Class: Otto::Security::Middleware::ValidationMiddleware

Inherits:

Object

• Object
• Otto::Security::Middleware::ValidationMiddleware

Includes:

ValidationHelpers

Defined in:

lib/otto/security/middleware/validation_middleware.rb

Overview

ValidationMiddleware provides input validation and sanitization for web requests Uses Loofah for HTML/XSS sanitization and Facets for filename sanitization

Constant Summary

INVALID_CHARACTERS =

Character validation patterns

/[\x00-\x1f\x7f-\xff]/n

NULL_BYTE =

/\0/

Instance Method Summary

• #call(env) ⇒ Object
• #initialize(app, config = nil) ⇒ ValidationMiddleware constructor

  HTML/XSS sanitization is handled by Loofah library for better security coverage.

Methods included from ValidationHelpers

#sanitize_filename, #validate_input

Constructor Details

#initialize(app, config = nil) ⇒ ValidationMiddleware

HTML/XSS sanitization is handled by Loofah library for better security coverage

NOTE: There is deliberately no SQL-injection pattern matching here. Input-validation blocklists for SQL are bypassable theater and produce false positives on legitimate input; the correct defense is parameterized queries / prepared statements at the data-access layer.

# File 'lib/otto/security/middleware/validation_middleware.rb', line 25

def initialize(app, config = nil)
  @app    = app
  @config = config || Otto::Security::Config.new
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/otto/security/middleware/validation_middleware.rb', line 30

def call(env)
  return @app.call(env) unless @config.input_validation

  request = Otto::Request.new(env)

  begin
    # Validate request size
    validate_request_size(request)

    # Validate content type
    validate_content_type(request)

    # Validate and sanitize parameters
    begin
      validate_parameters(request) if request.params
    rescue Rack::QueryParser::QueryLimitError => e
      # Handle Rack's built-in query parsing limits
      raise Otto::Security::ValidationError, "Parameter structure too complex: #{e.message}"
    end

    # Validate headers
    validate_headers(request)

    @app.call(env)
  rescue Otto::Security::ValidationError => e
    # Log validation failure
    Otto.structured_log(:warn, "Input validation failed",
      Otto::LoggingHelpers.request_context(env).merge(
        error: e.message
      )
    )
    validation_error_response(e.message)
  rescue Otto::Security::RequestTooLargeError => e
    # Log request size violation
    Otto.structured_log(:warn, "Request too large",
      Otto::LoggingHelpers.request_context(env).merge(
        error: e.message,
        content_length: request.env['CONTENT_LENGTH']
      )
    )
    request_too_large_response(e.message)
  end
end