Don't patch ssl

.github/workflows/build-test.yml

@@ -1,15 +1,14 @@
 name: Build-test
 
 on:
-  push:
-  pull_request_target:
+  pull_request:
   workflow_call:
 
 jobs:
   build-test:
     strategy:
       matrix:
-        ruby-version: [2.6.0, 2.7.0, 3.0.0, 3.1.0, 3.2.0, head]
+        ruby-version: [2.7.0, 3.0.0, 3.1.0, 3.2.0, 3.3.0, head]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3

.rspec

@@ -1,4 +1,5 @@
 --color
---order random
 --warning
+--order random
 --require spec_helper
+--format documentation

.rubocop.yml

@@ -7,8 +7,8 @@ require:
 AllCops:
   NewCops: enable
 
-Gemspec/RequiredRubyVersion:
-  Enabled: false
+Gemspec/DevelopmentDependencies:
+  EnforcedStyle: gemspec
 
 Metrics/AbcSize:
   Enabled: false
@@ -52,15 +52,15 @@ Layout/SpaceInsideHashLiteralBraces:
 RSpec/BeforeAfterAll:
   Enabled: false
 
+RSpec/IndexedLet:
+  Enabled: false
+
 RSpec/MultipleExpectations:
   Enabled: false
 
 RSpec/ExampleLength:
   Max: 40
 
-RSpec/FilePath:
-  SpecSuffixOnly: true
-
 RSpec/MessageSpies:
   EnforcedStyle: receive
 

Dockerfile

@@ -5,6 +5,5 @@ RUN apt update && apt-get install -y vim tmux tig
 WORKDIR app
 COPY Gemfile ssrf_filter.gemspec .
 COPY lib/ssrf_filter/version.rb lib/ssrf_filter/version.rb
-RUN bundle update
+RUN bundle install
 ENV CI=1
-COPY . .

lib/ssrf_filter.rb

@@ -1,5 +1,4 @@
 # frozen_string_literal: true
 
-require 'ssrf_filter/patch/ssl_socket'
 require 'ssrf_filter/ssrf_filter'
 require 'ssrf_filter/version'

lib/ssrf_filter/ssrf_filter.rb

@@ -10,7 +10,7 @@ def self.prefixlen_from_ipaddr(ipaddr)
     mask_addr = ipaddr.instance_variable_get('@mask_addr')
     raise ArgumentError, 'Invalid mask' if mask_addr.zero?
 
-    while (mask_addr & 0x1).zero?
+    while mask_addr.nobits?(0x1)
       mask_addr >>= 1
     end
 
@@ -84,8 +84,6 @@ def self.prefixlen_from_ipaddr(ipaddr)
     patch: ::Net::HTTP::Patch
   }.freeze
 
-  FIBER_HOSTNAME_KEY = :__ssrf_filter_hostname
-
   class Error < ::StandardError
   end
 
@@ -106,8 +104,6 @@ class CRLFInjection < Error
 
   %i[get put post delete head patch].each do |method|
     define_singleton_method(method) do |url, options = {}, &block|
-      ::SsrfFilter::Patch::SSLSocket.apply!
-
       original_url = url
       scheme_whitelist = options.fetch(:scheme_whitelist, DEFAULT_SCHEME_WHITELIST)
       resolver = options.fetch(:resolver, DEFAULT_RESOLVER)
@@ -156,16 +152,16 @@ def self.ipaddr_has_mask?(ipaddr)
   end
   private_class_method :ipaddr_has_mask?
 
-  def self.host_header(hostname, uri)
+  def self.normalized_hostname(uri)
     # Attach port for non-default as per RFC2616
     if (uri.port == 80 && uri.scheme == 'http') ||
        (uri.port == 443 && uri.scheme == 'https')
-      hostname
+      uri.hostname
     else
-      "#{hostname}:#{uri.port}"
+      "#{uri.hostname}:#{uri.port}"
     end
   end
-  private_class_method :host_header
+  private_class_method :normalized_hostname
 
   def self.fetch_once(uri, ip, verb, options, &block)
     if options[:params]
@@ -174,11 +170,8 @@ def self.fetch_once(uri, ip, verb, options, &block)
       uri.query = ::URI.encode_www_form(params)
     end
 
-    hostname = uri.hostname
-    uri.hostname = ip
-
     request = VERB_MAP[verb].new(uri)
-    request['host'] = host_header(hostname, uri)
+    request['host'] = normalized_hostname(uri)
 
     Array(options[:headers]).each do |header, value|
       request[header] = value
@@ -189,24 +182,24 @@ def self.fetch_once(uri, ip, verb, options, &block)
     options[:request_proc].call(request) if options[:request_proc].respond_to?(:call)
     validate_request(request)
 
-    http_options = options[:http_options] || {}
-    http_options[:use_ssl] = (uri.scheme == 'https')
+    http_options = (options[:http_options] || {}).merge(
+      use_ssl: uri.scheme == 'https',
+      ipaddr: ip
+    )
 
-    with_forced_hostname(hostname) do
-      ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
-        response = http.request(request) do |res|
-          block&.call(res)
-        end
-        case response
-        when ::Net::HTTPRedirection
-          url = response['location']
-          # Handle relative redirects
-          url = "#{uri.scheme}://#{hostname}:#{uri.port}#{url}" if url.start_with?('/')
-        else
-          url = nil
-        end
-        return response, url
+    ::Net::HTTP.start(uri.hostname, uri.port, **http_options) do |http|
+      response = http.request(request) do |res|
+        block&.call(res)
+      end
+      case response
+      when ::Net::HTTPRedirection
+        url = response['location']
+        # Handle relative redirects
+        url = "#{uri.scheme}://#{normalized_hostname(uri)}#{url}" if url.start_with?('/')
+      else
+        url = nil
       end
+      return response, url
     end
   end
   private_class_method :fetch_once
@@ -223,12 +216,4 @@ def self.validate_request(request)
     end
   end
   private_class_method :validate_request
-
-  def self.with_forced_hostname(hostname, &_block)
-    ::Thread.current[FIBER_HOSTNAME_KEY] = hostname
-    yield
-  ensure
-    ::Thread.current[FIBER_HOSTNAME_KEY] = nil
-  end
-  private_class_method :with_forced_hostname
 end