faraday 2.14.1 → 2.14.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d5ef64533c80aaabadd55b5ea342b102fd652f5918039c7deff3b26c4ad4a67
-  data.tar.gz: 81ebbac6eb08b7f85ee7d8673e3274bbe110c0a865604a3df7294814ba469eb8
+  metadata.gz: ecc5e9592d7434d7e39bc5cc827be5b62af99e258582468c8b6fd78e0122bf7e
+  data.tar.gz: 4f5728ac524a3456a800c8d0159b4569173b1c841f80fae7d0d2704e261b6588
 SHA512:
-  metadata.gz: 50080c6a64a9c7b0775da8c3d63ece38a3e0946f36500665ee9be6fc547fc1a5313897ffe87fb1f08f802b6a69b8b11f46fb3a2a751ba8c00aab6910cebadbb4
-  data.tar.gz: '093b793d6b3f0ca6951a4c71ffd1f4b2603a1ea7d6efce304b165ae8124dd7cb64f7aa46b455a0ee5c9ba8e0f91ec931484dcdd7d2082dbae64448ee7aa6b2d7'
+  metadata.gz: 12567175cd7d08a95ccf8203bffcb9bebf8d1b52f279ce034c3f3e17dc5efc81e08259c2992ff792560ed626dd59ae305c163cb43018860b3c0ae833c3f68855
+  data.tar.gz: bb786c688b4629c6bc43e4715715fcd42de120eee3802a3614eca60e17627ff77f40298af500a431158b1f1de8bd0d0bd58817a8793bab92e11bac9aa9b482f2

data/examples/client_test.rb

@@ -26,7 +26,7 @@ class Client
 end
 
 # Example API client test
-class ClientTest < Test::Unit::TestCase
+class ClientTest < Test::Unit::TestCase # rubocop:disable Style/OneClassPerFile
   def test_httpbingo_name
     stubs = Faraday::Adapter::Test::Stubs.new
     stubs.get('/api') do |env|

data/lib/faraday/adapter/test.rb

@@ -127,6 +127,14 @@ module Faraday
           new_stub(:options, path, headers, &block)
         end
 
+        # Removes all stubs, including the ones that have already been consumed.
+        def clear
+          @stubs_mutex.synchronize do
+            @stack.clear
+            @consumed.clear
+          end
+        end
+
         # Raises an error if any of the stubbed calls have not been made.
         def verify_stubbed_calls
           failed_stubs = []

data/lib/faraday/adapter.rb

@@ -8,6 +8,12 @@ module Faraday
 
     CONTENT_LENGTH = 'Content-Length'
 
+    TIMEOUT_KEYS = {
+      read: :read_timeout,
+      open: :open_timeout,
+      write: :write_timeout
+    }.freeze
+
     # This module marks an Adapter as supporting parallel requests.
     module Parallelism
       attr_writer :supports_parallel
@@ -23,6 +29,7 @@ module Faraday
     end
 
     extend Parallelism
+
     self.supports_parallel = false
 
     def initialize(_app = nil, opts = {}, &block)
@@ -89,12 +96,6 @@ module Faraday
       end
       options[key] || options[:timeout]
     end
-
-    TIMEOUT_KEYS = {
-      read: :read_timeout,
-      open: :open_timeout,
-      write: :write_timeout
-    }.freeze
   end
 end
 

data/lib/faraday/connection.rb

@@ -481,9 +481,11 @@ module Faraday
       if url && !base.path.end_with?('/')
         base.path = "#{base.path}/" # ensure trailing slash
       end
+      url = url.to_s if url.respond_to?(:host)
       # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
       url = "./#{url}" if url.respond_to?(:start_with?) &&
-                          (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
+                          (url.start_with?('//') ||
+                           !url.start_with?('http://', 'https://', '/', './', '../'))
       uri = url ? base + url : base
       if params
         uri.query = params.to_query(params_encoder || options.params_encoder)

data/lib/faraday/encoders/flat_params_encoder.rb

@@ -6,6 +6,7 @@ module Faraday
   module FlatParamsEncoder
     class << self
       extend Forwardable
+
       def_delegators :'Faraday::Utils', :escape, :unescape
     end
 

data/lib/faraday/encoders/nested_params_encoder.rb

@@ -106,6 +106,8 @@ module Faraday
 
     def decode_pair(key, value, context)
       subkeys = key.scan(SUBKEYS_REGEX)
+      validate_params_depth!(subkeys.length)
+
       subkeys.each_with_index do |subkey, i|
         is_array = subkey =~ /[\[\]]+\Z/
         subkey = Regexp.last_match.pre_match if is_array
@@ -145,6 +147,12 @@ module Faraday
       is_array ? context << value : context[subkey] = value
     end
 
+    def validate_params_depth!(depth)
+      return unless @param_depth_limit && depth > @param_depth_limit
+
+      raise Faraday::Error, "exceeded nested parameter depth limit of #{@param_depth_limit}"
+    end
+
     # Internal: convert a nested hash with purely numeric keys into an array.
     # FIXME: this is not compatible with Rack::Utils.parse_nested_query
     # @!visibility private
@@ -167,15 +175,17 @@ module Faraday
   # for your requests.
   module NestedParamsEncoder
     class << self
-      attr_accessor :sort_params, :array_indices
+      attr_accessor :sort_params, :array_indices, :param_depth_limit
 
       extend Forwardable
+
       def_delegators :'Faraday::Utils', :escape, :unescape
     end
 
     # Useful default for OAuth and caching.
     @sort_params = true
     @array_indices = false
+    @param_depth_limit = 100
 
     extend EncodeMethods
     extend DecodeMethods

data/lib/faraday/error.rb

@@ -172,7 +172,7 @@ module Faraday
   # A unified client error for timeouts.
   class TimeoutError < ServerError
     def initialize(exc = 'timeout', response = nil)
-      super(exc, response)
+      super
     end
   end
 

data/lib/faraday/middleware.rb

@@ -65,7 +65,7 @@ module Faraday
       if app.respond_to?(:close)
         app.close
       else
-        warn "#{app} does not implement \#close!"
+        warn "#{app} does not implement #close!"
       end
     end
   end

data/lib/faraday/options/env.rb

@@ -78,7 +78,7 @@ module Faraday
     # @param value [Object] a value fitting Option.from(v).
     # @return [Env] from given value
     def self.from(value)
-      env = super(value)
+      env = super
       if value.respond_to?(:custom_members)
         env.custom_members.update(value.custom_members)
       end
@@ -90,7 +90,7 @@ module Faraday
       return self[current_body] if key == :body
 
       if in_member_set?(key)
-        super(key)
+        super
       else
         custom_members[key]
       end
@@ -105,7 +105,7 @@ module Faraday
       end
 
       if in_member_set?(key)
-        super(key, value)
+        super
       else
         custom_members[key] = value
       end

data/lib/faraday/options/proxy_options.rb

@@ -7,6 +7,7 @@ module Faraday
   #   class ProxyOptions < Options; end
   ProxyOptions = Options.new(:uri, :user, :password) do
     extend Forwardable
+
     def_delegators :uri, :scheme, :scheme=, :host, :host=, :port, :port=,
                    :path, :path=
 
@@ -29,7 +30,7 @@ module Faraday
         end
       end
 
-      super(value)
+      super
     end
 
     memoized(:user) { uri&.user && Utils.unescape(uri.user) }

data/lib/faraday/options/request_options.rb

@@ -12,7 +12,7 @@ module Faraday
       if key && key.to_sym == :proxy
         super(key, value ? ProxyOptions.from(value) : nil)
       else
-        super(key, value)
+        super
       end
     end
 

data/lib/faraday/options.rb

@@ -186,7 +186,7 @@ module Faraday
     def [](key)
       key = key.to_sym
       if (method = self.class.memoized_attributes[key])
-        super(key) || (self[key] = instance_eval(&method))
+        super || (self[key] = instance_eval(&method))
       else
         super
       end

data/lib/faraday/rack_builder.rb

@@ -15,6 +15,11 @@ module Faraday
     # Used to detect missing arguments
     NO_ARGUMENT = Object.new
 
+    LOCK_ERR = "can't modify middleware stack after making a request"
+    MISSING_ADAPTER_ERROR = "An attempt to run a request with a Faraday::Connection without adapter has been made.\n" \
+                            "Please set Faraday.default_adapter or provide one when initializing the connection.\n" \
+                            'For more info, check https://lostisland.github.io/faraday/usage/.'
+
     attr_accessor :handlers
 
     # Error raised when trying to modify the stack after calling `lock!`
@@ -211,11 +216,6 @@ module Faraday
 
     private
 
-    LOCK_ERR = "can't modify middleware stack after making a request"
-    MISSING_ADAPTER_ERROR = "An attempt to run a request with a Faraday::Connection without adapter has been made.\n" \
-                            "Please set Faraday.default_adapter or provide one when initializing the connection.\n" \
-                            'For more info, check https://lostisland.github.io/faraday/usage/.'
-
     def raise_if_locked
       raise StackLocked, LOCK_ERR if locked?
     end

data/lib/faraday/utils/headers.rb

@@ -51,7 +51,7 @@ module Faraday
 
       def [](key)
         key = KeyMap[key]
-        super(key) || super(@names[key.downcase])
+        super || super(@names[key.downcase])
       end
 
       def []=(key, val)
@@ -59,13 +59,13 @@ module Faraday
         key = (@names[key.downcase] ||= key)
         # join multiple values with a comma
         val = val.to_ary.join(', ') if val.respond_to?(:to_ary)
-        super(key, val)
+        super
       end
 
       def fetch(key, ...)
         key = KeyMap[key]
         key = @names.fetch(key.downcase, key)
-        super(key, ...)
+        super
       end
 
       def delete(key)
@@ -74,13 +74,13 @@ module Faraday
         return unless key
 
         @names.delete key.downcase
-        super(key)
+        super
       end
 
       def dig(key, *rest)
         key = KeyMap[key]
         key = @names.fetch(key.downcase, key)
-        super(key, *rest)
+        super
       end
 
       def include?(key)

data/lib/faraday/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Faraday
-  VERSION = '2.14.1'
+  VERSION = '2.14.3'
 end

data/spec/faraday/adapter/test_spec.rb

@@ -439,4 +439,22 @@ RSpec.describe Faraday::Adapter::Test do
       end
     end
   end
+
+  describe '#clear' do
+    it 'removes pending stubs' do
+      stubs.clear
+      expect { connection.get('/hello') }.to raise_error(described_class::Stubs::NotFound)
+    end
+
+    it 'removes already consumed stubs' do
+      expect(connection.get('/hello').body).to eq('hello')
+      stubs.clear
+      expect { connection.get('/hello') }.to raise_error(described_class::Stubs::NotFound)
+    end
+
+    it 'leaves the stubs empty' do
+      stubs.clear
+      expect(stubs).to be_empty
+    end
+  end
 end

data/spec/faraday/connection_spec.rb

@@ -318,6 +318,13 @@ RSpec.describe Faraday::Connection do
         expect(uri.host).to eq('httpbingo.org')
       end
 
+      it 'does not allow host override with URI("//evil.com/path")' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url(URI('//evil.com/path?token=1'))
+        expect(uri.host).to eq('httpbingo.org')
+        expect(uri.query).to eq('token=1')
+      end
+
       it 'does not allow host override with //evil.com:8080/path' do
         conn.url_prefix = 'http://httpbingo.org/api'
         uri = conn.build_exclusive_url('//evil.com:8080/path')
@@ -373,6 +380,18 @@ RSpec.describe Faraday::Connection do
       url = conn.build_url(nil, b: 2, c: 3)
       expect(url.to_s).to eq('http://httpbingo.org/nigiri?a=1&b=2&c=3')
     end
+
+    it 'raises a controlled error when URL query params exceed the nested depth limit' do
+      original_param_depth_limit = Faraday::NestedParamsEncoder.param_depth_limit
+      Faraday::NestedParamsEncoder.param_depth_limit = 2
+
+      expect { conn.build_url('/nigiri?a[b][c]=1') }.to raise_error(
+        Faraday::Error,
+        'exceeded nested parameter depth limit of 2'
+      )
+    ensure
+      Faraday::NestedParamsEncoder.param_depth_limit = original_param_depth_limit
+    end
   end
 
   describe '#build_request' do

data/spec/faraday/middleware_spec.rb

@@ -52,14 +52,14 @@ RSpec.describe Faraday::Middleware do
   end
 
   describe '#close' do
-    context "with app that doesn't support \#close" do
+    context "with app that doesn't support #close" do
       it 'should issue warning' do
         is_expected.to receive(:warn)
         subject.close
       end
     end
 
-    context "with app that supports \#close" do
+    context 'with app that supports #close' do
       it 'should issue warning' do
         expect(app).to receive(:close)
         is_expected.to_not receive(:warn)

data/spec/faraday/params_encoders/nested_spec.rb

@@ -5,6 +5,13 @@ require 'rack/utils'
 RSpec.describe Faraday::NestedParamsEncoder do
   it_behaves_like 'a params encoder'
 
+  around do |example|
+    original_param_depth_limit = described_class.param_depth_limit
+    example.run
+  ensure
+    described_class.param_depth_limit = original_param_depth_limit
+  end
+
   it 'decodes arrays' do
     query    = 'a[1]=one&a[2]=two&a[3]=three'
     expected = { 'a' => %w[one two three] }
@@ -53,6 +60,27 @@ RSpec.describe Faraday::NestedParamsEncoder do
     expect(subject.decode(query)).to eq(expected)
   end
 
+  it 'allows nested params within the configured depth limit' do
+    described_class.param_depth_limit = 3
+
+    expect(subject.decode('a[b][c]=1')).to eq({ 'a' => { 'b' => { 'c' => '1' } } })
+  end
+
+  it 'raises a controlled error when nested params exceed the depth limit' do
+    described_class.param_depth_limit = 2
+
+    expect { subject.decode('a[b][c]=1') }.to raise_error(
+      Faraday::Error,
+      'exceeded nested parameter depth limit of 2'
+    )
+  end
+
+  it 'allows disabling the nested params depth limit' do
+    described_class.param_depth_limit = nil
+
+    expect(subject.decode('a[b][c][d]=1')).to eq({ 'a' => { 'b' => { 'c' => { 'd' => '1' } } } })
+  end
+
   it 'decodes nested final value overrides any type' do
     query    = 'a[b][c]=1&a[b]=2'
     expected = { 'a' => { 'b' => '2' } }

data/spec/faraday/request_spec.rb

@@ -31,6 +31,15 @@ RSpec.describe Faraday::Request do
     it { expect(subject.to_env(conn).url.to_s).to eq('http://httpbingo.org/api/foo.json?a=1') }
   end
 
+  context 'when setting the url on setup with a protocol-relative URI' do
+    let(:block) { proc { |req| req.url URI.parse('//evil.com/path?token=1') } }
+    let(:url) { subject.to_env(conn).url }
+
+    it { expect(url.host).to eq('httpbingo.org') }
+    it { expect(url.path).to eq('/api///evil.com/path') }
+    it { expect(url.query).to eq('token=1') }
+  end
+
   context 'when setting the url on setup with a string path and params' do
     let(:block) { proc { |req| req.url 'foo.json', 'a' => 1 } }
 

data/spec/faraday/response/json_spec.rb

@@ -106,7 +106,7 @@ RSpec.describe Faraday::Response::Json, type: :response do
     end
 
     it 'passes relevant options to JSON parse' do
-      expect(::JSON).to receive(:parse)
+      expect(JSON).to receive(:parse)
         .with(body, options[:parser_options])
         .and_return(result)
 

data/spec/faraday/response/logger_spec.rb

@@ -218,7 +218,7 @@ RSpec.describe Faraday::Response::Logger do
 
     it 'logs response body object' do
       conn.get '/rubbles', nil, accept: 'text/html'
-      expect(string_io.string).to match(%([\"Barney\", \"Betty\", \"Bam Bam\"]\n))
+      expect(string_io.string).to match(%(["Barney", "Betty", "Bam Bam"]\n))
     end
 
     it 'logs filter body' do

data/spec/faraday/utils_spec.rb

@@ -33,7 +33,7 @@ RSpec.describe Faraday::Utils do
     end
 
     it 'parses with URI' do
-      with_default_uri_parser(::URI) do
+      with_default_uri_parser(URI) do
         uri = normalize(url)
         expect(uri.host).to eq('example.com')
       end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: faraday
 version: !ruby/object:Gem::Version
-  version: 2.14.1
+  version: 2.14.3
 platform: ruby
 authors:
 - "@technoweenie"
@@ -144,7 +144,7 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://lostisland.github.io/faraday
-  changelog_uri: https://github.com/lostisland/faraday/releases/tag/v2.14.1
+  changelog_uri: https://github.com/lostisland/faraday/releases/tag/v2.14.3
   source_code_uri: https://github.com/lostisland/faraday
   bug_tracker_uri: https://github.com/lostisland/faraday/issues
   rubygems_mfa_required: 'true'