[AutoPR- Security] Patch rubygem-faraday for CVE-2026-25765 [MEDIUM] (#16430)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: Akarsh Chaudhary <v-akarshc@microsoft.com>

Author: 3 people

SPECS/rubygem-faraday/CVE-2026-25765.patch

@@ -0,0 +1,88 @@
+From e45ae8f935f6f87b91929b2ba48b57e5ba174435 Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Thu, 2 Apr 2026 15:18:26 +0000
+Subject: [PATCH] build_exclusive_url: Guard against protocol-relative URLs by
+ normalising to relative path; update rubocop todo and add specs
+ (GHSA-33mh-2634-fwr2)
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/lostisland/faraday/commit/a6d3a3a0bf59c2ab307d0abd91bc126aef5561bc.patch
+---
+ .rubocop_todo.yml               |  2 +-
+ lib/faraday/connection.rb       |  3 +++
+ spec/faraday/connection_spec.rb | 33 +++++++++++++++++++++++++++++++++
+ 3 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
+index fbec6de..3c75338 100644
+--- a/.rubocop_todo.yml
++++ b/.rubocop_todo.yml
+@@ -31,7 +31,7 @@ Metrics/AbcSize:
+ # Offense count: 4
+ # Configuration parameters: CountComments, CountAsOne.
+ Metrics/ClassLength:
+-  Max: 230
++  Max: 235
+ 
+ # Offense count: 9
+ # Configuration parameters: AllowedMethods, AllowedPatterns, IgnoredMethods.
+diff --git a/lib/faraday/connection.rb b/lib/faraday/connection.rb
+index 1984f87..7056572 100644
+--- a/lib/faraday/connection.rb
++++ b/lib/faraday/connection.rb
+@@ -473,6 +473,9 @@ module Faraday
+       if url && !base.path.end_with?('/')
+         base.path = "#{base.path}/" # ensure trailing slash
+       end
++      # Ensure relative url will be parsed correctly (such as `service:search` or `//evil.com`)
++      url = "./#{url}" if url.respond_to?(:start_with?) &&
++                          (!url.start_with?('http://', 'https://', '/', './', '../') || url.start_with?('//'))
+       url = url.to_s.gsub(':', '%3A') if URI.parse(url.to_s).opaque
+       uri = url ? base + url : base
+       if params
+diff --git a/spec/faraday/connection_spec.rb b/spec/faraday/connection_spec.rb
+index d4ccb23..51392f1 100644
+--- a/spec/faraday/connection_spec.rb
++++ b/spec/faraday/connection_spec.rb
+@@ -310,6 +310,39 @@
+         expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400')
+       end
+     end
++    context 'with protocol-relative URL (GHSA-33mh-2634-fwr2)' do
++      it 'does not allow host override with //evil.com/path' do
++        conn.url_prefix = 'http://httpbingo.org/api'
++        uri = conn.build_exclusive_url('//evil.com/path')
++        expect(uri.host).to eq('httpbingo.org')
++      end
++
++      it 'does not allow host override with //evil.com:8080/path' do
++        conn.url_prefix = 'http://httpbingo.org/api'
++        uri = conn.build_exclusive_url('//evil.com:8080/path')
++        expect(uri.host).to eq('httpbingo.org')
++      end
++
++      it 'does not allow host override with //user:pass@evil.com/path' do
++        conn.url_prefix = 'http://httpbingo.org/api'
++        uri = conn.build_exclusive_url('//user:pass@evil.com/path')
++        expect(uri.host).to eq('httpbingo.org')
++      end
++
++      it 'does not allow host override with ///evil.com' do
++        conn.url_prefix = 'http://httpbingo.org/api'
++        uri = conn.build_exclusive_url('///evil.com')
++        expect(uri.host).to eq('httpbingo.org')
++      end
++
++      it 'still allows single-slash absolute paths' do
++        conn.url_prefix = 'http://httpbingo.org/api'
++        uri = conn.build_exclusive_url('/safe/path')
++        expect(uri.host).to eq('httpbingo.org')
++        expect(uri.path).to eq('/safe/path')
++      end
++    end
++
+ 
+     context 'with a custom `default_uri_parser`' do
+       let(:url) { 'http://httpbingo.org' }
+-- 
+2.45.4

SPECS/rubygem-faraday/rubygem-faraday.spec

@@ -3,13 +3,14 @@
 Summary:        HTTP/REST API client library
 Name:           rubygem-faraday
 Version:        2.7.10
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          Development/Languages
 URL:            https://lostisland.github.io/faraday/
 Source0:        https://github.com/lostisland/faraday/archive/refs/tags/v%{version}.tar.gz#/%{gem_name}-%{version}.tar.gz
+Patch0:         CVE-2026-25765.patch
 BuildRequires:  ruby
 Requires:       rubygem-multipart-post < 3
 Requires:       rubygem-ruby2_keywords
@@ -22,7 +23,7 @@ many adapters (such as Net::HTTP) and embraces the concept of Rack middleware
 when processing the request/response cycle.
 
 %prep
-%setup -q -n %{gem_name}-%{version}
+%autosetup -n %{gem_name}-%{version} -p1
 
 %build
 gem build %{gem_name}
@@ -36,6 +37,9 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{gem_name}-
 %{gemdir}
 
 %changelog
+* Thu Apr 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.7.10-2
+- Patch for CVE-2026-25765
+
 * Thu Nov 02 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.7.10-1
 - Auto-upgrade to 2.7.10 - Azure Linux 3.0 - package upgrades