http 5.1.0 → 5.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3826a20981b5ed6a7e5f29fd99af814a8409dea3d556d8d4f1c1faeee0060211
-  data.tar.gz: 5f1a624d39059a53df7535df9d8094ec2eb17330ce113ee5f8201f028cb08a01
+  metadata.gz: 8593353cd2283b2ac49c557ff71d5f1a668066dbac59b3d2a6f59429b9b2f5e8
+  data.tar.gz: e9316b3c4dd519825eeaa255a4f86932ce4a9e7f374f9be8273ca4051f5b9c3d
 SHA512:
-  metadata.gz: f34965016796ff2864a48d86c45a95db18a5bd118921e9f5ab653b042d53f13332d155238b1b26d28be643b6dffea6f0bf9ac20bbc71bcab05e73e7358ca9b7d
-  data.tar.gz: dfcf6ad46848750d86cb9139b7b0ab9d4ae28624bc7c0d779450f3cfbd8de11dd6ba242855fee759210ffade294743746059157cd1eab4eb69125f644653f5e5
+  metadata.gz: 0ae34b411a233ca8601aebe2295f2a1d8e0bec7e742a95fdd6e075b4f7dd3c68d42448cfbac1146b645ee59424e91af8eb3878c43e7a7fb17c3569681cf4ccf3
+  data.tar.gz: a76bc0a41338e67677370014d803ea79e3a34078172cc81491f31b085613394c7290b2402e199a2e1de77c7fecf7e05fde8fc2d9924016105ce429751f202e85

data/.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main, 5-x-stable ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, 5-x-stable ]
 
 env:
   BUNDLE_WITHOUT: "development"
@@ -16,11 +16,11 @@ jobs:
 
     strategy:
       matrix:
-        ruby: [ ruby-2.6, ruby-2.7, ruby-3.0, ruby-3.1 ]
+        ruby: [ ruby-2.6, ruby-2.7, ruby-3.0, ruby-3.1, ruby-3.2, ruby-3.3 ]
         os: [ ubuntu-latest ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -30,29 +30,31 @@ jobs:
       - name: bundle exec rspec
         run: bundle exec rspec --format progress --force-colour
 
-      - name: Prepare Coveralls test coverage report
-        uses: coverallsapp/github-action@v1.1.2
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          flag-name: "${{ matrix.ruby }} @${{ matrix.os }}"
-          path-to-lcov: ./coverage/lcov/lcov.info
-          parallel: true
+  test-flaky:
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      matrix:
+        ruby: [ jruby-9.3 ]
+        os: [ ubuntu-latest ]
 
-  coveralls:
-    needs: test
-    runs-on: ubuntu-latest
     steps:
-      - name: Finalize Coveralls test coverage report
-        uses: coverallsapp/github-action@master
+      - uses: actions/checkout@v4
+
+      - uses: ruby/setup-ruby@v1
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          parallel-finished: true
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: bundle exec rspec
+        continue-on-error: true
+        run: bundle exec rspec --format progress --force-colour
 
   lint:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ruby/setup-ruby@v1
         with:

data/.rubocop/metrics.yml

@@ -0,0 +1,4 @@
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'
+    - '*.gemspec'

data/.rubocop.yml

@@ -1,6 +1,7 @@
 inherit_from:
   - .rubocop_todo.yml
   - .rubocop/layout.yml
+  - .rubocop/metrics.yml
   - .rubocop/style.yml
 
 AllCops:

data/.rubocop_todo.yml

@@ -74,7 +74,7 @@ Metrics/AbcSize:
     - 'lib/http/request.rb'
     - 'lib/http/response.rb'
 
-# Offense count: 69
+# Offense count: 70
 # Configuration parameters: CountComments, Max, CountAsOne, ExcludedMethods, IgnoredMethods.
 # IgnoredMethods: refine
 Metrics/BlockLength:
@@ -98,6 +98,7 @@ Metrics/BlockLength:
     - 'spec/lib/http/response/parser_spec.rb'
     - 'spec/lib/http/response/status_spec.rb'
     - 'spec/lib/http/response_spec.rb'
+    - 'spec/lib/http/uri_spec.rb'
     - 'spec/lib/http_spec.rb'
     - 'spec/support/http_handling_shared.rb'
 

data/CHANGELOG.md

@@ -0,0 +1,41 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [5.2.0] - 2024-02-05
+
+### Added
+
+- Add `Connection#finished_request?`
+  ([#743](https://github.com/httprb/http/pull/743))
+- Add `Instrumentation#on_error`
+  ([#746](https://github.com/httprb/http/pull/746))
+- Add `base64` dependency (suppresses warnings on Ruby 3.0)
+  ([#759](https://github.com/httprb/http/pull/759))
+- Add `PURGE` HTTP verb
+  ([#757](https://github.com/httprb/http/pull/757))
+- Add Ruby-3.3 support
+
+### Changed
+
+- **BREAKING** Process features in reverse order
+  ([#766](https://github.com/httprb/http/pull/766))
+- **BREAKING** Downcase Content-Type charset name
+  ([#753](https://github.com/httprb/http/pull/753))
+- **BREAKING** Make URI normalization more conservative
+  ([#758](https://github.com/httprb/http/pull/758))
+
+### Fixed
+
+- Close sockets on initialize failure
+  ([#762](https://github.com/httprb/http/pull/762))
+- Prevent CRLF injection due to broken URL normalizer
+  ([#765](https://github.com/httprb/http/pull/765))
+
+[unreleased]: https://github.com/httprb/http/compare/v5.2.0...5-x-stable
+[5.2.0]: https://github.com/httprb/http/compare/v5.1.1...v5.2.0

data/{CHANGES.md → CHANGES_OLD.md}

@@ -1,3 +1,13 @@
+## 5.1.1 (2022-12-17)
+
+* [#731](https://github.com/httprb/http/pull/731)
+  Strip brackets from IPv6 addresses in `HTTP::URI`.
+  ([@jeraki])
+
+* [#722](https://github.com/httprb/http/pull/722)
+  Add `on_redirect` callback.
+  ([@benubois])
+
 ## 5.1.0 (2022-06-17)
 
 * Drop ruby-2.5 support.
@@ -44,7 +54,7 @@
   Use features on redirected requests.
   ([@nomis])
 
-* [#678](https://github.com/schwern)
+* [#678](https://github.com/httprb/http/pull/678)
   Restore `HTTP::Response` `:uri` option for backwards compatibility.
   ([@schwern])
 
@@ -988,3 +998,5 @@ end
 [@YuLeven]: https://github.com/YuLeven
 [@drwl]: https://github.com/drwl
 [@tkellogg]: https://github.com/tkellogg
+[@jeraki]: https://github.com/jeraki
+[@benubois]: https://github.com/benubois

data/README.md

@@ -110,10 +110,13 @@ and call `#readpartial` on it repeatedly until it returns `nil`:
 This library aims to support and is [tested against][build-link]
 the following Ruby  versions:
 
+- JRuby 9.3
 - Ruby 2.6
 - Ruby 2.7
 - Ruby 3.0
-- JRuby 9.2
+- Ruby 3.1
+- Ruby 3.2
+- Ruby 3.3
 
 If something doesn't work on one of these versions, it's a bug.
 
@@ -159,5 +162,5 @@ See LICENSE.txt for further details.
 [//]: # (links)
 
 [documentation]: https://github.com/httprb/http/wiki
-[requests]: http://docs.python-requests.org/en/latest/
+[requests]: https://docs.python-requests.org/en/latest/
 [llhttp]: https://llhttp.org/

data/SECURITY.md

@@ -1,5 +1,17 @@
 # Security Policy
 
+## Supported Versions
+
+Security updates are applied only to the most recent release.
+
 ## Reporting a Vulnerability
 
-Please report security issues to `bascule@gmail.com`
+If you have discovered a security vulnerability in this project, please report
+it privately. **Do not disclose it as a public issue.** This gives us time to
+work with you to fix the issue before public exposure, reducing the chance that
+the exploit will be used before a patch is released.
+
+Please disclose it at [security advisory](https://github.com/httprb/http/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis.
+As such, please give us at least 90 days to work on a fix before public exposure.

data/http.gemspec

@@ -28,9 +28,10 @@ Gem::Specification.new do |gem|
   gem.required_ruby_version = ">= 2.6"
 
   gem.add_runtime_dependency "addressable",    "~> 2.8"
+  gem.add_runtime_dependency "base64",         "~> 0.1"
   gem.add_runtime_dependency "http-cookie",    "~> 1.0"
   gem.add_runtime_dependency "http-form_data", "~> 2.2"
-  gem.add_runtime_dependency "llhttp-ffi",     "~> 0.4.0"
+  gem.add_runtime_dependency "llhttp-ffi",     "~> 0.5.0"
 
   gem.add_development_dependency "bundler", "~> 2.0"
 
@@ -38,7 +39,7 @@ Gem::Specification.new do |gem|
     "source_code_uri"       => "https://github.com/httprb/http",
     "wiki_uri"              => "https://github.com/httprb/http/wiki",
     "bug_tracker_uri"       => "https://github.com/httprb/http/issues",
-    "changelog_uri"         => "https://github.com/httprb/http/blob/v#{HTTP::VERSION}/CHANGES.md",
+    "changelog_uri"         => "https://github.com/httprb/http/blob/v#{HTTP::VERSION}/CHANGELOG.md",
     "rubygems_mfa_required" => "true"
   }
 end

data/lib/http/client.rb

@@ -184,7 +184,7 @@ module HTTP
         form
       when opts.json
         body = MimeType[:json].encode opts.json
-        headers[Headers::CONTENT_TYPE] ||= "application/json; charset=#{body.encoding.name}"
+        headers[Headers::CONTENT_TYPE] ||= "application/json; charset=#{body.encoding.name.downcase}"
         body
       end
     end

data/lib/http/connection.rb

@@ -46,6 +46,9 @@ module HTTP
       reset_timer
     rescue IOError, SocketError, SystemCallError => e
       raise ConnectionError, "failed to connect: #{e}", e.backtrace
+    rescue TimeoutError
+      close
+      raise
     end
 
     # @see (HTTP::Response::Parser#status_code)
@@ -126,12 +129,16 @@ module HTTP
     # Close the connection
     # @return [void]
     def close
-      @socket.close unless @socket.closed?
+      @socket.close unless @socket&.closed?
 
       @pending_response = false
       @pending_request  = false
     end
 
+    def finished_request?
+      !@pending_request && !@pending_response
+    end
+
     # Whether we're keeping the conn alive
     # @return [Boolean]
     def keep_alive?

data/lib/http/features/instrumentation.rb

@@ -19,11 +19,12 @@ module HTTP
     #    and `finish` so the duration of the request can be calculated.
     #
     class Instrumentation < Feature
-      attr_reader :instrumenter, :name
+      attr_reader :instrumenter, :name, :error_name
 
       def initialize(instrumenter: NullInstrumenter.new, namespace: "http")
         @instrumenter = instrumenter
         @name = "request.#{namespace}"
+        @error_name = "error.#{namespace}"
       end
 
       def wrap_request(request)
@@ -39,6 +40,10 @@ module HTTP
         response
       end
 
+      def on_error(request, error)
+        instrumenter.instrument(error_name, :request => request, :error => error)
+      end
+
       HTTP::Options.register_feature(:instrumentation, self)
 
       class NullInstrumenter

data/lib/http/redirector.rb

@@ -40,8 +40,9 @@ module HTTP
     # @option opts [Boolean] :strict (true) redirector hops policy
     # @option opts [#to_i] :max_hops (5) maximum allowed amount of hops
     def initialize(opts = {})
-      @strict   = opts.fetch(:strict, true)
-      @max_hops = opts.fetch(:max_hops, 5).to_i
+      @strict      = opts.fetch(:strict, true)
+      @max_hops    = opts.fetch(:max_hops, 5).to_i
+      @on_redirect = opts.fetch(:on_redirect, nil)
     end
 
     # Follows redirects until non-redirect response found
@@ -65,6 +66,7 @@ module HTTP
         unless cookie_jar.empty?
           @request.headers.set(Headers::COOKIE, cookie_jar.cookies.map { |c| "#{c.name}=#{c.value}" }.join("; "))
         end
+        @on_redirect.call @response, @request if @on_redirect.respond_to?(:call)
         @response = yield @request
         collect_cookies_from_response
       end

data/lib/http/request.rb

@@ -49,7 +49,10 @@ module HTTP
       :search,
 
       # RFC 4791: Calendaring Extensions to WebDAV -- CalDAV
-      :mkcalendar
+      :mkcalendar,
+
+      # Implemented by several caching servers, like Squid, Varnish or Fastly
+      :purge
     ].freeze
 
     # Allowed schemes
@@ -172,7 +175,9 @@ module HTTP
           uri.omit(:fragment)
         else
           uri.request_uri
-        end
+        end.to_s
+
+      raise RequestError, "Invalid request URI: #{request_uri.inspect}" if request_uri.match?(/\s/)
 
       "#{verb.to_s.upcase} #{request_uri} HTTP/#{version}"
     end
@@ -230,7 +235,11 @@ module HTTP
 
     # @return [String] Default host (with port if needed) header value.
     def default_host_header_value
-      PORTS[@scheme] == port ? host : "#{host}:#{port}"
+      value = PORTS[@scheme] == port ? host : "#{host}:#{port}"
+
+      raise RequestError, "Invalid host: #{value.inspect}" if value.match?(/\s/)
+
+      value
     end
 
     def prepare_body(body)

data/lib/http/timeout/null.rb

@@ -1,15 +1,10 @@
 # frozen_string_literal: true
 
-require "forwardable"
 require "io/wait"
 
 module HTTP
   module Timeout
     class Null
-      extend Forwardable
-
-      def_delegators :@socket, :close, :closed?
-
       attr_reader :options, :socket
 
       def initialize(options = {})
@@ -27,6 +22,14 @@ module HTTP
         @socket.connect
       end
 
+      def close
+        @socket&.close
+      end
+
+      def closed?
+        @socket&.closed?
+      end
+
       # Configures the SSL connection and starts the connection
       def start_tls(host, ssl_socket_class, ssl_context)
         @socket = ssl_socket_class.new(socket, ssl_context)

data/lib/http/uri.rb

@@ -9,7 +9,6 @@ module HTTP
     def_delegators :@uri, :scheme, :normalized_scheme, :scheme=
     def_delegators :@uri, :user, :normalized_user, :user=
     def_delegators :@uri, :password, :normalized_password, :password=
-    def_delegators :@uri, :host, :normalized_host, :host=
     def_delegators :@uri, :authority, :normalized_authority, :authority=
     def_delegators :@uri, :origin, :origin=
     def_delegators :@uri, :normalized_port, :port=
@@ -20,12 +19,27 @@ module HTTP
     def_delegators :@uri, :fragment, :normalized_fragment, :fragment=
     def_delegators :@uri, :omit, :join, :normalize
 
+    # Host, either a domain name or IP address. If the host is an IPv6 address, it will be returned
+    # without brackets surrounding it.
+    #
+    # @return [String] The host of the URI
+    attr_reader :host
+
+    # Normalized host, either a domain name or IP address. If the host is an IPv6 address, it will
+    # be returned without brackets surrounding it.
+    #
+    # @return [String] The normalized host of the URI
+    attr_reader :normalized_host
+
     # @private
     HTTP_SCHEME = "http"
 
     # @private
     HTTPS_SCHEME = "https"
 
+    # @private
+    PERCENT_ENCODE = /[^\x21-\x7E]+/.freeze
+
     # @private
     NORMALIZER = lambda do |uri|
       uri = HTTP::URI.parse uri
@@ -33,8 +47,8 @@ module HTTP
       HTTP::URI.new(
         :scheme    => uri.normalized_scheme,
         :authority => uri.normalized_authority,
-        :path      => uri.normalized_path,
-        :query     => uri.query,
+        :path      => uri.path.empty? ? "/" : percent_encode(Addressable::URI.normalize_path(uri.path)),
+        :query     => percent_encode(uri.query),
         :fragment  => uri.normalized_fragment
       )
     end
@@ -60,6 +74,19 @@ module HTTP
       Addressable::URI.form_encode(form_values, sort)
     end
 
+    # Percent-encode all characters matching a regular expression.
+    #
+    # @param [String] string raw string
+    #
+    # @return [String] encoded value
+    #
+    # @private
+    def self.percent_encode(string)
+      string&.gsub(PERCENT_ENCODE) do |substr|
+        substr.encode(Encoding::UTF_8).bytes.map { |c| format("%%%02X", c) }.join
+      end
+    end
+
     # Creates an HTTP::URI instance from the given options
     #
     # @param [Hash, Addressable::URI] options_or_uri
@@ -83,6 +110,9 @@ module HTTP
       else
         raise TypeError, "expected Hash for options, got #{options_or_uri.class}"
       end
+
+      @host = process_ipv6_brackets(@uri.host)
+      @normalized_host = process_ipv6_brackets(@uri.normalized_host)
     end
 
     # Are these URI objects equal? Normalizes both URIs prior to comparison
@@ -110,6 +140,17 @@ module HTTP
       @hash ||= to_s.hash * -1
     end
 
+    # Sets the host component for the URI.
+    #
+    # @param [String, #to_str] new_host The new host component.
+    # @return [void]
+    def host=(new_host)
+      @uri.host = process_ipv6_brackets(new_host, :brackets => true)
+
+      @host = process_ipv6_brackets(@uri.host)
+      @normalized_host = process_ipv6_brackets(@uri.normalized_host)
+    end
+
     # Port number, either as specified or the default if unspecified
     #
     # @return [Integer] port number
@@ -146,5 +187,25 @@ module HTTP
     def inspect
       format("#<%s:0x%014x URI:%s>", self.class.name, object_id << 1, to_s)
     end
+
+    private
+
+    # Process a URI host, adding or removing surrounding brackets if the host is an IPv6 address.
+    #
+    # @param [Boolean] brackets When true, brackets will be added to IPv6 addresses if missing. When
+    #   false, they will be removed if present.
+    #
+    # @return [String] Host with IPv6 address brackets added or removed
+    def process_ipv6_brackets(raw_host, brackets: false)
+      ip = IPAddr.new(raw_host)
+
+      if ip.ipv6?
+        brackets ? "[#{ip}]" : ip.to_s
+      else
+        raw_host
+      end
+    rescue IPAddr::Error
+      raw_host
+    end
   end
 end

data/lib/http/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module HTTP
-  VERSION = "5.1.0"
+  VERSION = "5.2.0"
 end

data/spec/lib/http/client_spec.rb

@@ -1,10 +1,12 @@
 # coding: utf-8
 # frozen_string_literal: true
 
+require "cgi"
+require "logger"
+
 require "support/http_handling_shared"
 require "support/dummy_server"
 require "support/ssl_helper"
-require "logger"
 
 RSpec.describe HTTP::Client do
   run_server(:dummy) { DummyServer.new }
@@ -259,6 +261,7 @@ RSpec.describe HTTP::Client do
 
       expect(HTTP::Request).to receive(:new) do |opts|
         expect(opts[:body]).to eq '{"foo":"bar"}'
+        expect(opts[:headers]["Content-Type"]).to eq "application/json; charset=utf-8"
       end
 
       client.get("http://example.com/", :json => {:foo => :bar})

data/spec/lib/http/connection_spec.rb

@@ -8,11 +8,31 @@ RSpec.describe HTTP::Connection do
       :headers => {}
     )
   end
-  let(:socket) { double(:connect => nil) }
+  let(:socket) { double(:connect => nil, :close => nil) }
   let(:timeout_class) { double(:new => socket) }
   let(:opts) { HTTP::Options.new(:timeout_class => timeout_class) }
   let(:connection) { HTTP::Connection.new(req, opts) }
 
+  describe "#initialize times out" do
+    let(:req) do
+      HTTP::Request.new(
+        :verb    => :get,
+        :uri     => "https://example.com/",
+        :headers => {}
+      )
+    end
+
+    before do
+      expect(socket).to receive(:start_tls).and_raise(HTTP::TimeoutError)
+      expect(socket).to receive(:closed?) { false }
+      expect(socket).to receive(:close)
+    end
+
+    it "closes the connection" do
+      expect { connection }.to raise_error(HTTP::TimeoutError)
+    end
+  end
+
   describe "#read_headers!" do
     before do
       connection.instance_variable_set(:@pending_response, true)
@@ -58,9 +78,11 @@ RSpec.describe HTTP::Connection do
       connection.read_headers!
       buffer = String.new
       while (s = connection.readpartial(3))
+        expect(connection.finished_request?).to be false if s != ""
         buffer << s
       end
       expect(buffer).to eq "1234567890"
+      expect(connection.finished_request?).to be true
     end
   end
 end

data/spec/lib/http/features/instrumentation_spec.rb

@@ -59,4 +59,23 @@ RSpec.describe HTTP::Features::Instrumentation do
       expect(instrumenter.output[:finish]).to eq(:response => response)
     end
   end
+
+  describe "logging errors" do
+    let(:request) do
+      HTTP::Request.new(
+        :verb    => :post,
+        :uri     => "https://example.com/",
+        :headers => {:accept => "application/json"},
+        :body    => '{"hello": "world!"}'
+      )
+    end
+
+    let(:error) { HTTP::TimeoutError.new }
+
+    it "should log the error" do
+      feature.on_error(request, error)
+
+      expect(instrumenter.output[:finish]).to eq(:request => request, :error => error)
+    end
+  end
 end

data/spec/lib/http/options/headers_spec.rb

@@ -14,7 +14,11 @@ RSpec.describe HTTP::Options, "headers" do
   end
 
   it "accepts any object that respond to :to_hash" do
-    x = Struct.new(:to_hash).new("accept" => "json")
+    x = if RUBY_VERSION >= "3.2.0"
+          Data.define(:to_hash).new(:to_hash => { "accept" => "json" })
+        else
+          Struct.new(:to_hash).new({ "accept" => "json" })
+        end
     expect(opts.with_headers(x).headers["accept"]).to eq("json")
   end
 end

data/spec/lib/http/redirector_spec.rb

@@ -148,6 +148,32 @@ RSpec.describe HTTP::Redirector do
       expect(cookies["deleted"]).to eq nil
     end
 
+    context "with on_redirect callback" do
+      let(:options) do
+        {
+          :on_redirect => proc do |response, location|
+            @redirect_response = response
+            @redirect_location = location
+          end
+        }
+      end
+
+      it "calls on_redirect" do
+        req = HTTP::Request.new :verb => :head, :uri => "http://example.com"
+        hops = [
+          redirect_response(301, "http://example.com/1"),
+          redirect_response(301, "http://example.com/2"),
+          simple_response(200, "foo")
+        ]
+
+        redirector.perform(req, hops.shift) do |prev_req, _|
+          expect(@redirect_location.uri.to_s).to eq prev_req.uri.to_s
+          expect(@redirect_response.code).to eq 301
+          hops.shift
+        end
+      end
+    end
+
     context "following 300 redirect" do
       context "with strict mode" do
         let(:options) { {:strict => true} }

data/spec/lib/http/uri/normalizer_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+RSpec.describe HTTP::URI::NORMALIZER do
+  describe "scheme" do
+    it "lower-cases scheme" do
+      expect(HTTP::URI::NORMALIZER.call("HttP://example.com").scheme).to eq "http"
+    end
+  end
+
+  describe "hostname" do
+    it "lower-cases hostname" do
+      expect(HTTP::URI::NORMALIZER.call("http://EXAMPLE.com").host).to eq "example.com"
+    end
+
+    it "decodes percent-encoded hostname" do
+      expect(HTTP::URI::NORMALIZER.call("http://ex%61mple.com").host).to eq "example.com"
+    end
+
+    it "removes trailing period in hostname" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com.").host).to eq "example.com"
+    end
+
+    it "IDN-encodes non-ASCII hostname" do
+      expect(HTTP::URI::NORMALIZER.call("http://exämple.com").host).to eq "xn--exmple-cua.com"
+    end
+  end
+
+  describe "path" do
+    it "ensures path is not empty" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com").path).to eq "/"
+    end
+
+    it "preserves double slashes in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com//a///b").path).to eq "//a///b"
+    end
+
+    it "resolves single-dot segments in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/a/./b").path).to eq "/a/b"
+    end
+
+    it "resolves double-dot segments in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/a/b/../c").path).to eq "/a/c"
+    end
+
+    it "resolves leading double-dot segments in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/../a/b").path).to eq "/a/b"
+    end
+
+    it "percent-encodes control characters in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/\x00\x7F\n").path).to eq "/%00%7F%0A"
+    end
+
+    it "percent-encodes space in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/a b").path).to eq "/a%20b"
+    end
+
+    it "percent-encodes non-ASCII characters in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/キョ").path).to eq "/%E3%82%AD%E3%83%A7"
+    end
+
+    it "does not percent-encode non-special characters in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/~.-_!$&()*,;=:@{}").path).to eq "/~.-_!$&()*,;=:@{}"
+    end
+
+    it "preserves escape sequences in path" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/%41").path).to eq "/%41"
+    end
+  end
+
+  describe "query" do
+    it "allows no query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com").query).to be_nil
+    end
+
+    it "percent-encodes control characters in query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/?\x00\x7F\n").query).to eq "%00%7F%0A"
+    end
+
+    it "percent-encodes space in query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/?a b").query).to eq "a%20b"
+    end
+
+    it "percent-encodes non-ASCII characters in query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com?キョ").query).to eq "%E3%82%AD%E3%83%A7"
+    end
+
+    it "does not percent-encode non-special characters in query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/?~.-_!$&()*,;=:@{}?").query).to eq "~.-_!$&()*,;=:@{}?"
+    end
+
+    it "preserves escape sequences in query" do
+      expect(HTTP::URI::NORMALIZER.call("http://example.com/?%41").query).to eq "%41"
+    end
+  end
+end

data/spec/lib/http/uri_spec.rb

@@ -1,11 +1,15 @@
 # frozen_string_literal: true
 
 RSpec.describe HTTP::URI do
+  let(:example_ipv6_address) { "2606:2800:220:1:248:1893:25c8:1946" }
+
   let(:example_http_uri_string)  { "http://example.com" }
   let(:example_https_uri_string) { "https://example.com" }
+  let(:example_ipv6_uri_string) { "https://[#{example_ipv6_address}]" }
 
   subject(:http_uri)  { described_class.parse(example_http_uri_string) }
   subject(:https_uri) { described_class.parse(example_https_uri_string) }
+  subject(:ipv6_uri) { described_class.parse(example_ipv6_uri_string) }
 
   it "knows URI schemes" do
     expect(http_uri.scheme).to eq "http"
@@ -20,6 +24,41 @@ RSpec.describe HTTP::URI do
     expect(https_uri.port).to eq 443
   end
 
+  describe "#host" do
+    it "strips brackets from IPv6 addresses" do
+      expect(ipv6_uri.host).to eq("2606:2800:220:1:248:1893:25c8:1946")
+    end
+  end
+
+  describe "#normalized_host" do
+    it "strips brackets from IPv6 addresses" do
+      expect(ipv6_uri.normalized_host).to eq("2606:2800:220:1:248:1893:25c8:1946")
+    end
+  end
+
+  describe "#host=" do
+    it "updates cached values for #host and #normalized_host" do
+      expect(http_uri.host).to eq("example.com")
+      expect(http_uri.normalized_host).to eq("example.com")
+
+      http_uri.host = "[#{example_ipv6_address}]"
+
+      expect(http_uri.host).to eq(example_ipv6_address)
+      expect(http_uri.normalized_host).to eq(example_ipv6_address)
+    end
+
+    it "ensures IPv6 addresses are bracketed in the inner Addressable::URI" do
+      expect(http_uri.host).to eq("example.com")
+      expect(http_uri.normalized_host).to eq("example.com")
+
+      http_uri.host = example_ipv6_address
+
+      expect(http_uri.host).to eq(example_ipv6_address)
+      expect(http_uri.normalized_host).to eq(example_ipv6_address)
+      expect(http_uri.instance_variable_get(:@uri).host).to eq("[#{example_ipv6_address}]")
+    end
+  end
+
   describe "#dup" do
     it "doesn't share internal value between duplicates" do
       duplicated_uri = http_uri.dup

data/spec/lib/http_spec.rb

@@ -460,20 +460,37 @@ RSpec.describe HTTP do
 
     context "with :normalize_uri" do
       it "normalizes URI" do
-        response = HTTP.get "#{dummy.endpoint}/hello world"
+        response = HTTP.get "#{dummy.endpoint}/héllö-wörld"
         expect(response.to_s).to eq("hello world")
       end
 
       it "uses the custom URI Normalizer method" do
         client = HTTP.use(:normalize_uri => {:normalizer => :itself.to_proc})
-        response = client.get("#{dummy.endpoint}/hello world")
+        response = client.get("#{dummy.endpoint}/héllö-wörld")
         expect(response.status).to eq(400)
       end
 
+      it "raises if custom URI Normalizer returns invalid path" do
+        client = HTTP.use(:normalize_uri => {:normalizer => :itself.to_proc})
+        expect { client.get("#{dummy.endpoint}/hello\nworld") }.
+          to raise_error HTTP::RequestError, 'Invalid request URI: "/hello\nworld"'
+      end
+
+      it "raises if custom URI Normalizer returns invalid host" do
+        normalizer = lambda do |uri|
+          uri.port = nil
+          uri.instance_variable_set(:@host, "example\ncom")
+          uri
+        end
+        client = HTTP.use(:normalize_uri => {:normalizer => normalizer})
+        expect { client.get(dummy.endpoint) }.
+          to raise_error HTTP::RequestError, 'Invalid host: "example\ncom"'
+      end
+
       it "uses the default URI normalizer" do
         client = HTTP.use :normalize_uri
         expect(HTTP::URI::NORMALIZER).to receive(:call).and_call_original
-        response = client.get("#{dummy.endpoint}/hello world")
+        response = client.get("#{dummy.endpoint}/héllö-wörld")
         expect(response.to_s).to eq("hello world")
       end
     end

data/spec/support/dummy_server/servlet.rb

@@ -1,15 +1,17 @@
 # encoding: UTF-8
 # frozen_string_literal: true
 
+require "cgi"
+
 class DummyServer < WEBrick::HTTPServer
   class Servlet < WEBrick::HTTPServlet::AbstractServlet # rubocop:disable Metrics/ClassLength
     def self.sockets
       @sockets ||= []
     end
 
-    def not_found(_req, res)
+    def not_found(req, res)
       res.status = 404
-      res.body   = "Not Found"
+      res.body   = "#{req.unparsed_uri} not found"
     end
 
     def self.handlers
@@ -25,7 +27,7 @@ class DummyServer < WEBrick::HTTPServer
         def do_#{method.upcase}(req, res)
           handler = self.class.handlers["#{method}:\#{req.path}"]
           return instance_exec(req, res, &handler) if handler
-          not_found
+          not_found(req, res)
         end
       RUBY
     end
@@ -66,7 +68,7 @@ class DummyServer < WEBrick::HTTPServer
     end
 
     get "/params" do |req, res|
-      next not_found unless "foo=bar" == req.query_string
+      next not_found(req, res) unless "foo=bar" == req.query_string
 
       res.status = 200
       res.body   = "Params!"
@@ -75,7 +77,7 @@ class DummyServer < WEBrick::HTTPServer
     get "/multiple-params" do |req, res|
       params = CGI.parse req.query_string
 
-      next not_found unless {"foo" => ["bar"], "baz" => ["quux"]} == params
+      next not_found(req, res) unless {"foo" => ["bar"], "baz" => ["quux"]} == params
 
       res.status = 200
       res.body   = "More Params!"
@@ -147,7 +149,7 @@ class DummyServer < WEBrick::HTTPServer
       res.body   = req.body
     end
 
-    get "/hello world" do |_req, res|
+    get "/héllö-wörld".b do |_req, res|
       res.status = 200
       res.body   = "hello world"
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.2.0
 platform: ruby
 authors:
 - Tony Arcieri
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-06-17 00:00:00.000000000 Z
+date: 2024-02-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
@@ -27,6 +27,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 - !ruby/object:Gem::Dependency
   name: http-cookie
   requirement: !ruby/object:Gem::Requirement
@@ -61,14 +75,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.4.0
+        version: 0.5.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -96,10 +110,12 @@ files:
 - ".rspec"
 - ".rubocop.yml"
 - ".rubocop/layout.yml"
+- ".rubocop/metrics.yml"
 - ".rubocop/style.yml"
 - ".rubocop_todo.yml"
 - ".yardopts"
-- CHANGES.md
+- CHANGELOG.md
+- CHANGES_OLD.md
 - CONTRIBUTING.md
 - Gemfile
 - Guardfile
@@ -169,6 +185,7 @@ files:
 - spec/lib/http/response/parser_spec.rb
 - spec/lib/http/response/status_spec.rb
 - spec/lib/http/response_spec.rb
+- spec/lib/http/uri/normalizer_spec.rb
 - spec/lib/http/uri_spec.rb
 - spec/lib/http_spec.rb
 - spec/regression_specs.rb
@@ -192,7 +209,7 @@ metadata:
   source_code_uri: https://github.com/httprb/http
   wiki_uri: https://github.com/httprb/http/wiki
   bug_tracker_uri: https://github.com/httprb/http/issues
-  changelog_uri: https://github.com/httprb/http/blob/v5.1.0/CHANGES.md
+  changelog_uri: https://github.com/httprb/http/blob/v5.2.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
@@ -209,7 +226,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.4
 signing_key:
 specification_version: 4
 summary: HTTP should be easy
@@ -240,6 +257,7 @@ test_files:
 - spec/lib/http/response/parser_spec.rb
 - spec/lib/http/response/status_spec.rb
 - spec/lib/http/response_spec.rb
+- spec/lib/http/uri/normalizer_spec.rb
 - spec/lib/http/uri_spec.rb
 - spec/lib/http_spec.rb
 - spec/regression_specs.rb