1_2_0.md

doc/release_notes/1_2_0.md
Last Update: 2024-12-18 13:38:28 +0000

1.2.0

Features

:ssrf_filter plugin

The :ssrf_filter plugin prevents server-side request forgery attacks, by blocking requests to the internal network. This is useful when the URLs used to perform requests aren’t under the developer control (such as when they are inserted via a web application form).

http = HTTPX.plugin(:ssrf_filter)

# this works
response = http.get("https://example.com")

# this doesn't
response = http.get("http://localhost:3002")
response = http.get("http://[::1]:3002")
response = http.get("http://169.254.169.254/latest/meta-data/")

More info under honeyryderchuck.gitlab.io/httpx/wiki/SSRF-Filter

:callbacks plugin

The session callbacks introduced in v0.24.0 are in its own plugin. Older code will still work and emit a deprecation warning.

More info under honeyryderchuck.gitlab.io/httpx/wiki/Callbacks

:redirect_on option for :follow_redirects plugin

This option allows passing a callback which, when returning false, can interrupt the redirect loop.

http = HTTPX.plugin(:follow_redirects).with(redirect_on: ->(location_uri) { BLACKLIST_HOSTS.include?(location_uri.host) })

:close_on_handshake_timeout timeout

A new :timeout option, :close_handshake_timeout, is added, which monitors connection readiness when performing HTTP/2 connection termination handshake.

Improvements

  • Internal “eden connections” concept was removed, and connection objects are now kept-and-reused during the lifetime of a session, even when closed. This simplified connectio pool implementation and improved performance.

  • request using :proxy and :retries plugin enabled sessions will now retry on proxy connection establishment related errors.

Bugfixes

  • webmock adapter: mocked responses storing decoded payloads won’t try to decode them again (fixes vcr/webmock integrations).

  • webmock adapter: fix issue related with making real requests over webmock-enabled connection.