wsv 0.8.0

data/lib/wsv/server.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require "socket"
+require_relative "app"
+require_relative "request"
+require_relative "response"
+
+module Wsv
+  class Server
+    DEFAULT_READ_TIMEOUT = 10
+    DEFAULT_MAX_CONNECTIONS = 8
+    DRAIN_TIMEOUT = 5
+
+    attr_reader :host, :port, :root
+
+    def initialize(
+      host:,
+      port:,
+      root:,
+      out: $stdout,
+      err: $stderr,
+      read_timeout: DEFAULT_READ_TIMEOUT,
+      max_connections: DEFAULT_MAX_CONNECTIONS
+    )
+      @host = host
+      @port = port
+      @root = File.realpath(root)
+      @out = out
+      @err = err
+      @read_timeout = read_timeout
+      @max_connections = max_connections
+      @app = App.new(@root)
+      @running = false
+      @mutex = Mutex.new
+      @active = 0
+    end
+
+    def start
+      @server = TCPServer.new(host, port)
+      @running = true
+      log_startup
+      trap_signals
+      accept_loop
+    ensure
+      close
+    end
+
+    def stop
+      @running = false
+      close
+    end
+
+    def handle(client)
+      reader = DeadlineReader.new(client, Time.now + @read_timeout)
+      request = Request.parse(reader)
+      case request
+      when :empty
+        nil
+      when :malformed
+        write_response(client, Response.text(400))
+      else
+        write_response(client, @app.call(request))
+      end
+    rescue Request::TooLarge => e
+      write_response(client, Response.text(e.status_code))
+    rescue IO::TimeoutError
+      write_response(client, Response.text(408))
+    rescue StandardError => e
+      @err.puts "wsv: #{e.class}: #{e.message}"
+      write_response(client, Response.text(400))
+    ensure
+      graceful_close(client)
+    end
+
+    private
+
+    def write_response(client, response)
+      return if client.closed?
+
+      response.write_to(client)
+    rescue Errno::EPIPE, Errno::ECONNRESET, IOError
+      nil
+    end
+
+    def graceful_close(client)
+      return if client.closed?
+
+      drain_recv(client)
+    rescue StandardError
+      nil
+    ensure
+      begin
+        client.close unless client.closed?
+      rescue StandardError
+        nil
+      end
+    end
+
+    def drain_recv(client)
+      deadline = Time.now + DRAIN_TIMEOUT
+      loop do
+        return if Time.now >= deadline
+
+        chunk = client.read_nonblock(8192, exception: false)
+        case chunk
+        when nil, :wait_writable
+          return
+        when :wait_readable
+          remaining = deadline - Time.now
+          return if remaining <= 0
+          return unless client.wait_readable([remaining, 0.2].min)
+        end
+      end
+    end
+
+    class DeadlineReader
+      def initialize(io, deadline)
+        @io = io
+        @deadline = deadline
+      end
+
+      def gets(limit)
+        remaining = @deadline - Time.now
+        raise IO::TimeoutError if remaining <= 0
+
+        @io.timeout = remaining
+        @io.gets(limit)
+      end
+    end
+
+    def accept_loop
+      while @running
+        client = nil
+        begin
+          client = @server.accept
+        rescue IOError, Errno::EBADF
+          break
+        rescue StandardError => e
+          @err.puts "wsv: accept error: #{e.class}: #{e.message}"
+          sleep 0.05
+          next
+        end
+
+        begin
+          spawn_handler(client)
+        rescue StandardError => e
+          @err.puts "wsv: dispatch error: #{e.class}: #{e.message}"
+          begin
+            client.close
+          rescue StandardError
+            nil
+          end
+        end
+      end
+    end
+
+    def spawn_handler(client)
+      accepted = @mutex.synchronize do
+        next false if @active >= @max_connections
+
+        @active += 1
+        true
+      end
+
+      return reject(client) unless accepted
+
+      Thread.new do
+        Thread.current.report_on_exception = false
+        handle(client)
+      ensure
+        @mutex.synchronize { @active -= 1 }
+      end
+    end
+
+    def reject(client)
+      write_response(client, Response.text(503))
+    ensure
+      graceful_close(client)
+    end
+
+    def close
+      @server&.close unless @server&.closed?
+    end
+
+    def trap_signals
+      %w[INT TERM].each do |signal|
+        Signal.trap(signal) do
+          @out.puts "\nStopping wsv."
+          stop
+        end
+      end
+    rescue ArgumentError
+      nil
+    end
+
+    def log_startup
+      @out.puts "Serving: #{root}"
+      @out.puts "Bind:    #{url_for(host)}"
+      @out.puts "Local:   #{url_for('127.0.0.1')}" unless localhost?(host)
+      @out.puts "Stop:    Ctrl-C"
+      warn_public_bind unless localhost?(host)
+    end
+
+    def warn_public_bind
+      @err.puts "WARNING: binding to #{host} exposes #{root} on your network."
+      @err.puts "         Pass --host 127.0.0.1 (or omit --host) for local-only access."
+    end
+
+    def url_for(display_host)
+      "http://#{display_host}:#{port}/"
+    end
+
+    def localhost?(display_host)
+      ["127.0.0.1", "localhost", "::1"].include?(display_host)
+    end
+  end
+end

data/lib/wsv/status.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Wsv
+  module Status
+    REASONS = {
+      200 => "OK",
+      301 => "Moved Permanently",
+      400 => "Bad Request",
+      403 => "Forbidden",
+      404 => "Not Found",
+      405 => "Method Not Allowed",
+      408 => "Request Timeout",
+      414 => "URI Too Long",
+      431 => "Request Header Fields Too Large",
+      503 => "Service Unavailable"
+    }.freeze
+
+    def self.reason(code)
+      REASONS.fetch(code)
+    end
+  end
+end

data/lib/wsv/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Wsv
+  VERSION = "0.8.0"
+end

data/lib/wsv.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require_relative "wsv/version"
+require_relative "wsv/status"
+require_relative "wsv/mime_types"
+require_relative "wsv/path_resolver"
+require_relative "wsv/request"
+require_relative "wsv/response"
+require_relative "wsv/app"
+require_relative "wsv/server"
+require_relative "wsv/cli"
+
+module Wsv
+end

data/test/app_test.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class AppTest < Minitest::Test
+  def setup
+    @dir = Dir.mktmpdir
+    @app = Wsv::App.new(File.realpath(@dir))
+  end
+
+  def teardown
+    FileUtils.remove_entry(@dir)
+  end
+
+  def test_returns_file_response
+    File.write(File.join(@dir, "hello.txt"), "hi")
+
+    response = @app.call(req("GET", "/hello.txt"))
+
+    assert_equal 200, response.status
+    assert_equal "text/plain; charset=utf-8", response.headers["Content-Type"]
+    assert_equal "2", response.headers["Content-Length"]
+    assert_equal "hi", response.body
+  end
+
+  def test_method_not_allowed
+    response = @app.call(req("POST", "/"))
+
+    assert_equal 405, response.status
+    assert_equal "GET, HEAD", response.headers["Allow"]
+  end
+
+  def test_dotfile_forbidden
+    File.write(File.join(@dir, ".env"), "secret")
+
+    response = @app.call(req("GET", "/.env"))
+
+    assert_equal 403, response.status
+  end
+
+  def test_path_traversal_forbidden
+    response = @app.call(req("GET", "/../etc/passwd"))
+
+    assert_equal 403, response.status
+  end
+
+  def test_url_encoded_traversal_forbidden
+    response = @app.call(req("GET", "/%2e%2e/passwd"))
+
+    assert_equal 403, response.status
+  end
+
+  def test_redirect_preserves_query
+    FileUtils.mkdir_p(File.join(@dir, "docs"))
+    File.write(File.join(@dir, "docs", "index.html"), "x")
+
+    response = @app.call(req("GET", "/docs?q=1"))
+
+    assert_equal 301, response.status
+    assert_equal "/docs/?q=1", response.headers["Location"]
+  end
+
+  def test_head_omits_body_but_keeps_content_length
+    File.write(File.join(@dir, "x.txt"), "hi")
+
+    response = @app.call(req("HEAD", "/x.txt"))
+
+    assert_equal "", response.body
+    assert_equal "2", response.headers["Content-Length"]
+  end
+
+  private
+
+  def req(method, target)
+    Wsv::Request.new(method: method, target: target, version: "HTTP/1.1", headers: {})
+  end
+end

data/test/cli_test.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class CLITest < Minitest::Test
+  def test_defaults
+    Dir.mktmpdir do |dir|
+      Dir.chdir(dir) do
+        options = Wsv::CLI.new([]).parse_options([])
+
+        assert_equal "127.0.0.1", options[:host]
+        assert_equal 8000, options[:port]
+        assert_equal File.realpath(dir), options[:directory]
+      end
+    end
+  end
+
+  def test_host_port_and_directory
+    Dir.mktmpdir do |dir|
+      options = Wsv::CLI.new([]).parse_options(["-h", "127.0.0.1", "-p", "3000", dir])
+
+      assert_equal "127.0.0.1", options[:host]
+      assert_equal 3000, options[:port]
+      assert_equal dir, options[:directory]
+    end
+  end
+
+  def test_long_host_port_and_directory
+    Dir.mktmpdir do |dir|
+      options = Wsv::CLI.new([]).parse_options(["--host", "localhost", "--port", "4567", dir])
+
+      assert_equal "localhost", options[:host]
+      assert_equal 4567, options[:port]
+      assert_equal dir, options[:directory]
+    end
+  end
+
+  def test_help
+    out = StringIO.new
+    code = Wsv::CLI.new(["--help"], out: out).run
+
+    assert_equal 0, code
+    assert_includes out.string, "Usage: wsv"
+    assert_includes out.string, "--host HOST"
+  end
+
+  def test_version
+    out = StringIO.new
+    code = Wsv::CLI.new(["--version"], out: out).run
+
+    assert_equal 0, code
+    assert_equal "#{Wsv::VERSION}\n", out.string
+  end
+
+  def test_invalid_port
+    err = StringIO.new
+    code = Wsv::CLI.new(["-p", "0"], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "port must be between 1 and 65535"
+  end
+
+  def test_missing_directory
+    err = StringIO.new
+    missing = File.join(Dir.tmpdir, "wsv-missing-#{Time.now.to_i}-#{$$}")
+    code = Wsv::CLI.new([missing], err: err).run
+
+    assert_equal 1, code
+    assert_includes err.string, "directory does not exist"
+  end
+end

data/test/path_resolver_test.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class PathResolverTest < Minitest::Test
+  def setup
+    @dir = Dir.mktmpdir
+    @root = File.realpath(@dir)
+    @resolver = Wsv::PathResolver.new(@root)
+  end
+
+  def teardown
+    FileUtils.remove_entry(@dir)
+  end
+
+  def test_resolves_existing_file
+    path = File.join(@dir, "hello.txt")
+    File.write(path, "hi")
+
+    result = @resolver.resolve("/hello.txt")
+
+    assert_predicate result, :file?
+    assert_equal File.realpath(path), result.file
+  end
+
+  def test_returns_404_for_missing_file
+    result = @resolver.resolve("/nope.txt")
+
+    assert_predicate result, :error?
+    assert_equal 404, result.status
+  end
+
+  def test_redirects_directory_without_trailing_slash
+    FileUtils.mkdir_p(File.join(@dir, "docs"))
+    File.write(File.join(@dir, "docs", "index.html"), "x")
+
+    result = @resolver.resolve("/docs")
+
+    assert_predicate result, :redirect?
+  end
+
+  def test_serves_index_for_directory_with_trailing_slash
+    FileUtils.mkdir_p(File.join(@dir, "docs"))
+    index = File.join(@dir, "docs", "index.html")
+    File.write(index, "x")
+
+    result = @resolver.resolve("/docs/")
+
+    assert_predicate result, :file?
+    assert_equal File.realpath(index), result.file
+  end
+
+  def test_directory_without_index_is_404
+    FileUtils.mkdir_p(File.join(@dir, "assets"))
+
+    result = @resolver.resolve("/assets/")
+
+    assert_predicate result, :error?
+    assert_equal 404, result.status
+  end
+
+  def test_rejects_path_traversal
+    result = @resolver.resolve("/../etc/passwd")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_dotfile_at_root
+    File.write(File.join(@dir, ".env"), "secret")
+
+    result = @resolver.resolve("/.env")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_dot_directory
+    FileUtils.mkdir_p(File.join(@dir, ".git"))
+    File.write(File.join(@dir, ".git", "config"), "x")
+
+    result = @resolver.resolve("/.git/config")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_dotfile_in_subdir
+    FileUtils.mkdir_p(File.join(@dir, "sub"))
+    File.write(File.join(@dir, "sub", ".secret"), "x")
+
+    result = @resolver.resolve("/sub/.secret")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_url_encoded_traversal
+    result = @resolver.resolve("/%2e%2e/etc/passwd")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_url_encoded_dotfile
+    File.write(File.join(@dir, ".env"), "secret")
+
+    result = @resolver.resolve("/%2eenv")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_preserves_literal_plus_in_path
+    File.write(File.join(@dir, "foo+bar.txt"), "x")
+
+    result = @resolver.resolve("/foo+bar.txt")
+
+    assert_predicate result, :file?
+    assert_equal File.realpath(File.join(@dir, "foo+bar.txt")), result.file
+  end
+
+  def test_returns_400_for_invalid_uri
+    result = @resolver.resolve("http://[invalid")
+
+    assert_predicate result, :error?
+    assert_equal 400, result.status
+  end
+
+  def test_rejects_symlink_to_dotfile
+    File.write(File.join(@dir, ".env"), "secret")
+    File.symlink(".env", File.join(@dir, "config"))
+
+    result = @resolver.resolve("/config")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_rejects_symlink_to_dot_directory
+    FileUtils.mkdir_p(File.join(@dir, ".git"))
+    File.write(File.join(@dir, ".git", "HEAD"), "ref")
+    File.symlink(".git", File.join(@dir, "gitstuff"))
+
+    result = @resolver.resolve("/gitstuff/HEAD")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  end
+
+  def test_allows_internal_symlink_to_regular_file
+    File.write(File.join(@dir, "real.txt"), "data")
+    File.symlink("real.txt", File.join(@dir, "alias.txt"))
+
+    result = @resolver.resolve("/alias.txt")
+
+    assert_predicate result, :file?
+    assert_equal File.realpath(File.join(@dir, "real.txt")), result.file
+  end
+
+  def test_handles_symlink_loop
+    File.symlink("b", File.join(@dir, "a"))
+    File.symlink("a", File.join(@dir, "b"))
+
+    result = @resolver.resolve("/a")
+
+    assert_predicate result, :error?
+    assert_equal 404, result.status
+  end
+
+  def test_rejects_symlink_outside_root
+    outside = File.join(File.dirname(@dir), "wsv-outside-#{$$}")
+    File.write(outside, "leaked")
+    File.symlink(outside, File.join(@dir, "link"))
+
+    result = @resolver.resolve("/link")
+
+    assert_predicate result, :error?
+    assert_equal 403, result.status
+  ensure
+    FileUtils.rm_f(outside) if outside
+  end
+end

data/test/request_test.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class RequestTest < Minitest::Test
+  def test_parse_simple_get
+    io = StringIO.new("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
+
+    request = Wsv::Request.parse(io)
+
+    assert_equal "GET", request.method
+    assert_equal "/", request.target
+    assert_equal "HTTP/1.1", request.version
+    assert_equal "localhost", request.headers["host"]
+  end
+
+  def test_parse_empty_returns_symbol
+    assert_equal :empty, Wsv::Request.parse(StringIO.new(""))
+  end
+
+  def test_parse_malformed_returns_symbol
+    assert_equal :malformed, Wsv::Request.parse(StringIO.new("garbage line\r\n"))
+  end
+
+  def test_request_line_too_long_raises_414
+    long_path = "/#{'a' * 9000}"
+    io = StringIO.new("GET #{long_path} HTTP/1.1\r\nHost: x\r\n\r\n")
+
+    error = assert_raises(Wsv::Request::TooLarge) { Wsv::Request.parse(io) }
+
+    assert_equal 414, error.status_code
+  end
+
+  def test_too_many_headers_raises_431
+    headers = (1..200).map { |i| "X-Custom-#{i}: x\r\n" }.join
+    io = StringIO.new("GET / HTTP/1.1\r\n#{headers}\r\n")
+
+    error = assert_raises(Wsv::Request::TooLarge) { Wsv::Request.parse(io) }
+
+    assert_equal 431, error.status_code
+  end
+
+  def test_header_total_too_large_raises_431
+    big_value = "a" * 5000
+    headers = (1..5).map { |i| "X-Big-#{i}: #{big_value}\r\n" }.join
+    io = StringIO.new("GET / HTTP/1.1\r\n#{headers}\r\n")
+
+    error = assert_raises(Wsv::Request::TooLarge) { Wsv::Request.parse(io) }
+
+    assert_equal 431, error.status_code
+  end
+
+  def test_single_header_line_too_long_raises_431
+    big_header = "X-Long: #{'z' * 9000}\r\n"
+    io = StringIO.new("GET / HTTP/1.1\r\n#{big_header}\r\n")
+
+    error = assert_raises(Wsv::Request::TooLarge) { Wsv::Request.parse(io) }
+
+    assert_equal 431, error.status_code
+  end
+end

data/test/response_test.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class ResponseTest < Minitest::Test
+  def test_rejects_crlf_in_header_value
+    assert_raises(ArgumentError) do
+      Wsv::Response.new(status: 200, headers: { "X-Foo" => "bad\r\nInjected: yes" })
+    end
+  end
+
+  def test_rejects_lf_in_header_value
+    assert_raises(ArgumentError) do
+      Wsv::Response.new(status: 200, headers: { "X-Foo" => "bad\nthing" })
+    end
+  end
+
+  def test_rejects_crlf_in_header_name
+    assert_raises(ArgumentError) do
+      Wsv::Response.new(status: 200, headers: { "X-Bad\r\n" => "value" })
+    end
+  end
+
+  def test_rejects_colon_in_header_name
+    assert_raises(ArgumentError) do
+      Wsv::Response.new(status: 200, headers: { "X-Foo: extra" => "value" })
+    end
+  end
+
+  def test_accepts_normal_headers
+    Wsv::Response.new(
+      status: 200,
+      headers: {
+        "Content-Type" => "text/html; charset=utf-8",
+        "Allow" => "GET, HEAD",
+        "Location" => "/docs/?q=1"
+      }
+    )
+  end
+
+  def test_text_factory_produces_writable_response
+    response = Wsv::Response.text(404)
+    io = StringIO.new
+    response.write_to(io)
+
+    assert_includes io.string, "HTTP/1.1 404 Not Found"
+  end
+end