Module: Otto::Security::ValidationHelpers

Included in:
Middleware::ValidationMiddleware
Defined in:
lib/otto/helpers/validation.rb

Overview

Validation helper methods providing input validation and sanitization


Instance Method Details

#sanitize_filename(filename) ⇒ Object



# File 'lib/otto/helpers/validation.rb', line 49

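# Normalise an untrusted filename into a safe, bounded string.
#
# Character-level cleanup is delegated to +basic_filename_sanitize+ (defined
# elsewhere in this module); this method then collapses underscore runs,
# strips leading/trailing underscores, replaces dot-only names and caps the
# length at 100 characters.
#
# @param filename [#to_s, nil] untrusted filename; non-String values are
#   coerced with +to_s+ before any check runs
# @return [String, nil] nil when +filename+ is nil, otherwise a non-empty
#   name of at most 100 characters ('file' when nothing usable remains)
def sanitize_filename(filename)
  return nil if filename.nil?

  # Coerce before the empty? check so a Symbol or Integer does not raise
  # NoMethodError on empty?.
  raw_name = filename.to_s
  return 'file' if raw_name.empty?

  clean_name = basic_filename_sanitize(raw_name)

  if clean_name.nil? || clean_name.empty?
    clean_name = 'file'
  else
    clean_name = clean_name.gsub(/_{2,}/, '_')
    # \A and \z anchor the whole string; ^ and $ are line anchors and would
    # also strip underscores adjacent to any embedded newline.
    clean_name = clean_name.gsub(/\A_+|_+\z/, '')
    clean_name = 'file' if clean_name.empty? || clean_name.match?(FILENAME_DOT_ONLY)
  end

  # Hard upper bound on length; keeps the first 100 characters.
  clean_name = clean_name[0, 100] if clean_name.length > 100

  clean_name
end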

#validate_input(input, max_length: 1000, allow_html: false) ⇒ Object



# File 'lib/otto/helpers/validation.rb', line 20

# Validate and (optionally) sanitize one untrusted input value.
#
# Checks run in this order, each raising Otto::Security::ValidationError:
# 1. the character length must not exceed +max_length+ (measured on the
#    raw +to_s+ value, before any scrubbing);
# 2. unless +allow_html+, input flagged by +looks_like_script_injection?+ is
#    rejected outright and the remainder is passed through Loofah's
#    +:whitewash+ scrubber — the scrubbed text replaces the input, so the
#    returned value may differ from what was passed in;
# 3. the (possibly scrubbed) string is matched against
#    ValidationMiddleware::SQL_INJECTION_PATTERNS.
#
# The pattern checks are heuristics; they complement parameterised queries
# and context-specific output encoding at the point of use rather than
# replacing them.
#
# @param input [#to_s, nil] value to validate; nil is returned unchanged
# @param max_length [Integer] maximum accepted character count
# @param allow_html [Boolean] when true, skip script detection and scrubbing
# @return [String, nil] the validated (and possibly scrubbed) string
# @raise [Otto::Security::ValidationError] on any failed check
def validate_input(input, max_length: 1000, allow_html: false)
  return input if input.nil?

  value = input.to_s
  return value if value.empty?

  if value.length > max_length
    raise Otto::Security::ValidationError, "Input too long (#{value.length} > #{max_length})"
  end

  unless allow_html
    # Script-like content is rejected rather than scrubbed.
    raise Otto::Security::ValidationError, 'Dangerous content detected' if looks_like_script_injection?(value)

    # Loofah whitewash handles the remaining, less dangerous markup.
    value = Loofah.fragment(value).scrub!(:whitewash).to_s
  end

  # SQL pattern screening applies regardless of allow_html.
  sql_hit = ValidationMiddleware::SQL_INJECTION_PATTERNS.any? { |pattern| value.match?(pattern) }
  raise Otto::Security::ValidationError, 'Potential SQL injection detected' if sql_hit

  value
end