protocol-http 0.53.0 → 0.55.0

data/releases.md

@@ -1,5 +1,63 @@
 # Releases
 
+## v0.55.0
+
+  - **Breaking**: Move `Protocol::HTTP::Header::QuotedString` to `Protocol::HTTP::QuotedString` for better reusability.
+  - **Breaking**: Handle cookie key/value pairs using `QuotedString` as per RFC 6265.
+      - Don't use URL encoding for cookie key/value.
+  - **Breaking**: Remove `Protocol::HTTP::URL` and `Protocol::HTTP::Reference` – replaced by `Protocol::URL` gem.
+      - `Protocol::HTTP::URL` -\> `Protocol::URL::Encoding`.
+      - `Protocol::HTTP::Reference` -\> `Protocol::URL::Reference`.
+
+## v0.54.0
+
+  - Introduce rich support for `Header::Digest`, `Header::ServerTiming`, `Header::TE`, `Header::Trailer` and `Header::TransferEncoding`.
+
+### Improved HTTP Trailer Security
+
+This release introduces significant security improvements for HTTP trailer handling, addressing potential HTTP request smuggling vulnerabilities by implementing a restrictive-by-default policy for trailer headers.
+
+  - **Security-by-default**: HTTP trailers are now validated and restricted by default to prevent HTTP request smuggling attacks.
+  - Only safe headers are permitted in trailers:
+      - `date` - Response generation timestamps (safe metadata)
+      - `digest` - Content integrity verification (safe metadata)
+      - `etag` - Cache validation tags (safe metadata)
+      - `server-timing` - Performance metrics (safe metadata)
+  - All other trailers are ignored by default.
+
+If you are using this library for gRPC, you will need to use a custom policy to allow the `grpc-status` and `grpc-message` trailers:
+
+``` ruby
+module GRPCStatus
+	def self.new(value)
+		Integer(value)
+	end
+	
+	def self.trailer?
+		true
+	end
+end
+
+module GRPCMessage
+	def self.new(value)
+		value
+	end
+	
+	def self.trailer?
+		true
+	end
+end
+
+GRPC_POLICY = Protocol::HTTP::Headers::POLICY.dup
+GRPC_POLICY['grpc-status'] = GRPCStatus
+GRPC_POLICY['grpc-message'] = GRPCMessage
+
+# Reinterpret the headers using the new policy:
+response.headers.policy = GRPC_POLICY
+response.headers['grpc-status'] # => 0
+response.headers['grpc-message'] # => "OK"
+```
+
 ## v0.53.0
 
   - Improve consistency of Body `#inspect`.
@@ -76,3 +134,160 @@ def call(request)
 	# ...
 end
 ```
+
+## v0.29.0
+
+  - Introduce `rewind` and `rewindable?` methods for body rewinding capabilities.
+  - Add support for output buffer in `read_partial`/`readpartial` methods.
+  - `Reader#buffered!` now returns `self` for method chaining.
+
+## v0.28.0
+
+  - Add convenient `Reader#buffered!` method to buffer the body.
+  - Modernize gem infrastructure with RuboCop integration.
+
+## v0.27.0
+
+  - Expand stream interface to support `gets`/`puts` operations.
+  - Skip empty key/value pairs in header processing.
+  - Prefer lowercase method names for consistency.
+  - Add `as_json` support to avoid default Rails implementation.
+  - Use `@callback` to track invocation state.
+  - Drop `base64` gem dependency.
+
+## v0.26.0
+
+  - Prefer connection `close` over `keep-alive` when both are present.
+  - Add support for `#readpartial` method.
+  - Add `base64` dependency.
+
+## v0.25.0
+
+  - Introduce explicit support for informational responses (1xx status codes).
+  - Add `cache-control` support for `must-revalidate`, `proxy-revalidate`, and `s-maxage` directives.
+  - Add `#strong_match?` and `#weak_match?` methods to `ETags` header.
+  - Fix `last-modified`, `if-modified-since` and `if-unmodified-since` headers to use proper `Date` parsing.
+  - Improve date/expires header parsing.
+  - Add tests for `Stream#close_read`.
+  - Check if input is closed before raising `IOError`.
+  - Ensure saved files truncate existing file by default.
+
+## v0.24.0
+
+  - Add output stream `#<<` as alias for `#write`.
+  - Add support for `Headers#include?` and `#key?` methods.
+  - Fix URL unescape functionality.
+  - Fix cookie parsing issues.
+  - Fix superclass mismatch in `Protocol::HTTP::Middleware::Builder`.
+  - Allow trailers without explicit `trailer` header.
+  - Fix cookie handling and Ruby 2 keyword arguments.
+
+## v0.23.0
+
+  - Improve argument handling.
+  - Rename `path` parameter to `target` to better match RFCs.
+
+## v0.22.0
+
+  - Rename `trailers` to `trailer` for consistency.
+
+## v0.21.0
+
+  - Streaming interface improvements.
+  - Rename `Streamable` to `Completable`.
+
+## v0.20.0
+
+  - Improve `Authorization` header implementation.
+
+## v0.19.0
+
+  - Expose `Body#ready?` for more efficient response handling.
+
+## v0.18.0
+
+  - Add `#trailers` method which enumerates trailers without marking tail.
+  - Don't clear trailers in `#dup`, move functionality to `flatten!`.
+  - All requests and responses must have mutable headers instance.
+
+## v0.17.0
+
+  - Remove deferred headers due to complexity.
+  - Remove deprecated `Headers#slice!`.
+  - Add support for static, dynamic and streaming content to `cache-control` model.
+  - Initial support for trailers.
+  - Add support for `Response#not_modified?`.
+
+## v0.16.0
+
+  - Add support for `if-match` and `if-none-match` headers.
+  - Revert `Request#target` change for HTTP/2 compatibility.
+
+## v0.15.0
+
+  - Prefer `Request#target` over `Request#path`.
+  - Add body implementation to support HEAD requests.
+  - Add support for computing digest on buffered body.
+  - Add `Headers#set(key, value)` to replace existing values.
+  - Add support for `vary` header.
+  - Add support for `no-cache` & `no-store` cache directives.
+
+## v0.14.0
+
+  - Add `Cacheable` body for buffering and caching responses.
+  - Add support for `cache-control` header.
+
+## v0.13.0
+
+  - Add support for `connection` header.
+  - Fix handling of keyword arguments.
+
+## v0.12.0
+
+  - Improved handling of `cookie` header.
+  - Add `Headers#clear` method.
+
+## v0.11.0
+
+  - Ensure `Body#call` invokes `stream.close` when done.
+
+## v0.10.0
+
+  - Allow user to specify size for character devices.
+
+## v0.9.1
+
+  - Add support for `authorization` header.
+
+## v0.8.0
+
+  - Remove `reason` from `Response`.
+
+## v0.7.0
+
+  - Explicit path handling in `Reference#with`.
+
+## v0.6.0
+
+  - Initial version with basic HTTP protocol support.
+
+## v0.5.1
+
+  - Fix path splitting behavior when path is empty.
+  - Add `connect` method.
+  - Support protocol in `[]` constructor.
+  - Incorporate middleware functionality.
+
+## v0.4.0
+
+  - Add `Request`, `Response` and `Body` classes from `async-http`.
+  - Allow deletion of non-existent header fields.
+
+## v0.3.0
+
+  - **Initial release** of `protocol-http` gem.
+  - Initial implementation of HTTP/2 flow control.
+  - Support for connection preface and settings frames.
+  - Initial headers support.
+  - Implementation of `Connection`, `Client` & `Server` classes.
+  - HTTP/2 protocol framing and headers.

metadata

@@ -1,20 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: protocol-http
 version: !ruby/object:Gem::Version
-  version: 0.53.0
+  version: 0.55.0
 platform: ruby
 authors:
 - Samuel Williams
 - Thomas Morgan
 - Bruno Sutic
 - Herrick Fang
+- William T. Nelson
 - Bryan Powell
 - Dan Olson
 - Earlopain
 - Genki Takiuchi
 - Marcelo Junior
 - Olle Jonsson
-- William T. Nelson
 - Yuta Iwama
 bindir: bin
 cert_chain:
@@ -55,6 +55,7 @@ extra_rdoc_files: []
 files:
 - context/design-overview.md
 - context/getting-started.md
+- context/headers.md
 - context/hypertext-references.md
 - context/index.yaml
 - context/message-body.md
@@ -90,22 +91,25 @@ files:
 - lib/protocol/http/header/connection.rb
 - lib/protocol/http/header/cookie.rb
 - lib/protocol/http/header/date.rb
+- lib/protocol/http/header/digest.rb
 - lib/protocol/http/header/etag.rb
 - lib/protocol/http/header/etags.rb
 - lib/protocol/http/header/multiple.rb
 - lib/protocol/http/header/priority.rb
-- lib/protocol/http/header/quoted_string.rb
+- lib/protocol/http/header/server_timing.rb
 - lib/protocol/http/header/split.rb
+- lib/protocol/http/header/te.rb
+- lib/protocol/http/header/trailer.rb
+- lib/protocol/http/header/transfer_encoding.rb
 - lib/protocol/http/header/vary.rb
 - lib/protocol/http/headers.rb
 - lib/protocol/http/methods.rb
 - lib/protocol/http/middleware.rb
 - lib/protocol/http/middleware/builder.rb
 - lib/protocol/http/peer.rb
-- lib/protocol/http/reference.rb
+- lib/protocol/http/quoted_string.rb
 - lib/protocol/http/request.rb
 - lib/protocol/http/response.rb
-- lib/protocol/http/url.rb
 - lib/protocol/http/version.rb
 - license.md
 - readme.md
@@ -130,7 +134,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 3.7.2
 specification_version: 4
 summary: Provides abstractions to handle HTTP protocols.
 test_files: []

metadata.gz.sig

@@ -1,3 +1,3 @@
-��<�!/3A�鶶R�����W��{�Q��9�++VH�3HDɖ\>9�\�k��$�Ͳ>0z�0�'&�XW7؆��EhJ����TiO��sI����J֥�:18}O	;�ý�s�k��ڂ|���������;���+ɤ��JuaY�0�
-}�?��������r9h��py˨��p���Y��O���-�ZT�%8���O��b@�eQ�Ku[1���`��-��L��̄-�Jq��S*���2mՅ�6�x�"0 ��'���h	1��e�lrՆ�iS�h,��
-�鸛	*G����^�>8?V�Z3L����msP�����.D�5U=u�aEڕچ�
+����&1>[�.�]�k��iտ	�GZ^��a��Ak��8�-�$\t�:&�7Ն���=���@r~ܔ�ʌ3b͐�)���:�5���—�c��kgV�~z����2$cog���O�
+K��\�үm�����������J��{B��Y��������w
�n����c@�>O1י\�4[�"��p�wlX�0�b��iT�u�2���Fݴ��Y�L:ȼIs�C��{ҙK�K-'��x"�����@3eͦa1�x�EЋ##�m΀���p��	F@E,Y�u;�J0�n�P�ц�?�S��mh�c=�:�Z��%��:����Cus�uK�
+0��ç�4�\�a�	{��8o�G�Z

data/lib/protocol/http/header/quoted_string.rb

@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-
-# Released under the MIT License.
-# Copyright, 2025, by Samuel Williams.
-
-module Protocol
-	module HTTP
-		module Header
-			# According to https://tools.ietf.org/html/rfc7231#appendix-C
-			TOKEN = /[!#$%&'*+\-.^_`|~0-9A-Z]+/i
-			
-			QUOTED_STRING = /"(?:.(?!(?<!\\)"))*.?"/
-			
-			# https://tools.ietf.org/html/rfc7231#section-5.3.1
-			QVALUE = /0(\.[0-9]{0,3})?|1(\.[0]{0,3})?/
-			
-			# Handling of HTTP quoted strings.
-			module QuotedString
-				# Unquote a "quoted-string" value according to <https://tools.ietf.org/html/rfc7230#section-3.2.6>. It should already match the QUOTED_STRING pattern above by the parser.
-				def self.unquote(value, normalize_whitespace = true)
-					value = value[1...-1]
-					
-					value.gsub!(/\\(.)/, '\1')
-					
-					if normalize_whitespace
-						# LWS = [CRLF] 1*( SP | HT )
-						value.gsub!(/[\r\n]+\s+/, " ")
-					end
-					
-					return value
-				end
-				
-				QUOTES_REQUIRED = /[()<>@,;:\\"\/\[\]?={} \t]/
-				
-				# Quote a string for HTTP header values if required.
-				#
-				# @raises [ArgumentError] if the value contains invalid characters like control characters or newlines.
-				def self.quote(value, force = false)
-					# Check if quoting is required:
-					if value =~ QUOTES_REQUIRED or force
-						"\"#{value.gsub(/["\\]/, '\\\\\0')}\""
-					else
-						value
-					end
-				end
-			end
-		end
-	end
-end

data/lib/protocol/http/reference.rb

@@ -1,253 +0,0 @@
-# frozen_string_literal: true
-
-# Released under the MIT License.
-# Copyright, 2018-2025, by Samuel Williams.
-
-require_relative "url"
-
-module Protocol
-	module HTTP
-		# A relative reference, excluding any authority. The path part of an HTTP request.
-		class Reference
-			include Comparable
-			
-			# Generate a reference from a path and user parameters. The path may contain a `#fragment` or `?query=parameters`.
-			def self.parse(path = "/", parameters = nil)
-				base, fragment = path.split("#", 2)
-				path, query = base.split("?", 2)
-				
-				self.new(path, query, fragment, parameters)
-			end
-			
-			# Initialize the reference.
-			#
-			# @parameter path [String] The path component, e.g. `/foo/bar/index.html`.
-			# @parameter query [String | Nil] The un-parsed query string, e.g. 'x=10&y=20'.
-			# @parameter fragment [String | Nil] The fragment, the part after the '#'.
-			# @parameter parameters [Hash | Nil] User supplied parameters that will be appended to the query part.
-			def initialize(path = "/", query = nil, fragment = nil, parameters = nil)
-				@path = path
-				@query = query
-				@fragment = fragment
-				@parameters = parameters
-			end
-			
-			# @attribute [String] The path component, e.g. `/foo/bar/index.html`.
-			attr_accessor :path
-			
-			# @attribute [String] The un-parsed query string, e.g. 'x=10&y=20'.
-			attr_accessor :query
-			
-			# @attribute [String] The fragment, the part after the '#'.
-			attr_accessor :fragment
-			
-			# @attribute [Hash] User supplied parameters that will be appended to the query part.
-			attr_accessor :parameters
-			
-			# Freeze the reference.
-			#
-			#	@returns [Reference] The frozen reference.
-			def freeze
-				return self if frozen?
-				
-				@path.freeze
-				@query.freeze
-				@fragment.freeze
-				@parameters.freeze
-				
-				super
-			end
-			
-			# Implicit conversion to an array.
-			#
-			# @returns [Array] The reference as an array, `[path, query, fragment, parameters]`.
-			def to_ary
-				[@path, @query, @fragment, @parameters]
-			end
-			
-			# Compare two references.
-			#
-			# @parameter other [Reference] The other reference to compare.
-			# @returns [Integer] -1, 0, 1 if the reference is less than, equal to, or greater than the other reference.
-			def <=> other
-				to_ary <=> other.to_ary
-			end
-			
-			# Type-cast a reference.
-			#
-			# @parameter reference [Reference | String] The reference to type-cast.
-			# @returns [Reference] The type-casted reference.
-			def self.[] reference
-				if reference.is_a? self
-					return reference
-				else
-					return self.parse(reference)
-				end
-			end
-			
-			# @returns [Boolean] Whether the reference has parameters.
-			def parameters?
-				@parameters and !@parameters.empty?
-			end
-			
-			# @returns [Boolean] Whether the reference has a query string.
-			def query?
-				@query and !@query.empty?
-			end
-			
-			# @returns [Boolean] Whether the reference has a fragment.
-			def fragment?
-				@fragment and !@fragment.empty?
-			end
-			
-			# Append the reference to the given buffer.
-			def append(buffer = String.new)
-				if query?
-					buffer << URL.escape_path(@path) << "?" << @query
-					buffer << "&" << URL.encode(@parameters) if parameters?
-				else
-					buffer << URL.escape_path(@path)
-					buffer << "?" << URL.encode(@parameters) if parameters?
-				end
-				
-				if fragment?
-					buffer << "#" << URL.escape(@fragment)
-				end
-				
-				return buffer
-			end
-			
-			# Convert the reference to a string, e.g. `/foo/bar/index.html?x=10&y=20#section`
-			#
-			# @returns [String] The reference as a string.
-			def to_s
-				append
-			end
-			
-			# Merges two references as specified by RFC2396, similar to `URI.join`.
-			def + other
-				other = self.class[other]
-				
-				self.class.new(
-					expand_path(self.path, other.path, true),
-					other.query,
-					other.fragment,
-					other.parameters,
-				)
-			end
-			
-			# Just the base path, without any query string, parameters or fragment.
-			def base
-				self.class.new(@path, nil, nil, nil)
-			end
-			
-			# Update the reference with the given path, parameters and fragment.
-			#
-			# @parameter path [String] Append the string to this reference similar to `File.join`.
-			# @parameter parameters [Hash] Append the parameters to this reference.
-			# @parameter fragment [String] Set the fragment to this value.
-			# @parameter pop [Boolean] If the path contains a trailing filename, pop the last component of the path before appending the new path.
-			# @parameter merge [Boolean] If the parameters are specified, merge them with the existing parameters, otherwise replace them (including query string).
-			def with(path: nil, parameters: false, fragment: @fragment, pop: false, merge: true)
-				if merge
-					# Merge mode: combine new parameters with existing, keep query:
-					# parameters = (@parameters || {}).merge(parameters || {})
-					if @parameters
-						if parameters
-							parameters = @parameters.merge(parameters)
-						else
-							parameters = @parameters
-						end
-					elsif !parameters
-						parameters = @parameters
-					end
-					
-					query = @query
-				else
-					# Replace mode: use new parameters if provided, clear query when replacing:
-					if parameters == false
-						# No new parameters provided, keep existing:
-						parameters = @parameters
-						query = @query
-					else
-						# New parameters provided, replace and clear query:
-						# parameters = parameters
-						query = nil
-					end
-				end
-				
-				if path
-					path = expand_path(@path, path, pop)
-				else
-					path = @path
-				end
-				
-				self.class.new(path, query, fragment, parameters)
-			end
-			
-			private
-			
-			def split(path)
-				if path.empty?
-					[path]
-				else
-					path.split("/", -1)
-				end
-			end
-			
-			def expand_absolute_path(path, parts)
-				parts.each do |part|
-					if part == ".."
-						path.pop
-					elsif part == "."
-						# Do nothing.
-					else
-						path << part
-					end
-				end
-				
-				if path.first != ""
-					path.unshift("")
-				end
-			end
-			
-			def expand_relative_path(path, parts)
-				parts.each do |part|
-					if part == ".." and path.any?
-						path.pop
-					elsif part == "."
-						# Do nothing.
-					else
-						path << part
-					end
-				end
-			end
-			
-			# @param pop [Boolean] whether to remove the last path component of the base path, to conform to URI merging behaviour, as defined by RFC2396.
-			def expand_path(base, relative, pop = true)
-				if relative.start_with? "/"
-					return relative
-				end
-				
-				path = split(base)
-				
-				# RFC2396 Section 5.2:
-				# 6) a) All but the last segment of the base URI's path component is
-				# copied to the buffer.  In other words, any characters after the
-				# last (right-most) slash character, if any, are excluded.
-				path.pop if pop or path.last == ""
-				
-				parts = split(relative)
-				
-				# Absolute path:
-				if path.first == ""
-					expand_absolute_path(path, parts)
-				else
-					expand_relative_path(path, parts)
-				end	
-				
-				return path.join("/")
-			end
-		end
-	end
-end