httparty 0.23.2 → 0.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 20e6019fdfbb861c0ffe11f3cf52c76c9e404647e52007f3c7aa508d548c68fd
-  data.tar.gz: 2f7fce01ab20c8d6c268e80a95fb69d5aa8f471addd3c7d53eb2fdcd9305fcf3
+  metadata.gz: d7d431b8f544d235a5d5c3521b230d418a94e98cb452f453f3a7890888a5c8d0
+  data.tar.gz: 6800438b8d0842331240337f1f088d05fee9d1a4aa7e0e155034aad76c6dd72c
 SHA512:
-  metadata.gz: '08b4cf9fc625f8093c56ff34b2bbfc3c0ed5b5dd3e391112dc10244c0709a5dae10917d15c851ec6ad86882c07c3973556f1b45a7310aed9965c6b9e4bf45fe2'
-  data.tar.gz: 1086fee06fe7fa50351b488d62247c34d9516c335c8defc545205c16b779e7a01578271f7a0b28ae495d35d2d6e50314d5d70e916cba84b4a8134ad14f26bdbe
+  metadata.gz: 00e476b359eb3ad3d03ac5665697d9591c3aefc81a58c9a74cb1c8ac6bad52627c1a8343b99c24ff8a82d01c128535fbaf660828031283ce29acb9ae81fb111b
+  data.tar.gz: 3c8c4a7c12c1c47036c9cc940cca0ec4c0ef48cc085b6ce68768aa37ee67ab93dc8f0e5d970bed0543fabe97470f9a21da9b1a2840b2ffc27176f588a81e74d6

data/lib/httparty/exceptions.rb

@@ -59,4 +59,8 @@ module HTTParty
 
   # Exception that is raised when common network errors occur.
   class NetworkError < Foul; end
+
+  # Exception that is raised when an absolute URI is used that doesn't match
+  # the configured base_uri, which could indicate an SSRF attempt.
+  class UnsafeURIError < Foul; end
 end

data/lib/httparty/request/body.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'multipart_boundary'
+require_relative 'streaming_multipart_body'
 
 module HTTParty
   class Request
@@ -30,6 +31,22 @@ module HTTParty
         params.respond_to?(:to_hash) && (force_multipart || has_file?(params))
       end
 
+      def streaming?
+        multipart? && has_file?(params)
+      end
+
+      def to_stream
+        return nil unless streaming?
+        StreamingMultipartBody.new(prepared_parts, boundary)
+      end
+
+      def prepared_parts
+        normalized_params = params.flat_map { |key, value| HashConversions.normalize_keys(key, value) }
+        normalized_params.map do |key, value|
+          [key, value, file?(value)]
+        end
+      end
+
       private
 
       # https://html.spec.whatwg.org/#multipart-form-data
@@ -42,20 +59,20 @@ module HTTParty
       def generate_multipart
         normalized_params = params.flat_map { |key, value| HashConversions.normalize_keys(key, value) }
 
-        multipart = normalized_params.inject(''.dup) do |memo, (key, value)|
-          memo << "--#{boundary}#{NEWLINE}"
-          memo << %(Content-Disposition: form-data; name="#{key}")
+        multipart = normalized_params.inject(''.b) do |memo, (key, value)|
+          memo << "--#{boundary}#{NEWLINE}".b
+          memo << %(Content-Disposition: form-data; name="#{key}").b
           # value.path is used to support ActionDispatch::Http::UploadedFile
           # https://github.com/jnunemaker/httparty/pull/585
-          memo << %(; filename="#{file_name(value).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE)}") if file?(value)
-          memo << NEWLINE
-          memo << "Content-Type: #{content_type(value)}#{NEWLINE}" if file?(value)
-          memo << NEWLINE
+          memo << %(; filename="#{file_name(value).gsub(/["\r\n]/, MULTIPART_FORM_DATA_REPLACEMENT_TABLE)}").b if file?(value)
+          memo << NEWLINE.b
+          memo << "Content-Type: #{content_type(value)}#{NEWLINE}".b if file?(value)
+          memo << NEWLINE.b
           memo << content_body(value)
-          memo << NEWLINE
+          memo << NEWLINE.b
         end
 
-        multipart << "--#{boundary}--#{NEWLINE}"
+        multipart << "--#{boundary}--#{NEWLINE}".b
       end
 
       def has_file?(value)
@@ -83,11 +100,12 @@ module HTTParty
       def content_body(object)
         if file?(object)
           object = (file = object).read
-          object.force_encoding(Encoding::UTF_8) if object.respond_to?(:force_encoding)
+          object.force_encoding(Encoding::BINARY) if object.respond_to?(:force_encoding)
           file.rewind if file.respond_to?(:rewind)
+          object.to_s
+        else
+          object.to_s.b
         end
-
-        object.to_s
       end
 
       def content_type(object)

data/lib/httparty/request/streaming_multipart_body.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+module HTTParty
+  class Request
+    class StreamingMultipartBody
+      NEWLINE = "\r\n"
+      CHUNK_SIZE = 64 * 1024 # 64 KB chunks
+
+      def initialize(parts, boundary)
+        @parts = parts
+        @boundary = boundary
+        @part_index = 0
+        @state = :header
+        @current_file = nil
+        @header_buffer = nil
+        @header_offset = 0
+        @footer_sent = false
+      end
+
+      def size
+        @size ||= calculate_size
+      end
+
+      def read(length = nil, outbuf = nil)
+        outbuf = outbuf ? outbuf.replace(''.b) : ''.b
+
+        return read_all(outbuf) if length.nil?
+
+        while outbuf.bytesize < length
+          chunk = read_chunk(length - outbuf.bytesize)
+          break if chunk.nil?
+          outbuf << chunk
+        end
+
+        outbuf.empty? ? nil : outbuf
+      end
+
+      def rewind
+        @part_index = 0
+        @state = :header
+        @current_file = nil
+        @header_buffer = nil
+        @header_offset = 0
+        @footer_sent = false
+        @parts.each do |_key, value, _is_file|
+          value.rewind if value.respond_to?(:rewind)
+        end
+      end
+
+      private
+
+      def read_all(outbuf)
+        while (chunk = read_chunk(CHUNK_SIZE))
+          outbuf << chunk
+        end
+        outbuf.empty? ? nil : outbuf
+      end
+
+      def read_chunk(max_length)
+        loop do
+          return nil if @part_index >= @parts.size && @footer_sent
+
+          if @part_index >= @parts.size
+            @footer_sent = true
+            return "--#{@boundary}--#{NEWLINE}".b
+          end
+
+          key, value, is_file = @parts[@part_index]
+
+          case @state
+          when :header
+            chunk = read_header_chunk(key, value, is_file, max_length)
+            return chunk if chunk
+
+          when :body
+            chunk = read_body_chunk(value, is_file, max_length)
+            return chunk if chunk
+
+          when :newline
+            @state = :header
+            @part_index += 1
+            return NEWLINE.b
+          end
+        end
+      end
+
+      def read_header_chunk(key, value, is_file, max_length)
+        if @header_buffer.nil?
+          @header_buffer = build_part_header(key, value, is_file)
+          @header_offset = 0
+        end
+
+        remaining = @header_buffer.bytesize - @header_offset
+        if remaining > 0
+          chunk_size = [remaining, max_length].min
+          chunk = @header_buffer.byteslice(@header_offset, chunk_size)
+          @header_offset += chunk_size
+          return chunk
+        end
+
+        @header_buffer = nil
+        @header_offset = 0
+        @state = :body
+        nil
+      end
+
+      def read_body_chunk(value, is_file, max_length)
+        if is_file
+          chunk = read_file_chunk(value, max_length)
+          if chunk
+            return chunk
+          else
+            @current_file = nil
+            @state = :newline
+            return nil
+          end
+        else
+          @state = :newline
+          return value.to_s.b
+        end
+      end
+
+      def read_file_chunk(file, max_length)
+        chunk_size = [max_length, CHUNK_SIZE].min
+        chunk = file.read(chunk_size)
+        return nil if chunk.nil?
+        chunk.force_encoding(Encoding::BINARY) if chunk.respond_to?(:force_encoding)
+        chunk
+      end
+
+      def build_part_header(key, value, is_file)
+        header = "--#{@boundary}#{NEWLINE}".b
+        header << %(Content-Disposition: form-data; name="#{key}").b
+        if is_file
+          header << %(; filename="#{file_name(value).gsub(/["\r\n]/, replacement_table)}").b
+          header << NEWLINE.b
+          header << "Content-Type: #{content_type(value)}#{NEWLINE}".b
+        end
+        header << NEWLINE.b
+        header
+      end
+
+      def calculate_size
+        total = 0
+        @parts.each do |key, value, is_file|
+          total += build_part_header(key, value, is_file).bytesize
+          total += content_size(value, is_file)
+          total += NEWLINE.bytesize
+        end
+        total += "--#{@boundary}--#{NEWLINE}".bytesize
+        total
+      end
+
+      def content_size(value, is_file)
+        if is_file
+          if value.respond_to?(:size)
+            value.size
+          elsif value.respond_to?(:stat)
+            value.stat.size
+          else
+            value.read.bytesize.tap { value.rewind }
+          end
+        else
+          value.to_s.b.bytesize
+        end
+      end
+
+      def content_type(object)
+        return object.content_type if object.respond_to?(:content_type)
+        require 'mini_mime'
+        mime = MiniMime.lookup_by_filename(object.path)
+        mime ? mime.content_type : 'application/octet-stream'
+      end
+
+      def file_name(object)
+        object.respond_to?(:original_filename) ? object.original_filename : File.basename(object.path)
+      end
+
+      def replacement_table
+        @replacement_table ||= {
+          '"'  => '%22',
+          "\r" => '%0D',
+          "\n" => '%0A'
+        }.freeze
+      end
+    end
+  end
+end

data/lib/httparty/request.rb

@@ -113,6 +113,8 @@ module HTTParty
         new_uri = path.clone
       end
 
+      validate_uri_safety!(new_uri) unless redirect
+
       # avoid double query string on redirects [#12]
       unless redirect
         new_uri.query = query_string(new_uri)
@@ -245,8 +247,17 @@ module HTTParty
         if body.multipart?
           content_type = "multipart/form-data; boundary=#{body.boundary}"
           @raw_request['Content-Type'] = content_type
+        elsif options[:body].respond_to?(:to_hash) && !@raw_request['Content-Type']
+          @raw_request['Content-Type'] = 'application/x-www-form-urlencoded'
+        end
+
+        if body.streaming? && options[:stream_body] != false
+          stream = body.to_stream
+          @raw_request.body_stream = stream
+          @raw_request['Content-Length'] = stream.size.to_s
+        else
+          @raw_request.body = body.call
         end
-        @raw_request.body = body.call
       end
 
       @raw_request.instance_variable_set(:@decode_content, decompress_content?)
@@ -433,5 +444,23 @@ module HTTParty
         assume_utf16_is_big_endian: assume_utf16_is_big_endian
       ).call
     end
+
+    def validate_uri_safety!(new_uri)
+      return if options[:skip_uri_validation]
+
+      configured_base_uri = options[:base_uri]
+      return unless configured_base_uri
+
+      normalized_base = options[:uri_adapter].parse(
+        HTTParty.normalize_base_uri(configured_base_uri)
+      )
+
+      return if new_uri.host == normalized_base.host
+
+      raise UnsafeURIError,
+        "Requested URI '#{new_uri}' has host '#{new_uri.host}' but the " \
+        "configured base_uri '#{normalized_base}' has host '#{normalized_base.host}'. " \
+        "This request could send credentials to an unintended server."
+    end
   end
 end

data/lib/httparty/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module HTTParty
-  VERSION = '0.23.2'
+  VERSION = '0.24.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: httparty
 version: !ruby/object:Gem::Version
-  version: 0.23.2
+  version: 0.24.0
 platform: ruby
 authors:
 - John Nunemaker
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-10-07 00:00:00.000000000 Z
+date: 2025-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: csv
@@ -118,6 +118,7 @@ files:
 - lib/httparty/request.rb
 - lib/httparty/request/body.rb
 - lib/httparty/request/multipart_boundary.rb
+- lib/httparty/request/streaming_multipart_body.rb
 - lib/httparty/response.rb
 - lib/httparty/response/headers.rb
 - lib/httparty/response_fragment.rb