http 5.1.1 → 5.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef55bbff996952784d0917931b8eaa6f12a1adfc9cc480daf098cbc8cd8f6107
-  data.tar.gz: 222f8e8723969f89994fe2a0692c41786e450c200c45b84f5c8418f736254a64
+  metadata.gz: da85aeba1d2d3dce86f59a678ade3f74df35514397cb7488f9aaab9ea5a57220
+  data.tar.gz: 28e5143890592f55f51fa65874f787f3c3e9eac5f9f6103c589082414eff378e
 SHA512:
-  metadata.gz: 49b0c9e508fb02fca9d9e8a26d707202c5ac67bbdf73fce15b616b321545a3a32be96eb9e23f4d389687ad1720372eaba4412e18d800c5d29fab5bb0f4bc0d93
-  data.tar.gz: 1b2e22b2b33abe8059e78535556a15c53959b321fb225cd84153d5a8ea608ba4d03ead9cf018720f63b1e7c27c477f8c3f1b151cae60f2d50b6811e7dd9f5bcc
+  metadata.gz: 6b14bb800aefa920d2511b962967253fc034847bb07f8d181bb9cec6dba136ca0c51655fd0da716986897be5ef83e6023705578016db7bbd12bbd1f2ed4bbeb4
+  data.tar.gz: dc996c20d358b382fbb2b1d93af7a706f858167392c8db3d8bf11e114419c0c7ed0a61350753f9c13422ca48b469af0b359f80694fe423066a02439066bfdd07

data/.github/workflows/ci.yml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [ main, 5-x-stable ]
   pull_request:
-    branches: [ main ]
+    branches: [ main, 5-x-stable ]
 
 env:
   BUNDLE_WITHOUT: "development"
@@ -16,11 +16,11 @@ jobs:
 
     strategy:
       matrix:
-        ruby: [ ruby-2.6, ruby-2.7, ruby-3.0, ruby-3.1 ]
+        ruby: [ ruby-2.6, ruby-2.7, ruby-3.0, ruby-3.1, ruby-3.2, ruby-3.3 ]
         os: [ ubuntu-latest ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -30,14 +30,6 @@ jobs:
       - name: bundle exec rspec
         run: bundle exec rspec --format progress --force-colour
 
-      - name: Prepare Coveralls test coverage report
-        uses: coverallsapp/github-action@v1.1.2
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          flag-name: "${{ matrix.ruby }} @${{ matrix.os }}"
-          path-to-lcov: ./coverage/lcov/lcov.info
-          parallel: true
-
   test-flaky:
     runs-on: ${{ matrix.os }}
 
@@ -47,7 +39,7 @@ jobs:
         os: [ ubuntu-latest ]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ruby/setup-ruby@v1
         with:
@@ -58,21 +50,11 @@ jobs:
         continue-on-error: true
         run: bundle exec rspec --format progress --force-colour
 
-  coveralls:
-    needs: test
-    runs-on: ubuntu-latest
-    steps:
-      - name: Finalize Coveralls test coverage report
-        uses: coverallsapp/github-action@master
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          parallel-finished: true
-
   lint:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: ruby/setup-ruby@v1
         with:

data/.rubocop/metrics.yml

@@ -0,0 +1,4 @@
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'
+    - '*.gemspec'

data/.rubocop/rspec.yml

@@ -0,0 +1,9 @@
+RSpec/ExampleLength:
+  CountAsOne:
+    - array
+    - hash
+    - heredoc
+    - method_call
+
+RSpec/MultipleExpectations:
+  Max: 5

data/.rubocop.yml

@@ -1,6 +1,7 @@
 inherit_from:
   - .rubocop_todo.yml
   - .rubocop/layout.yml
+  - .rubocop/metrics.yml
   - .rubocop/style.yml
 
 AllCops:

data/.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --auto-gen-only-exclude --exclude-limit 100`
-# on 2022-06-16 14:35:44 UTC using RuboCop version 1.30.1.
+# on 2025-06-09 02:44:43 UTC using RuboCop version 1.30.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -14,7 +14,7 @@ Gemspec/DeprecatedAttributeAssignment:
   Exclude:
     - 'http.gemspec'
 
-# Offense count: 53
+# Offense count: 55
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: leading, trailing
@@ -30,7 +30,14 @@ Layout/DotPosition:
     - 'spec/lib/http_spec.rb'
     - 'spec/support/http_handling_shared.rb'
 
-# Offense count: 176
+# Offense count: 2
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: IndentationWidth.
+# SupportedStyles: special_inside_parentheses, consistent, align_braces
+Layout/FirstHashElementIndentation:
+  EnforcedStyle: consistent
+
+# Offense count: 206
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
 # SupportedStyles: space, no_space, compact
@@ -62,6 +69,18 @@ Lint/MissingSuper:
     - 'lib/http/features/logging.rb'
     - 'lib/http/features/normalize_uri.rb'
 
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+Lint/RedundantCopDisableDirective:
+  Exclude:
+    - 'spec/lib/http/retriable/performer_spec.rb'
+
+# Offense count: 6
+# Configuration parameters: AllowComments, AllowNil.
+Lint/SuppressedException:
+  Exclude:
+    - 'spec/lib/http/retriable/performer_spec.rb'
+
 # Offense count: 8
 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes, Max.
 Metrics/AbcSize:
@@ -74,34 +93,6 @@ Metrics/AbcSize:
     - 'lib/http/request.rb'
     - 'lib/http/response.rb'
 
-# Offense count: 70
-# Configuration parameters: CountComments, Max, CountAsOne, ExcludedMethods, IgnoredMethods.
-# IgnoredMethods: refine
-Metrics/BlockLength:
-  Exclude:
-    - '**/*.gemspec'
-    - 'spec/lib/http/client_spec.rb'
-    - 'spec/lib/http/connection_spec.rb'
-    - 'spec/lib/http/content_type_spec.rb'
-    - 'spec/lib/http/features/auto_deflate_spec.rb'
-    - 'spec/lib/http/features/auto_inflate_spec.rb'
-    - 'spec/lib/http/features/instrumentation_spec.rb'
-    - 'spec/lib/http/features/logging_spec.rb'
-    - 'spec/lib/http/headers/mixin_spec.rb'
-    - 'spec/lib/http/headers_spec.rb'
-    - 'spec/lib/http/options/merge_spec.rb'
-    - 'spec/lib/http/redirector_spec.rb'
-    - 'spec/lib/http/request/body_spec.rb'
-    - 'spec/lib/http/request/writer_spec.rb'
-    - 'spec/lib/http/request_spec.rb'
-    - 'spec/lib/http/response/body_spec.rb'
-    - 'spec/lib/http/response/parser_spec.rb'
-    - 'spec/lib/http/response/status_spec.rb'
-    - 'spec/lib/http/response_spec.rb'
-    - 'spec/lib/http/uri_spec.rb'
-    - 'spec/lib/http_spec.rb'
-    - 'spec/support/http_handling_shared.rb'
-
 # Offense count: 4
 # Configuration parameters: CountComments, Max, CountAsOne.
 Metrics/ClassLength:
@@ -118,7 +109,7 @@ Metrics/CyclomaticComplexity:
     - 'lib/http/chainable.rb'
     - 'lib/http/client.rb'
 
-# Offense count: 18
+# Offense count: 19
 # Configuration parameters: CountComments, Max, CountAsOne, ExcludedMethods, IgnoredMethods.
 Metrics/MethodLength:
   Exclude:
@@ -133,6 +124,7 @@ Metrics/MethodLength:
     - 'lib/http/request.rb'
     - 'lib/http/response.rb'
     - 'lib/http/response/body.rb'
+    - 'lib/http/retriable/performer.rb'
     - 'lib/http/timeout/global.rb'
 
 # Offense count: 1
@@ -173,6 +165,27 @@ Style/Encoding:
     - 'spec/lib/http_spec.rb'
     - 'spec/support/dummy_server/servlet.rb'
 
+# Offense count: 71
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle, EnforcedShorthandSyntax, UseHashRocketsWithSymbolValues, PreferHashRocketsForNonAlnumEndingSymbols.
+# SupportedStyles: ruby19, hash_rockets, no_mixed_keys, ruby19_no_mixed_keys
+# SupportedShorthandSyntax: always, never, either
+Style/HashSyntax:
+  Exclude:
+    - 'spec/lib/http/features/raise_error_spec.rb'
+    - 'spec/lib/http/retriable/delay_calculator_spec.rb'
+    - 'spec/lib/http/retriable/performer_spec.rb'
+    - 'spec/lib/http_spec.rb'
+
+# Offense count: 4
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: literals, strict
+Style/MutableConstant:
+  Exclude:
+    - 'lib/http/headers/normalizer.rb'
+    - 'lib/http/retriable/delay_calculator.rb'
+
 # Offense count: 17
 # Configuration parameters: SuspiciousParamNames, Allowlist.
 # SuspiciousParamNames: options, opts, args, params, parameters

data/CHANGELOG.md

@@ -0,0 +1,57 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [5.3.0] - 2025-06-09
+
+### Added
+
+- (backported) Add .retriable feature to Http
+- (backported) Add more specific ConnectionError classes
+- (backported) New feature: RaiseError
+
+### Changed
+
+- (backported) Drop depenency on base64
+- (backported) Cache header normalization to reduce object allocation
+- (backported) Use native llhttp on MRI
+
+
+## [5.2.0] - 2024-02-05
+
+### Added
+
+- Add `Connection#finished_request?`
+  ([#743](https://github.com/httprb/http/pull/743))
+- Add `Instrumentation#on_error`
+  ([#746](https://github.com/httprb/http/pull/746))
+- Add `base64` dependency (suppresses warnings on Ruby 3.0)
+  ([#759](https://github.com/httprb/http/pull/759))
+- Add `PURGE` HTTP verb
+  ([#757](https://github.com/httprb/http/pull/757))
+- Add Ruby-3.3 support
+
+### Changed
+
+- **BREAKING** Process features in reverse order
+  ([#766](https://github.com/httprb/http/pull/766))
+- **BREAKING** Downcase Content-Type charset name
+  ([#753](https://github.com/httprb/http/pull/753))
+- **BREAKING** Make URI normalization more conservative
+  ([#758](https://github.com/httprb/http/pull/758))
+
+### Fixed
+
+- Close sockets on initialize failure
+  ([#762](https://github.com/httprb/http/pull/762))
+- Prevent CRLF injection due to broken URL normalizer
+  ([#765](https://github.com/httprb/http/pull/765))
+
+[unreleased]: https://github.com/httprb/http/compare/v5.3.0...5-x-stable
+[5.3.0]: https://github.com/httprb/http/compare/v5.2.0...v5.3.0
+[5.2.0]: https://github.com/httprb/http/compare/v5.1.1...v5.2.0

data/{CHANGES.md → CHANGES_OLD.md}

@@ -54,7 +54,7 @@
   Use features on redirected requests.
   ([@nomis])
 
-* [#678](https://github.com/schwern)
+* [#678](https://github.com/httprb/http/pull/678)
   Restore `HTTP::Response` `:uri` option for backwards compatibility.
   ([@schwern])
 

data/Gemfile

@@ -37,6 +37,7 @@ group :test do
 
   gem "rspec", "~> 3.10"
   gem "rspec-its"
+  gem "rspec-memory"
 
   gem "yardstick"
 end

data/README.md

@@ -110,11 +110,13 @@ and call `#readpartial` on it repeatedly until it returns `nil`:
 This library aims to support and is [tested against][build-link]
 the following Ruby  versions:
 
+- JRuby 9.3
 - Ruby 2.6
 - Ruby 2.7
 - Ruby 3.0
 - Ruby 3.1
-- JRuby 9.3
+- Ruby 3.2
+- Ruby 3.3
 
 If something doesn't work on one of these versions, it's a bug.
 
@@ -160,5 +162,5 @@ See LICENSE.txt for further details.
 [//]: # (links)
 
 [documentation]: https://github.com/httprb/http/wiki
-[requests]: http://docs.python-requests.org/en/latest/
+[requests]: https://docs.python-requests.org/en/latest/
 [llhttp]: https://llhttp.org/

data/SECURITY.md

@@ -1,5 +1,17 @@
 # Security Policy
 
+## Supported Versions
+
+Security updates are applied only to the most recent release.
+
 ## Reporting a Vulnerability
 
-Please report security issues to `bascule@gmail.com`
+If you have discovered a security vulnerability in this project, please report
+it privately. **Do not disclose it as a public issue.** This gives us time to
+work with you to fix the issue before public exposure, reducing the chance that
+the exploit will be used before a patch is released.
+
+Please disclose it at [security advisory](https://github.com/httprb/http/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis.
+As such, please give us at least 90 days to work on a fix before public exposure.

data/http.gemspec

@@ -30,7 +30,13 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency "addressable",    "~> 2.8"
   gem.add_runtime_dependency "http-cookie",    "~> 1.0"
   gem.add_runtime_dependency "http-form_data", "~> 2.2"
-  gem.add_runtime_dependency "llhttp-ffi",     "~> 0.4.0"
+
+  # Use native llhttp for MRI (more performant) and llhttp-ffi for other interpreters (better compatibility)
+  if RUBY_ENGINE == "ruby"
+    gem.add_runtime_dependency "llhttp",     "~> 0.5.0"
+  else
+    gem.add_runtime_dependency "llhttp-ffi", "~> 0.5.0"
+  end
 
   gem.add_development_dependency "bundler", "~> 2.0"
 
@@ -38,7 +44,7 @@ Gem::Specification.new do |gem|
     "source_code_uri"       => "https://github.com/httprb/http",
     "wiki_uri"              => "https://github.com/httprb/http/wiki",
     "bug_tracker_uri"       => "https://github.com/httprb/http/issues",
-    "changelog_uri"         => "https://github.com/httprb/http/blob/v#{HTTP::VERSION}/CHANGES.md",
+    "changelog_uri"         => "https://github.com/httprb/http/blob/v#{HTTP::VERSION}/CHANGELOG.md",
     "rubygems_mfa_required" => "true"
   }
 end

data/lib/http/base64.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module HTTP
+  module Base64
+    module_function
+
+    # Equivalent to Base64.strict_encode64
+    def encode64(input)
+      [input].pack("m0")
+    end
+  end
+end

data/lib/http/chainable.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
-require "base64"
-
+require "http/base64"
 require "http/headers"
 
 module HTTP
   module Chainable
+    include HTTP::Base64
+
     # Request a get sans response body
     # @param uri
     # @option options [Hash]
@@ -215,7 +216,7 @@ module HTTP
       pass  = opts.fetch(:pass)
       creds = "#{user}:#{pass}"
 
-      auth("Basic #{Base64.strict_encode64(creds)}")
+      auth("Basic #{encode64(creds)}")
     end
 
     # Get options for HTTP
@@ -242,11 +243,34 @@ module HTTP
     # * instrumentation
     # * logging
     # * normalize_uri
+    # * raise_error
     # @param features
     def use(*features)
       branch default_options.with_features(features)
     end
 
+    # Returns retriable client instance, which retries requests if they failed
+    # due to some socket errors or response status is `5xx`.
+    #
+    # @example Usage
+    #
+    #   # Retry max 5 times with randomly growing delay between retries
+    #   HTTP.retriable.get(url)
+    #
+    #   # Retry max 3 times with randomly growing delay between retries
+    #   HTTP.retriable(times: 3).get(url)
+    #
+    #   # Retry max 3 times with 1 sec delay between retries
+    #   HTTP.retriable(times: 3, delay: proc { 1 }).get(url)
+    #
+    #   # Retry max 3 times with geometrically progressed delay between retries
+    #   HTTP.retriable(times: 3, delay: proc { |i| 1 + i*i }).get(url)
+    #
+    # @param (see Performer#initialize)
+    def retriable(**options)
+      Retriable::Client.new(Retriable::Performer.new(options), default_options)
+    end
+
     private
 
     # :nodoc:

data/lib/http/client.rb

@@ -184,7 +184,7 @@ module HTTP
         form
       when opts.json
         body = MimeType[:json].encode opts.json
-        headers[Headers::CONTENT_TYPE] ||= "application/json; charset=#{body.encoding.name}"
+        headers[Headers::CONTENT_TYPE] ||= "application/json; charset=#{body.encoding.name.downcase}"
         body
       end
     end

data/lib/http/connection.rb

@@ -46,6 +46,9 @@ module HTTP
       reset_timer
     rescue IOError, SocketError, SystemCallError => e
       raise ConnectionError, "failed to connect: #{e}", e.backtrace
+    rescue TimeoutError
+      close
+      raise
     end
 
     # @see (HTTP::Response::Parser#status_code)
@@ -102,10 +105,11 @@ module HTTP
 
     # Reads data from socket up until headers are loaded
     # @return [void]
+    # @raise [ResponseHeaderError] when unable to read response headers
     def read_headers!
       until @parser.headers?
         result = read_more(BUFFER_SIZE)
-        raise ConnectionError, "couldn't read response headers" if result == :eof
+        raise ResponseHeaderError, "couldn't read response headers" if result == :eof
       end
 
       set_keep_alive
@@ -126,12 +130,16 @@ module HTTP
     # Close the connection
     # @return [void]
     def close
-      @socket.close unless @socket.closed?
+      @socket.close unless @socket&.closed?
 
       @pending_response = false
       @pending_request  = false
     end
 
+    def finished_request?
+      !@pending_request && !@pending_response
+    end
+
     # Whether we're keeping the conn alive
     # @return [Boolean]
     def keep_alive?
@@ -210,6 +218,7 @@ module HTTP
 
     # Feeds some more data into parser
     # @return [void]
+    # @raise [SocketReadError] when unable to read from socket
     def read_more(size)
       return if @parser.finished?
 
@@ -221,7 +230,7 @@ module HTTP
         @parser << value
       end
     rescue IOError, SocketError, SystemCallError => e
-      raise ConnectionError, "error reading from socket: #{e}", e.backtrace
+      raise SocketReadError, "error reading from socket: #{e}", e.backtrace
     end
   end
 end

data/lib/http/errors.rb

@@ -7,6 +7,11 @@ module HTTP
   # Generic Connection error
   class ConnectionError < Error; end
 
+  # Types of Connection errors
+  class ResponseHeaderError < ConnectionError; end
+  class SocketReadError < ConnectionError; end
+  class SocketWriteError < ConnectionError; end
+
   # Generic Request error
   class RequestError < Error; end
 
@@ -16,6 +21,17 @@ module HTTP
   # Requested to do something when we're in the wrong state
   class StateError < ResponseError; end
 
+  # When status code indicates an error
+  class StatusError < ResponseError
+    attr_reader :response
+
+    def initialize(response)
+      @response = response
+
+      super("Unexpected status code #{response.code}")
+    end
+  end
+
   # Generic Timeout error
   class TimeoutError < Error; end
 

data/lib/http/feature.rb

@@ -20,6 +20,7 @@ end
 
 require "http/features/auto_inflate"
 require "http/features/auto_deflate"
-require "http/features/logging"
 require "http/features/instrumentation"
+require "http/features/logging"
 require "http/features/normalize_uri"
+require "http/features/raise_error"

data/lib/http/features/instrumentation.rb

@@ -19,11 +19,12 @@ module HTTP
     #    and `finish` so the duration of the request can be calculated.
     #
     class Instrumentation < Feature
-      attr_reader :instrumenter, :name
+      attr_reader :instrumenter, :name, :error_name
 
       def initialize(instrumenter: NullInstrumenter.new, namespace: "http")
         @instrumenter = instrumenter
         @name = "request.#{namespace}"
+        @error_name = "error.#{namespace}"
       end
 
       def wrap_request(request)
@@ -39,6 +40,10 @@ module HTTP
         response
       end
 
+      def on_error(request, error)
+        instrumenter.instrument(error_name, :request => request, :error => error)
+      end
+
       HTTP::Options.register_feature(:instrumentation, self)
 
       class NullInstrumenter

data/lib/http/features/raise_error.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module HTTP
+  module Features
+    class RaiseError < Feature
+      def initialize(ignore: [])
+        super()
+
+        @ignore = ignore
+      end
+
+      def wrap_response(response)
+        return response if response.code < 400
+        return response if @ignore.include?(response.code)
+
+        raise HTTP::StatusError, response
+      end
+
+      HTTP::Options.register_feature(:raise_error, self)
+    end
+  end
+end

data/lib/http/headers/normalizer.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module HTTP
+  class Headers
+    class Normalizer
+      # Matches HTTP header names when in "Canonical-Http-Format"
+      CANONICAL_NAME_RE = /\A[A-Z][a-z]*(?:-[A-Z][a-z]*)*\z/
+
+      # Matches valid header field name according to RFC.
+      # @see http://tools.ietf.org/html/rfc7230#section-3.2
+      COMPLIANT_NAME_RE = /\A[A-Za-z0-9!#$%&'*+\-.^_`|~]+\z/
+
+      NAME_PARTS_SEPARATOR_RE = /[\-_]/
+
+      # @private
+      # Normalized header names cache
+      class Cache
+        MAX_SIZE = 200
+
+        def initialize
+          @store = {}
+        end
+
+        def get(key)
+          @store[key]
+        end
+        alias [] get
+
+        def set(key, value)
+          # Maintain cache size
+          @store.delete(@store.each_key.first) while MAX_SIZE <= @store.size
+
+          @store[key] = value
+        end
+        alias []= set
+      end
+
+      def initialize
+        @cache = Cache.new
+      end
+
+      # Transforms `name` to canonical HTTP header capitalization
+      def call(name)
+        name  = -name.to_s
+        value = (@cache[name] ||= -normalize_header(name))
+
+        value.dup
+      end
+
+      private
+
+      # Transforms `name` to canonical HTTP header capitalization
+      #
+      # @param [String] name
+      # @raise [HeaderError] if normalized name does not
+      #   match {COMPLIANT_NAME_RE}
+      # @return [String] canonical HTTP header name
+      def normalize_header(name)
+        return name if CANONICAL_NAME_RE.match?(name)
+
+        normalized = name.split(NAME_PARTS_SEPARATOR_RE).each(&:capitalize!).join("-")
+
+        return normalized if COMPLIANT_NAME_RE.match?(normalized)
+
+        raise HeaderError, "Invalid HTTP header field name: #{name.inspect}"
+      end
+    end
+  end
+end