diff --git a/CHANGELOG b/CHANGELOG index 8e4f7d00..1eb83175 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,7 @@ += master + +* Remove dependency on base64 library from sessions and route_csrf plugin, as it will not be part of the standard library in Ruby 3.4+ (jeremyevans) + = 3.72.0 (2023-09-12) * Add invalid_request_body plugin for custom handling of invalid request bodies (jeremyevans) diff --git a/lib/roda/plugins/_base64.rb b/lib/roda/plugins/_base64.rb new file mode 100644 index 00000000..b7a9b05c --- /dev/null +++ b/lib/roda/plugins/_base64.rb @@ -0,0 +1,40 @@ +# frozen-string-literal: true + +# +class Roda + module RodaPlugins + module Base64_ + class << self + if RUBY_VERSION >= '2.4' + def decode64(str) + str.unpack1("m0") + end + # :nocov: + else + def decode64(str) + str.unpack("m0")[0] + end + # :nocov: + end + + def urlsafe_encode64(bin) + str = [bin].pack("m0") + str.tr!("+/", "-_") + str + end + + def urlsafe_decode64(str) + if str.length % 4 == 0 + str = str.tr("-_", "+/") + else + str = str.ljust((str.length + 3) & ~3, "=") + str.tr!("-_", "+/") + end + decode64(str) + end + end + end + + register_plugin(:_base64, Base64_) + end +end diff --git a/lib/roda/plugins/route_csrf.rb b/lib/roda/plugins/route_csrf.rb index deee9bcd..9188b721 100644 --- a/lib/roda/plugins/route_csrf.rb +++ b/lib/roda/plugins/route_csrf.rb @@ -1,6 +1,5 @@ # frozen-string-literal: true -require 'base64' require 'openssl' require 'securerandom' require 'uri' @@ -163,6 +162,10 @@ module RouteCsrf # a valid CSRF token was not provided. class InvalidToken < RodaError; end + def self.load_dependencies(app, opts=OPTS) + app.plugin :_base64 + end + def self.configure(app, opts=OPTS, &block) options = app.opts[:route_csrf] = (app.opts[:route_csrf] || DEFAULTS).merge(opts) if block || opts[:csrf_failure].is_a?(Proc) @@ -260,7 +263,7 @@ def csrf_tag(*args) def csrf_token(path=nil, method=('POST' if path)) token = SecureRandom.random_bytes(31) token << csrf_hmac(token, method, path) - Base64.strict_encode64(token) + [token].pack("m0") end # Whether request-specific CSRF tokens should be used by default. @@ -314,7 +317,7 @@ def csrf_invalid_message(opts) end begin - submitted_hmac = Base64.strict_decode64(encoded_token) + submitted_hmac = Base64_.decode64(encoded_token) rescue ArgumentError return "encoded token is not valid base64" end @@ -354,7 +357,7 @@ def csrf_hmac(random_data, method, path) # JSON is used for session serialization). def csrf_secret key = session[csrf_options[:key]] ||= SecureRandom.base64(32) - Base64.strict_decode64(key) + Base64_.decode64(key) end end end diff --git a/lib/roda/plugins/sessions.rb b/lib/roda/plugins/sessions.rb index 7d5984c3..7ec901ea 100644 --- a/lib/roda/plugins/sessions.rb +++ b/lib/roda/plugins/sessions.rb @@ -10,7 +10,6 @@ # :nocov: end -require 'base64' require 'json' require 'securerandom' require 'zlib' @@ -171,6 +170,10 @@ def self.split_secret(name, secret) [cipher_secret.freeze, hmac_secret.freeze] end + def self.load_dependencies(app, opts=OPTS) + app.plugin :_base64 + end + # Configure the plugin, see Sessions for details on options. def self.configure(app, opts=OPTS) opts = (app.opts[:sessions] || DEFAULT_OPTIONS).merge(opts) @@ -344,7 +347,7 @@ def _deserialize_session(data) opts = roda_class.opts[:sessions] begin - data = Base64.urlsafe_decode64(data) + data = Base64_.urlsafe_decode64(data) rescue ArgumentError return _session_serialization_error("Unable to decode session: invalid base64") end @@ -493,7 +496,7 @@ def _serialize_session(session) data << encrypted_data data << OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:hmac_secret], data+opts[:key]) - data = Base64.urlsafe_encode64(data) + data = Base64_.urlsafe_encode64(data) if data.bytesize >= 4096 raise CookieTooLarge, "attempted to create cookie larger than 4096 bytes" diff --git a/spec/plugin/sessions_spec.rb b/spec/plugin/sessions_spec.rb index d3b3907e..3d048fdf 100644 --- a/spec/plugin/sessions_spec.rb +++ b/spec/plugin/sessions_spec.rb @@ -1,4 +1,7 @@ require_relative "../spec_helper" +require_relative "../../lib/roda/plugins/_base64" + +base64 = Roda::RodaPlugins::Base64_ if RUBY_VERSION >= '2' [true, false].each do |per_cookie_cipher_secret| @@ -292,7 +295,7 @@ def errors end it "raises CookieTooLarge if cookie is too large" do - proc{req('/s/foo/'+Base64.urlsafe_encode64(SecureRandom.random_bytes(8192)))}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge + proc{req('/s/foo/'+base64.urlsafe_encode64(SecureRandom.random_bytes(8192)))}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge end it "ignores session cookies if session exceeds max time since create" do @@ -348,23 +351,23 @@ def errors body('/g/foo').must_equal '' errors.must_equal ["Unable to decode session: invalid base64"] - @cookie = k+Base64.urlsafe_encode64('') + @cookie = k+base64.urlsafe_encode64('') body('/g/foo').must_equal '' errors.must_equal ["Unable to decode session: no data"] - @cookie = k+Base64.urlsafe_encode64("\0" * 60) + @cookie = k+base64.urlsafe_encode64("\0" * 60) body('/g/foo').must_equal '' errors.must_equal ["Unable to decode session: data too short"] - @cookie = k+Base64.urlsafe_encode64("\1" * 92) + @cookie = k+base64.urlsafe_encode64("\1" * 92) body('/g/foo').must_equal '' errors.must_equal ["Unable to decode session: data too short"] - @cookie = k+Base64.urlsafe_encode64('1'*75) + @cookie = k+base64.urlsafe_encode64('1'*75) body('/g/foo').must_equal '' errors.must_equal ["Unable to decode session: version marker unsupported"] - @cookie = k+Base64.urlsafe_encode64("\0"*75) + @cookie = k+base64.urlsafe_encode64("\0"*75) body('/g/foo').must_equal '' errors.must_equal ["Not decoding session: HMAC invalid"] end