Module: Otto::Security::ValidationHelpers

Included in:
Middleware::ValidationMiddleware
Defined in:
lib/otto/helpers/validation.rb

Overview

Validation helper methods providing input validation and sanitization


Instance Method Details

#sanitize_filename(filename) ⇒ Object



# File 'lib/otto/helpers/validation.rb', line 41

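# Reduce a caller-supplied filename to a conservative, filesystem-safe name.
#
# The basic character filtering is delegated to Facets' File.sanitize; this
# method then collapses underscore runs, trims underscores from both ends and
# caps the length. The result is only a single path component: callers that
# write files should still join it onto a fixed base directory and confirm
# the resolved path stays inside that directory.
#
# @param filename [#to_s, nil] the untrusted name (e.g. from an upload)
# @return [String, nil] nil only when +filename+ is nil; otherwise a
#   non-empty name of at most 100 characters ('file' when nothing usable
#   remains)
def sanitize_filename(filename)
  return nil if filename.nil?

  # Convert first so non-String arguments are handled instead of failing on #empty?
  raw_name = filename.to_s
  return 'file' if raw_name.empty?

  clean_name = File.sanitize(raw_name)
  return 'file' if clean_name.nil? || clean_name.empty?

  # Additional cleanup beyond what File.sanitize does
  clean_name = clean_name.gsub(/_{2,}/, '_') # collapse runs of underscores
  # \A and \z anchor the whole string; ^ and $ would also match at every
  # line break if one ever survived the earlier filtering.
  clean_name = clean_name.gsub(/\A_+|_+\z/, '')

  # Trimming underscores can leave an empty string, or a dot-only name such
  # as "." or "..". NOTE(review): Facets is understood to guard dot-only
  # names by prefixing an underscore, which the trim above would remove -
  # confirm against the installed Facets version. Either way, never hand a
  # dot-only name back to the caller.
  clean_name = 'file' if clean_name.empty? || clean_name.match?(/\A\.+\z/)

  # Keep well below the common 255-byte filesystem limit
  clean_name[0, 100]
end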

#validate_input(input, max_length: 1000, allow_html: false) ⇒ Object



# File 'lib/otto/helpers/validation.rb', line 12

# Validate a single input value and return its (possibly sanitized) string form.
#
# Checks run in this order: length limit on the raw string, script-injection
# rejection plus Loofah :whitewash scrubbing (both skipped when +allow_html+
# is true), then the SQL-injection pattern list. The pattern checks are a
# heuristic screen and do not replace parameterized queries or output
# encoding at the point of use.
#
# @param input [#to_s, nil] the value to validate
# @param max_length [Integer] maximum allowed length of the raw string
# @param allow_html [Boolean] when true, the script-injection check and the
#   Loofah scrubbing are both skipped and the text is returned unscrubbed
# @return [String, nil] nil for nil input, otherwise the string that passed
#   validation; with allow_html false this is Loofah's output, which can
#   differ from the text that was passed in
# @raise [Otto::Security::ValidationError] when the input is too long, looks
#   like script injection, or matches a SQL-injection pattern
def validate_input(input, max_length: 1000, allow_html: false)
  return input if input.nil?

  text = input.to_s
  return text if text.empty?

  # The length limit applies to the raw text, before any scrubbing
  char_count = text.length
  if char_count > max_length
    raise Otto::Security::ValidationError, "Input too long (#{char_count} > #{max_length})"
  end

  if !allow_html
    # Script injection is rejected outright rather than scrubbed
    if looks_like_script_injection?(text)
      raise Otto::Security::ValidationError, 'Dangerous content detected'
    end

    # Everything else is passed through Loofah's :whitewash scrubber
    text = Loofah.fragment(text).scrub!(:whitewash).to_s
  end

  # The SQL-injection patterns run on every input, against the scrubbed text
  sql_suspect = ValidationMiddleware::SQL_INJECTION_PATTERNS.any? { |pattern| text.match?(pattern) }
  raise Otto::Security::ValidationError, 'Potential SQL injection detected' if sql_suspect

  text
end