#4105
93%
master: 92%

Ran 07 Feb 2026 03:12PM UTC

Jobs 1

Files 32

Run time 1min

Badge

Embed ▾

Committed 07 Feb 2026 03:11PM UTC coverage: 94.951% (+0.007%) from 94.944%

Build # #4105

Build Type

push

Committed by

web-flow

Commit Message

Merge commit from fork

Protocol-relative URLs (e.g. `//evil.com/path`) bypassed the existing
relative-URL guard in `build_exclusive_url`, allowing an attacker-controlled
URL to override the connection's base host. The `//` prefix matched the
`/` check in `start_with?`, so these URLs were passed through to
`URI#+` which treated them as authority references, replacing the host.

Extend the guard condition so that URLs starting with `//` are also
prefixed with `./`, neutralising the authority component and keeping
requests scoped to the configured base host.

Security: GHSA-33mh-2634-fwr2

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Run Details

2 of 2 new or added lines in 1 file covered. (100.0%)

1448 of 1525 relevant lines covered (94.95%)

152.48 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	#4105.1	07 Feb 2026 03:12PM UTC	32	94.95

lostisland / faraday / #4105
93%
master: 92%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build #4105

lostisland / faraday / #4105 93% master: 92%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build #4105

lostisland / faraday / #4105
93%
master: 92%

README BADGES
x