Don't patch ssl
arkadiyt committed Nov 3, 2024
1 parent 651a711 commit d80c373
Showing 11 changed files with 70 additions and 213 deletions.
5 changes: 2 additions & 3 deletions .github/workflows/build-test.yml
@@ -1,15 +1,14 @@
name: Build-test

on:
push:
pull_request_target:
pull_request:
workflow_call:

jobs:
build-test:
strategy:
matrix:
ruby-version: [2.6.0, 2.7.0, 3.0.0, 3.1.0, 3.2.0, head]
ruby-version: [2.7.0, 3.0.0, 3.1.0, 3.2.0, 3.3.0, head]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
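Review bot: The job runs with the default GITHUB_TOKEN scope and `actions/checkout@v3` is pinned to a mutable tag, which matters now that fork pull requests trigger the workflow via `pull_request:`. Unless it is set at job level further down (the job body continues past this hunk), add a top-level `permissions:` block with `contents: read` between `on:` and `jobs:`, and pin the action to a full commit SHA (`- uses: actions/checkout@<40-char-sha> # v3`) so a retagged release cannot change what runs on contributor code. With both `push:` and `pull_request:` as triggers, PRs from branches in this repository run the matrix twice; `push: { branches: [main] }` avoids that.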
3 changes: 2 additions & 1 deletion .rspec
@@ -1,4 +1,5 @@
--color
--order random
--warning
--order random
--require spec_helper
--format documentation
10 changes: 5 additions & 5 deletions .rubocop.yml
Expand Up @@ -7,8 +7,8 @@ require:
AllCops:
NewCops: enable

Gemspec/RequiredRubyVersion:
Enabled: false
Gemspec/DevelopmentDependencies:
EnforcedStyle: gemspec

Metrics/AbcSize:
Enabled: false
Expand Down Expand Up @@ -52,15 +52,15 @@ Layout/SpaceInsideHashLiteralBraces:
RSpec/BeforeAfterAll:
Enabled: false

RSpec/IndexedLet:
Enabled: false

RSpec/MultipleExpectations:
Enabled: false

RSpec/ExampleLength:
Max: 40

RSpec/FilePath:
SpecSuffixOnly: true

RSpec/MessageSpies:
EnforcedStyle: receive

4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
### main
* Drop support for ruby 2.6, add support for ruby 3.3
* Stop patching OpenSSL (resolves https://github.com/arkadiyt/ssrf_filter/issues/72) (([arkadiyt](https://github.com/arkadiyt/ssrf_filter/pull/73)))

### 1.1.2 (9/11/2023)
* Fix a bug introduced in 1.1.0 when reading non-streaming bodies from responses ([mshibuya](https://github.com/arkadiyt/ssrf_filter/pull/60))
* Test against ruby 3.2 ([petergoldstein](https://github.com/arkadiyt/ssrf_filter/pull/62))
3 changes: 1 addition & 2 deletions Dockerfile
Expand Up @@ -5,6 +5,5 @@ RUN apt update && apt-get install -y vim tmux tig
WORKDIR app
COPY Gemfile ssrf_filter.gemspec .
COPY lib/ssrf_filter/version.rb lib/ssrf_filter/version.rb
RUN bundle update
RUN bundle install
ENV CI=1
COPY . .
1 change: 0 additions & 1 deletion lib/ssrf_filter.rb
@@ -1,5 +1,4 @@
# frozen_string_literal: true

require 'ssrf_filter/patch/ssl_socket'
require 'ssrf_filter/ssrf_filter'
require 'ssrf_filter/version'
66 changes: 0 additions & 66 deletions lib/ssrf_filter/patch/ssl_socket.rb

This file was deleted.

59 changes: 22 additions & 37 deletions lib/ssrf_filter/ssrf_filter.rb
Expand Up @@ -10,7 +10,7 @@ def self.prefixlen_from_ipaddr(ipaddr)
mask_addr = ipaddr.instance_variable_get('@mask_addr')
raise ArgumentError, 'Invalid mask' if mask_addr.zero?

while (mask_addr & 0x1).zero?
while mask_addr.nobits?(0x1)
mask_addr >>= 1
end

Expand Down Expand Up @@ -84,8 +84,6 @@ def self.prefixlen_from_ipaddr(ipaddr)
patch: ::Net::HTTP::Patch
}.freeze

FIBER_HOSTNAME_KEY = :__ssrf_filter_hostname

class Error < ::StandardError
end

Expand All @@ -106,8 +104,6 @@ class CRLFInjection < Error

%i[get put post delete head patch].each do |method|
define_singleton_method(method) do |url, options = {}, &block|
::SsrfFilter::Patch::SSLSocket.apply!

original_url = url
scheme_whitelist = options.fetch(:scheme_whitelist, DEFAULT_SCHEME_WHITELIST)
resolver = options.fetch(:resolver, DEFAULT_RESOLVER)
Expand Down Expand Up @@ -156,16 +152,16 @@ def self.ipaddr_has_mask?(ipaddr)
end
private_class_method :ipaddr_has_mask?

def self.host_header(hostname, uri)
def self.normalized_hostname(uri)
# Attach port for non-default as per RFC2616
if (uri.port == 80 && uri.scheme == 'http') ||
(uri.port == 443 && uri.scheme == 'https')
hostname
uri.hostname
else
"#{hostname}:#{uri.port}"
"#{uri.hostname}:#{uri.port}"
end
end
private_class_method :host_header
private_class_method :normalized_hostname

def self.fetch_once(uri, ip, verb, options, &block)
if options[:params]
Expand All @@ -174,11 +170,8 @@ def self.fetch_once(uri, ip, verb, options, &block)
uri.query = ::URI.encode_www_form(params)
end

hostname = uri.hostname
uri.hostname = ip

request = VERB_MAP[verb].new(uri)
request['host'] = host_header(hostname, uri)
request['host'] = normalized_hostname(uri)

Array(options[:headers]).each do |header, value|
request[header] = value
Expand All @@ -189,24 +182,24 @@ def self.fetch_once(uri, ip, verb, options, &block)
options[:request_proc].call(request) if options[:request_proc].respond_to?(:call)
validate_request(request)

http_options = options[:http_options] || {}
http_options[:use_ssl] = (uri.scheme == 'https')
http_options = (options[:http_options] || {}).merge(
use_ssl: uri.scheme == 'https',
ipaddr: ip
)

with_forced_hostname(hostname) do
::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
response = http.request(request) do |res|
block&.call(res)
end
case response
when ::Net::HTTPRedirection
url = response['location']
# Handle relative redirects
url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
else
url = nil
end
return response, url
::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
response = http.request(request) do |res|
block&.call(res)
end
case response
when ::Net::HTTPRedirection
url = response['location']
# Handle relative redirects
url = "#{uri.scheme}://#{normalized_hostname(uri)}#{url}" if url.start_with?('/')
else
url = nil
end
return response, url
end
end
private_class_method :fetch_once
Expand All @@ -223,12 +216,4 @@ def self.validate_request(request)
end
end
private_class_method :validate_request

def self.with_forced_hostname(hostname, &_block)
::Thread.current[FIBER_HOSTNAME_KEY] = hostname
yield
ensure
::Thread.current[FIBER_HOSTNAME_KEY] = nil
end
private_class_method :with_forced_hostname
end
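Review bot: `::Net::HTTP.start(uri.hostname, uri.port, **http_options)` on the new side leaves the proxy argument at its default, which net/http treats as `:ENV`; if I read `Net::HTTP#connect` correctly, when a proxy is configured (for example `http_proxy` in the environment) the TCP connection goes to the proxy and the `ipaddr:` option is not used, so the proxy resolves `uri.hostname` on its own and the DNS pinning this gem exists to enforce is bypassed. The removed code set `uri.hostname = ip` before connecting, so a proxy would have received the already-validated literal IP; this would be a regression rather than a pre-existing gap. Passing the proxy argument explicitly, `::Net::HTTP.start(uri.hostname, uri.port, nil, **http_options)`, disables the environment lookup; if proxy support is intended, document that the proxy must perform its own SSRF filtering. fetch_once begins before this hunk.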
15 changes: 0 additions & 15 deletions spec/lib/patch/ssl_socket_spec.rb

This file was deleted.

