http.rb 0.22.0 → 0.23.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG +12 -1
- data/lib/HTTP/RETRY.rb +2 -1
- data/lib/HTTP/VERSION.rb +1 -1
- data/lib/HTTP/request.rb +4 -3
- data/test/HTTP/RETRY_test.rb +14 -0
- data/test/HTTP/get_test.rb +63 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b1e4577389b2272eb97f9912694fc3e2951c64cf83758c9a6f05b544dab99f3f
|
|
4
|
+
data.tar.gz: 13574567a8fabe8ac8693cda1cd183703eb8d7f57f94da20ffe249feb4b1a52b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f15f20fb2292d31e28da282fd138463234a2cead1e153a963c32a298b3fee441fcd50958203be30a103eb2c176da18f4beccdd6b362624e1c2769c1ee5b351f8
|
|
7
|
+
data.tar.gz: c8062c4c3f8ea7ffba22ac31f5e53288b8b36941651df1d087b18ec6e9bff46178e45afd421fc6218a910d61dc32e6cf410182336d058f28136b302589e1869a
|
data/CHANGELOG
CHANGED
|
@@ -2,6 +2,17 @@
|
|
|
2
2
|
|
|
3
3
|
## 20260522
|
|
4
4
|
|
|
5
|
+
0.23.0: Fix cross-scheme redirect SSL leak; clamp negative Retry-After.
|
|
6
|
+
|
|
7
|
+
1. ~ HTTP.request: Compute http-object SSL configuration via options.merge instead of mutating the caller's options hash with auto-derived use_ssl and verify_mode. The previous ||= writes meant an HTTPS→HTTP redirect carried use_ssl: true through to the recursive call against the HTTP host, attempting an SSL handshake on the plain-HTTP port. Cross-scheme redirects in both directions now re-derive use_ssl from each URI.
|
|
8
|
+
2. ~ HTTP.retry_after: Clamp the HTTP-date branch via delta && [delta, 0].max. A past Retry-After HTTP-date previously returned a negative delta; Kernel.sleep raises ArgumentError on negatives.
|
|
9
|
+
3. ~ test/HTTP/get_test.rb: + cross-scheme redirection specs (HTTPS→HTTP and HTTP→HTTPS) using a Net::HTTP.new stub to capture each Net::HTTP instance and assert use_ssl? per hop.
|
|
10
|
+
4. ~ test/HTTP/RETRY_test.rb: + specs for past-date Retry-After (clamps to 0) and negative-integer Retry-After (returns nil).
|
|
11
|
+
5. ~ HTTP::VERSION: /0.22.0/0.23.0/
|
|
12
|
+
6. ~ CHANGELOG: + 0.23.0 entry; fix 0.13.2 date typo (202503030 → 20250330).
|
|
13
|
+
|
|
14
|
+
## 20260522
|
|
15
|
+
|
|
5
16
|
0.22.0: Convert specs from RSpec to Minitest.
|
|
6
17
|
|
|
7
18
|
1. ~ spec/ → test/: All spec files moved to test/ and rewritten in Minitest spec style with `let`, double-quoted descriptions, and `_(...).must_*` expectations. On the TODO since at least 0.17.0; completed before 1.0 to ship into stability on the test framework that's here to stay.
|
|
@@ -206,7 +217,7 @@
|
|
|
206
217
|
2. ~ HTTP::VERSION: /0.13.2/0.13.3/
|
|
207
218
|
3. ~ http.rb.gemspec: Change date.
|
|
208
219
|
|
|
209
|
-
##
|
|
220
|
+
## 20250330
|
|
210
221
|
|
|
211
222
|
0.13.2: Change repo name to match gem name (/HTTP/http.rb/); + Use HTTP::VERSION; /require/require_relative/
|
|
212
223
|
|
data/lib/HTTP/RETRY.rb
CHANGED
|
@@ -69,7 +69,8 @@ module HTTP
|
|
|
69
69
|
header.to_i
|
|
70
70
|
else
|
|
71
71
|
# Malformed HTTP-date — fall through to caller's backoff.
|
|
72
|
-
Time.httpdate(header) - Time.now rescue nil
|
|
72
|
+
delta = Time.httpdate(header) - Time.now rescue nil
|
|
73
|
+
delta && [delta, 0].max
|
|
73
74
|
end
|
|
74
75
|
end
|
|
75
76
|
module_function :retry_after
|
data/lib/HTTP/VERSION.rb
CHANGED
data/lib/HTTP/request.rb
CHANGED
|
@@ -17,9 +17,10 @@ module HTTP
|
|
|
17
17
|
http = Net::HTTP.new(uri.host, uri.port)
|
|
18
18
|
no_redirect = options.delete(:no_redirect)
|
|
19
19
|
config = retry_config(options)
|
|
20
|
-
options
|
|
21
|
-
|
|
22
|
-
|
|
20
|
+
http.options = options.merge(
|
|
21
|
+
use_ssl: (options[:use_ssl] || uri.use_ssl?),
|
|
22
|
+
verify_mode: (options[:verify_mode] || OpenSSL::SSL::VERIFY_PEER)
|
|
23
|
+
)
|
|
23
24
|
request_object.headers = headers
|
|
24
25
|
request_object.basic_auth(uri.user, uri.password) if uri.user
|
|
25
26
|
verb = request_object.method.downcase.to_sym
|
data/test/HTTP/RETRY_test.rb
CHANGED
|
@@ -267,6 +267,20 @@ describe HTTP, ".retry_after" do
|
|
|
267
267
|
response = MockResponse.new(headers_hash: {'Retry-After' => 'not a date'})
|
|
268
268
|
_(HTTP.retry_after(response)).must_be_nil
|
|
269
269
|
end
|
|
270
|
+
|
|
271
|
+
it "clamps to 0 when the Retry-After HTTP-date is in the past" do
|
|
272
|
+
base = Time.utc(2026, 5, 22, 12, 0, 0)
|
|
273
|
+
retry_at_header = (base - 60).httpdate
|
|
274
|
+
response = MockResponse.new(headers_hash: {'Retry-After' => retry_at_header})
|
|
275
|
+
Time.stub(:now, base) do
|
|
276
|
+
_(HTTP.retry_after(response)).must_equal(0)
|
|
277
|
+
end
|
|
278
|
+
end
|
|
279
|
+
|
|
280
|
+
it "returns nil for a negative integer Retry-After" do
|
|
281
|
+
response = MockResponse.new(headers_hash: {'Retry-After' => '-5'})
|
|
282
|
+
_(HTTP.retry_after(response)).must_be_nil
|
|
283
|
+
end
|
|
270
284
|
end
|
|
271
285
|
|
|
272
286
|
describe HTTP, ".backoff_delay" do
|
data/test/HTTP/get_test.rb
CHANGED
|
@@ -269,6 +269,69 @@ describe ".get" do
|
|
|
269
269
|
end
|
|
270
270
|
end
|
|
271
271
|
|
|
272
|
+
describe "with cross-scheme redirection" do
|
|
273
|
+
def capture_http_objects
|
|
274
|
+
http_objects = []
|
|
275
|
+
original_new = Net::HTTP.method(:new)
|
|
276
|
+
Net::HTTP.stub(:new, ->(*args){
|
|
277
|
+
http_object = original_new.call(*args)
|
|
278
|
+
http_objects << http_object
|
|
279
|
+
http_object
|
|
280
|
+
}) do
|
|
281
|
+
yield
|
|
282
|
+
end
|
|
283
|
+
http_objects
|
|
284
|
+
end
|
|
285
|
+
|
|
286
|
+
describe "from HTTPS to HTTP" do
|
|
287
|
+
let(:request_uri){'https://example.com/path'}
|
|
288
|
+
let(:redirect_uri){'http://redirected.com'}
|
|
289
|
+
|
|
290
|
+
before do
|
|
291
|
+
stub_request(:get, request_uri).
|
|
292
|
+
to_return(status: 301, body: '', headers: {'location' => redirect_uri})
|
|
293
|
+
stub_request(:get, redirect_uri).
|
|
294
|
+
to_return(status: 200, body: '', headers: {})
|
|
295
|
+
end
|
|
296
|
+
|
|
297
|
+
it "follows the redirect without carrying use_ssl over to the HTTP host" do
|
|
298
|
+
http_objects = capture_http_objects do
|
|
299
|
+
response = HTTP.get(request_uri)
|
|
300
|
+
_(response.success?).must_equal(true)
|
|
301
|
+
end
|
|
302
|
+
_(http_objects.size).must_equal(2)
|
|
303
|
+
_(http_objects[0].use_ssl?).must_equal(true)
|
|
304
|
+
_(http_objects[1].use_ssl?).must_equal(false)
|
|
305
|
+
assert_requested(:get, request_uri)
|
|
306
|
+
assert_requested(:get, redirect_uri)
|
|
307
|
+
end
|
|
308
|
+
end
|
|
309
|
+
|
|
310
|
+
describe "from HTTP to HTTPS" do
|
|
311
|
+
let(:request_uri){'http://example.com/path'}
|
|
312
|
+
let(:redirect_uri){'https://redirected.com'}
|
|
313
|
+
|
|
314
|
+
before do
|
|
315
|
+
stub_request(:get, request_uri).
|
|
316
|
+
to_return(status: 301, body: '', headers: {'location' => redirect_uri})
|
|
317
|
+
stub_request(:get, redirect_uri).
|
|
318
|
+
to_return(status: 200, body: '', headers: {})
|
|
319
|
+
end
|
|
320
|
+
|
|
321
|
+
it "enables use_ssl on the redirected HTTPS request" do
|
|
322
|
+
http_objects = capture_http_objects do
|
|
323
|
+
response = HTTP.get(request_uri)
|
|
324
|
+
_(response.success?).must_equal(true)
|
|
325
|
+
end
|
|
326
|
+
_(http_objects.size).must_equal(2)
|
|
327
|
+
_(http_objects[0].use_ssl?).must_equal(false)
|
|
328
|
+
_(http_objects[1].use_ssl?).must_equal(true)
|
|
329
|
+
assert_requested(:get, request_uri)
|
|
330
|
+
assert_requested(:get, redirect_uri)
|
|
331
|
+
end
|
|
332
|
+
end
|
|
333
|
+
end
|
|
334
|
+
|
|
272
335
|
describe "no_redirect true" do
|
|
273
336
|
let(:request_uri){'http://example.com/path'}
|
|
274
337
|
let(:redirect_uri){'http://redirected.com'}
|