faraday 1.10.4 → 1.10.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/faraday/connection.rb +2 -0
- data/lib/faraday/version.rb +1 -1
- data/spec/faraday/connection_spec.rb +33 -0
- metadata +7 -7
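--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: efc660709daf1320a9c5da2a957444e0bfab26fd8ee011f949b324c915083018
+data.tar.gz: 2579fcc8e6470a92fd973b9472e1e746ef482000a6c013d04e8e607f9cd1b3e0
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 99a0d80605467ff74c10abc92fab4aba09972e71319e2f8112ae3b064b323be0f2c0b9e4a68090e4181daa68a8e7e1e58546a886e0a6b4570ef7c292bc8ceb02
+data.tar.gz: 0c17e2e5471b0ceaa5b60912ecaa3396bdd720da239939956cdf67c71be8d2c379df8ec425db3af823a6fd26b3bc3228f84297dc4ff8a0d7aba7e039fb000354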
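--- a/data/lib/faraday/connection.rb
+++ b/data/lib/faraday/connection.rb
@@ -545,6 +545,8 @@ module Faraday
 if url && base.path && base.path !~ %r{/$}
 base.path = "#{base.path}/" # ensure trailing slash
 end
+# Ensure protocol-relative URLs are handled correctly (CVE-2026-25765)
+url = "./#{url}" if url.respond_to?(:start_with?) && url.start_with?('//')
 url = url && URI.parse(url.to_s).opaque ? url.to_s.gsub(':', '%3A') : url
 uri = url ? base + url : base
 if params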
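Review bot: The comment on the first added line says protocol-relative URLs are "handled correctly" without saying what would otherwise go wrong, and the `./` prefix on the next line is not self-explanatory; I would replace it with `# A path starting with '//' is a network-path reference: URI#merge (base + url below) would take its authority and replace the base host. Prefixing './' forces it to resolve as a plain relative path (CVE-2026-25765).` The guard is string-only (`respond_to?(:start_with?)`), so a `URI` object that already carries an authority still replaces the base host on the `uri = url ? base + url : base` line; that is pre-existing behaviour and plausibly intended for explicitly constructed URI objects, but the comment should state that boundary so readers do not assume the rewrite covers every input type. The enclosing method (named `build_exclusive_url` in the spec hunk on this page) starts and ends outside the hunk.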
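--- a/data/spec/faraday/connection_spec.rb
+++ b/data/spec/faraday/connection_spec.rb
@@ -307,6 +307,39 @@ RSpec.describe Faraday::Connection do
 expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400')
 end
 end
+
+context 'with protocol-relative URL (CVE-2026-25765)' do
+it 'does not allow host override with //evil.com/path' do
+conn.url_prefix = 'http://httpbingo.org/api'
+uri = conn.build_exclusive_url('//evil.com/path')
+expect(uri.host).to eq('httpbingo.org')
+end
+
+it 'does not allow host override with //evil.com:8080/path' do
+conn.url_prefix = 'http://httpbingo.org/api'
+uri = conn.build_exclusive_url('//evil.com:8080/path')
+expect(uri.host).to eq('httpbingo.org')
+end
+
+it 'does not allow host override with //user:pass@evil.com/path' do
+conn.url_prefix = 'http://httpbingo.org/api'
+uri = conn.build_exclusive_url('//user:pass@evil.com/path')
+expect(uri.host).to eq('httpbingo.org')
+end
+
+it 'does not allow host override with ///evil.com' do
+conn.url_prefix = 'http://httpbingo.org/api'
+uri = conn.build_exclusive_url('///evil.com')
+expect(uri.host).to eq('httpbingo.org')
+end
+
+it 'still allows single-slash absolute paths' do
+conn.url_prefix = 'http://httpbingo.org/api'
+uri = conn.build_exclusive_url('/safe/path')
+expect(uri.host).to eq('httpbingo.org')
+expect(uri.path).to eq('/safe/path')
+end
+end
 end
 
 describe '#build_url' do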
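Review bot: The four host-override examples assert only `uri.host`, so they would still pass if the `./` rewrite produced an unintended path; pin the whole result the way the single-slash example pins `uri.path`, e.g. for the first example `expect(uri.to_s).to eq('http://httpbingo.org/api///evil.com/path')` (that is what URI#merge yields for `./` + `//evil.com/path` against `/api/`, but confirm the exact string by running the spec before committing it). A further example where the argument is a `URI` object rather than a String would document whether the string-only guard in `build_exclusive_url` is meant to leave that input type unchanged. The section header on this page reads `data/lib/faraday/version.rb`, but the hunk (`RSpec.describe Faraday::Connection`, 33 additions) matches `data/spec/faraday/connection_spec.rb` in the diffstat, and the one-line version.rb change itself is not shown. The enclosing `describe` block starts outside the hunk.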
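--- a/metadata
+++ b/metadata
@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: faraday
 version: !ruby/object:Gem::Version
-version: 1.10.
+version: 1.10.5
 platform: ruby
 authors:
 - "@technoweenie"
 - "@iMacTia"
 - "@olleolleolle"
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2026-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: faraday-em_http
@@ -166,7 +166,7 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: 0.0.4
-description:
+description:
 email: technoweenie@gmail.com
 executables: []
 extensions: []
@@ -268,10 +268,10 @@ licenses:
 - MIT
 metadata:
 homepage_uri: https://lostisland.github.io/faraday
-changelog_uri: https://github.com/lostisland/faraday/releases/tag/v1.10.
+changelog_uri: https://github.com/lostisland/faraday/releases/tag/v1.10.5
 source_code_uri: https://github.com/lostisland/faraday
 bug_tracker_uri: https://github.com/lostisland/faraday/issues
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -288,7 +288,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubygems_version: 3.1.6
-signing_key:
+signing_key:
 specification_version: 4
 summary: HTTP/REST API client library.
 test_files: []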