faraday 2.9.2 → 2.14.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d2795a487e8f0330545b6b9720029b597b0f0f36d33ed47bf3a7ab5ec8e2d583
-  data.tar.gz: a892c9ceebf1a9b5499ca7c6f20a1f6bb3c8a632bcf953f83af0ac17814c0691
+  metadata.gz: 8d5ef64533c80aaabadd55b5ea342b102fd652f5918039c7deff3b26c4ad4a67
+  data.tar.gz: 81ebbac6eb08b7f85ee7d8673e3274bbe110c0a865604a3df7294814ba469eb8
 SHA512:
-  metadata.gz: dc55e018b7b5cec1d5538194841c74a643182d0bb6bc3a73bf5ca1c3c7c88f84998f8b4f90165bffe22b01422e3d90c7bbf6c035714c563bb09265bd34029169
-  data.tar.gz: 05c24fe02e969616d069ba3b02fa7fddfb5c70cb504bfd39ca60983d12aaa47207f985c1e5a1a24d29c71c6cecbe899eb2252f4a8f9458d8681e06584d7016fc
+  metadata.gz: 50080c6a64a9c7b0775da8c3d63ece38a3e0946f36500665ee9be6fc547fc1a5313897ffe87fb1f08f802b6a69b8b11f46fb3a2a751ba8c00aab6910cebadbb4
+  data.tar.gz: '093b793d6b3f0ca6951a4c71ffd1f4b2603a1ea7d6efce304b165ae8124dd7cb64f7aa46b455a0ee5c9ba8e0f91ec931484dcdd7d2082dbae64448ee7aa6b2d7'

data/CHANGELOG.md

@@ -517,7 +517,7 @@ Breaking changes:
 - Drop support for Ruby 1.8
 
 Features:
-- Include wrapped exception/reponse in ClientErrors
+- Include wrapped exception/response in ClientErrors
 - Add `response.reason_phrase`
 - Provide option to selectively skip logging request/response headers
 - Add regex support for pattern matching in `test` adapter

data/lib/faraday/connection.rb

@@ -314,15 +314,23 @@ module Faraday
     #
     # @yield a block to execute multiple requests.
     # @return [void]
-    def in_parallel(manager = nil)
+    def in_parallel(manager = nil, &block)
       @parallel_manager = manager || default_parallel_manager do
         warn 'Warning: `in_parallel` called but no parallel-capable adapter ' \
              'on Faraday stack'
         warn caller[2, 10].join("\n")
         nil
       end
-      yield
-      @parallel_manager&.run
+      return yield unless @parallel_manager
+
+      if @parallel_manager.respond_to?(:execute)
+        # Execute is the new method that is responsible for executing the block.
+        @parallel_manager.execute(&block)
+      else
+        # TODO: Old behaviour, deprecate and remove in 3.0
+        yield
+        @parallel_manager.run
+      end
     ensure
       @parallel_manager = nil
     end
@@ -473,8 +481,9 @@ module Faraday
       if url && !base.path.end_with?('/')
         base.path = "#{base.path}/" # ensure trailing slash
       end
-      # Ensure relative url will be parsed correctly (such as `service:search` )
-      url = "./#{url}" if url.respond_to?(:start_with?) && !url.start_with?('http://', 'https://', '/', './', '../')
+      # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
+      url = "./#{url}" if url.respond_to?(:start_with?) &&
+                          (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
       uri = url ? base + url : base
       if params
         uri.query = params.to_query(params_encoder || options.params_encoder)

data/lib/faraday/encoders/flat_params_encoder.rb

@@ -76,9 +76,9 @@ module Faraday
 
       empty_accumulator = {}
 
-      split_query = (query.split('&').map do |pair|
+      split_query = query.split('&').filter_map do |pair|
         pair.split('=', 2) if pair && !pair.empty?
-      end).compact
+      end
       split_query.each_with_object(empty_accumulator.dup) do |pair, accu|
         pair[0] = unescape(pair[0])
         pair[1] = true if pair[1].nil?

data/lib/faraday/error.rb

@@ -79,12 +79,46 @@ module Faraday
 
     # Pulls out potential parent exception and response hash.
     def exc_msg_and_response(exc, response = nil)
-      return [exc, exc.message, response] if exc.respond_to?(:backtrace)
+      case exc
+      when Exception
+        [exc, exc.message, response]
+      when Hash
+        [nil, build_error_message_from_hash(exc), exc]
+      when Faraday::Env
+        [nil, build_error_message_from_env(exc), exc]
+      else
+        [nil, exc.to_s, response]
+      end
+    end
+
+    private
+
+    def build_error_message_from_hash(hash)
+      # Be defensive with external Hash objects - they might be missing keys
+      status = hash.fetch(:status, nil)
+      request = hash.fetch(:request, nil)
+
+      return fallback_error_message(status) if request.nil?
+
+      method = request.fetch(:method, nil)
+      url = request.fetch(:url, nil)
+      build_status_error_message(status, method, url)
+    end
+
+    def build_error_message_from_env(env)
+      # Faraday::Env is internal - we can make reasonable assumptions about its structure
+      build_status_error_message(env.status, env.method, env.url)
+    end
 
-      return [nil, "the server responded with status #{exc[:status]}", exc] \
-        if exc.respond_to?(:each_key)
+    def build_status_error_message(status, method, url)
+      method_str = method ? method.to_s.upcase : ''
+      url_str = url ? url.to_s : ''
+      "the server responded with status #{status} for #{method_str} #{url_str}"
+    end
 
-      [nil, exc.to_s, response]
+    def fallback_error_message(status)
+      "the server responded with status #{status} - method and url are not available " \
+        'due to include_request: false on Faraday::Response::RaiseError middleware'
     end
   end
 
@@ -121,9 +155,12 @@ module Faraday
   end
 
   # Raised by Faraday::Response::RaiseError in case of a 422 response.
-  class UnprocessableEntityError < ClientError
+  class UnprocessableContentError < ClientError
   end
 
+  # Used to provide compatibility with legacy error name.
+  UnprocessableEntityError = UnprocessableContentError
+
   # Raised by Faraday::Response::RaiseError in case of a 429 response.
   class TooManyRequestsError < ClientError
   end
@@ -158,4 +195,8 @@ module Faraday
   # Raised by middlewares that parse the response, like the JSON response middleware.
   class ParsingError < Error
   end
+
+  # Raised by Faraday::Middleware and subclasses when invalid default_options are used
+  class InitializationError < Error
+  end
 end

data/lib/faraday/logging/formatter.rb

@@ -23,8 +23,8 @@ module Faraday
       def_delegators :@logger, :debug, :info, :warn, :error, :fatal
 
       def request(env)
-        public_send(log_level, 'request') do
-          "#{env.method.upcase} #{apply_filters(env.url.to_s)}"
+        public_send(log_level) do
+          "request: #{env.method.upcase} #{apply_filters(env.url.to_s)}"
         end
 
         log_headers('request', env.request_headers) if log_headers?(:request)
@@ -32,7 +32,7 @@ module Faraday
       end
 
       def response(env)
-        public_send(log_level, 'response') { "Status #{env.status}" }
+        public_send(log_level) { "response: Status #{env.status}" }
 
         log_headers('response', env.response_headers) if log_headers?(:response)
         log_body('response', env[:body]) if env[:body] && log_body?(:response)
@@ -41,7 +41,7 @@ module Faraday
       def exception(exc)
         return unless log_errors?
 
-        public_send(log_level, 'error') { exc.full_message }
+        public_send(log_level) { "error: #{exc.full_message}" }
 
         log_headers('error', exc.response_headers) if exc.respond_to?(:response_headers) && log_headers?(:error)
         return unless exc.respond_to?(:response_body) && exc.response_body && log_body?(:error)
@@ -63,7 +63,7 @@ module Faraday
 
       def dump_body(body)
         if body.respond_to?(:to_str)
-          body.to_str
+          body.to_str.encode(::Encoding::UTF_8, undef: :replace, invalid: :replace)
         else
           pretty_inspect(body)
         end
@@ -107,11 +107,11 @@ module Faraday
       end
 
       def log_headers(type, headers)
-        public_send(log_level, type) { apply_filters(dump_headers(headers)) }
+        public_send(log_level) { "#{type}: #{apply_filters(dump_headers(headers))}" }
       end
 
       def log_body(type, body)
-        public_send(log_level, type) { apply_filters(dump_body(body)) }
+        public_send(log_level) { "#{type}: #{apply_filters(dump_body(body))}" }
       end
     end
   end

data/lib/faraday/middleware.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'monitor'
+
 module Faraday
   # Middleware is the basic base class of any Faraday middleware.
   class Middleware
@@ -7,9 +9,46 @@ module Faraday
 
     attr_reader :app, :options
 
+    DEFAULT_OPTIONS = {}.freeze
+    LOCK = Mutex.new
+
     def initialize(app = nil, options = {})
       @app = app
-      @options = options
+      @options = self.class.default_options.merge(options)
+    end
+
+    class << self
+      # Faraday::Middleware::default_options= allows user to set default options at the Faraday::Middleware
+      # class level.
+      #
+      # @example Set the Faraday::Response::RaiseError option, `include_request` to `false`
+      # my_app/config/initializers/my_faraday_middleware.rb
+      #
+      # Faraday::Response::RaiseError.default_options = { include_request: false }
+      #
+      def default_options=(options = {})
+        validate_default_options(options)
+        LOCK.synchronize do
+          @default_options = default_options.merge(options)
+        end
+      end
+
+      # default_options attr_reader that initializes class instance variable
+      # with the values of any Faraday::Middleware defaults, and merges with
+      # subclass defaults
+      def default_options
+        @default_options ||= DEFAULT_OPTIONS.merge(self::DEFAULT_OPTIONS)
+      end
+
+      private
+
+      def validate_default_options(options)
+        invalid_keys = options.keys.reject { |opt| self::DEFAULT_OPTIONS.key?(opt) }
+        return unless invalid_keys.any?
+
+        raise(Faraday::InitializationError,
+              "Invalid options provided. Keys not found in #{self}::DEFAULT_OPTIONS: #{invalid_keys.join(', ')}")
+      end
     end
 
     def call(env)

data/lib/faraday/options/env.rb

@@ -60,7 +60,7 @@ module Faraday
                     :reason_phrase, :response_body) do
     const_set(:ContentLength, 'Content-Length')
     const_set(:StatusesWithoutBody, Set.new([204, 304]))
-    const_set(:SuccessfulStatuses, (200..299))
+    const_set(:SuccessfulStatuses, 200..299)
 
     # A Set of HTTP verbs that typically send a body.  If no body is set for
     # these requests, the Content-Length header is set to 0.

data/lib/faraday/options/proxy_options.rb

@@ -22,8 +22,10 @@ module Faraday
       when URI
         value = { uri: value }
       when Hash, Options
-        if (uri = value.delete(:uri))
-          value[:uri] = Utils.URI(uri)
+        if value[:uri]
+          value = value.dup.tap do |duped|
+            duped[:uri] = Utils.URI(duped[:uri])
+          end
         end
       end
 

data/lib/faraday/options/ssl_options.rb

@@ -11,6 +11,9 @@ module Faraday
   #   #   @return [Boolean] whether to enable hostname verification on server certificates
   #   #           during the handshake or not (see https://github.com/ruby/openssl/pull/60)
   #   #
+  #   # @!attribute hostname
+  #   #   @return [String] Server hostname used for SNI (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLSocket.html#method-i-hostname-3D)
+  #   #
   #   # @!attribute ca_file
   #   #   @return [String] CA file
   #   #
@@ -46,12 +49,15 @@ module Faraday
   #   #
   #   # @!attribute max_version
   #   #   @return [String, Symbol] maximum SSL version (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-max_version-3D)
+  #   #
+  #   # @!attribute ciphers
+  #   #   @return [String] cipher list in OpenSSL format (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-ciphers-3D)
   #   class SSLOptions < Options; end
-  SSLOptions = Options.new(:verify, :verify_hostname,
+  SSLOptions = Options.new(:verify, :verify_hostname, :hostname,
                            :ca_file, :ca_path, :verify_mode,
                            :cert_store, :client_cert, :client_key,
                            :certificate, :private_key, :verify_depth,
-                           :version, :min_version, :max_version) do
+                           :version, :min_version, :max_version, :ciphers) do
     # @return [Boolean] true if should verify
     def verify?
       verify != false

data/lib/faraday/rack_builder.rb

@@ -27,10 +27,11 @@ module Faraday
 
       attr_reader :name
 
-      ruby2_keywords def initialize(klass, *args, &block)
+      def initialize(klass, *args, **kwargs, &block)
         @name = klass.to_s
         REGISTRY.set(klass) if klass.respond_to?(:name)
         @args = args
+        @kwargs = kwargs
         @block = block
       end
 
@@ -53,7 +54,7 @@ module Faraday
       end
 
       def build(app = nil)
-        klass.new(app, *@args, &@block)
+        klass.new(app, *@args, **@kwargs, &@block)
       end
     end
 
@@ -88,52 +89,52 @@ module Faraday
       @handlers.frozen?
     end
 
-    ruby2_keywords def use(klass, *args, &block)
+    def use(klass, ...)
       if klass.is_a? Symbol
-        use_symbol(Faraday::Middleware, klass, *args, &block)
+        use_symbol(Faraday::Middleware, klass, ...)
       else
         raise_if_locked
         raise_if_adapter(klass)
-        @handlers << self.class::Handler.new(klass, *args, &block)
+        @handlers << self.class::Handler.new(klass, ...)
       end
     end
 
-    ruby2_keywords def request(key, *args, &block)
-      use_symbol(Faraday::Request, key, *args, &block)
+    def request(key, ...)
+      use_symbol(Faraday::Request, key, ...)
     end
 
-    ruby2_keywords def response(key, *args, &block)
-      use_symbol(Faraday::Response, key, *args, &block)
+    def response(...)
+      use_symbol(Faraday::Response, ...)
     end
 
-    ruby2_keywords def adapter(klass = NO_ARGUMENT, *args, &block)
+    def adapter(klass = NO_ARGUMENT, *args, **kwargs, &block)
       return @adapter if klass == NO_ARGUMENT || klass.nil?
 
       klass = Faraday::Adapter.lookup_middleware(klass) if klass.is_a?(Symbol)
-      @adapter = self.class::Handler.new(klass, *args, &block)
+      @adapter = self.class::Handler.new(klass, *args, **kwargs, &block)
     end
 
     ## methods to push onto the various positions in the stack:
 
-    ruby2_keywords def insert(index, *args, &block)
+    def insert(index, ...)
       raise_if_locked
       index = assert_index(index)
-      handler = self.class::Handler.new(*args, &block)
+      handler = self.class::Handler.new(...)
       @handlers.insert(index, handler)
     end
 
     alias insert_before insert
 
-    ruby2_keywords def insert_after(index, *args, &block)
+    def insert_after(index, ...)
       index = assert_index(index)
-      insert(index + 1, *args, &block)
+      insert(index + 1, ...)
     end
 
-    ruby2_keywords def swap(index, *args, &block)
+    def swap(index, ...)
       raise_if_locked
       index = assert_index(index)
       @handlers.delete_at(index)
-      insert(index, *args, &block)
+      insert(index, ...)
     end
 
     def delete(handler)
@@ -220,7 +221,7 @@ module Faraday
     end
 
     def raise_if_adapter(klass)
-      return unless is_adapter?(klass)
+      return unless klass <= Faraday::Adapter
 
       raise 'Adapter should be set using the `adapter` method, not `use`'
     end
@@ -233,12 +234,8 @@ module Faraday
       !@adapter.nil?
     end
 
-    def is_adapter?(klass) # rubocop:disable Naming/PredicateName
-      klass <= Faraday::Adapter
-    end
-
-    ruby2_keywords def use_symbol(mod, key, *args, &block)
-      use(mod.lookup_middleware(key), *args, &block)
+    def use_symbol(mod, key, ...)
+      use(mod.lookup_middleware(key), ...)
     end
 
     def assert_index(index)

data/lib/faraday/response/logger.rb

@@ -10,11 +10,13 @@ module Faraday
     # lifecycle to a given Logger object. By default, this logs to STDOUT. See
     # Faraday::Logging::Formatter to see specifically what is logged.
     class Logger < Middleware
+      DEFAULT_OPTIONS = { formatter: Logging::Formatter }.merge(Logging::Formatter::DEFAULT_OPTIONS).freeze
+
       def initialize(app, logger = nil, options = {})
-        super(app)
+        super(app, options)
         logger ||= ::Logger.new($stdout)
-        formatter_class = options.delete(:formatter) || Logging::Formatter
-        @formatter = formatter_class.new(logger: logger, options: options)
+        formatter_class = @options.delete(:formatter)
+        @formatter = formatter_class.new(logger: logger, options: @options)
         yield @formatter if block_given?
       end
 

data/lib/faraday/response/raise_error.rb

@@ -8,30 +8,30 @@ module Faraday
       # rubocop:disable Naming/ConstantName
       ClientErrorStatuses = (400...500)
       ServerErrorStatuses = (500...600)
+      ClientErrorStatusesWithCustomExceptions = {
+        400 => Faraday::BadRequestError,
+        401 => Faraday::UnauthorizedError,
+        403 => Faraday::ForbiddenError,
+        404 => Faraday::ResourceNotFound,
+        408 => Faraday::RequestTimeoutError,
+        409 => Faraday::ConflictError,
+        422 => Faraday::UnprocessableContentError,
+        429 => Faraday::TooManyRequestsError
+      }.freeze
       # rubocop:enable Naming/ConstantName
 
+      DEFAULT_OPTIONS = { include_request: true, allowed_statuses: [] }.freeze
+
       def on_complete(env)
+        return if Array(options[:allowed_statuses]).include?(env[:status])
+
         case env[:status]
-        when 400
-          raise Faraday::BadRequestError, response_values(env)
-        when 401
-          raise Faraday::UnauthorizedError, response_values(env)
-        when 403
-          raise Faraday::ForbiddenError, response_values(env)
-        when 404
-          raise Faraday::ResourceNotFound, response_values(env)
+        when *ClientErrorStatusesWithCustomExceptions.keys
+          raise ClientErrorStatusesWithCustomExceptions[env[:status]], response_values(env)
         when 407
           # mimic the behavior that we get with proxy requests with HTTPS
           msg = %(407 "Proxy Authentication Required")
           raise Faraday::ProxyAuthError.new(msg, response_values(env))
-        when 408
-          raise Faraday::RequestTimeoutError, response_values(env)
-        when 409
-          raise Faraday::ConflictError, response_values(env)
-        when 422
-          raise Faraday::UnprocessableEntityError, response_values(env)
-        when 429
-          raise Faraday::TooManyRequestsError, response_values(env)
         when ClientErrorStatuses
           raise Faraday::ClientError, response_values(env)
         when ServerErrorStatuses
@@ -58,7 +58,7 @@ module Faraday
 
         # Include the request data by default. If the middleware was explicitly
         # configured to _not_ include request data, then omit it.
-        return response unless options.fetch(:include_request, true)
+        return response unless options[:include_request]
 
         response.merge(
           request: {

data/lib/faraday/response.rb

@@ -33,6 +33,10 @@ module Faraday
       finished? ? env.body : nil
     end
 
+    def url
+      finished? ? env.url : nil
+    end
+
     def finished?
       !!env
     end
@@ -60,9 +64,9 @@ module Faraday
 
     def to_hash
       {
-        status: env.status, body: env.body,
-        response_headers: env.response_headers,
-        url: env.url
+        status: status, body: body,
+        response_headers: headers,
+        url: url
       }
     end
 

data/lib/faraday/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Faraday
-  VERSION = '2.9.2'
+  VERSION = '2.14.1'
 end

data/lib/faraday.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require 'cgi'
+require 'cgi/escape'
+require 'cgi/util' if RUBY_VERSION < '3.5'
 require 'date'
 require 'set'
 require 'forwardable'

data/spec/faraday/connection_spec.rb

@@ -311,6 +311,39 @@ RSpec.describe Faraday::Connection do
       end
     end
 
+    context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
+      it 'does not allow host override with //evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //evil.com:8080/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com:8080/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //user:pass@evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//user:pass@evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with ///evil.com' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('///evil.com')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'still allows single-slash absolute paths' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('/safe/path')
+        expect(uri.host).to eq('httpbingo.org')
+        expect(uri.path).to eq('/safe/path')
+      end
+    end
+
     context 'with a custom `default_uri_parser`' do
       let(:url) { 'http://httpbingo.org' }
       let(:parser) { Addressable::URI }