Polish GHSA-r98x-p6m8-xcrv fix

sferik · sferik · commit 896dcffb30ff · 2026-05-26T10:48:35.000-07:00
Three small follow-ups to c7517ab: 1. Hoist the duplicate `./` guard above the if/elsif. The guard is a no-op when neither base_uri nor persistent is set, so it's safe to factor out — and it lets the two-branch comment collapse into one. 2. Strengthen the persistent regression test. Asserting only on `req.uri.host` hides an intermediate where make_request_uri returns a URI with host "example.com." (trailing dot), which only normalises away because HTTP::URI#normalize_host strips trailing dots. Pin the full URI (`origin` + `to_s`) so a future change to normalize_host that lets the dot leak through is caught here. 3. CHANGELOG accuracy. The persistent branch never called `URI#merge` — it was string concatenation. Distinguish the two branches and reference RFC 3986 §5.2 for the underlying rule.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,9 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - `HTTP::Request::Builder#make_request_uri` now rejects protocol-relative inputs
   (`//host/path`) when resolving against a configured `base_uri` or `persistent`
-  origin. Previously such inputs flowed into `URI#merge` and replaced the base
-  authority, allowing an attacker who controlled the path argument to redirect
-  the request to an arbitrary host and leak any connection-scoped headers
+  origin. Previously such inputs were treated as network-path references per
+  RFC 3986 §5.2 and replaced the base authority — via `URI#join` on the
+  `base_uri` branch and via string concatenation on the `persistent` branch —
+  allowing an attacker who controlled the path argument to redirect the
+  request to an arbitrary host and leak any connection-scoped headers
   (`HTTP.auth(...)`, etc.). See `GHSA-r98x-p6m8-xcrv` for details.
 
 ## [6.0.3] - 2026-04-20
diff --git a/lib/http/request/builder.rb b/lib/http/request/builder.rb
@@ -83,19 +83,17 @@ def wrap(request)
       def make_request_uri(uri)
         uri = uri.to_s
 
+        # A leading "//" makes the input a protocol-relative (network-path)
+        # reference per RFC 3986 §4.2 / §5.2. On the base_uri branch it would
+        # replace the base authority via URI#join; on the persistent branch
+        # naive concatenation produces "scheme://persistent//evil/path" which
+        # HTTP::URI.parse normalises into scheme://evil/path. Prepend "./" so
+        # it resolves as a normal relative path under the configured base.
+        uri = "./#{uri}" if (@options.base_uri? || @options.persistent?) && uri.start_with?("//")
+
         if @options.base_uri? && uri !~ HTTP_OR_HTTPS_RE
-          # A leading "//" makes the input a protocol-relative (network-path)
-          # reference per RFC 3986 §4.2 / §5.2. Passing it to base.join /
-          # URI#merge would replace the base authority with the input's host,
-          # turning a base_uri-scoped request into one to an arbitrary host.
-          # Prepend "./" so it resolves as a normal relative path under base.
-          uri = "./#{uri}" if uri.start_with?("//")
           uri = resolve_against_base(uri)
         elsif @options.persistent? && uri !~ HTTP_OR_HTTPS_RE
-          # Same hazard against the persistent-host concatenation: a leading
-          # "//" produces "scheme://persistent//evil/path" which HTTP::URI.parse
-          # normalises into scheme://evil/path. Force a relative-path prefix.
-          uri = "./#{uri}" if uri.start_with?("//")
           uri = "#{@options.persistent}#{uri}"
         end
 
diff --git a/test/http/request/builder_test.rb b/test/http/request/builder_test.rb
@@ -660,7 +660,12 @@ def test_build_with_persistent_and_protocol_relative_does_not_override_host
     builder = build_builder(persistent: "http://example.com")
     req = builder.build(:get, "//evil.com/leak")
 
-    assert_equal "example.com", req.uri.host
+    # Pin the full URI: concatenation produces "http://example.com.//..."
+    # whose host is `example.com.`; HTTP::URI#normalize_host strips the
+    # trailing dot. Asserting on origin/to_s guards against a future
+    # change to normalize_host that would let the dot leak through.
+    assert_equal "http://example.com", req.uri.origin
+    assert_equal "http://example.com///evil.com/leak", req.uri.to_s
     refute_equal "evil.com", req.uri.host
   end
 
