ruchy 4.2.0

A systems scripting language that transpiles to idiomatic Rust with extreme quality engineering
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! URL validation helpers for import statements

use super::super::{bail, Result};

/// Validate URL imports for safe operation
pub(in crate::frontend::parser) fn validate_url_import(url: &str) -> Result<()> {
    validate_url_scheme(url)?;
    validate_url_extension(url)?;
    validate_url_path_safety(url)?;
    validate_url_no_suspicious_patterns(url)?;
    Ok(())
}

/// Validate URL uses HTTPS (except for localhost)
/// Extracted to reduce complexity
pub fn validate_url_scheme(url: &str) -> Result<()> {
    if is_valid_url_scheme(url) {
        Ok(())
    } else {
        bail!("URL imports must use HTTPS for security (except for localhost). Got: {url}")
    }
}

/// Check if URL has valid scheme
pub fn is_valid_url_scheme(url: &str) -> bool {
    url.starts_with("https://")
        || url.starts_with("http://localhost")
        || url.starts_with("http://127.0.0.1")
}

/// Validate URL has correct file extension
pub fn validate_url_extension(url: &str) -> Result<()> {
    if url.ends_with(".ruchy") || url.ends_with(".rchy") {
        Ok(())
    } else {
        bail!("URL imports must reference .ruchy or .rchy files. Got: {url}")
    }
}

/// Validate URL doesn't contain path traversal
pub fn validate_url_path_safety(url: &str) -> Result<()> {
    if url.contains("..") || url.contains("/.") {
        bail!("URL imports cannot contain path traversal sequences (.. or /.): {url}")
    }
    Ok(())
}

/// Validate URL doesn't contain suspicious patterns
pub fn validate_url_no_suspicious_patterns(url: &str) -> Result<()> {
    const SUSPICIOUS_PATTERNS: &[&str] = &["javascript:", "data:", "file:"];
    for pattern in SUSPICIOUS_PATTERNS {
        if url.contains(pattern) {
            bail!("Invalid URL scheme for import");
        }
    }
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_validate_url_import_valid_https() {
        assert!(validate_url_import("https://example.com/module.ruchy").is_ok());
        assert!(validate_url_import("https://cdn.example.com/lib.rchy").is_ok());
    }

    #[test]
    fn test_validate_url_import_valid_localhost() {
        assert!(validate_url_import("http://localhost/test.ruchy").is_ok());
        assert!(validate_url_import("http://127.0.0.1/module.ruchy").is_ok());
    }

    #[test]
    fn test_validate_url_scheme_https() {
        assert!(validate_url_scheme("https://example.com/test.ruchy").is_ok());
    }

    #[test]
    fn test_validate_url_scheme_http_rejected() {
        assert!(validate_url_scheme("http://example.com/test.ruchy").is_err());
    }

    #[test]
    fn test_validate_url_scheme_localhost() {
        assert!(validate_url_scheme("http://localhost/test.ruchy").is_ok());
        assert!(validate_url_scheme("http://127.0.0.1/test.ruchy").is_ok());
    }

    #[test]
    fn test_is_valid_url_scheme() {
        assert!(is_valid_url_scheme("https://example.com"));
        assert!(is_valid_url_scheme("http://localhost"));
        assert!(is_valid_url_scheme("http://127.0.0.1"));
        assert!(!is_valid_url_scheme("http://evil.com"));
        assert!(!is_valid_url_scheme("ftp://example.com"));
    }

    #[test]
    fn test_validate_url_extension_valid() {
        assert!(validate_url_extension("https://example.com/mod.ruchy").is_ok());
        assert!(validate_url_extension("https://example.com/mod.rchy").is_ok());
    }

    #[test]
    fn test_validate_url_extension_invalid() {
        assert!(validate_url_extension("https://example.com/mod.js").is_err());
        assert!(validate_url_extension("https://example.com/mod.py").is_err());
        assert!(validate_url_extension("https://example.com/mod").is_err());
    }

    #[test]
    fn test_validate_url_path_safety_valid() {
        assert!(validate_url_path_safety("https://example.com/modules/test.ruchy").is_ok());
    }

    #[test]
    fn test_validate_url_path_safety_traversal() {
        assert!(validate_url_path_safety("https://example.com/../etc/passwd.ruchy").is_err());
        assert!(validate_url_path_safety("https://example.com/.hidden/test.ruchy").is_err());
    }

    #[test]
    fn test_validate_url_no_suspicious_patterns_valid() {
        assert!(validate_url_no_suspicious_patterns("https://example.com/test.ruchy").is_ok());
    }

    #[test]
    fn test_validate_url_no_suspicious_patterns_javascript() {
        assert!(validate_url_no_suspicious_patterns("javascript:alert(1)").is_err());
    }

    #[test]
    fn test_validate_url_no_suspicious_patterns_data() {
        assert!(validate_url_no_suspicious_patterns("data:text/html,<script>").is_err());
    }

    #[test]
    fn test_validate_url_no_suspicious_patterns_file() {
        assert!(validate_url_no_suspicious_patterns("file:///etc/passwd").is_err());
    }
}