringBody.new(body) : body
+    end
+
+    def body
+      @body.to_s
     end
 
     def reason
@@ -34,34 +37,36 @@ module Wsv
       io.write "Connection: close\r\n"
       headers.each { |name, value| io.write "#{name}: #{value}\r\n" }
       io.write "\r\n"
-      io.write body
+      @body.write_to(io)
     end
 
-    def self.text(status, headers: {}, head: false)
-      body = "#{status} #{Status.reason(status)}\n"
-      base = {
-        "Content-Type" => "text/plain; charset=utf-8",
-        "Content-Length" => body.bytesize.to_s,
-        "Cache-Control" => "no-cache"
-      }
-      new(status: status, headers: base.merge(headers), body: head ? "" : body)
+    def self.text(status, **)
+      TextBuilder.new(status, **).build
     end
 
-    def self.file(path, head: false)
-      new(
-        status: 200,
-        headers: {
-          "Content-Type" => MimeTypes.for_file(path),
-          "Content-Length" => File.size(path).to_s,
-          "Last-Modified" => File.mtime(path).httpdate,
-          "Cache-Control" => "no-cache"
-        },
-        body: head ? "" : File.binread(path)
-      )
+    def self.file(path, **)
+      FileBuilder.new(path, **).build
     end
 
     def self.redirect(location, head: false)
-      text(301, headers: { "Location" => location }, head: head)
+      TextBuilder.new(301, head: head, headers: { "Location" => location }).build
+    end
+
+    def self.not_modified
+      new(status: 304, headers: { "Cache-Control" => "no-cache" }, body: "")
+    end
+
+    def self.range_not_satisfiable(file_size, head: false)
+      TextBuilder.new(416, head: head, headers: { "Content-Range" => "bytes */#{file_size}" }).build
+    end
+
+    private
+
+    def validate_headers(headers)
+      headers.each do |name, value|
+        raise ArgumentError, "invalid header name: #{name.inspect}" if name.to_s.match?(INVALID_HEADER_NAME)
+        raise ArgumentError, "invalid header value: #{value.inspect}" if value.to_s.match?(INVALID_HEADER_VALUE)
+      end
     end
   end
 end

data/lib/wsv/server.rb

@@ -164,11 +164,17 @@ module Wsv
 
       return reject(client) unless accepted
 
-      Thread.new do
-        Thread.current.report_on_exception = false
-        handle(client)
-      ensure
+      begin
+        Thread.new do
+          Thread.current.report_on_exception = false
+          handle(client)
+        ensure
+          @mutex.synchronize { @active -= 1 }
+        end
+      rescue ThreadError => e
+        @err.puts "wsv: thread error: #{e.message}"
         @mutex.synchronize { @active -= 1 }
+        reject(client)
       end
     end
 

data/lib/wsv/status.rb

@@ -4,13 +4,16 @@ module Wsv
   module Status
     REASONS = {
       200 => "OK",
+      206 => "Partial Content",
       301 => "Moved Permanently",
+      304 => "Not Modified",
       400 => "Bad Request",
       403 => "Forbidden",
       404 => "Not Found",
       405 => "Method Not Allowed",
       408 => "Request Timeout",
       414 => "URI Too Long",
+      416 => "Range Not Satisfiable",
       431 => "Request Header Fields Too Large",
       503 => "Service Unavailable"
     }.freeze

data/lib/wsv/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Wsv
-  VERSION = "0.8.0"
+  VERSION = "0.9.0"
 end

data/test/app_test.rb

@@ -60,6 +60,16 @@ class AppTest < Minitest::Test
     assert_equal "/docs/?q=1", response.headers["Location"]
   end
 
+  def test_redirect_normalizes_absolute_form_target_to_origin_form
+    FileUtils.mkdir_p(File.join(@dir, "docs"))
+    File.write(File.join(@dir, "docs", "index.html"), "x")
+
+    response = @app.call(req("GET", "http://example.test/docs"))
+
+    assert_equal 301, response.status
+    assert_equal "/docs/", response.headers["Location"]
+  end
+
   def test_head_omits_body_but_keeps_content_length
     File.write(File.join(@dir, "x.txt"), "hi")
 
@@ -69,9 +79,159 @@ class AppTest < Minitest::Test
     assert_equal "2", response.headers["Content-Length"]
   end
 
+  def test_advertises_accept_ranges_on_200
+    File.write(File.join(@dir, "x.txt"), "hi")
+
+    response = @app.call(req("GET", "/x.txt"))
+
+    assert_equal "bytes", response.headers["Accept-Ranges"]
+  end
+
+  def test_returns_304_when_if_modified_since_matches
+    path = File.join(@dir, "x.txt")
+    File.write(path, "hi")
+
+    response = @app.call(req("GET", "/x.txt", "if-modified-since" => File.mtime(path).httpdate))
+
+    assert_equal 304, response.status
+    assert_equal "", response.body
+    refute response.headers.key?("Content-Length")
+  end
+
+  def test_returns_200_when_if_modified_since_is_older
+    path = File.join(@dir, "x.txt")
+    File.write(path, "hi")
+    older = (File.mtime(path) - 3600).httpdate
+
+    response = @app.call(req("GET", "/x.txt", "if-modified-since" => older))
+
+    assert_equal 200, response.status
+    assert_equal "hi", response.body
+  end
+
+  def test_invalid_if_modified_since_is_ignored
+    File.write(File.join(@dir, "x.txt"), "hi")
+
+    response = @app.call(req("GET", "/x.txt", "if-modified-since" => "not a date"))
+
+    assert_equal 200, response.status
+  end
+
+  def test_serves_byte_range
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=2-5"))
+
+    assert_equal 206, response.status
+    assert_equal "cdef", response.body
+    assert_equal "4", response.headers["Content-Length"]
+    assert_equal "bytes 2-5/10", response.headers["Content-Range"]
+  end
+
+  def test_serves_open_ended_range
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=7-"))
+
+    assert_equal 206, response.status
+    assert_equal "hij", response.body
+    assert_equal "bytes 7-9/10", response.headers["Content-Range"]
+  end
+
+  def test_serves_suffix_range
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=-3"))
+
+    assert_equal 206, response.status
+    assert_equal "hij", response.body
+    assert_equal "bytes 7-9/10", response.headers["Content-Range"]
+  end
+
+  def test_clamps_range_end_to_file_size
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=5-99"))
+
+    assert_equal 206, response.status
+    assert_equal "fghij", response.body
+    assert_equal "bytes 5-9/10", response.headers["Content-Range"]
+  end
+
+  def test_unsatisfiable_range_returns_416
+    File.write(File.join(@dir, "data.bin"), "abc")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=10-20"))
+
+    assert_equal 416, response.status
+    assert_equal "bytes */3", response.headers["Content-Range"]
+  end
+
+  def test_invalid_range_syntax_serves_full_content
+    File.write(File.join(@dir, "data.bin"), "abc")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=garbage"))
+
+    assert_equal 200, response.status
+    assert_equal "abc", response.body
+  end
+
+  def test_head_with_range_omits_body_but_keeps_headers
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("HEAD", "/data.bin", "range" => "bytes=0-2"))
+
+    assert_equal 206, response.status
+    assert_equal "", response.body
+    assert_equal "3", response.headers["Content-Length"]
+  end
+
+  def test_serves_single_byte_range
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=0-0"))
+
+    assert_equal 206, response.status
+    assert_equal "a", response.body
+    assert_equal "1", response.headers["Content-Length"]
+    assert_equal "bytes 0-0/10", response.headers["Content-Range"]
+  end
+
+  def test_inverted_range_returns_416
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=5-3"))
+
+    assert_equal 416, response.status
+    assert_equal "bytes */10", response.headers["Content-Range"]
+  end
+
+  def test_206_preserves_caching_headers
+    path = File.join(@dir, "data.bin")
+    File.write(path, "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=2-5"))
+
+    assert_equal 206, response.status
+    assert_equal Wsv::MimeTypes.for_file("data.bin"), response.headers["Content-Type"]
+    assert_equal File.mtime(path).httpdate, response.headers["Last-Modified"]
+    assert_equal "no-cache", response.headers["Cache-Control"]
+    assert_equal "bytes", response.headers["Accept-Ranges"]
+  end
+
+  def test_multipart_range_falls_through_to_200
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+
+    response = @app.call(req("GET", "/data.bin", "range" => "bytes=0-2,5-7"))
+
+    assert_equal 200, response.status
+    assert_equal "abcdefghij", response.body
+    refute response.headers.key?("Content-Range")
+  end
+
   private
 
-  def req(method, target)
-    Wsv::Request.new(method: method, target: target, version: "HTTP/1.1", headers: {})
+  def req(method, target, headers = {})
+    Wsv::Request.new(method: method, target: target, version: "HTTP/1.1", headers: headers)
   end
 end

data/test/path_resolver_test.rb

@@ -127,6 +127,41 @@ class PathResolverTest < Minitest::Test
     assert_equal 400, result.status
   end
 
+  def test_returns_400_for_nul_byte_in_path
+    result = @resolver.resolve("/foo%00bar")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
+  def test_returns_400_for_cr_in_path
+    result = @resolver.resolve("/foo%0Dbar")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
+  def test_returns_400_for_lf_in_path
+    result = @resolver.resolve("/foo%0Abar")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
+  def test_returns_400_for_tab_in_path
+    result = @resolver.resolve("/foo%09bar")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
+  def test_returns_400_for_del_in_path
+    result = @resolver.resolve("/foo%7Fbar")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
   def test_rejects_symlink_to_dotfile
     File.write(File.join(@dir, ".env"), "secret")
     File.symlink(".env", File.join(@dir, "config"))

data/test/response_test.rb

@@ -45,4 +45,45 @@ class ResponseTest < Minitest::Test
 
     assert_includes io.string, "HTTP/1.1 404 Not Found"
   end
+
+  def test_file_response_streams_via_io_copy_stream
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, "data.bin")
+      File.binwrite(path, "abcdefghij")
+
+      response = Wsv::Response.file(path)
+      io = StringIO.new
+      response.write_to(io)
+
+      assert_includes io.string, "HTTP/1.1 200 OK"
+      assert io.string.end_with?("abcdefghij"), "expected file bytes at end of response"
+    end
+  end
+
+  def test_file_response_does_not_eagerly_read_file
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, "data.bin")
+      File.binwrite(path, "abcdefghij")
+
+      response = Wsv::Response.file(path)
+      File.delete(path)
+
+      assert_equal 200, response.status
+      assert_equal "10", response.headers["Content-Length"]
+    end
+  end
+
+  def test_file_response_streams_byte_range
+    Dir.mktmpdir do |dir|
+      path = File.join(dir, "data.bin")
+      File.binwrite(path, "abcdefghij")
+
+      response = Wsv::Response.file(path, range: 2..5)
+      io = StringIO.new
+      response.write_to(io)
+
+      assert_includes io.string, "HTTP/1.1 206 Partial Content"
+      assert io.string.end_with?("cdef"), "expected only the requested range"
+    end
+  end
 end

data/test/server_test.rb

@@ -226,6 +226,33 @@ class ServerTest < Minitest::Test
     socket&.close
   end
 
+  def test_serves_byte_range_e2e
+    File.write(File.join(@dir, "data.bin"), "abcdefghij")
+    start_server
+
+    uri = URI("http://127.0.0.1:#{@server.port}/data.bin")
+    response = Net::HTTP.start(uri.host, uri.port) do |http|
+      http.get(uri.path, "Range" => "bytes=2-5")
+    end
+
+    assert_equal "206", response.code
+    assert_equal "cdef", response.body
+    assert_equal "bytes 2-5/10", response["content-range"]
+  end
+
+  def test_returns_304_when_if_modified_since_matches_e2e
+    path = File.join(@dir, "x.txt")
+    File.write(path, "hi")
+    start_server
+
+    uri = URI("http://127.0.0.1:#{@server.port}/x.txt")
+    response = Net::HTTP.start(uri.host, uri.port) do |http|
+      http.get(uri.path, "If-Modified-Since" => File.mtime(path).httpdate)
+    end
+
+    assert_equal "304", response.code
+  end
+
   def test_unsupported_method
     start_server
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: wsv
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.9.0
 platform: ruby
 authors:
 - takahashim
@@ -27,7 +27,12 @@ files:
 - lib/wsv/mime_types.rb
 - lib/wsv/path_resolver.rb
 - lib/wsv/request.rb
+- lib/wsv/request/parser.rb
 - lib/wsv/response.rb
+- lib/wsv/response/file_body.rb
+- lib/wsv/response/file_builder.rb
+- lib/wsv/response/string_body.rb
+- lib/wsv/response/text_builder.rb
 - lib/wsv/server.rb
 - lib/wsv/status.rb
 - lib/wsv/version.rb