forked from microsoft/azurelinux
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathCVE-2026-25765.patch
More file actions
88 lines (84 loc) · 3.5 KB
/
CVE-2026-25765.patch
File metadata and controls
88 lines (84 loc) · 3.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
From e45ae8f935f6f87b91929b2ba48b57e5ba174435 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Thu, 2 Apr 2026 15:18:26 +0000
Subject: [PATCH] build_exclusive_url: Guard against protocol-relative URLs by
normalising to relative path; update rubocop todo and add specs
(GHSA-33mh-2634-fwr2)
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc.patch
---
.rubocop_todo.yml | 2 +-
lib/faraday/connection.rb | 3 +++
spec/faraday/connection_spec.rb | 33 +++++++++++++++++++++++++++++++++
3 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index fbec6de..3c75338 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -31,7 +31,7 @@ Metrics/AbcSize:
# Offense count: 4
# Configuration parameters: CountComments, CountAsOne.
Metrics/ClassLength:
- Max: 230
+ Max: 235
# Offense count: 9
# Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods.
diff --git a/lib/faraday/connection.rb b/lib/faraday/connection.rb
index 1984f87..7056572 100644
--- a/lib/faraday/connection.rb
+++ b/lib/faraday/connection.rb
@@ -473,6 +473,9 @@ module Faraday
if url && !base.path.end_with?('/')
base.path = "#{base.path}/" # ensure trailing slash
end
+ # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
+ url = "./#{url}" if url.respond_to?(:start_with?) &&
+ (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
url = url.to_s.gsub(':', '%3A') if URI.parse(url.to_s).opaque
uri = url ? base + url : base
if params
diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb
index d4ccb23..51392f1 100644
--- a/spec/faraday/connection_spec.rb
+++ b/spec/faraday/connection_spec.rb
@@ -310,6 +310,39 @@
expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400')
end
end
+ context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
+ it 'does not allow host override with //evil.com/path' do
+ conn.url_prefix = 'http://httpbingo.org/api'
+ uri = conn.build_exclusive_url('//evil.com/path')
+ expect(uri.host).to eq('httpbingo.org')
+ end
+
+ it 'does not allow host override with //evil.com:8080/path' do
+ conn.url_prefix = 'http://httpbingo.org/api'
+ uri = conn.build_exclusive_url('//evil.com:8080/path')
+ expect(uri.host).to eq('httpbingo.org')
+ end
+
+ it 'does not allow host override with //user:pass@evil.com/path' do
+ conn.url_prefix = 'http://httpbingo.org/api'
+ uri = conn.build_exclusive_url('//user:pass@evil.com/path')
+ expect(uri.host).to eq('httpbingo.org')
+ end
+
+ it 'does not allow host override with ///evil.com' do
+ conn.url_prefix = 'http://httpbingo.org/api'
+ uri = conn.build_exclusive_url('///evil.com')
+ expect(uri.host).to eq('httpbingo.org')
+ end
+
+ it 'still allows single-slash absolute paths' do
+ conn.url_prefix = 'http://httpbingo.org/api'
+ uri = conn.build_exclusive_url('/safe/path')
+ expect(uri.host).to eq('httpbingo.org')
+ expect(uri.path).to eq('/safe/path')
+ end
+ end
+
context 'with a custom `default_uri_parser`' do
let(:url) { 'http://httpbingo.org' }
--
2.45.4