Polish GHSA-r98x-p6m8-xcrv fix

Three small follow-ups to c7517ab:

1. Hoist the duplicate `./` guard above the if/elsif. The guard is a
   no-op when neither base_uri nor persistent is set, so it's safe to
   factor out — and it lets the two-branch comment collapse into one.

2. Strengthen the persistent regression test. Asserting only on
   `req.uri.host` hides an intermediate where make_request_uri returns
   a URI with host "example.com." (trailing dot), which only normalises
   away because HTTP::URI#normalize_host strips trailing dots. Pin the
   full URI (`origin` + `to_s`) so a future change to normalize_host
   that lets the dot leak through is caught here.

3. CHANGELOG accuracy. The persistent branch never called `URI#merge`
   — it was string concatenation. Distinguish the two branches and
   reference RFC 3986 §5.2 for the underlying rule.

Author: sferik

CHANGELOG.md

@@ -11,9 +11,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - `HTTP::Request::Builder#make_request_uri` now rejects protocol-relative inputs
   (`//host/path`) when resolving against a configured `base_uri` or `persistent`
-  origin. Previously such inputs flowed into `URI#merge` and replaced the base
-  authority, allowing an attacker who controlled the path argument to redirect
-  the request to an arbitrary host and leak any connection-scoped headers
+  origin. Previously such inputs were treated as network-path references per
+  RFC 3986 §5.2 and replaced the base authority — via `URI#join` on the
+  `base_uri` branch and via string concatenation on the `persistent` branch —
+  allowing an attacker who controlled the path argument to redirect the
+  request to an arbitrary host and leak any connection-scoped headers
   (`HTTP.auth(...)`, etc.). See `GHSA-r98x-p6m8-xcrv` for details.
 
 ## [6.0.3] - 2026-04-20

lib/http/request/builder.rb

@@ -81,21 +81,11 @@ def wrap(request)
       # @return [HTTP::URI] the constructed URI
       # @api private
       def make_request_uri(uri)
-        uri = uri.to_s
+        uri = neutralize_protocol_relative(uri.to_s)
 
         if @options.base_uri? && uri !~ HTTP_OR_HTTPS_RE
-          # A leading "//" makes the input a protocol-relative (network-path)
-          # reference per RFC 3986 §4.2 / §5.2. Passing it to base.join /
-          # URI#merge would replace the base authority with the input's host,
-          # turning a base_uri-scoped request into one to an arbitrary host.
-          # Prepend "./" so it resolves as a normal relative path under base.
-          uri = "./#{uri}" if uri.start_with?("//")
           uri = resolve_against_base(uri)
         elsif @options.persistent? && uri !~ HTTP_OR_HTTPS_RE
-          # Same hazard against the persistent-host concatenation: a leading
-          # "//" produces "scheme://persistent//evil/path" which HTTP::URI.parse
-          # normalises into scheme://evil/path. Force a relative-path prefix.
-          uri = "./#{uri}" if uri.start_with?("//")
           uri = "#{@options.persistent}#{uri}"
         end
 
@@ -111,6 +101,26 @@ def make_request_uri(uri)
         uri
       end
 
+      # Neutralize a leading "//" so it resolves as a relative path under base
+      #
+      # A "//"-prefixed input is a protocol-relative (network-path) reference
+      # per RFC 3986 §4.2 / §5.2. On the base_uri branch it would replace the
+      # base authority via URI#join; on the persistent branch naive
+      # concatenation produces "scheme://persistent//evil/path" which
+      # HTTP::URI.parse normalises into scheme://evil/path. Prepending "./"
+      # forces the input to resolve as an ordinary relative path under the
+      # configured base.
+      #
+      # @param uri [String] the input URI
+      # @return [String] uri unchanged, or "./" + uri when neutralization applies
+      # @api private
+      def neutralize_protocol_relative(uri)
+        return uri unless @options.base_uri? || @options.persistent?
+        return uri unless uri.start_with?("//")
+
+        "./#{uri}"
+      end
+
       # Resolve a relative URI against the configured base URI
       #
       # Ensures the base URI path has a trailing slash so that relative

sig/http.rbs

@@ -818,6 +818,7 @@ module HTTP
       private
 
       def make_request_uri: (String | URI uri) -> URI
+      def neutralize_protocol_relative: (String uri) -> String
       def resolve_against_base: (String uri) -> String
       def merge_query_params!: (URI uri) -> void
       def make_request_headers: () -> Headers

test/http/request/builder_test.rb

@@ -660,7 +660,12 @@ def test_build_with_persistent_and_protocol_relative_does_not_override_host
     builder = build_builder(persistent: "http://example.com")
     req = builder.build(:get, "//evil.com/leak")
 
-    assert_equal "example.com", req.uri.host
+    # Pin the full URI: concatenation produces "http://example.com.//..."
+    # whose host is `example.com.`; HTTP::URI#normalize_host strips the
+    # trailing dot. Asserting on origin/to_s guards against a future
+    # change to normalize_host that would let the dot leak through.
+    assert_equal "http://example.com", req.uri.origin
+    assert_equal "http://example.com///evil.com/leak", req.uri.to_s
     refute_equal "evil.com", req.uri.host
   end