faraday 2.14.0 → 2.14.1
- checksums.yaml +4 -4
- data/lib/faraday/connection.rb +3 -2
- data/lib/faraday/logging/formatter.rb +1 -1
- data/lib/faraday/version.rb +1 -1
- data/spec/faraday/connection_spec.rb +33 -0
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8d5ef64533c80aaabadd55b5ea342b102fd652f5918039c7deff3b26c4ad4a67
|
|
4
|
+
data.tar.gz: 81ebbac6eb08b7f85ee7d8673e3274bbe110c0a865604a3df7294814ba469eb8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 50080c6a64a9c7b0775da8c3d63ece38a3e0946f36500665ee9be6fc547fc1a5313897ffe87fb1f08f802b6a69b8b11f46fb3a2a751ba8c00aab6910cebadbb4
|
|
7
|
+
data.tar.gz: '093b793d6b3f0ca6951a4c71ffd1f4b2603a1ea7d6efce304b165ae8124dd7cb64f7aa46b455a0ee5c9ba8e0f91ec931484dcdd7d2082dbae64448ee7aa6b2d7'
|
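--- a/data/lib/faraday/connection.rb
+++ b/data/lib/faraday/connection.rb
@@ -481,8 +481,9 @@ module Faraday
 if url && !base.path.end_with?('/')
 base.path = "#{base.path}/" # ensure trailing slash
 end
-# Ensure relative url will be parsed correctly (such as `service:search` )
-url = "./#{url}" if url.respond_to?(:start_with?) &&
+# Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
+url = "./#{url}" if url.respond_to?(:start_with?) &&
+(!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
 uri = url ? base + url : base
 if params
 uri.query = params.to_query(params_encoder || options.params_encoder)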
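Review bot: The rewritten condition on the third added line is hard to read: it allowlists `/` and then re-includes `//` through the `||` branch, while the comment above it names `//evil.com` without saying what would go wrong. Replace that comment with `# A protocol-relative URL (//host/...) would replace the base host when merged (GHSA-33mh-2634-fwr2), so it is forced to be a relative path like any other non-absolute input` and consider giving the second branch a name, e.g. `protocol_relative = url.start_with?('//')`, so the intent survives the next edit. The guard only runs when `url` responds to `start_with?`, so a non-String argument still reaches `base + url` unchanged; that limit appears to predate this change. The enclosing method (`build_exclusive_url`, judging by the spec on this page) begins above the hunk.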
@@ -63,7 +63,7 @@ module Faraday
|
|
|
63
63
|
|
|
64
64
|
def dump_body(body)
|
|
65
65
|
if body.respond_to?(:to_str)
|
|
66
|
-
body.to_str.encode(Encoding::UTF_8, undef: :replace, invalid: :replace)
|
|
66
|
+
body.to_str.encode(::Encoding::UTF_8, undef: :replace, invalid: :replace)
|
|
67
67
|
else
|
|
68
68
|
pretty_inspect(body)
|
|
69
69
|
end
|
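Review bot: The `::Encoding::UTF_8` qualification on the added line has no comment saying why the top-level lookup is needed, so a later cleanup is likely to drop the `::` and reintroduce whatever resolution problem this fixes. Add `# ::Encoding: resolve the core class, not a same-named constant reachable from the Faraday namespace` — the shadowing constant is not visible on this page, so confirm its name before committing to that wording. This hunk is displayed under the connection.rb header, but its +1 -1 size and the `dump_body` method match the diffstat entry for data/lib/faraday/logging/formatter.rb. `dump_body` is fully contained in the hunk.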
data/lib/faraday/version.rb
CHANGED
|
@@ -311,6 +311,39 @@ RSpec.describe Faraday::Connection do
|
|
|
311
311
|
end
|
|
312
312
|
end
|
|
313
313
|
|
|
314
|
+
context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
|
|
315
|
+
it 'does not allow host override with //evil.com/path' do
|
|
316
|
+
conn.url_prefix = 'http://httpbingo.org/api'
|
|
317
|
+
uri = conn.build_exclusive_url('//evil.com/path')
|
|
318
|
+
expect(uri.host).to eq('httpbingo.org')
|
|
319
|
+
end
|
|
320
|
+
|
|
321
|
+
it 'does not allow host override with //evil.com:8080/path' do
|
|
322
|
+
conn.url_prefix = 'http://httpbingo.org/api'
|
|
323
|
+
uri = conn.build_exclusive_url('//evil.com:8080/path')
|
|
324
|
+
expect(uri.host).to eq('httpbingo.org')
|
|
325
|
+
end
|
|
326
|
+
|
|
327
|
+
it 'does not allow host override with //user:pass@evil.com/path' do
|
|
328
|
+
conn.url_prefix = 'http://httpbingo.org/api'
|
|
329
|
+
uri = conn.build_exclusive_url('//user:pass@evil.com/path')
|
|
330
|
+
expect(uri.host).to eq('httpbingo.org')
|
|
331
|
+
end
|
|
332
|
+
|
|
333
|
+
it 'does not allow host override with ///evil.com' do
|
|
334
|
+
conn.url_prefix = 'http://httpbingo.org/api'
|
|
335
|
+
uri = conn.build_exclusive_url('///evil.com')
|
|
336
|
+
expect(uri.host).to eq('httpbingo.org')
|
|
337
|
+
end
|
|
338
|
+
|
|
339
|
+
it 'still allows single-slash absolute paths' do
|
|
340
|
+
conn.url_prefix = 'http://httpbingo.org/api'
|
|
341
|
+
uri = conn.build_exclusive_url('/safe/path')
|
|
342
|
+
expect(uri.host).to eq('httpbingo.org')
|
|
343
|
+
expect(uri.path).to eq('/safe/path')
|
|
344
|
+
end
|
|
345
|
+
end
|
|
346
|
+
|
|
314
347
|
context 'with a custom `default_uri_parser`' do
|
|
315
348
|
let(:url) { 'http://httpbingo.org' }
|
|
316
349
|
let(:parser) { Addressable::URI }
|
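Review bot: Each new example asserts only `uri.host`, so a regression that preserved the base host but let `userinfo` or `port` leak through from the input (the `//user:pass@evil.com/path` and `//evil.com:8080/path` cases) would still pass. Add `expect(uri.userinfo).to be_nil` and `expect(uri.port).to eq(80)` to those two examples, and assert `uri.path` in the protocol-relative examples as the single-slash example already does, so the spec pins that the input was folded into the path rather than merely not overriding the host. This section is headed `data/lib/faraday/version.rb`, but its hunk header and content belong to `connection_spec.rb` (the diffstat's +33 -0 entry); the one-line version.rb change itself is not shown on the page. The enclosing describe block extends beyond the hunk on both sides.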
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: faraday
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.14.
|
|
4
|
+
version: 2.14.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- "@technoweenie"
|
|
@@ -144,7 +144,7 @@ licenses:
|
|
|
144
144
|
- MIT
|
|
145
145
|
metadata:
|
|
146
146
|
homepage_uri: https://lostisland.github.io/faraday
|
|
147
|
-
changelog_uri: https://github.com/lostisland/faraday/releases/tag/v2.14.
|
|
147
|
+
changelog_uri: https://github.com/lostisland/faraday/releases/tag/v2.14.1
|
|
148
148
|
source_code_uri: https://github.com/lostisland/faraday
|
|
149
149
|
bug_tracker_uri: https://github.com/lostisland/faraday/issues
|
|
150
150
|
rubygems_mfa_required: 'true'
|