httparty 0.13.7 → 0.24.2

data/lib/httparty/request.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'erb'
+
 module HTTParty
   class Request #:nodoc:
     SupportedHTTPMethods = [
@@ -9,7 +13,10 @@ module HTTParty
       Net::HTTP::Head,
       Net::HTTP::Options,
       Net::HTTP::Move,
-      Net::HTTP::Copy
+      Net::HTTP::Copy,
+      Net::HTTP::Mkcol,
+      Net::HTTP::Lock,
+      Net::HTTP::Unlock,
     ]
 
     SupportedURISchemes  = ['http', 'https', 'webcal', nil]
@@ -26,10 +33,35 @@ module HTTParty
       end.flatten.join('&')
     end
 
+    JSON_API_QUERY_STRING_NORMALIZER = proc do |query|
+      Array(query).sort_by { |a| a[0].to_s }.map do |key, value|
+        if value.nil?
+          key.to_s
+        elsif value.respond_to?(:to_ary)
+          values = value.to_ary.map{|v| ERB::Util.url_encode(v.to_s)}
+          "#{key}=#{values.join(',')}"
+        else
+          HashConversions.to_params(key => value)
+        end
+      end.flatten.join('&')
+    end
+
+    def self._load(data)
+      http_method, path, options, last_response, last_uri, raw_request = Marshal.load(data)
+      instance = new(http_method, path, options)
+      instance.last_response = last_response
+      instance.last_uri = last_uri
+      instance.instance_variable_set("@raw_request", raw_request)
+      instance
+    end
+
     attr_accessor :http_method, :options, :last_response, :redirect, :last_uri
     attr_reader :path
 
     def initialize(http_method, path, o = {})
+      @changed_hosts = false
+      @credentials_sent = false
+
       self.http_method = http_method
       self.options = {
         limit: o.delete(:no_follow) ? 1 : 5,
@@ -50,7 +82,7 @@ module HTTParty
       @path = if uri.is_a?(uri_adapter)
         uri
       elsif String.try_convert(uri)
-        uri_adapter.parse uri
+        uri_adapter.parse(uri).normalize
       else
         raise ArgumentError,
           "bad argument (expected #{uri_adapter} object or URI string)"
@@ -66,14 +98,22 @@ module HTTParty
     end
 
     def uri
-      if redirect && path.relative? && path.path[0] != "/"
-        last_uri_host = @last_uri.path.gsub(/[^\/]+$/, "")
+      if redirect && path.relative? && path.path[0] != '/'
+        last_uri_host = @last_uri.path.gsub(/[^\/]+$/, '')
 
-        path.path = "/#{path.path}" if last_uri_host[-1] != "/"
-        path.path = last_uri_host + path.path
+        path.path = "/#{path.path}" if last_uri_host[-1] != '/'
+        path.path = "#{last_uri_host}#{path.path}"
+      end
+
+      if path.relative? && path.host
+        new_uri = options[:uri_adapter].parse("#{@last_uri.scheme}:#{path}").normalize
+      elsif path.relative?
+        new_uri = options[:uri_adapter].parse("#{base_uri}#{path}").normalize
+      else
+        new_uri = path.clone
       end
 
-      new_uri = path.relative? ? options[:uri_adapter].parse("#{base_uri}#{path}") : path.clone
+      validate_uri_safety!(new_uri) unless redirect
 
       # avoid double query string on redirects [#12]
       unless redirect
@@ -90,10 +130,10 @@ module HTTParty
     def base_uri
       if redirect
         base_uri = "#{@last_uri.scheme}://#{@last_uri.host}"
-        base_uri += ":#{@last_uri.port}" if @last_uri.port != 80
+        base_uri = "#{base_uri}:#{@last_uri.port}" if @last_uri.port != 80
         base_uri
       else
-        options[:base_uri]
+        options[:base_uri] && HTTParty.normalize_base_uri(options[:base_uri])
       end
     end
 
@@ -113,38 +153,56 @@ module HTTParty
       validate
       setup_raw_request
       chunked_body = nil
+      current_http = http
 
-      self.last_response = http.request(@raw_request) do |http_response|
-        if block
-          chunks = []
+      begin
+        self.last_response = current_http.request(@raw_request) do |http_response|
+          if block
+            chunks = []
 
-          http_response.read_body do |fragment|
-            chunks << fragment unless options[:stream_body]
-            block.call(fragment)
-          end
+            http_response.read_body do |fragment|
+              encoded_fragment = encode_text(fragment, http_response['content-type'])
+              chunks << encoded_fragment if !options[:stream_body]
+              block.call ResponseFragment.new(encoded_fragment, http_response, current_http)
+            end
 
-          chunked_body = chunks.join
+            chunked_body = chunks.join
+          end
         end
+
+        handle_host_redirection if response_redirects?
+        result = handle_unauthorized
+        result ||= handle_response(chunked_body, &block)
+        result
+      rescue *COMMON_NETWORK_ERRORS => e
+        raise options[:foul] ? HTTParty::NetworkError.new("#{e.class}: #{e.message}") : e
       end
+    end
 
-      handle_deflation unless http_method == Net::HTTP::Head
-      handle_response(chunked_body, &block)
+    def handle_unauthorized(&block)
+      return unless digest_auth? && response_unauthorized? && response_has_digest_auth_challenge?
+      return if @credentials_sent
+      @credentials_sent = true
+      perform(&block)
     end
 
     def raw_body
       @raw_request.body
     end
 
+    def _dump(_level)
+      opts = options.dup
+      opts.delete(:logger)
+      opts.delete(:parser) if opts[:parser] && opts[:parser].is_a?(Proc)
+      Marshal.dump([http_method, path, opts, last_response, @last_uri, @raw_request])
+    end
+
     private
 
     def http
       connection_adapter.call(uri, options)
     end
 
-    def body
-      options[:body].respond_to?(:to_hash) ? normalize_query(options[:body]) : options[:body]
-    end
-
     def credentials
       (options[:basic_auth] || options[:digest_auth]).to_hash
     end
@@ -170,22 +228,65 @@ module HTTParty
     end
 
     def setup_raw_request
-      @raw_request = http_method.new(request_uri(uri))
-      @raw_request.body = body if body
+      if options[:headers].respond_to?(:to_hash)
+        headers_hash = options[:headers].to_hash
+      else
+        headers_hash = nil
+      end
+
+      @raw_request = http_method.new(request_uri(uri), headers_hash)
       @raw_request.body_stream = options[:body_stream] if options[:body_stream]
-      @raw_request.initialize_http_header(options[:headers].to_hash) if options[:headers].respond_to?(:to_hash)
-      @raw_request.basic_auth(username, password) if options[:basic_auth]
-      setup_digest_auth if options[:digest_auth]
-    end
 
-    def setup_digest_auth
-      auth_request = http_method.new(uri.request_uri)
-      auth_request.initialize_http_header(options[:headers].to_hash) if options[:headers].respond_to?(:to_hash)
-      res = http.request(auth_request)
+      if options[:body]
+        body = Body.new(
+          options[:body],
+          query_string_normalizer: query_string_normalizer,
+          force_multipart: options[:multipart]
+        )
+
+        if body.multipart?
+          content_type = "multipart/form-data; boundary=#{body.boundary}"
+          @raw_request['Content-Type'] = content_type
+        elsif options[:body].respond_to?(:to_hash) && !@raw_request['Content-Type']
+          @raw_request['Content-Type'] = 'application/x-www-form-urlencoded'
+        end
 
-      if !res['www-authenticate'].nil? && res['www-authenticate'].length > 0
-        @raw_request.digest_auth(username, password, res)
+        if body.streaming? && options[:stream_body] == true
+          stream = body.to_stream
+          @raw_request.body_stream = stream
+          @raw_request['Content-Length'] = stream.size.to_s
+        else
+          @raw_request.body = body.call
+        end
       end
+
+      @raw_request.instance_variable_set(:@decode_content, decompress_content?)
+
+      if options[:basic_auth] && send_authorization_header?
+        @raw_request.basic_auth(username, password)
+        @credentials_sent = true
+      end
+      setup_digest_auth if digest_auth? && response_unauthorized? && response_has_digest_auth_challenge?
+    end
+
+    def digest_auth?
+      !!options[:digest_auth]
+    end
+
+    def decompress_content?
+      !options[:skip_decompression]
+    end
+
+    def response_unauthorized?
+      !!last_response && last_response.code == '401'
+    end
+
+    def response_has_digest_auth_challenge?
+      !last_response['www-authenticate'].nil? && last_response['www-authenticate'].length > 0
+    end
+
+    def setup_digest_auth
+      @raw_request.digest_auth(username, password, last_response)
     end
 
     def query_string(uri)
@@ -199,116 +300,77 @@ module HTTParty
         query_string_parts << options[:query] unless options[:query].nil?
       end
 
-      query_string_parts.reject!(&:empty?) unless query_string_parts == [""]
+      query_string_parts.reject!(&:empty?) unless query_string_parts == ['']
       query_string_parts.size > 0 ? query_string_parts.join('&') : nil
     end
 
-    def get_charset
-      content_type = last_response["content-type"]
-      if content_type.nil?
-        return nil
-      end
-
-      if content_type =~ /;\s*charset\s*=\s*([^=,;"\s]+)/i
-        return $1
-      end
-
-      if content_type =~ /;\s*charset\s*=\s*"((\\.|[^\\"])+)"/i
-        return $1.gsub(/\\(.)/, '\1')
-      end
-
-      nil
-    end
-
-    def encode_with_ruby_encoding(body, charset)
-      encoding = Encoding.find(charset)
-      body.force_encoding(encoding)
-    rescue
-      body
-    end
-
     def assume_utf16_is_big_endian
       options[:assume_utf16_is_big_endian]
     end
 
-    def encode_utf_16(body)
-      if body.bytesize >= 2
-        if body.getbyte(0) == 0xFF && body.getbyte(1) == 0xFE
-          return body.force_encoding("UTF-16LE")
-        elsif body.getbyte(0) == 0xFE && body.getbyte(1) == 0xFF
-          return body.force_encoding("UTF-16BE")
-        end
-      end
-
-      if assume_utf16_is_big_endian
-        body.force_encoding("UTF-16BE")
+    def handle_response(raw_body, &block)
+      if response_redirects?
+        handle_redirection(&block)
       else
-        body.force_encoding("UTF-16LE")
-      end
-    end
+        raw_body ||= last_response.body
 
-    def _encode_body(body)
-      charset = get_charset
+        body = decompress(raw_body, last_response['content-encoding']) unless raw_body.nil?
 
-      if charset.nil?
-        return body
-      end
+        unless body.nil?
+          body = encode_text(body, last_response['content-type'])
 
-      if "utf-16".casecmp(charset) == 0
-        encode_utf_16(body)
-      else
-        encode_with_ruby_encoding(body, charset)
-      end
-    end
+          if decompress_content?
+            last_response.delete('content-encoding')
+            raw_body = body
+          end
+        end
 
-    def encode_body(body)
-      if "".respond_to?(:encoding)
-        _encode_body(body)
-      else
-        body
+        Response.new(self, last_response, lambda { parse_response(body) }, body: raw_body)
       end
     end
 
-    def handle_response(body, &block)
-      if response_redirects?
-        options[:limit] -= 1
-        if options[:logger]
-          logger = HTTParty::Logger.build(options[:logger], options[:log_level], options[:log_format])
-          logger.format(self, last_response)
+    def handle_redirection(&block)
+      options[:limit] -= 1
+      if options[:logger]
+        logger = HTTParty::Logger.build(options[:logger], options[:log_level], options[:log_format])
+        logger.format(self, last_response)
+      end
+      self.path       = last_response['location']
+      self.redirect   = true
+      if last_response.class == Net::HTTPSeeOther
+        unless options[:maintain_method_across_redirects] && options[:resend_on_redirect]
+          self.http_method = Net::HTTP::Get
         end
-        self.path = last_response['location']
-        self.redirect = true
-        if last_response.class == Net::HTTPSeeOther
-          unless options[:maintain_method_across_redirects] && options[:resend_on_redirect]
-            self.http_method = Net::HTTP::Get
-          end
-        elsif last_response.code != '307' && last_response.code != '308'
-          unless options[:maintain_method_across_redirects]
-            self.http_method = Net::HTTP::Get
-          end
+      elsif last_response.code != '307' && last_response.code != '308'
+        unless options[:maintain_method_across_redirects]
+          self.http_method = Net::HTTP::Get
         end
-        capture_cookies(last_response)
-        perform(&block)
-      else
-        body ||= last_response.body
-        body = encode_body(body)
-        Response.new(self, last_response, lambda { parse_response(body) }, body: body)
       end
+      if http_method == Net::HTTP::Get
+        clear_body
+      end
+      capture_cookies(last_response)
+      perform(&block)
     end
 
-    # Inspired by Ruby 1.9
-    def handle_deflation
-      case last_response["content-encoding"]
-      when "gzip", "x-gzip"
-        body_io = StringIO.new(last_response.body)
-        last_response.body.replace Zlib::GzipReader.new(body_io).read
-        last_response.delete('content-encoding')
-      when "deflate"
-        last_response.body.replace Zlib::Inflate.inflate(last_response.body)
-        last_response.delete('content-encoding')
+    def handle_host_redirection
+      check_duplicate_location_header
+      redirect_path = options[:uri_adapter].parse(last_response['location']).normalize
+      return if redirect_path.relative? || path.host == redirect_path.host || uri.host == redirect_path.host
+      @changed_hosts = true
+    end
+
+    def check_duplicate_location_header
+      location = last_response.get_fields('location')
+      if location.is_a?(Array) && location.count > 1
+        raise DuplicateLocationHeader.new(last_response)
       end
     end
 
+    def send_authorization_header?
+      !@changed_hosts
+    end
+
     def response_redirects?
       case last_response
       when Net::HTTPNotModified # 304
@@ -322,11 +384,20 @@ module HTTParty
       parser.call(body, format)
     end
 
+    # Some Web Application Firewalls reject incoming GET requests that have a body
+    # if we redirect, and the resulting verb is GET then we will clear the body that
+    # may be left behind from the initiating request
+    def clear_body
+      options[:body] = nil
+      @raw_request.body = nil
+    end
+
     def capture_cookies(response)
       return unless response['Set-Cookie']
       cookies_hash = HTTParty::CookieHash.new
       cookies_hash.add_cookies(options[:headers].to_hash['Cookie']) if options[:headers] && options[:headers].to_hash['Cookie']
       response.get_fields('Set-Cookie').each { |cookie| cookies_hash.add_cookies(cookie) }
+
       options[:headers] ||= {}
       options[:headers]['Cookie'] = cookies_hash.to_cookie_string
     end
@@ -358,7 +429,38 @@ module HTTParty
       if path.userinfo
         username, password = path.userinfo.split(':')
         options[:basic_auth] = {username: username, password: password}
+        @credentials_sent = true
       end
     end
+
+    def decompress(body, encoding)
+      Decompressor.new(body, encoding).decompress
+    end
+
+    def encode_text(text, content_type)
+      TextEncoder.new(
+        text,
+        content_type: content_type,
+        assume_utf16_is_big_endian: assume_utf16_is_big_endian
+      ).call
+    end
+
+    def validate_uri_safety!(new_uri)
+      return if options[:skip_uri_validation]
+
+      configured_base_uri = options[:base_uri]
+      return unless configured_base_uri
+
+      normalized_base = options[:uri_adapter].parse(
+        HTTParty.normalize_base_uri(configured_base_uri)
+      )
+
+      return if new_uri.host == normalized_base.host
+
+      raise UnsafeURIError,
+        "Requested URI '#{new_uri}' has host '#{new_uri.host}' but the " \
+        "configured base_uri '#{normalized_base}' has host '#{normalized_base.host}'. " \
+        "This request could send credentials to an unintended server."
+    end
   end
 end

data/lib/httparty/response/headers.rb

@@ -1,31 +1,35 @@
+# frozen_string_literal: true
+
+require 'delegate'
+
 module HTTParty
   class Response #:nodoc:
-    class Headers
+    class Headers < ::SimpleDelegator
       include ::Net::HTTPHeader
 
-      def initialize(header = {})
-        @header = header
+      def initialize(header_values = nil)
+        @header = {}
+        if header_values
+          header_values.each_pair do |k,v|
+            if v.is_a?(Array)
+              v.each do |sub_v|
+                add_field(k, sub_v)
+              end
+            else
+              add_field(k, v)
+            end
+          end
+        end
+        super(@header)
       end
 
       def ==(other)
-        @header == other
-      end
-
-      def inspect
-        @header.inspect
-      end
-
-      def method_missing(name, *args, &block)
-        if @header.respond_to?(name)
-          @header.send(name, *args, &block)
-        else
-          super
+        if other.is_a?(::Net::HTTPHeader)
+          @header == other.instance_variable_get(:@header)
+        elsif other.is_a?(Hash)
+          @header == other || @header == Headers.new(other).instance_variable_get(:@header)
         end
       end
-
-      def respond_to?(method, include_all = false)
-        super || @header.respond_to?(method, include_all)
-      end
     end
   end
 end

data/lib/httparty/response.rb

@@ -1,9 +1,17 @@
+# frozen_string_literal: true
+
 module HTTParty
-  class Response < BasicObject
+  class Response < Object
     def self.underscore(string)
       string.gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2').gsub(/([a-z])([A-Z])/, '\1_\2').downcase
     end
 
+    def self._load(data)
+      req, resp, parsed_resp, resp_body = Marshal.load(data)
+
+      new(req, resp, -> { parsed_resp }, body: resp_body)
+    end
+
     attr_reader :request, :response, :body, :headers
 
     def initialize(request, response, parsed_block, options = {})
@@ -14,50 +22,102 @@ module HTTParty
       @headers      = Headers.new(response.to_hash)
 
       if request.options[:logger]
-        logger = ::HTTParty::Logger.build(request.options[:logger], request.options[:log_level], request.options[:log_format])
+        logger = ::HTTParty::Logger.build(
+          request.options[:logger],
+          request.options[:log_level],
+          request.options[:log_format]
+        )
         logger.format(request, self)
       end
+
+      throw_exception
     end
 
     def parsed_response
       @parsed_response ||= @parsed_block.call
     end
 
-    def class
-      Response
-    end
-
     def code
       response.code.to_i
     end
 
+    def http_version
+      response.http_version
+    end
+
     def tap
       yield self
       self
     end
 
     def inspect
-      inspect_id = ::Kernel::format "%x", (object_id * 2)
+      inspect_id = ::Kernel::format '%x', (object_id * 2)
       %(#<#{self.class}:0x#{inspect_id} parsed_response=#{parsed_response.inspect}, @response=#{response.inspect}, @headers=#{headers.inspect}>)
     end
 
     CODES_TO_OBJ = ::Net::HTTPResponse::CODE_CLASS_TO_OBJ.merge ::Net::HTTPResponse::CODE_TO_OBJ
 
     CODES_TO_OBJ.each do |response_code, klass|
-      name = klass.name.sub("Net::HTTP", '')
-      define_method("#{underscore(name)}?") do
+      name = klass.name.sub('Net::HTTP', '')
+      name = "#{underscore(name)}?".to_sym
+
+      define_method(name) do
         klass === response
       end
     end
 
     # Support old multiple_choice? method from pre 2.0.0 era.
-    if ::RUBY_VERSION >= "2.0.0" && ::RUBY_PLATFORM != "java"
+    if ::RUBY_PLATFORM != 'java'
       alias_method :multiple_choice?, :multiple_choices?
     end
 
-    def respond_to?(name, include_all = false)
-      return true if [:request, :response, :parsed_response, :body, :headers].include?(name)
-      parsed_response.respond_to?(name, include_all) || response.respond_to?(name, include_all)
+    # Support old status codes method from pre 2.6.0 era.
+    if ::RUBY_PLATFORM != 'java'
+      alias_method :gateway_time_out?,                :gateway_timeout?
+      alias_method :request_entity_too_large?,        :payload_too_large?
+      alias_method :request_time_out?,                :request_timeout?
+      alias_method :request_uri_too_long?,            :uri_too_long?
+      alias_method :requested_range_not_satisfiable?, :range_not_satisfiable?
+    end
+
+    def nil?
+      warn_about_nil_deprecation
+      response.nil? || response.body.nil? || response.body.empty?
+    end
+
+    def to_s
+      if !response.nil? && !response.body.nil? && response.body.respond_to?(:to_s)
+        response.body.to_s
+      else
+        inspect
+      end
+    end
+
+    def pretty_print(pp)
+      if !parsed_response.nil? && parsed_response.respond_to?(:pretty_print)
+        parsed_response.pretty_print(pp)
+      else
+        super
+      end
+    end
+
+    def display(port=$>)
+      if !parsed_response.nil? && parsed_response.respond_to?(:display)
+        parsed_response.display(port)
+      elsif !response.nil? && !response.body.nil? && response.body.respond_to?(:display)
+        response.body.display(port)
+      else
+        port.write(inspect)
+      end
+    end
+
+    def respond_to_missing?(name, *args)
+      return true if super
+      parsed_response.respond_to?(name) || response.respond_to?(name)
+    end
+
+    def _dump(_level)
+      Marshal.dump([request, response, parsed_response, body])
     end
 
     protected
@@ -71,6 +131,25 @@ module HTTParty
         super
       end
     end
+
+    def throw_exception
+      if @request.options[:raise_on].to_a.detect { |c| code.to_s.match(/#{c.to_s}/) }
+        ::Kernel.raise ::HTTParty::ResponseError.new(@response), "Code #{code} - #{body}"
+      end
+    end
+
+    private
+
+    def warn_about_nil_deprecation
+      trace_line = caller.reject { |line| line.include?('httparty') }.first
+      warning = "[DEPRECATION] HTTParty will no longer override `response#nil?`. " \
+        "This functionality will be removed in future versions. " \
+        "Please, add explicit check `response.body.nil? || response.body.empty?`. " \
+        "For more info refer to: https://github.com/jnunemaker/httparty/issues/568\n" \
+        "#{trace_line}"
+
+      warn(warning)
+    end
   end
 end