addressable 2.7.0 → 2.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 73a7a5a0dfea976017780e3b434e97aa58216019
-  data.tar.gz: a708925a0882de04f840e9e54d279eb954775921
+SHA256:
+  metadata.gz: 03a21b1eab156a16e90bd7963af85980edfbddc8f3dbe052766303dba76cc000
+  data.tar.gz: 03eca5d86f4c70f9320000f36e3cff4fd8023342a4e0ac855d0ef1ec89ee6183
 SHA512:
-  metadata.gz: c311a5594d7f1051df67287badef72551c52c6bc47598017099d5e8b5c2a9638144bcc6d635b418dfc1970e185cf31016ad54f681c7156d440223ef62f060bc5
-  data.tar.gz: 78527879654347fcf16be86684e1b37ca240c5a80d3baf2217cfdfb501cd6255de47a7cc8058c10e98e558b073981a27be06672f4dec8cf7d18e88a34609e6a1
+  metadata.gz: d504f9475ad823f5bb077b9c039a2c91c83e52c20896247a7289b61725c61b1ddefe8ae06155fb018fc67087cf04276081b42105a18394b45e2374ad0b2fadb0
+  data.tar.gz: b81766fbcb9335d5ca94403b62d3b2a6fae31b66cd3c05f48e1885eaf07883bfa1321b6930271fe1415135aec687af51312a26ce27bd4b83b2ac6424dec597c9

data/CHANGELOG.md

@@ -1,7 +1,18 @@
+# Addressable 2.8.0
+- fixes ReDoS vulnerability in Addressable::Template#match
+- no longer replaces `+` with spaces in queries for non-http(s) schemes
+- fixed encoding ipv6 literals
+- the `:compacted` flag for `normalized_query` now dedupes parameters
+- fix broken `escape_component` alias
+- dropping support for Ruby 2.0 and 2.1
+- adding Ruby 3.0 compatibility for development tasks
+- drop support for `rack-mount` and remove Addressable::Template#generate
+- performance improvements
+- switch CI/CD to GitHub Actions
+
 # Addressable 2.7.0
 - added `:compacted` flag to `normalized_query`
 - `heuristic_parse` handles `mailto:` more intuitively
-- refactored validation to use a prepended module
 - dropped explicit support for JRuby 9.0.5.0
 - compatibility w/ public_suffix 4.x
 - performance improvements

data/Gemfile

@@ -1,12 +1,19 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
-gemspec
+gemspec(path: __FILE__ == "(eval)" ? ".." : ".")
 
 group :test do
   gem 'rspec', '~> 3.8'
   gem 'rspec-its', '~> 1.3'
 end
 
+group :coverage do
+  gem "coveralls", "> 0.7", require: false, platforms: :mri
+  gem "simplecov", require: false
+end
+
 group :development do
   gem 'launchy', '~> 2.4', '>= 2.4.3'
   gem 'redcarpet', :platform => :mri_19
@@ -14,19 +21,8 @@ group :development do
 end
 
 group :test, :development do
-  gem 'rake', '> 10.0', '< 12'
-  gem 'simplecov', :require => false
-  gem 'coveralls', :require => false, :platforms => [
-    :ruby_20, :ruby_21, :ruby_22, :ruby_23
-  ]
-  # Used to test compatibility.
-  gem 'rack-mount', git: 'https://github.com/sporkmonger/rack-mount.git', require: 'rack/mount'
-
-  if RUBY_VERSION.start_with?('2.0', '2.1')
-    gem 'rack', '< 2', :require => false
-  else
-    gem 'rack', :require => false
-  end
+  gem 'memory_profiler'
+  gem "rake", ">= 12.3.3"
 end
 
-gem 'idn-ruby', :platform => [:mri_20, :mri_21, :mri_22, :mri_23, :mri_24]
+gem "idn-ruby", platform: :mri

data/README.md

@@ -7,15 +7,15 @@
   <dt>License</dt><dd>Apache 2.0</dd>
 </dl>
 
-[![Gem Version](http://img.shields.io/gem/dt/addressable.svg)][gem]
-[![Build Status](https://secure.travis-ci.org/sporkmonger/addressable.svg?branch=master)][travis]
+[![Gem Version](https://img.shields.io/gem/dt/addressable.svg)][gem]
+[![Build Status](https://github.com/sporkmonger/addressable/workflows/CI/badge.svg)][actions]
 [![Test Coverage Status](https://img.shields.io/coveralls/sporkmonger/addressable.svg)][coveralls]
-[![Documentation Coverage Status](http://inch-ci.org/github/sporkmonger/addressable.svg?branch=master)][inch]
+[![Documentation Coverage Status](https://inch-ci.org/github/sporkmonger/addressable.svg?branch=master)][inch]
 
 [gem]: https://rubygems.org/gems/addressable
-[travis]: http://travis-ci.org/sporkmonger/addressable
+[actions]: https://github.com/sporkmonger/addressable/actions
 [coveralls]: https://coveralls.io/r/sporkmonger/addressable
-[inch]: http://inch-ci.org/github/sporkmonger/addressable
+[inch]: https://inch-ci.org/github/sporkmonger/addressable
 
 # Description
 
@@ -98,7 +98,7 @@ You may optionally turn on native IDN support by installing libidn and the
 idn gem:
 
 ```console
-$ sudo apt-get install idn # Debian/Ubuntu
+$ sudo apt-get install libidn11-dev # Debian/Ubuntu
 $ brew install libidn # OS X
 $ gem install idn-ruby
 ```
@@ -110,7 +110,7 @@ dependency using a pessimistic version constraint covering the major and minor
 values:
 
 ```ruby
-spec.add_dependency 'addressable', '~> 2.5'
+spec.add_dependency 'addressable', '~> 2.7'
 ```
 
 If you need a specific bug fix, you can also specify minimum tiny versions

data/addressable.gemspec

@@ -0,0 +1,37 @@
+# -*- encoding: utf-8 -*-
+# stub: addressable 2.8.0 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "addressable".freeze
+  s.version = "2.8.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib".freeze]
+  s.authors = ["Bob Aman".freeze]
+  s.date = "2021-07-03"
+  s.description = "Addressable is an alternative implementation to the URI implementation that is\npart of Ruby's standard library. It is flexible, offers heuristic parsing, and\nadditionally provides extensive support for IRIs and URI templates.\n".freeze
+  s.email = "bob@sporkmonger.com".freeze
+  s.extra_rdoc_files = ["README.md".freeze]
+  s.files = ["CHANGELOG.md".freeze, "Gemfile".freeze, "LICENSE.txt".freeze, "README.md".freeze, "Rakefile".freeze, "addressable.gemspec".freeze, "data/unicode.data".freeze, "lib/addressable.rb".freeze, "lib/addressable/idna.rb".freeze, "lib/addressable/idna/native.rb".freeze, "lib/addressable/idna/pure.rb".freeze, "lib/addressable/template.rb".freeze, "lib/addressable/uri.rb".freeze, "lib/addressable/version.rb".freeze, "spec/addressable/idna_spec.rb".freeze, "spec/addressable/net_http_compat_spec.rb".freeze, "spec/addressable/security_spec.rb".freeze, "spec/addressable/template_spec.rb".freeze, "spec/addressable/uri_spec.rb".freeze, "spec/spec_helper.rb".freeze, "tasks/clobber.rake".freeze, "tasks/gem.rake".freeze, "tasks/git.rake".freeze, "tasks/metrics.rake".freeze, "tasks/profile.rake".freeze, "tasks/rspec.rake".freeze, "tasks/yard.rake".freeze]
+  s.homepage = "https://github.com/sporkmonger/addressable".freeze
+  s.licenses = ["Apache-2.0".freeze]
+  s.rdoc_options = ["--main".freeze, "README.md".freeze]
+  s.required_ruby_version = Gem::Requirement.new(">= 2.0".freeze)
+  s.rubygems_version = "3.0.3".freeze
+  s.summary = "URI Implementation".freeze
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<public_suffix>.freeze, [">= 2.0.2", "< 5.0"])
+      s.add_development_dependency(%q<bundler>.freeze, [">= 1.0", "< 3.0"])
+    else
+      s.add_dependency(%q<public_suffix>.freeze, [">= 2.0.2", "< 5.0"])
+      s.add_dependency(%q<bundler>.freeze, [">= 1.0", "< 3.0"])
+    end
+  else
+    s.add_dependency(%q<public_suffix>.freeze, [">= 2.0.2", "< 5.0"])
+    s.add_dependency(%q<bundler>.freeze, [">= 1.0", "< 3.0"])
+  end
+end

data/lib/addressable/idna/pure.rb

@@ -178,44 +178,46 @@ module Addressable
       end
 
       p = []
-      ucs4_to_utf8 = lambda do |ch|
-        if ch < 128
-          p << ch
-        elsif ch < 2048
-          p << (ch >> 6 | 192)
-          p << (ch & 63 | 128)
-        elsif ch < 0x10000
-          p << (ch >> 12 | 224)
-          p << (ch >> 6 & 63 | 128)
-          p << (ch & 63 | 128)
-        elsif ch < 0x200000
-          p << (ch >> 18 | 240)
-          p << (ch >> 12 & 63 | 128)
-          p << (ch >> 6 & 63 | 128)
-          p << (ch & 63 | 128)
-        elsif ch < 0x4000000
-          p << (ch >> 24 | 248)
-          p << (ch >> 18 & 63 | 128)
-          p << (ch >> 12 & 63 | 128)
-          p << (ch >> 6 & 63 | 128)
-          p << (ch & 63 | 128)
-        elsif ch < 0x80000000
-          p << (ch >> 30 | 252)
-          p << (ch >> 24 & 63 | 128)
-          p << (ch >> 18 & 63 | 128)
-          p << (ch >> 12 & 63 | 128)
-          p << (ch >> 6 & 63 | 128)
-          p << (ch & 63 | 128)
-        end
-      end
 
-      ucs4_to_utf8.call(ch_one)
-      ucs4_to_utf8.call(ch_two)
+      ucs4_to_utf8(ch_one, p)
+      ucs4_to_utf8(ch_two, p)
 
       return lookup_unicode_composition(p)
     end
     private_class_method :unicode_compose_pair
 
+    def self.ucs4_to_utf8(char, buffer)
+      if char < 128
+        buffer << char
+      elsif char < 2048
+        buffer << (char >> 6 | 192)
+        buffer << (char & 63 | 128)
+      elsif char < 0x10000
+        buffer << (char >> 12 | 224)
+        buffer << (char >> 6 & 63 | 128)
+        buffer << (char & 63 | 128)
+      elsif char < 0x200000
+        buffer << (char >> 18 | 240)
+        buffer << (char >> 12 & 63 | 128)
+        buffer << (char >> 6 & 63 | 128)
+        buffer << (char & 63 | 128)
+      elsif char < 0x4000000
+        buffer << (char >> 24 | 248)
+        buffer << (char >> 18 & 63 | 128)
+        buffer << (char >> 12 & 63 | 128)
+        buffer << (char >> 6 & 63 | 128)
+        buffer << (char & 63 | 128)
+      elsif char < 0x80000000
+        buffer << (char >> 30 | 252)
+        buffer << (char >> 24 & 63 | 128)
+        buffer << (char >> 18 & 63 | 128)
+        buffer << (char >> 12 & 63 | 128)
+        buffer << (char >> 6 & 63 | 128)
+        buffer << (char & 63 | 128)
+      end
+    end
+    private_class_method :ucs4_to_utf8
+
     def self.unicode_sort_canonical(unpacked)
       unpacked = unpacked.dup
       i = 1

data/lib/addressable/template.rb

@@ -37,7 +37,7 @@ module Addressable
       Addressable::URI::CharacterClasses::DIGIT + '_'
 
     var_char =
-      "(?:(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
+      "(?>(?:[#{variable_char_class}]|%[a-fA-F0-9][a-fA-F0-9])+)"
     RESERVED =
       "(?:[#{anything}]|%[a-fA-F0-9][a-fA-F0-9])"
     UNRESERVED =
@@ -412,7 +412,7 @@ module Addressable
     #   match.captures
     #   #=> ["a", ["b", "c"]]
     def match(uri, processor=nil)
-      uri = Addressable::URI.parse(uri)
+      uri = Addressable::URI.parse(uri) unless uri.is_a?(Addressable::URI)
       mapping = {}
 
       # First, we need to process the pattern, and extract the values.
@@ -653,40 +653,6 @@ module Addressable
       self.to_regexp.named_captures
     end
 
-    ##
-    # Generates a route result for a given set of parameters.
-    # Should only be used by rack-mount.
-    #
-    # @param params [Hash] The set of parameters used to expand the template.
-    # @param recall [Hash] Default parameters used to expand the template.
-    # @param options [Hash] Either a `:processor` or a `:parameterize` block.
-    #
-    # @api private
-    def generate(params={}, recall={}, options={})
-      merged = recall.merge(params)
-      if options[:processor]
-        processor = options[:processor]
-      elsif options[:parameterize]
-        # TODO: This is sending me into fits trying to shoe-horn this into
-        # the existing API. I think I've got this backwards and processors
-        # should be a set of 4 optional blocks named :validate, :transform,
-        # :match, and :restore. Having to use a singleton here is a huge
-        # code smell.
-        processor = Object.new
-        class <<processor
-          attr_accessor :block
-          def transform(name, value)
-            block.call(name, value)
-          end
-        end
-        processor.block = options[:parameterize]
-      else
-        processor = nil
-      end
-      result = self.expand(merged, processor)
-      result.to_s if result
-    end
-
   private
     def ordered_variable_defaults
       @ordered_variable_defaults ||= begin
@@ -973,15 +939,35 @@ module Addressable
       end
     end
 
+    ##
+    # Generates the <tt>Regexp</tt> that parses a template pattern. Memoizes the
+    # value if template processor not set (processors may not be deterministic)
+    #
+    # @param [String] pattern The URI template pattern.
+    # @param [#match] processor The template processor to use.
+    #
+    # @return [Array, Regexp]
+    #   An array of expansion variables nad a regular expression which may be
+    #   used to parse a template pattern
+    def parse_template_pattern(pattern, processor = nil)
+      if processor.nil? && pattern == @pattern
+        @cached_template_parse ||=
+          parse_new_template_pattern(pattern, processor)
+      else
+        parse_new_template_pattern(pattern, processor)
+      end
+    end
+
     ##
     # Generates the <tt>Regexp</tt> that parses a template pattern.
     #
     # @param [String] pattern The URI template pattern.
     # @param [#match] processor The template processor to use.
     #
-    # @return [Regexp]
-    #   A regular expression which may be used to parse a template pattern.
-    def parse_template_pattern(pattern, processor=nil)
+    # @return [Array, Regexp]
+    #   An array of expansion variables nad a regular expression which may be
+    #   used to parse a template pattern
+    def parse_new_template_pattern(pattern, processor = nil)
       # Escape the pattern. The two gsubs restore the escaped curly braces
       # back to their original form. Basically, escape everything that isn't
       # within an expansion.

data/lib/addressable/uri.rb

@@ -48,12 +48,21 @@ module Addressable
       PCHAR = UNRESERVED + SUB_DELIMS + "\\:\\@"
       SCHEME = ALPHA + DIGIT + "\\-\\+\\."
       HOST = UNRESERVED + SUB_DELIMS + "\\[\\:\\]"
-      AUTHORITY = PCHAR
+      AUTHORITY = PCHAR + "\\[\\:\\]"
       PATH = PCHAR + "\\/"
       QUERY = PCHAR + "\\/\\?"
       FRAGMENT = PCHAR + "\\/\\?"
     end
 
+    module NormalizeCharacterClasses
+      HOST = /[^#{CharacterClasses::HOST}]/
+      UNRESERVED = /[^#{CharacterClasses::UNRESERVED}]/
+      PCHAR = /[^#{CharacterClasses::PCHAR}]/
+      SCHEME = /[^#{CharacterClasses::SCHEME}]/
+      FRAGMENT = /[^#{CharacterClasses::FRAGMENT}]/
+      QUERY = %r{[^a-zA-Z0-9\-\.\_\~\!\$\'\(\)\*\+\,\=\:\@\/\?%]|%(?!2B|2b)}
+    end
+
     SLASH = '/'
     EMPTY_STR = ''
 
@@ -73,7 +82,7 @@ module Addressable
       "wais" => 210,
       "ldap" => 389,
       "prospero" => 1525
-    }
+    }.freeze
 
     ##
     # Returns a URI object based on the parsed string.
@@ -421,7 +430,7 @@ module Addressable
     end
 
     class << self
-      alias_method :encode_component, :encode_component
+      alias_method :escape_component, :encode_component
     end
 
     ##
@@ -463,7 +472,11 @@ module Addressable
       uri = uri.dup
       # Seriously, only use UTF-8. I'm really not kidding!
       uri.force_encoding("utf-8")
-      leave_encoded = leave_encoded.dup.force_encoding("utf-8")
+
+      unless leave_encoded.empty?
+        leave_encoded = leave_encoded.dup.force_encoding("utf-8")
+      end
+
       result = uri.gsub(/%[0-9a-f]{2}/iu) do |sequence|
         c = sequence[1..3].to_i(16).chr
         c.force_encoding("utf-8")
@@ -554,7 +567,11 @@ module Addressable
           end.flatten.join('|')})"
         end
 
-        character_class = /[^#{character_class}]#{leave_re}/
+        character_class = if leave_re
+                            /[^#{character_class}]#{leave_re}/
+                          else
+                            /[^#{character_class}]/
+                          end
       end
       # We can't perform regexps on invalid UTF sequences, but
       # here we need to, so switch to ASCII.
@@ -878,7 +895,7 @@ module Addressable
         else
           Addressable::URI.normalize_component(
             self.scheme.strip.downcase,
-            Addressable::URI::CharacterClasses::SCHEME
+            Addressable::URI::NormalizeCharacterClasses::SCHEME
           )
         end
       end
@@ -898,7 +915,7 @@ module Addressable
         new_scheme = new_scheme.to_str
       end
       if new_scheme && new_scheme !~ /\A[a-z][a-z0-9\.\+\-]*\z/i
-        raise InvalidURIError, "Invalid scheme format: #{new_scheme}"
+        raise InvalidURIError, "Invalid scheme format: '#{new_scheme}'"
       end
       @scheme = new_scheme
       @scheme = nil if @scheme.to_s.strip.empty?
@@ -933,7 +950,7 @@ module Addressable
         else
           Addressable::URI.normalize_component(
             self.user.strip,
-            Addressable::URI::CharacterClasses::UNRESERVED
+            Addressable::URI::NormalizeCharacterClasses::UNRESERVED
           )
         end
       end
@@ -990,7 +1007,7 @@ module Addressable
         else
           Addressable::URI.normalize_component(
             self.password.strip,
-            Addressable::URI::CharacterClasses::UNRESERVED
+            Addressable::URI::NormalizeCharacterClasses::UNRESERVED
           )
         end
       end
@@ -1114,6 +1131,7 @@ module Addressable
     # @return [String] The host component, normalized.
     def normalized_host
       return nil unless self.host
+
       @normalized_host ||= begin
         if !self.host.strip.empty?
           result = ::Addressable::IDNA.to_ascii(
@@ -1125,14 +1143,17 @@ module Addressable
           end
           result = Addressable::URI.normalize_component(
             result,
-            CharacterClasses::HOST)
+            NormalizeCharacterClasses::HOST
+          )
           result
         else
           EMPTY_STR.dup
         end
       end
       # All normalized values should be UTF-8
-      @normalized_host.force_encoding(Encoding::UTF_8) if @normalized_host
+      if @normalized_host && !@normalized_host.empty?
+        @normalized_host.force_encoding(Encoding::UTF_8)
+      end
       @normalized_host
     end
 
@@ -1537,7 +1558,7 @@ module Addressable
         result = path.strip.split(SLASH, -1).map do |segment|
           Addressable::URI.normalize_component(
             segment,
-            Addressable::URI::CharacterClasses::PCHAR
+            Addressable::URI::NormalizeCharacterClasses::PCHAR
           )
         end.join(SLASH)
 
@@ -1612,11 +1633,15 @@ module Addressable
         modified_query_class = Addressable::URI::CharacterClasses::QUERY.dup
         # Make sure possible key-value pair delimiters are escaped.
         modified_query_class.sub!("\\&", "").sub!("\\;", "")
-        pairs = (self.query || "").split("&", -1)
-        pairs.delete_if(&:empty?) if flags.include?(:compacted)
+        pairs = (query || "").split("&", -1)
+        pairs.delete_if(&:empty?).uniq! if flags.include?(:compacted)
         pairs.sort! if flags.include?(:sorted)
         component = pairs.map do |pair|
-          Addressable::URI.normalize_component(pair, modified_query_class, "+")
+          Addressable::URI.normalize_component(
+            pair,
+            Addressable::URI::NormalizeCharacterClasses::QUERY,
+            "+"
+          )
         end.join("&")
         component == "" ? nil : component
       end
@@ -1675,11 +1700,13 @@ module Addressable
         # so it's best to make all changes in-place.
         pair[0] = URI.unencode_component(pair[0])
         if pair[1].respond_to?(:to_str)
+          value = pair[1].to_str
           # I loathe the fact that I have to do this. Stupid HTML 4.01.
           # Treating '+' as a space was just an unbelievably bad idea.
           # There was nothing wrong with '%20'!
           # If it ain't broke, don't fix it!
-          pair[1] = URI.unencode_component(pair[1].to_str.tr("+", " "))
+          value = value.tr("+", " ") if ["http", "https", nil].include?(scheme)
+          pair[1] = URI.unencode_component(value)
         end
         if return_type == Hash
           accu[pair[0]] = pair[1]
@@ -1810,7 +1837,7 @@ module Addressable
       @normalized_fragment ||= begin
         component = Addressable::URI.normalize_component(
           self.fragment,
-          Addressable::URI::CharacterClasses::FRAGMENT
+          Addressable::URI::NormalizeCharacterClasses::FRAGMENT
         )
         component == "" ? nil : component
       end