Merge commit from fork

Protocol-relative URLs (e.g. `//evil.com/path`) bypassed the existing
relative-URL guard in `build_exclusive_url`, allowing an attacker-controlled
URL to override the connection's base host. The `//` prefix matched the
`/` check in `start_with?`, so these URLs were passed through to
`URI#+` which treated them as authority references, replacing the host.

Extend the guard condition so that URLs starting with `//` are also
prefixed with `./`, neutralising the authority component and keeping
requests scoped to the configured base host.

Security: GHSA-33mh-2634-fwr2

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: iMacTia

.rubocop_todo.yml

@@ -31,7 +31,7 @@ Metrics/AbcSize:
 # Offense count: 3
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 230
+  Max: 235
 
 # Offense count: 9
 # Configuration parameters: AllowedMethods, AllowedPatterns.

lib/faraday/connection.rb

@@ -481,8 +481,9 @@ def build_exclusive_url(url = nil, params = nil, params_encoder = nil)
       if url && !base.path.end_with?('/')
         base.path = "#{base.path}/" # ensure trailing slash
       end
-      # Ensure relative url will be parsed correctly (such as `service:search` )
-      url = "./#{url}" if url.respond_to?(:start_with?) && !url.start_with?('http://', 'https://', '/', './', '../')
+      # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
+      url = "./#{url}" if url.respond_to?(:start_with?) &&
+                          (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
       uri = url ? base + url : base
       if params
         uri.query = params.to_query(params_encoder || options.params_encoder)

spec/faraday/connection_spec.rb

@@ -311,6 +311,39 @@ def decode(params)
       end
     end
 
+    context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
+      it 'does not allow host override with //evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //evil.com:8080/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com:8080/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //user:pass@evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//user:pass@evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with ///evil.com' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('///evil.com')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'still allows single-slash absolute paths' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('/safe/path')
+        expect(uri.host).to eq('httpbingo.org')
+        expect(uri.path).to eq('/safe/path')
+      end
+    end
+
     context 'with a custom `default_uri_parser`' do
       let(:url) { 'http://httpbingo.org' }
       let(:parser) { Addressable::URI }