secure_boundary 0.1.0

Input validation, request limits, CORS, Fetch Metadata, and browser boundary protections.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384

//! HTTP body/query/path extractors implementing the four-stage validation pipeline.
//!
//! Stages:
//! 1. **Transport validity** — body size limits, `Content-Type` check
//! 2. **Syntactic validity** — JSON parsing, unknown-field rejection via serde
//! 3. **Semantic validity** — [`SecureValidate`] trait
//! 4. **Authz-adjacent invariants** — future extension point
//!
//! Use `.into_inner()` to consume the validated value. `Deref<Target=T>` is
//! intentionally **not** implemented.
//!
//! The [`SecureJson`], [`SecureQuery`], and [`SecurePath`] new-types are
//! framework-neutral and live here unconditionally. The axum-specific
//! `FromRequest` / `FromRequestParts` implementations are gated on the
//! `axum` feature (default). The matching Actix-web 4 implementation for
//! `SecureJson<T>` lives under the crate's `actix` module (behind the
//! `actix-web` feature).

#[cfg(any(feature = "axum", feature = "actix-web"))]
use serde::de::DeserializeOwned;

#[cfg(any(feature = "axum", feature = "actix-web"))]
use crate::{
    attack_signal::{BoundaryViolation, ViolationKind},
    error::BoundaryRejection,
    limits::RequestLimits,
    validate::{SecureValidate, ValidationContext},
};

/// A JSON body extractor that applies the four-stage validation pipeline.
///
/// Use `.into_inner()` to consume the validated inner value.
/// `Deref<Target=T>` is not implemented by design.
///
/// # Examples
///
/// ```no_run
/// use secure_boundary::extract::SecureJson;
/// use secure_boundary::validate::{SecureValidate, ValidationContext};
///
/// #[derive(serde::Deserialize)]
/// #[serde(deny_unknown_fields)]
/// struct CreateItem {
///     name: String,
/// }
///
/// impl SecureValidate for CreateItem {
///     fn validate_syntax(&self, _: &ValidationContext) -> Result<(), &'static str> {
///         if self.name.is_empty() { Err("name_empty") } else { Ok(()) }
///     }
///     fn validate_semantics(&self, _: &ValidationContext) -> Result<(), &'static str> { Ok(()) }
/// }
///
/// async fn handler(json: SecureJson<CreateItem>) {
///     let item = json.into_inner();
///     println!("created: {}", item.name);
/// }
/// ```
pub struct SecureJson<T>(T);

impl<T> SecureJson<T> {
    /// Constructs a [`SecureJson`] directly from an already-validated value.
    ///
    /// Primarily useful inside framework adapters after the four-stage
    /// validation pipeline has completed.
    #[cfg(any(feature = "axum", feature = "actix-web"))]
    #[must_use]
    pub(crate) fn from_validated(value: T) -> Self {
        Self(value)
    }

    /// Consumes the extractor and returns the validated inner value.
    #[must_use]
    pub fn into_inner(self) -> T {
        self.0
    }
}

/// A query parameter extractor that applies syntactic and semantic validation.
///
/// Use `.into_inner()` to consume the validated inner value.
///
/// # Examples
///
/// ```no_run
/// use secure_boundary::extract::SecureQuery;
/// use secure_boundary::validate::{SecureValidate, ValidationContext};
///
/// #[derive(serde::Deserialize)]
/// struct Pagination {
///     page: u32,
/// }
///
/// impl SecureValidate for Pagination {
///     fn validate_syntax(&self, _: &ValidationContext) -> Result<(), &'static str> { Ok(()) }
///     fn validate_semantics(&self, _: &ValidationContext) -> Result<(), &'static str> { Ok(()) }
/// }
///
/// async fn handler(query: SecureQuery<Pagination>) {
///     let pg = query.into_inner();
///     println!("page: {}", pg.page);
/// }
/// ```
pub struct SecureQuery<T>(T);

impl<T> SecureQuery<T> {
    /// Consumes the extractor and returns the validated inner value.
    #[must_use]
    pub fn into_inner(self) -> T {
        self.0
    }
}

/// A path parameter extractor that applies syntactic and semantic validation.
///
/// Use `.into_inner()` to consume the validated inner value.
///
/// # Examples
///
/// ```no_run
/// use secure_boundary::extract::SecurePath;
/// use secure_boundary::validate::{SecureValidate, ValidationContext};
///
/// #[derive(serde::Deserialize)]
/// struct ItemPath {
///     id: u64,
/// }
///
/// impl SecureValidate for ItemPath {
///     fn validate_syntax(&self, _: &ValidationContext) -> Result<(), &'static str> { Ok(()) }
///     fn validate_semantics(&self, _: &ValidationContext) -> Result<(), &'static str> { Ok(()) }
/// }
///
/// async fn handler(path: SecurePath<ItemPath>) {
///     let p = path.into_inner();
///     println!("item id: {}", p.id);
/// }
/// ```
pub struct SecurePath<T>(T);

impl<T> SecurePath<T> {
    /// Consumes the extractor and returns the validated inner value.
    #[must_use]
    pub fn into_inner(self) -> T {
        self.0
    }
}

// Runs the full four-stage JSON validation pipeline against a byte buffer.
//
// Called by every framework-specific `SecureJson<T>` adapter after that
// adapter has (a) confirmed `Content-Type: application/json` and (b)
// collected the request body into bytes. All `BoundaryViolation` emission
// and `BoundaryRejection` mapping happens here so axum and actix-web
// paths agree on outcomes byte-for-byte.
//
// This helper is `pub(crate)` — external consumers use the framework
// extractors.
#[cfg(any(feature = "axum", feature = "actix-web"))]
pub(crate) fn validate_json_bytes<T>(
    bytes: &[u8],
    limits: &RequestLimits,
    ctx: &ValidationContext,
) -> Result<T, BoundaryRejection>
where
    T: DeserializeOwned + SecureValidate,
{
    // Stage 1 (cont): Body size limit
    if bytes.len() > limits.max_body_bytes {
        BoundaryViolation::new(ViolationKind::BodyTooLarge, "body_too_large").emit();
        return Err(BoundaryRejection::BodyTooLarge);
    }

    // Stage 1 (cont): Nesting depth and field count limits
    check_json_limits(bytes, limits.max_nesting_depth, limits.max_field_count)?;

    // Stage 2: Syntactic validity — parse JSON (respects #[serde(deny_unknown_fields)])
    let value: T = serde_json::from_slice(bytes).map_err(|_| {
        BoundaryViolation::new(ViolationKind::SyntaxViolation, "malformed_json").emit();
        BoundaryRejection::MalformedBody
    })?;

    // Stage 3: Semantic validity — SecureValidate trait
    value.validate_syntax(ctx).map_err(|code| {
        BoundaryViolation::new(ViolationKind::SyntaxViolation, code).emit();
        BoundaryRejection::SyntaxViolation { code }
    })?;

    value.validate_semantics(ctx).map_err(|code| {
        BoundaryViolation::new(ViolationKind::SemanticViolation, code).emit();
        BoundaryRejection::SemanticViolation { code }
    })?;

    Ok(value)
}

/// Runs the syntactic+semantic `SecureValidate` pipeline against a value
/// that is already parsed (e.g. via axum's `Query` or `Path` extractor).
///
/// Used by the query/path extractor adapters to keep emission semantics
/// identical between frameworks.
#[cfg(feature = "axum")]
pub(crate) fn validate_parsed<T>(value: T, ctx: &ValidationContext) -> Result<T, BoundaryRejection>
where
    T: SecureValidate,
{
    value.validate_syntax(ctx).map_err(|code| {
        BoundaryViolation::new(ViolationKind::SyntaxViolation, code).emit();
        BoundaryRejection::SyntaxViolation { code }
    })?;

    value.validate_semantics(ctx).map_err(|code| {
        BoundaryViolation::new(ViolationKind::SemanticViolation, code).emit();
        BoundaryRejection::SemanticViolation { code }
    })?;

    Ok(value)
}

#[cfg(feature = "axum")]
mod axum_impl {
    use super::{
        validate_json_bytes, validate_parsed, BoundaryRejection, BoundaryViolation,
        DeserializeOwned, RequestLimits, SecurePath, SecureQuery, SecureValidate,
        ValidationContext, ViolationKind,
    };
    use crate::attack_signal;
    use axum::{
        extract::{FromRequest, FromRequestParts, Path, Query, Request},
        http::request::Parts,
    };
    use http_body_util::BodyExt;

    impl<T, S> FromRequest<S> for super::SecureJson<T>
    where
        T: DeserializeOwned + SecureValidate,
        S: Send + Sync,
    {
        type Rejection = BoundaryRejection;

        async fn from_request(req: Request, _state: &S) -> Result<Self, Self::Rejection> {
            // Allow per-route limit overrides via Extension<RequestLimits>.
            let limits = req
                .extensions()
                .get::<RequestLimits>()
                .cloned()
                .unwrap_or_default();
            let ctx = ValidationContext::new();

            // Stage 1: Transport validity — Content-Type check
            let content_type = req
                .headers()
                .get("content-type")
                .and_then(|v| v.to_str().ok())
                .unwrap_or("");

            if !content_type.starts_with("application/json") {
                attack_signal::BoundaryViolation::new(
                    attack_signal::ViolationKind::InvalidContentType,
                    "invalid_content_type",
                )
                .emit();
                return Err(BoundaryRejection::InvalidContentType);
            }

            // Collect body bytes
            let bytes = req
                .into_body()
                .collect()
                .await
                .map_err(|_| BoundaryRejection::MalformedBody)?
                .to_bytes();

            let value = validate_json_bytes::<T>(&bytes, &limits, &ctx)?;
            Ok(super::SecureJson::from_validated(value))
        }
    }

    impl<T, S> FromRequestParts<S> for SecureQuery<T>
    where
        T: DeserializeOwned + SecureValidate,
        S: Send + Sync,
    {
        type Rejection = BoundaryRejection;

        async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
            let ctx = ValidationContext::new();

            let query = Query::<T>::from_request_parts(parts, state)
                .await
                .map_err(|_| {
                    BoundaryViolation::new(ViolationKind::InvalidQueryParam, "invalid_query")
                        .emit();
                    BoundaryRejection::InvalidParameter
                })?;

            let value = validate_parsed(query.0, &ctx)?;
            Ok(SecureQuery(value))
        }
    }

    impl<T, S> FromRequestParts<S> for SecurePath<T>
    where
        T: DeserializeOwned + SecureValidate + Send,
        S: Send + Sync,
    {
        type Rejection = BoundaryRejection;

        async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
            let ctx = ValidationContext::new();

            let path = Path::<T>::from_request_parts(parts, state)
                .await
                .map_err(|_| {
                    BoundaryViolation::new(ViolationKind::InvalidPathParam, "invalid_path").emit();
                    BoundaryRejection::InvalidParameter
                })?;

            let value = validate_parsed(path.0, &ctx)?;
            Ok(SecurePath(value))
        }
    }
}

/// Scans raw JSON bytes and enforces nesting depth and field count limits.
///
/// Uses a single-pass byte scanner that correctly skips string contents
/// (handling escape sequences), counting `{`/`[` for depth and `:` for fields.
///
/// # Errors
///
/// Returns [`BoundaryRejection::NestingTooDeep`] or [`BoundaryRejection::TooManyFields`]
/// when the respective limit is exceeded.
#[cfg(any(feature = "axum", feature = "actix-web"))]
fn check_json_limits(
    bytes: &[u8],
    max_depth: usize,
    max_fields: usize,
) -> Result<(), BoundaryRejection> {
    let mut depth: usize = 0;
    let mut field_count: usize = 0;
    let mut in_string = false;
    let mut escape = false;

    for &b in bytes {
        if escape {
            escape = false;
            continue;
        }
        if in_string {
            if b == b'\\' {
                escape = true;
            } else if b == b'"' {
                in_string = false;
            }
            continue;
        }
        match b {
            b'"' => {
                in_string = true;
            }
            b'{' | b'[' => {
                depth += 1;
                if depth > max_depth {
                    BoundaryViolation::new(ViolationKind::NestingTooDeep, "nesting_too_deep")
                        .emit();
                    return Err(BoundaryRejection::NestingTooDeep);
                }
            }
            b'}' | b']' => {
                depth = depth.saturating_sub(1);
            }
            b':' => {
                field_count += 1;
                if field_count > max_fields {
                    BoundaryViolation::new(ViolationKind::TooManyFields, "too_many_fields").emit();
                    return Err(BoundaryRejection::TooManyFields);
                }
            }
            _ => {}
        }
    }
    Ok(())
}