feat: integrate request_service and use ssrf_filter strategy by default

Signed-off-by: Gil Desmarais <[email protected]>

Author: gildesmarais

app.rb

@@ -4,6 +4,9 @@
 require 'rack/cache'
 require_relative 'roda/roda_plugins/basic_auth'
 
+require 'html2rss'
+require_relative 'app/ssrf_filter_strategy'
+
 module Html2rss
   module Web
     ##
@@ -13,6 +16,10 @@ module Web
     class App < Roda
       CONTENT_TYPE_RSS = 'application/xml'
 
+      Html2rss::RequestService.register_strategy(:ssrf_filter, SsrfFilterStrategy)
+      Html2rss::RequestService.default_strategy_name = :ssrf_filter
+      Html2rss::RequestService.unregister_strategy(:faraday)
+
       def self.development? = ENV['RACK_ENV'] == 'development'
 
       opts[:check_dynamic_arity] = false
@@ -64,6 +71,8 @@ def self.development? = ENV['RACK_ENV'] == 'development'
         end
       end
 
+      @show_backtrace = !ENV['CI'].to_s.empty? || development?
+
       route do |r|
         r.public
         r.hash_branches('')

app/ssrf_filter_strategy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'ssrf_filter'
+require 'html2rss'
+require_relative '../app/local_config'
+
+module Html2rss
+  module Web
+    ##
+    # Strategy to fetch a URL using the SSRF filter.
+    class SsrfFilterStrategy < Html2rss::RequestService::Strategy
+      def execute
+        headers = LocalConfig.global.fetch(:headers, {}).merge(
+          ctx.headers.transform_keys(&:to_sym)
+        )
+        response = SsrfFilter.get(ctx.url, headers:)
+
+        Html2rss::RequestService::Response.new(body: response.body,
+                                               headers: response.to_hash.transform_values(&:first))
+      end
+    end
+  end
+end

helpers/auto_source.rb

@@ -3,7 +3,6 @@
 require 'addressable'
 require 'base64'
 require 'html2rss'
-require 'ssrf_filter'
 
 module Html2rss
   module Web
@@ -20,20 +19,6 @@ def self.allowed_origins = ENV.fetch('AUTO_SOURCE_ALLOWED_ORIGINS', '')
                                     .reject(&:empty?)
                                     .to_set
 
-      # @param encoded_url [String] Base64 encoded URL
-      # @return [RSS::Rss]
-      def self.build_auto_source_from_encoded_url(encoded_url)
-        url = Addressable::URI.parse Base64.urlsafe_decode64(encoded_url)
-        request = SsrfFilter.get(url, headers: LocalConfig.global.fetch(:headers, {}))
-        headers = request.to_hash.transform_values(&:first)
-
-        auto_source = Html2rss::AutoSource.new(url, body: request.body, headers:)
-
-        auto_source.channel.stylesheets << Html2rss::RssBuilder::Stylesheet.new(href: '/rss.xsl', type: 'text/xsl')
-
-        auto_source.build
-      end
-
       # @param rss [RSS::Rss]
       # @param default_in_minutes [Integer]
       # @return [Integer]

routes/auto_source.rb

@@ -2,10 +2,12 @@
 
 require_relative '../app/http_cache'
 require_relative '../helpers/auto_source'
+require 'html2rss'
 
 module Html2rss
   module Web
     class App
+      # rubocop:disable Metrics/BlockLength
       hash_branch 'auto_source' do |r|
         with_basic_auth(realm: 'Auto Source',
                         username: AutoSource.username,
@@ -18,15 +20,29 @@ class App
             end
 
             r.on String, method: :get do |encoded_url|
-              rss = AutoSource.build_auto_source_from_encoded_url(encoded_url)
+              strategy = request.params['strategy'].to_sym || :ssrf_filter
+              unless Html2rss::RequestService.strategy_registered?(strategy)
+                raise Html2rss::RequestService::UnknownStrategy
+              end
+
+              response['Content-Type'] = CONTENT_TYPE_RSS
+
+              url = Addressable::URI.parse Base64.urlsafe_decode64(encoded_url)
+              rss = Html2rss.auto_source(url, strategy:)
+
+              # Unfortunately, Ruby's rss gem does not provide a direct method to
+              # add an XML stylesheet to the RSS::RSS object itself.
+              stylesheet = Html2rss::RssBuilder::Stylesheet.new(href: '/rss.xsl', type: 'text/xsl').to_xml
+
+              xml_content = rss.to_xml
+              xml_content.sub!(/^<\?xml version="1.0" encoding="UTF-8"\?>/,
+                               "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n#{stylesheet}")
 
               HttpCache.expires response,
                                 AutoSource.ttl_in_seconds(rss),
                                 cache_control: 'private, must-revalidate'
 
-              response['Content-Type'] = CONTENT_TYPE_RSS
-
-              rss.to_s
+              xml_content
             end
           else
             # auto_source feature is disabled
@@ -37,6 +53,7 @@ class App
           end
         end
       end
+      # rubocop:enable Metrics/BlockLength
     end
   end
 end

spec/fixtures/vcr_cassettes/auto_source-github-h2r-web.yml

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative '../../../../app/ssrf_filter_strategy'
+
+RSpec.describe Html2rss::Web::SsrfFilterStrategy do
+  subject(:instance) { described_class.new(ctx) }
+
+  let(:url) { 'http://example.com' }
+  let(:headers) { { 'User-Agent': 'Mozilla/5.0' } }
+  let(:ctx) { instance_double(Html2rss::RequestService::Context, url:, headers:) }
+
+  describe '#execute' do
+    before do
+      allow(SsrfFilter).to receive(:get).with(url, headers:).and_return(
+        instance_double(Net::HTTPResponse, body: 'body', to_hash: { 'Content-Type' => ['text/html'] })
+      )
+    end
+
+    it 'returns a response', :aggregate_failures do
+      response = instance.execute
+
+      expect(SsrfFilter).to have_received(:get).with(url, headers:)
+      expect(response).to be_a(Html2rss::RequestService::Response)
+      expect(response.body).to eq('body')
+      expect(response.headers).to eq('Content-Type' => 'text/html')
+    end
+  end
+end

spec/html2rss/web/app/ssrf_filter_strategy_spec.rb

@@ -149,31 +149,4 @@
     end
   end
   # rubocop:enable RSpec/NamedSubject, RSpec/MessageSpies
-
-  describe '.build_auto_source_from_encoded_url' do
-    subject(:feed) do
-      VCR.use_cassette('auto_source-github-h2r-web', match_requests_on: %i[method path]) do
-        described_class.build_auto_source_from_encoded_url(encoded_url)
-      end
-    end
-
-    before do
-      allow(SsrfFilter).to receive(:get).with(any_args).and_call_original
-    end
-
-    let(:url) { 'https://github.com/html2rss/html2rss-web/commits/master' }
-    let(:encoded_url) { Base64.urlsafe_encode64(url) }
-
-    it 'returns an RSS::Rss object' do
-      expect(feed).to be_a(RSS::Rss)
-    end
-
-    it 'sets headers in the http request' do
-      feed
-      expect(SsrfFilter).to have_received(:get).with(Addressable::URI.parse(url),
-                                                     headers: {
-                                                       'User-Agent': 'Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' # rubocop:disable Layout/LineLength
-                                                     })
-    end
-  end
 end

spec/html2rss/web/helpers/auto_source_spec.rb

@@ -3,6 +3,7 @@
 require 'spec_helper'
 require 'rss'
 require_relative '../../app'
+require 'html2rss'
 
 RSpec.describe Html2rss::Web::App do # rubocop:disable RSpec/SpecFilePathFormat
   include Rack::Test::Methods
@@ -11,6 +12,7 @@ def app = described_class
   let(:request_headers) do
     { 'HTTP_HOST' => 'localhost' }
   end
+  let(:encoded_url) { Base64.urlsafe_encode64('https://github.com/html2rss/html2rss-web/commits/master') }
 
   let(:username) { 'username' }
   let(:password) { 'password' }
@@ -27,8 +29,7 @@ def app = described_class
     allow(Html2rss::Web::AutoSource).to receive_messages(enabled?: true,
                                                          username:,
                                                          password:,
-                                                         allowed_origins: Set['localhost'],
-                                                         build_auto_source_from_encoded_url: feed)
+                                                         allowed_origins: Set['localhost'])
   end
 
   describe "GET '/auto_source/'" do
@@ -66,18 +67,35 @@ def app = described_class
   describe "GET '/auto_source/:encoded_url'" do
     context 'with provided basic auth' do
       subject(:response) do
-        get "/auto_source/#{Base64.urlsafe_encode64('https://github.com/html2rss/html2rss-web')}",
-            {},
-            request_headers.merge('HTTP_AUTHORIZATION' => basic_authorize(username, password))
+        VCR.use_cassette('auto_source-github-h2r-web') do
+          get "/auto_source/#{encoded_url}?strategy",
+              {},
+              request_headers.merge('HTTP_AUTHORIZATION' => basic_authorize(username, password))
+        end
       end
 
       it 'responds successfully', :aggregate_failures do
         expect(response).to be_ok
         expect(response.body).to start_with '<?xml version="1.0" encoding="UTF-8"?>'
-        expect(response.get_header('cache-control')).to eq 'must-revalidate, private, max-age=3600'
+        expect(response.get_header('cache-control')).to eq 'must-revalidate, private, max-age=0'
         expect(response.get_header('content-type')).to eq described_class::CONTENT_TYPE_RSS
       end
     end
+
+    context 'when strategy is not registered' do
+      subject(:response) do
+        VCR.use_cassette('auto_source-github-h2r-web', match_requests_on: [:path]) do
+          get "/auto_source/#{encoded_url}?strategy=nope",
+              {},
+              request_headers.merge('HTTP_AUTHORIZATION' => basic_authorize(username, password))
+        end
+      end
+
+      it 'responds with Error', :aggregate_failures do
+        expect(response.status).to eq 422
+        expect(response.body).to match(/UnknownStrategy/)
+      end
+    end
   end
 
   context 'when auto_source feature is disabled' do
@@ -96,7 +114,7 @@ def app = described_class
 
     describe "GET '/auto_source/:encoded_url'" do
       it 'responds with 400 Bad Request', :aggregate_failures do
-        get "/auto_source/#{Base64.urlsafe_encode64('https://github.com/html2rss/html2rss-web')}",
+        get "/auto_source/#{encoded_url}",
             {},
             request_headers.merge('HTTP_AUTHORIZATION' => basic_authorize(username, password))