ssrf_filter 1.1.2 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 315ab29498751c0bb60964f06932464d8663ec66e50ed403b04c2e19c9fce5e6
-  data.tar.gz: 8b3475337b149bf8e04dd11e379e9c0698f74d05528524fea847ed996aff405c
+  metadata.gz: c7b6cb5db50edebd286cc411415c02c7e461815da7e21b75d5cc2d0780b149cb
+  data.tar.gz: e48564883db3e5db9b7e0d54a134680fe035f8f33f8f74a378dc75448545347a
 SHA512:
-  metadata.gz: 299b91d225b906faa91a1ebd4a8ad32ce46889deaeffa89d5a7488b871310e68ed7f73332c9ee25fd0ff3d01a25dd949907a390e8ce44926910657e2fa054f3e
-  data.tar.gz: 89b6051cb2a8f232336e1e25e95a5898c71ba4439f582224452effbcc41b3a68af13d1e16d855f8ebb7634c013fefd3301c661d5d6bf72f3d98894feb867f47f
+  metadata.gz: cdc1bb1de979857312fe2d59d3b09c03ce3a58a63b768414bac40bba56e7ed87fc003a08249d0bc5df04328067aa914528cbffb41cf7bd1b648b531f36e44776
+  data.tar.gz: 8e733db18680051554b6a69148088837880a86a62a31c6427e2131966653bd9ebd4e5957e2ea42d8e58260eb474bdd5a00bde1776a25d679fadab65bbfbb6853

data/lib/ssrf_filter/ssrf_filter.rb

@@ -10,7 +10,7 @@ class SsrfFilter
     mask_addr = ipaddr.instance_variable_get('@mask_addr')
     raise ArgumentError, 'Invalid mask' if mask_addr.zero?
 
-    while (mask_addr & 0x1).zero?
+    while mask_addr.nobits?(0x1)
       mask_addr >>= 1
     end
 
@@ -84,8 +84,6 @@ class SsrfFilter
     patch: ::Net::HTTP::Patch
   }.freeze
 
-  FIBER_HOSTNAME_KEY = :__ssrf_filter_hostname
-
   class Error < ::StandardError
   end
 
@@ -106,8 +104,6 @@ class SsrfFilter
 
   %i[get put post delete head patch].each do |method|
     define_singleton_method(method) do |url, options = {}, &block|
-      ::SsrfFilter::Patch::SSLSocket.apply!
-
       original_url = url
       scheme_whitelist = options.fetch(:scheme_whitelist, DEFAULT_SCHEME_WHITELIST)
       resolver = options.fetch(:resolver, DEFAULT_RESOLVER)
@@ -156,16 +152,16 @@ class SsrfFilter
   end
   private_class_method :ipaddr_has_mask?
 
-  def self.host_header(hostname, uri)
+  def self.normalized_hostname(uri)
     # Attach port for non-default as per RFC2616
     if (uri.port == 80 && uri.scheme == 'http') ||
        (uri.port == 443 && uri.scheme == 'https')
-      hostname
+      uri.hostname
     else
-      "#{hostname}:#{uri.port}"
+      "#{uri.hostname}:#{uri.port}"
     end
   end
-  private_class_method :host_header
+  private_class_method :normalized_hostname
 
   def self.fetch_once(uri, ip, verb, options, &block)
     if options[:params]
@@ -174,11 +170,8 @@ class SsrfFilter
       uri.query = ::URI.encode_www_form(params)
     end
 
-    hostname = uri.hostname
-    uri.hostname = ip
-
     request = VERB_MAP[verb].new(uri)
-    request['host'] = host_header(hostname, uri)
+    request['host'] = normalized_hostname(uri)
 
     Array(options[:headers]).each do |header, value|
       request[header] = value
@@ -189,24 +182,24 @@ class SsrfFilter
     options[:request_proc].call(request) if options[:request_proc].respond_to?(:call)
     validate_request(request)
 
-    http_options = options[:http_options] || {}
-    http_options[:use_ssl] = (uri.scheme == 'https')
+    http_options = (options[:http_options] || {}).merge(
+      use_ssl: uri.scheme == 'https',
+      ipaddr: ip
+    )
 
-    with_forced_hostname(hostname) do
-      ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
-        response = http.request(request) do |res|
-          block&.call(res)
-        end
-        case response
-        when ::Net::HTTPRedirection
-          url = response['location']
-          # Handle relative redirects
-          url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
-        else
-          url = nil
-        end
-        return response, url
+    ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
+      response = http.request(request) do |res|
+        block&.call(res)
+      end
+      case response
+      when ::Net::HTTPRedirection
+        url = response['location']
+        # Handle relative redirects
+        url = "#{uri.scheme}://#{normalized_hostname(uri)}#{url}" if url.start_with?('/')
+      else
+        url = nil
       end
+      return response, url
     end
   end
   private_class_method :fetch_once
@@ -223,12 +216,4 @@ class SsrfFilter
     end
   end
   private_class_method :validate_request
-
-  def self.with_forced_hostname(hostname, &_block)
-    ::Thread.current[FIBER_HOSTNAME_KEY] = hostname
-    yield
-  ensure
-    ::Thread.current[FIBER_HOSTNAME_KEY] = nil
-  end
-  private_class_method :with_forced_hostname
 end

data/lib/ssrf_filter/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class SsrfFilter
-  VERSION = '1.1.2'
+  VERSION = '1.2.0'
 end

data/lib/ssrf_filter.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
 
-require 'ssrf_filter/patch/ssl_socket'
 require 'ssrf_filter/ssrf_filter'
 require 'ssrf_filter/version'

metadata

@@ -1,29 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: ssrf_filter
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.2.0
 platform: ruby
 authors:
 - Arkadiy Tetelman
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-01 00:00:00.000000000 Z
+date: 2024-11-08 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.2
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -44,42 +58,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.12.0
+        version: 3.13.0
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.35.0
+        version: 1.68.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.35.0
+        version: 1.68.0
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.12.1
+        version: 3.2.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.12.1
+        version: 3.2.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +128,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.18.0
+        version: 3.24.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.18.0
+        version: 3.24.0
 - !ruby/object:Gem::Dependency
   name: webrick
   requirement: !ruby/object:Gem::Requirement
@@ -144,7 +158,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/ssrf_filter.rb
-- lib/ssrf_filter/patch/ssl_socket.rb
 - lib/ssrf_filter/ssrf_filter.rb
 - lib/ssrf_filter/version.rb
 homepage: https://github.com/arkadiyt/ssrf_filter
@@ -160,7 +173,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="

data/lib/ssrf_filter/patch/ssl_socket.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-class SsrfFilter
-  module Patch
-    module SSLSocket
-      def self.apply!
-        return if instance_variable_defined?(:@patched_ssl_socket)
-
-        @patched_ssl_socket = true
-
-        ::OpenSSL::SSL::SSLSocket.class_eval do
-          # When fetching a url we'd like to have the following workflow:
-          # 1) resolve the hostname www.example.com, and choose a public ip address to connect to
-          # 2) connect to that specific ip address, to prevent things like DNS TOCTTOU bugs or other trickery
-          #
-          # Ideally this would happen by the ruby http library giving us control over DNS resolution,
-          # but it doesn't. Instead, when making the request we set the uri.hostname to the chosen ip address,
-          # and send a 'Host' header of the original hostname, i.e. connect to 'http://93.184.216.34/' and send
-          # a 'Host: www.example.com' header.
-          #
-          # This works for the http case, http://www.example.com. For the https case, this causes certificate
-          # validation failures, since the server certificate for https://www.example.com will not have a
-          # Subject Alternate Name for 93.184.216.34.
-          #
-          # Thus we perform the monkey-patch below, modifying SSLSocket's `post_connection_check(hostname)`
-          # and `hostname=(hostname)` methods:
-          # If our fiber local variable is set, use that for the hostname instead, otherwise behave as usual.
-          # The only time the variable will be set is if you are executing inside a `with_forced_hostname` block,
-          # which is used in ssrf_filter.rb.
-          #
-          # An alternative approach could be to pass in our own OpenSSL::X509::Store with a custom
-          # `verify_callback` to the ::Net::HTTP.start call, but this would require reimplementing certification
-          # validation, which is dangerous. This way we can piggyback on the existing validation and simply pretend
-          # that we connected to the desired hostname.
-
-          original_post_connection_check = instance_method(:post_connection_check)
-          define_method(:post_connection_check) do |hostname|
-            original_post_connection_check.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] ||
-              hostname)
-          end
-
-          if method_defined?(:hostname=)
-            original_hostname = instance_method(:hostname=)
-            define_method(:hostname=) do |hostname|
-              original_hostname.bind(self).call(::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY] || hostname)
-            end
-          end
-
-          # This patch is the successor to https://github.com/arkadiyt/ssrf_filter/pull/54
-          # Due to some changes in Ruby's net/http library (namely https://github.com/ruby/net-http/pull/36),
-          # the SSLSocket in the request was no longer getting `s.hostname` set.
-          # The original fix tried to monkey-patch the Regexp class to cause the original code path to execute,
-          # but this caused other problems (like https://github.com/arkadiyt/ssrf_filter/issues/61)
-          # This fix attempts a different approach to set the hostname on the socket
-          original_initialize = instance_method(:initialize)
-          define_method(:initialize) do |*args|
-            original_initialize.bind(self).call(*args)
-            if ::Thread.current.key?(::SsrfFilter::FIBER_HOSTNAME_KEY)
-              self.hostname = ::Thread.current[::SsrfFilter::FIBER_HOSTNAME_KEY]
-            end
-          end
-        end
-      end
-    end
-  end
-end