http.rb 0.22.0 → 0.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5535114ce1c4c4612aaef5e7eb88777a4807ab671d2f474d38175e3398d37358
-  data.tar.gz: e72a5ce3ea83170a4bafc2d6179912d20ff88c8d945d9f8d06f40dae387b6961
+  metadata.gz: 192aecaee0d22accbabb0b03b00f987cf7902c4958d6d5dab823515f4e681408
+  data.tar.gz: 1adb47bbf1b800b6e3fa9f7767db4a5b63f0b23abe12547056e564bda0c76713
 SHA512:
-  metadata.gz: cf30ba6e2171e8a005b398cbb467f8437d0653b15f066f610e87bf5d301464695bcd751dbf4b064ded581761c1c2abad25e71418d24d2c4a3001706f1e41f8dc
-  data.tar.gz: f62e33d69f7e107c43d717f33bd9130538f0b4ff96a8f337145dfe11fb3ee3dac25ee83fec6777d301fa0eadeb0282760057a58da4736cd2adee0eba47c6552d
+  metadata.gz: 608a398a78d14c9ba1a40db7478510b5a25cc073898a9fa1759c783b3aec8b9f6846597662972f15552f561a6f9e8269485053aab2f707e874f0c753a98144df
+  data.tar.gz: 8d9e7449e938c01bad80526aa566cc9886c76df5020cbc556dd458e1acb6f0c2af1b23d3b53dc872df39ec6f27f1c828bbe5bcdc9cfea31c4b5cd3167e129c1d

data/CHANGELOG

@@ -2,6 +2,27 @@
 
 ## 20260522
 
+0.24.0: ok? predicate now means 200 specifically.
+
+1. ~ Net::HTTPResponse::StatusPredicates: ok? is now defined as @code == '200' rather than aliased to successful?. The alias semantics (any 2xx) misled — "OK" is the reason-phrase for 200 specifically, not the 2xx class. Migration: callers wanting any-2xx should use successful? (or its alias success?).
+2. + test/Net/HTTPResponse/StatusPredicates_test.rb: Specs for ok? against 200, other 2xx codes, and a 4xx code.
+3. ~ README.md: Status-predicate section rewritten — single coherent reference for the predicate set, with ok? listed as 200-specific.
+4. ~ HTTP::VERSION: /0.23.0/0.24.0/
+5. ~ CHANGELOG: + 0.24.0 entry
+
+## 20260522
+
+0.23.0: Fix cross-scheme redirect SSL leak; clamp negative Retry-After.
+
+1. ~ HTTP.request: Compute http-object SSL configuration via options.merge instead of mutating the caller's options hash with auto-derived use_ssl and verify_mode. The previous ||= writes meant an HTTPS→HTTP redirect carried use_ssl: true through to the recursive call against the HTTP host, attempting an SSL handshake on the plain-HTTP port. Cross-scheme redirects in both directions now re-derive use_ssl from each URI.
+2. ~ HTTP.retry_after: Clamp the HTTP-date branch via delta && [delta, 0].max. A past Retry-After HTTP-date previously returned a negative delta; Kernel.sleep raises ArgumentError on negatives.
+3. ~ test/HTTP/get_test.rb: + cross-scheme redirection specs (HTTPS→HTTP and HTTP→HTTPS) using a Net::HTTP.new stub to capture each Net::HTTP instance and assert use_ssl? per hop.
+4. ~ test/HTTP/RETRY_test.rb: + specs for past-date Retry-After (clamps to 0) and negative-integer Retry-After (returns nil).
+5. ~ HTTP::VERSION: /0.22.0/0.23.0/
+6. ~ CHANGELOG: + 0.23.0 entry; fix 0.13.2 date typo (202503030 → 20250330).
+
+## 20260522
+
 0.22.0: Convert specs from RSpec to Minitest.
 
 1. ~ spec/ → test/: All spec files moved to test/ and rewritten in Minitest spec style with `let`, double-quoted descriptions, and `_(...).must_*` expectations. On the TODO since at least 0.17.0; completed before 1.0 to ship into stability on the test framework that's here to stay.
@@ -206,7 +227,7 @@
 2. ~ HTTP::VERSION: /0.13.2/0.13.3/
 3. ~ http.rb.gemspec: Change date.
 
-## 202503030
+## 20250330
 
 0.13.2: Change repo name to match gem name (/HTTP/http.rb/); + Use HTTP::VERSION; /require/require_relative/
 

data/README.md

@@ -114,48 +114,35 @@ options = {
 
 ### Response status predicate methods
 
+Every response carries predicates for each status class:
+
 ```ruby
-# 1xx
-response = HTTP.get('http://example.com')
-response.informational?
-# => true
+response.informational?   # 1xx
+response.successful?      # 2xx (aliased as success?)
+response.redirection?     # 3xx
+response.client_error?    # 4xx
+response.server_error?    # 5xx
+response.error?           # 4xx or 5xx
+response.ok?              # 200 specifically
+```
 
-# 2xx
-response = HTTP.get('http://example.com')
-response.success?
-# => true
+Redirects are followed by default, so a 3xx is only surfaced when `no_redirect` is set:
 
-# 3xx
-response = HTTP.get('http://example.com', {}, {}, {no_redirect: true})
+```ruby
+response = HTTP.get('http://example.com/moved', {}, {}, {no_redirect: true})
 response.redirection?
 # => true
-response.success?
+response.successful?
 # => false
+```
 
-response = HTTP.get('http://example.com', {}, {}, {no_redirect: false})
-response.redirection?
-# => false
-response.success?
-# => true
+Without `no_redirect`, the redirect is followed and `response` is the final destination:
 
-response = HTTP.get('http://example.com')
+```ruby
+response = HTTP.get('http://example.com/moved')
 response.redirection?
 # => false
-response.success?
-# => true
-
-# 4xx
-response = HTTP.get('http://example.com')
-response.client_error?
-# => true
-response.error?
-# => true
-
-# 5xx
-response = HTTP.get('http://example.com')
-response.server_error?
-# => true
-response.error?
+response.successful?
 # => true
 ```
 

data/lib/HTTP/RETRY.rb

@@ -69,7 +69,8 @@ module HTTP
       header.to_i
     else
       # Malformed HTTP-date — fall through to caller's backoff.
-      Time.httpdate(header) - Time.now rescue nil
+      delta = Time.httpdate(header) - Time.now rescue nil
+      delta && [delta, 0].max
     end
   end
   module_function :retry_after

data/lib/HTTP/VERSION.rb

@@ -2,5 +2,5 @@
 # HTTP::VERSION
 
 module HTTP
-  VERSION = '0.22.0'
+  VERSION = '0.24.0'
 end

data/lib/HTTP/request.rb

@@ -17,9 +17,10 @@ module HTTP
     http = Net::HTTP.new(uri.host, uri.port)
     no_redirect = options.delete(:no_redirect)
     config = retry_config(options)
-    options[:use_ssl] ||= uri.use_ssl?
-    options[:verify_mode] ||= OpenSSL::SSL::VERIFY_PEER
-    http.options = options
+    http.options = options.merge(
+      use_ssl: (options[:use_ssl] || uri.use_ssl?),
+      verify_mode: (options[:verify_mode] || OpenSSL::SSL::VERIFY_PEER)
+    )
     request_object.headers = headers
     request_object.basic_auth(uri.user, uri.password) if uri.user
     verb = request_object.method.downcase.to_sym

data/lib/Net/HTTPResponse/StatusPredicates.rb

@@ -12,7 +12,10 @@ module Net
         @code =~ /^2/ ? true : false
       end
       alias_method :success?, :successful?
-      alias_method :ok?, :successful?
+
+      def ok?
+        @code == '200'
+      end
 
       def redirection?
         @code =~ /^3/ ? true : false

data/test/HTTP/RETRY_test.rb

@@ -267,6 +267,20 @@ describe HTTP, ".retry_after" do
     response = MockResponse.new(headers_hash: {'Retry-After' => 'not a date'})
     _(HTTP.retry_after(response)).must_be_nil
   end
+
+  it "clamps to 0 when the Retry-After HTTP-date is in the past" do
+    base = Time.utc(2026, 5, 22, 12, 0, 0)
+    retry_at_header = (base - 60).httpdate
+    response = MockResponse.new(headers_hash: {'Retry-After' => retry_at_header})
+    Time.stub(:now, base) do
+      _(HTTP.retry_after(response)).must_equal(0)
+    end
+  end
+
+  it "returns nil for a negative integer Retry-After" do
+    response = MockResponse.new(headers_hash: {'Retry-After' => '-5'})
+    _(HTTP.retry_after(response)).must_be_nil
+  end
 end
 
 describe HTTP, ".backoff_delay" do

data/test/HTTP/get_test.rb

@@ -269,6 +269,69 @@ describe ".get" do
     end
   end
 
+  describe "with cross-scheme redirection" do
+    def capture_http_objects
+      http_objects = []
+      original_new = Net::HTTP.method(:new)
+      Net::HTTP.stub(:new, ->(*args){
+        http_object = original_new.call(*args)
+        http_objects << http_object
+        http_object
+      }) do
+        yield
+      end
+      http_objects
+    end
+
+    describe "from HTTPS to HTTP" do
+      let(:request_uri){'https://example.com/path'}
+      let(:redirect_uri){'http://redirected.com'}
+
+      before do
+        stub_request(:get, request_uri).
+          to_return(status: 301, body: '', headers: {'location' => redirect_uri})
+        stub_request(:get, redirect_uri).
+          to_return(status: 200, body: '', headers: {})
+      end
+
+      it "follows the redirect without carrying use_ssl over to the HTTP host" do
+        http_objects = capture_http_objects do
+          response = HTTP.get(request_uri)
+          _(response.success?).must_equal(true)
+        end
+        _(http_objects.size).must_equal(2)
+        _(http_objects[0].use_ssl?).must_equal(true)
+        _(http_objects[1].use_ssl?).must_equal(false)
+        assert_requested(:get, request_uri)
+        assert_requested(:get, redirect_uri)
+      end
+    end
+
+    describe "from HTTP to HTTPS" do
+      let(:request_uri){'http://example.com/path'}
+      let(:redirect_uri){'https://redirected.com'}
+
+      before do
+        stub_request(:get, request_uri).
+          to_return(status: 301, body: '', headers: {'location' => redirect_uri})
+        stub_request(:get, redirect_uri).
+          to_return(status: 200, body: '', headers: {})
+      end
+
+      it "enables use_ssl on the redirected HTTPS request" do
+        http_objects = capture_http_objects do
+          response = HTTP.get(request_uri)
+          _(response.success?).must_equal(true)
+        end
+        _(http_objects.size).must_equal(2)
+        _(http_objects[0].use_ssl?).must_equal(false)
+        _(http_objects[1].use_ssl?).must_equal(true)
+        assert_requested(:get, request_uri)
+        assert_requested(:get, redirect_uri)
+      end
+    end
+  end
+
   describe "no_redirect true" do
     let(:request_uri){'http://example.com/path'}
     let(:redirect_uri){'http://redirected.com'}

data/test/Net/HTTPResponse/StatusPredicates_test.rb

@@ -0,0 +1,28 @@
+# test/Net/HTTPResponse/StatusPredicates_test.rb
+
+require_relative '../../helper'
+
+describe Net::HTTPResponse::StatusPredicates do
+  let(:response_class) do
+    Class.new do
+      include Net::HTTPResponse::StatusPredicates
+      def initialize(code); @code = code; end
+    end
+  end
+
+  describe "#ok?" do
+    it "returns true for 200" do
+      _(response_class.new('200').ok?).must_equal(true)
+    end
+
+    it "returns false for other 2xx codes" do
+      ['201', '202', '204'].each do |code|
+        _(response_class.new(code).ok?).must_equal(false)
+      end
+    end
+
+    it "returns false for non-2xx codes" do
+      _(response_class.new('404').ok?).must_equal(false)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http.rb
 version: !ruby/object:Gem::Version
-  version: 0.22.0
+  version: 0.24.0
 platform: ruby
 authors:
 - thoran
@@ -117,6 +117,7 @@ files:
 - test/HTTP/post_test.rb
 - test/HTTP/put_test.rb
 - test/HTTP/trace_test.rb
+- test/Net/HTTPResponse/StatusPredicates_test.rb
 - test/helper.rb
 homepage: http://github.com/thoran/HTTP
 licenses: