Class: Otto

Inherits:

Object

• Object
• Otto

Extended by:

ClassMethods

Defined in:

lib/otto.rb,
lib/otto/route.rb,
lib/otto/static.rb,
lib/otto/version.rb,
lib/otto/design_system.rb,
lib/otto/security/csrf.rb,
lib/otto/helpers/request.rb,
lib/otto/security/config.rb,
lib/otto/helpers/response.rb,
lib/otto/security/validator.rb

Overview

lib/otto/helpers/response.rb

Defined Under Namespace

Modules: ClassMethods, DesignSystem, RequestHelpers, ResponseHelpers, Security, Static Classes: Route

Constant Summary

LIB_HOME =

__dir__

VERSION =

'1.3.0'.freeze

Class Attribute Summary

• .debug ⇒ Object

  Returns the value of attribute debug.

• .logger ⇒ Object

  Returns the value of attribute logger.

Instance Attribute Summary

• #middleware_stack ⇒ Object

  Returns the value of attribute middleware_stack.

• #not_found ⇒ Object

  Returns the value of attribute not_found.

• #option ⇒ Object (also: #options) readonly

  Returns the value of attribute option.

• #route_definitions ⇒ Object readonly

  Returns the value of attribute route_definitions.

• #routes ⇒ Object readonly

  Returns the value of attribute routes.

• #routes_literal ⇒ Object readonly

  Returns the value of attribute routes_literal.

• #routes_static ⇒ Object readonly

  Returns the value of attribute routes_static.

• #security_config ⇒ Object readonly

  Returns the value of attribute security_config.

• #server_error ⇒ Object

  Returns the value of attribute server_error.

• #static_route ⇒ Object readonly

  Returns the value of attribute static_route.

Instance Method Summary

• #add_static_path(path) ⇒ Object
• #add_trusted_proxy(proxy) ⇒ Object

  Add a trusted proxy server for accurate client IP detection.

• #call(env) ⇒ Object
• #determine_locale(env) ⇒ Object
• #enable_csp!(policy = "default-src 'self'") ⇒ Object

  Enable Content Security Policy (CSP) header to prevent XSS attacks.

• #enable_csrf_protection! ⇒ Object

  Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.

• #enable_frame_protection!(option = 'SAMEORIGIN') ⇒ Object

  Enable X-Frame-Options header to prevent clickjacking attacks.

• #enable_hsts!(max_age: 31_536_000, include_subdomains: true) ⇒ Object

  Enable HTTP Strict Transport Security (HSTS) header.

• #enable_request_validation! ⇒ Object

  Enable request validation including input sanitization, size limits, and protection against XSS and SQL injection attacks.

• #handle_request(env) ⇒ Object
• #initialize(path = nil, opts = {}) ⇒ Otto constructor

  A new instance of Otto.

• #load(path) ⇒ Object
• #safe_dir?(path) ⇒ Boolean
• #safe_file?(path) ⇒ Boolean
• #set_security_headers(headers) ⇒ Object

  Set custom security headers that will be added to all responses.

• #uri(route_definition, params = {}) ⇒ Object

  Return the URI path for the given route_definition e.g.

• #use(middleware) ⇒ Object

  Add middleware to the stack.

Methods included from ClassMethods

default, env?, path

Constructor Details

#initialize(path = nil, opts = {}) ⇒ Otto

Returns a new instance of Otto.

# File 'lib/otto.rb', line 49

def initialize(path = nil, opts = {})
  @routes_static     = { GET: {} }
  @routes            = { GET: [] }
  @routes_literal    = { GET: {} }
  @route_definitions = {}
  @option            = {
    public: nil,
    locale: 'en',
  }.merge(opts)
  @security_config   = Otto::Security::Config.new
  @middleware_stack  = []

  # Configure security based on options
  configure_security(opts)

  Otto.logger.debug "new Otto: #{opts}" if Otto.debug
  load(path) unless path.nil?
  super()
end

Class Attribute Details

.debug ⇒ Object

Returns the value of attribute debug.

# File 'lib/otto.rb', line 470

def debug
  @debug
end

.logger ⇒ Object

Returns the value of attribute logger.

# File 'lib/otto.rb', line 470

def logger
  @logger
end

Instance Attribute Details

#middleware_stack ⇒ Object

Returns the value of attribute middleware_stack.

# File 'lib/otto.rb', line 47

def middleware_stack
  @middleware_stack
end

#not_found ⇒ Object

Returns the value of attribute not_found.

# File 'lib/otto.rb', line 47

def not_found
  @not_found
end

#option ⇒ Object (readonly) Also known as: options

Returns the value of attribute option.

# File 'lib/otto.rb', line 46

def option
  @option
end

#route_definitions ⇒ Object (readonly)

Returns the value of attribute route_definitions.

# File 'lib/otto.rb', line 46

def route_definitions
  @route_definitions
end

#routes ⇒ Object (readonly)

Returns the value of attribute routes.

# File 'lib/otto.rb', line 46

def routes
  @routes
end

#routes_literal ⇒ Object (readonly)

Returns the value of attribute routes_literal.

# File 'lib/otto.rb', line 46

def routes_literal
  @routes_literal
end

#routes_static ⇒ Object (readonly)

Returns the value of attribute routes_static.

# File 'lib/otto.rb', line 46

def routes_static
  @routes_static
end

#security_config ⇒ Object (readonly)

Returns the value of attribute security_config.

# File 'lib/otto.rb', line 46

def security_config
  @security_config
end

#server_error ⇒ Object

Returns the value of attribute server_error.

# File 'lib/otto.rb', line 47

def server_error
  @server_error
end

#static_route ⇒ Object (readonly)

Returns the value of attribute static_route.

# File 'lib/otto.rb', line 46

def static_route
  @static_route
end

Instance Method Details

#add_static_path(path) ⇒ Object

# File 'lib/otto.rb', line 132

def add_static_path(path)
  return unless safe_file?(path)

  base_path                      = File.split(path).first
  # Files in the root directory can refer to themselves
  base_path                      = path if base_path == '/'
  File.join(option[:public], base_path)
  Otto.logger.debug "new static route: #{base_path} (#{path})" if Otto.debug
  routes_static[:GET][base_path] = base_path
end

#add_trusted_proxy(proxy) ⇒ Object

Add a trusted proxy server for accurate client IP detection. Only requests from trusted proxies will have their forwarded headers honored.

Examples:

otto.add_trusted_proxy('10.0.0.0/8')
otto.add_trusted_proxy(/^172\.16\./)

Parameters:

• proxy (String, Regexp) —

  IP address, CIDR range, or regex pattern

# File 'lib/otto.rb', line 325

def add_trusted_proxy(proxy)
  @security_config.add_trusted_proxy(proxy)
end

#call(env) ⇒ Object

# File 'lib/otto.rb', line 143

def call(env)
  # Apply middleware stack
  app = ->(e) { handle_request(e) }
  @middleware_stack.reverse_each do |middleware|
    app = middleware.new(app, @security_config)
  end

  begin
    app.call(env)
  rescue StandardError => ex
    handle_error(ex, env)
  end
end

#determine_locale(env) ⇒ Object

# File 'lib/otto.rb', line 266

def determine_locale(env)
  accept_langs = env['HTTP_ACCEPT_LANGUAGE']
  accept_langs = option[:locale] if accept_langs.to_s.empty?
  locales      = []
  unless accept_langs.empty?
    locales = accept_langs.split(',').map do |l|
      l += ';q=1.0' unless /;q=\d+(?:\.\d+)?$/.match?(l)
      l.split(';q=')
    end.sort_by do |_locale, qvalue|
      qvalue.to_f
    end.collect do |locale, _qvalue|
      locale
    end.reverse
  end
  Otto.logger.debug "locale: #{locales} (#{accept_langs})" if Otto.debug
  locales.empty? ? nil : locales
end

#enable_csp!(policy = "default-src 'self'") ⇒ Object

Enable Content Security Policy (CSP) header to prevent XSS attacks. The default policy only allows resources from the same origin.

Examples:

otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")

Parameters:

• policy (String) (defaults to: "default-src 'self'") —

  CSP policy string (default: “default-src ‘self’”)

# File 'lib/otto.rb', line 360

def enable_csp!(policy = "default-src 'self'")
  @security_config.enable_csp!(policy)
end

#enable_csrf_protection! ⇒ Object

Enable CSRF protection for POST, PUT, DELETE, and PATCH requests. This will automatically add CSRF tokens to HTML forms and validate them on unsafe HTTP methods.

Examples:

otto.enable_csrf_protection!

# File 'lib/otto.rb', line 299

def enable_csrf_protection!
  return if middleware_enabled?(Otto::Security::CSRFMiddleware)

  @security_config.enable_csrf_protection!
  use Otto::Security::CSRFMiddleware
end

#enable_frame_protection!(option = 'SAMEORIGIN') ⇒ Object

Enable X-Frame-Options header to prevent clickjacking attacks.

Examples:

otto.enable_frame_protection!('DENY')

Parameters:

• option (String) (defaults to: 'SAMEORIGIN') —

  Frame options: ‘DENY’, ‘SAMEORIGIN’, or ‘ALLOW-FROM uri’

# File 'lib/otto.rb', line 369

def enable_frame_protection!(option = 'SAMEORIGIN')
  @security_config.enable_frame_protection!(option)
end

#enable_hsts!(max_age: 31_536_000, include_subdomains: true) ⇒ Object

Enable HTTP Strict Transport Security (HSTS) header. WARNING: This can make your domain inaccessible if HTTPS is not properly configured. Only enable this when you’re certain HTTPS is working correctly.

Examples:

otto.enable_hsts!(max_age: 86400, include_subdomains: false)

Parameters:

• max_age (Integer) (defaults to: 31_536_000) —

  Maximum age in seconds (default: 1 year)

• include_subdomains (Boolean) (defaults to: true) —

  Apply to all subdomains (default: true)

# File 'lib/otto.rb', line 350

def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
  @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
end

#enable_request_validation! ⇒ Object

Enable request validation including input sanitization, size limits, and protection against XSS and SQL injection attacks.

Examples:

otto.enable_request_validation!

# File 'lib/otto.rb', line 311

def enable_request_validation!
  return if middleware_enabled?(Otto::Security::ValidationMiddleware)

  @security_config.input_validation = true
  use Otto::Security::ValidationMiddleware
end

#handle_request(env) ⇒ Object

# File 'lib/otto.rb', line 157

def handle_request(env)
  locale             = determine_locale env
  env['rack.locale'] = locale
  @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
  path_info          = Rack::Utils.unescape(env['PATH_INFO'])
  path_info          = '/' if path_info.to_s.empty?

  begin
    path_info_clean = path_info
      .encode(
        'UTF-8', # Target encoding
        invalid: :replace, # Replace invalid byte sequences
        undef: :replace,   # Replace characters undefined in UTF-8
        replace: '',        # Use empty string for replacement
      )
      .gsub(%r{/$}, '') # Remove trailing slash, if present
  rescue ArgumentError => ex
    # Log the error but don't expose details
    Otto.logger.error '[Otto.handle_request] Path encoding error'
    Otto.logger.debug "[Otto.handle_request] Error details: #{ex.message}" if Otto.debug
    # Set a default value or use the original path_info
    path_info_clean = path_info
  end

  base_path      = File.split(path_info).first
  # Files in the root directory can refer to themselves
  base_path      = path_info if base_path == '/'
  http_verb      = env['REQUEST_METHOD'].upcase.to_sym
  literal_routes = routes_literal[http_verb] || {}
  literal_routes.merge! routes_literal[:GET] if http_verb == :HEAD
  if static_route && http_verb == :GET && routes_static[:GET].member?(base_path)
    # Otto.logger.debug " request: #{path_info} (static)"
    static_route.call(env)
  elsif literal_routes.has_key?(path_info_clean)
    route = literal_routes[path_info_clean]
    # Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
    route.call(env)
  elsif static_route && http_verb == :GET && safe_file?(path_info)
    Otto.logger.debug " new static route: #{base_path} (#{path_info})" if Otto.debug
    routes_static[:GET][base_path] = base_path
    static_route.call(env)
  else
    extra_params  = {}
    found_route   = nil
    valid_routes  = routes[http_verb] || []
    valid_routes.push(*routes[:GET]) if http_verb == :HEAD
    valid_routes.each do |route|
      # Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
      next unless (match = route.pattern.match(path_info))

      values       = match.captures.to_a
      # The first capture returned is the entire matched string b/c
      # we wrapped the entire regex in parens. We don't need it to
      # the full match.
      values.shift
      extra_params =
        if route.keys.any?
          route.keys.zip(values).each_with_object({}) do |(k, v), hash|
            if k == 'splat'
              (hash[k] ||= []) << v
            else
              hash[k] = v
            end
          end
        elsif values.any?
          { 'captures' => values }
        else
          {}
        end
      found_route  = route
      break
    end
    found_route ||= literal_routes['/404']
    if found_route
      found_route.call env, extra_params
    else
      @not_found || Otto::Static.not_found
    end
  end
end

#load(path) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/otto.rb', line 70

def load(path)
  path = File.expand_path(path)
  raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)

  raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip.split(/\s+/) }
  raw.each do |entry|
    verb, path, definition                  = *entry
    route                                   = Otto::Route.new verb, path, definition
    route.otto                              = self
    path_clean                              = path.gsub(%r{/$}, '')
    @route_definitions[route.definition]    = route
    Otto.logger.debug "route: #{route.pattern}" if Otto.debug
    @routes[route.verb]                   ||= []
    @routes[route.verb] << route
    @routes_literal[route.verb]           ||= {}
    @routes_literal[route.verb][path_clean] = route
  rescue StandardError
    Otto.logger.error "Bad route in #{path}: #{entry}"
  end
  self
end

#safe_dir?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/otto.rb', line 117

def safe_dir?(path)
  return false if path.nil? || path.empty?

  # Clean and expand the path
  clean_path = path.delete("\0").strip
  return false if clean_path.empty?

  expanded_path = File.expand_path(clean_path)

  # Check directory exists, is readable, and has proper ownership
  File.directory?(expanded_path) &&
    File.readable?(expanded_path) &&
    (File.owned?(expanded_path) || File.grpowned?(expanded_path))
end

#safe_file?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/otto.rb', line 92

def safe_file?(path)
  return false if option[:public].nil? || option[:public].empty?
  return false if path.nil? || path.empty?

  # Normalize and resolve the public directory path
  public_dir = File.expand_path(option[:public])
  return false unless File.directory?(public_dir)

  # Clean the requested path - remove null bytes and normalize
  clean_path = path.delete("\0").strip
  return false if clean_path.empty?

  # Join and expand to get the full resolved path
  requested_path = File.expand_path(File.join(public_dir, clean_path))

  # Ensure the resolved path is within the public directory (prevents path traversal)
  return false unless requested_path.start_with?(public_dir + File::SEPARATOR)

  # Check file exists, is readable, and is not a directory
  File.exist?(requested_path) &&
    File.readable?(requested_path) &&
    !File.directory?(requested_path) &&
    (File.owned?(requested_path) || File.grpowned?(requested_path))
end

#set_security_headers(headers) ⇒ Object

Set custom security headers that will be added to all responses. These merge with the default security headers.

Examples:

otto.set_security_headers({
  'content-security-policy' => "default-src 'self'",
  'strict-transport-security' => 'max-age=31536000'
})

Parameters:

• headers (Hash) —

  Hash of header name => value pairs

# File 'lib/otto.rb', line 338

def set_security_headers(headers)
  @security_config.security_headers.merge!(headers)
end

#uri(route_definition, params = {}) ⇒ Object

Return the URI path for the given route_definition e.g.

Otto.default.path 'YourClass.somemethod'  #=> /some/path

# File 'lib/otto.rb', line 243

def uri(route_definition, params = {})
  # raise RuntimeError, "Not working"
  route = @route_definitions[route_definition]
  return if route.nil?

  local_params = params.clone
  local_path   = route.path.clone

  local_params.each_pair do |k, v|
    next unless local_path.match(":#{k}")

    local_path.gsub!(":#{k}", v.to_s)
    local_params.delete(k)
  end

  uri = URI::HTTP.new(nil, nil, nil, nil, nil, local_path, nil, nil, nil)
  unless local_params.empty?
    query_string = local_params.map { |k, v| "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}" }.join('&')
    uri.query    = query_string
  end
  uri.to_s
end

#use(middleware) ⇒ Object

Add middleware to the stack

Parameters:

• middleware (Class) —

  The middleware class to add

• args (Array) —

  Additional arguments for the middleware

• block (Proc) —

  Optional block for middleware configuration

# File 'lib/otto.rb', line 289

def use(middleware, *, &)
  @middleware_stack << middleware
end