A plugin which allows requests to fail when they are crafted to
use IPs considered internal or reserved for specific usages. These SSRF
vulnerabilities happen when one allows requests with URLs input by an
external user.
This plugin is inspired, and heavily makes use of routines existing in
the ssrf_filter gem: https://github.com/arkadiyt/ssrf_filter/ .
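The following is an added example of the check such a plugin performs, written for this page; it is not code from httpx or from the ssrf_filter gem. `BLOCKED_RANGES`, `reserved_ip?`, `resolve_checked` and `SSRFError` are this example's own names, the range list is a constructed one, and the resolver is injected as a callable so the example runs offline.

```ruby
require "ipaddr"

# Constructed list of ranges the filter rejects: "this host" and loopback,
# RFC 1918 private space, CGNAT, link-local (which also covers the cloud
# metadata endpoint range), benchmark/reserved space, multicast, plus the
# IPv6 equivalents (unspecified, loopback, ULA, link-local, multicast).
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.0.0.0/24 192.168.0.0/16 198.18.0.0/15
  224.0.0.0/4 240.0.0.0/4
  ::/128 ::1/128 fc00::/7 fe80::/10 ff00::/8
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when +ip+ falls into a blocked range. IPv4-mapped IPv6 addresses
# (::ffff:a.b.c.d) are unwrapped first so the IPv4 rules apply to them too;
# otherwise "::ffff:127.0.0.1" would slip past an IPv4-only list.
def reserved_ip?(ip)
  addr = IPAddr.new(ip.to_s)
  addr = addr.native if addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

class SSRFError < StandardError; end

# Resolve +host+ through +resolver+ (a callable returning IP strings) and
# raise unless every answer is allowed. Every answer is checked because a
# name may resolve to several addresses and the client could connect to
# any of them. An IP literal needs no lookup and is checked directly.
def resolve_checked(host, resolver:)
  addrs = begin
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  bad = addrs.select { |a| reserved_ip?(a) }
  raise SSRFError, "#{host} resolves to reserved address(es): #{bad.join(', ')}" unless bad.empty?
  addrs
end
```

The addresses `resolve_checked` returns are the ones that passed the check, so a client should connect to one of those rather than resolving the name a second time; re-resolving would let a name that changes its answer between the check and the connect (DNS rebinding) bypass the filter. Caching the validated address, as the eden-connections change below does, is what keeps the two consistent.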
This has been working for a while, but was silently failing in HTTP/1, due to our inability to test it in CI (the HTTP/1 setup is not yet using keep-alive).
A misinterpretation of the spec in http-2-next led to the introduction
of the max_requests option, a cap on requests on a given connection,
which in the http/2 case would be initialized with MAX_CONCURRENT_STREAMS,
which means something else.
This has been fixed already in http-2-next, and this is the summary of
changes required to support it.
The `max_requests` option is kept, as it can still be useful from a user
perspective, but the default in http/2 is now INFINITY, which disables
it effectively. The HTTP/1 cap is bumped to 200, but it may fall as
well soon.
Most of the code was moved to the transcoder layer.
The `compression_threshold_size` option has been removed.
The `:compression/brotli` plugin becomes only `:brotli`, and depends on
the new transcoding APIs.
Options to skip compression and decompression were added.
When closed, connections are now placed in a place called eden_connections. Whenever a connection is matched for, after checking the live connections and finding none, a match is looked for in the eden connections. The match is accepted **if** the IP is considered fresh (the input is validated in the cache, or the input was an IP or in /etc/hosts, or it's an external socket) and, if a TLS connection, the stored TLS session did not expire. If these conditions do not match, the connection is dropped from the eden and a new connection will be started instead. This therefore allows reusing Ruby objects and reusing TLS sessions while still respecting the DNS cache.
When connections get reset due to the max number of requests being reached,
the same TLS session is going to be reused, as long as it's valid.
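The following is an added example modelling the eden rule above (live connections first, then the eden, revived only while the IP is fresh and the TLS session valid) together with the reset case just described, where a connection closed after hitting its request cap is parked and its TLS session picked up again on the next match. It is written for this page and is not httpx's code: `DnsCache`, `TlsSession`, `Connection` and `EdenPool` are constructed stand-ins, and the "IP is fresh" test is reduced to the four sources the text names (validated cache entry, IP literal, /etc/hosts, external socket).

```ruby
require "uri"

# Constructed stand-in for the DNS cache: host => [validated ip, expiry].
class DnsCache
  def initialize
    @entries = {}
  end

  def store(host, ip, expires_at)
    @entries[host] = [ip, expires_at]
  end

  # An IP is fresh while the cache still maps the host to that IP and the
  # entry has not expired.
  def fresh?(host, ip, now)
    cached_ip, expires_at = @entries[host]
    cached_ip == ip && expires_at > now
  end
end

TlsSession = Struct.new(:expires_at) do
  def valid?(now)
    expires_at > now
  end
end

# literal_ip: the user supplied an IP, so there is no DNS answer to expire;
# external_socket: the socket was supplied by the caller, same reasoning.
Connection = Struct.new(:origin, :ip, :tls_session, :literal_ip, :external_socket,
                        keyword_init: true)

class EdenPool
  def initialize(dns_cache, etc_hosts: {})
    @dns_cache = dns_cache
    @etc_hosts = etc_hosts   # host => ip, mirrors /etc/hosts
    @live = []
    @eden = []
  end

  def add_live(conn)
    @live << conn
  end

  # A closed connection (including one reset at its request cap) is parked
  # in the eden instead of being discarded.
  def close(conn)
    @live.delete(conn)
    @eden << conn
  end

  # Find a connection for +origin+: live ones first, then the eden. A parked
  # connection is revived only if its IP is still fresh and its TLS session
  # (when it has one) has not expired; otherwise it is dropped for good and
  # the caller opens a new one. Returns [:live, conn], [:eden, conn] or
  # [:new, nil].
  def match(origin, now:)
    if (conn = @live.find { |c| c.origin == origin })
      return [:live, conn]
    end
    if (conn = @eden.find { |c| c.origin == origin })
      @eden.delete(conn)
      if ip_fresh?(conn, now) && tls_valid?(conn, now)
        @live << conn
        return [:eden, conn]
      end
    end
    [:new, nil]
  end

  private

  def ip_fresh?(conn, now)
    host = URI(conn.origin).host
    conn.literal_ip || conn.external_socket ||
      @etc_hosts[host] == conn.ip ||
      @dns_cache.fresh?(host, conn.ip, now)
  end

  def tls_valid?(conn, now)
    conn.tls_session.nil? || conn.tls_session.valid?(now)
  end
end
```

The order of the checks matters: a stale cache entry rejects the parked connection even when its TLS session is still valid, which is what keeps session reuse from quietly pinning a host to an address the resolver no longer returns.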
This change is ported from the same feature in net-http, including [the TLS 1.3 improvements](ddf5c52b5f).
The reference for a request verb is now the string which is used
everywhere else, instead of the symbol corresponding to it. This was an
artifact from the import from httprb, and there is no advantage in it,
since these strings are frozen in most use cases, and the
transformations from symbol to strings being performed everywhere are
proof that keeping the atom isn't really bringing any benefit.
This is achieved by a rework of the upgrade plugin, and the addition of
an h2 upgrade plugin. The idea is the following: if a response carries
an Upgrade header, and there's a handler for it, we should go for it.
The difference is:
* when the response is 101, this means that the negotiation must take
place before the actual response comes in;
* when the response is 200, upgrading means reconnecting to the channel,
and assuming the new protocol for subsequent requests only.
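The following is an added example of the 101-versus-200 distinction above, written for this page rather than taken from httpx's upgrade plugins. `UpgradeResponse` and `UpgradeSession` are constructed stand-ins, the handler list is just a set of Upgrade tokens, and the protocol switch is modelled as a state change plus a log line, so that the two outcomes (request still pending after a 101, response delivered and protocol switched for later requests after a 200) can be observed without a network.

```ruby
# Constructed stand-in for a response: status plus a lowercase header hash.
UpgradeResponse = Struct.new(:status, :headers, keyword_init: true)

# Hypothetical client-side view of a connection: which protocol it speaks
# and what to do when a response carries an Upgrade header for which a
# handler is registered.
class UpgradeSession
  attr_reader :protocol, :log

  def initialize(handlers, protocol: "http/1.1")
    @handlers = handlers.map(&:downcase)   # Upgrade tokens we can handle
    @protocol = protocol
    @log = []
  end

  # Act on +response+ to +request+. Returns the response to hand back to
  # the caller, or nil when the request is still pending because the
  # protocol switch has to complete first (the 101 case).
  def handle(request, response)
    token = response.headers["upgrade"]&.downcase
    # No Upgrade header, or no handler for it: an ordinary response.
    return response unless token && @handlers.include?(token)

    case response.status
    when 101
      # Switching Protocols: negotiate now; the actual response to
      # +request+ arrives afterwards over the upgraded connection.
      @protocol = token
      @log << "101: negotiated #{token}, #{request} stays pending"
      nil
    when 200
      # Complete response carrying an Upgrade hint: deliver it as-is, then
      # reconnect so that only subsequent requests use the new protocol.
      @log << "200: delivered over #{@protocol}; reconnecting with #{token}"
      @protocol = token
      response
    else
      response
    end
  end
end
```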