feat: integrate request_service and use ssrf_filter strategy by default

Author: gildesmarais

app.rb

@@ -4,6 +4,9 @@
 require 'rack/cache'
 require_relative 'roda/roda_plugins/basic_auth'
 
+require 'html2rss'
+require_relative 'app/ssrf_filter_strategy'
+
 module Html2rss
   module Web
     ##
@@ -13,6 +16,10 @@ module Web
     class App < Roda
       CONTENT_TYPE_RSS = 'application/xml'
 
+      Html2rss::RequestService.register_strategy(:ssrf_filter, SsrfFilterStrategy)
+      Html2rss::RequestService.default_strategy = :ssrf_filter
+      Html2rss::RequestService.unregister_strategy(:faraday)
+
       def self.development? = ENV['RACK_ENV'] == 'development'
 
       opts[:check_dynamic_arity] = false

app/ssrf_filter_strategy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'ssrf_filter'
+require 'html2rss'
+require_relative '../app/local_config'
+
+module Html2rss
+  module Web
+    ##
+    # Strategy to fetch a URL using the SSRF filter.
+    class SsrfFilterStrategy < Html2rss::RequestService::Strategy
+      def execute
+        headers = LocalConfig.global.fetch(:headers, {}).merge(
+          ctx.headers.transform_keys(&:to_sym)
+        )
+        request = SsrfFilter.get(ctx.url, headers:)
+
+        Html2rss::RequestService::Response.new(body: request.body,
+                                               headers: request.to_hash.transform_values(&:first))
+      end
+    end
+  end
+end

helpers/auto_source.rb

@@ -3,7 +3,6 @@
 require 'addressable'
 require 'base64'
 require 'html2rss'
-require 'ssrf_filter'
 
 module Html2rss
   module Web
@@ -20,20 +19,6 @@ def self.allowed_origins = ENV.fetch('AUTO_SOURCE_ALLOWED_ORIGINS', '')
                                     .reject(&:empty?)
                                     .to_set
 
-      # @param encoded_url [String] Base64 encoded URL
-      # @return [RSS::Rss]
-      def self.build_auto_source_from_encoded_url(encoded_url)
-        url = Addressable::URI.parse Base64.urlsafe_decode64(encoded_url)
-        request = SsrfFilter.get(url, headers: LocalConfig.global.fetch(:headers, {}))
-        headers = request.to_hash.transform_values(&:first)
-
-        auto_source = Html2rss::AutoSource.new(url, body: request.body, headers:)
-
-        auto_source.channel.stylesheets << Html2rss::RssBuilder::Stylesheet.new(href: '/rss.xsl', type: 'text/xsl')
-
-        auto_source.build
-      end
-
       # @param rss [RSS::Rss]
       # @param default_in_minutes [Integer]
       # @return [Integer]

routes/auto_source.rb

@@ -6,6 +6,7 @@
 module Html2rss
   module Web
     class App
+      # rubocop:disable Metrics/BlockLength
       hash_branch 'auto_source' do |r|
         with_basic_auth(realm: 'Auto Source',
                         username: AutoSource.username,
@@ -18,15 +19,29 @@ class App
             end
 
             r.on String, method: :get do |encoded_url|
-              rss = AutoSource.build_auto_source_from_encoded_url(encoded_url)
+              strategy = request.params.fetch('strategy', :ssrf_filter).to_sym
+              unless Html2rss::RequestService.strategy_registered?(strategy)
+                raise Html2rss::RequestService::UnknownStrategy
+              end
+
+              response['Content-Type'] = CONTENT_TYPE_RSS
+
+              url = Addressable::URI.parse Base64.urlsafe_decode64(encoded_url)
+              rss = Html2rss.auto_source(url, strategy:)
 
               HttpCache.expires response,
                                 AutoSource.ttl_in_seconds(rss),
                                 cache_control: 'private, must-revalidate'
 
-              response['Content-Type'] = CONTENT_TYPE_RSS
+              # Unfortunately, Ruby's rss gem does not provide a direct method to
+              # add an XML stylesheet to the RSS::RSS object itself.
+              stylesheet = Html2rss::RssBuilder::Stylesheet.new(href: '/rss.xsl', type: 'text/xsl').to_xml
+
+              xml_content = rss.to_xml
+              xml_content.sub!(/^<\?xml version="1.0" encoding="UTF-8"\?>/,
+                               "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n#{stylesheet}")
 
-              rss.to_s
+              xml_content
             end
           else
             # auto_source feature is disabled
@@ -37,6 +52,7 @@ class App
           end
         end
       end
+      # rubocop:enable Metrics/BlockLength
     end
   end
 end

spec/html2rss/web/app/ssrf_filter_strategy_spec.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative '../../../ssrf_filter_strategy'
+
+RSpec.describe Html2rss::Web::SsrfFilterStrategy do
+  subject(:instance) { described_class.new(ctx) }
+
+  let(:url) { 'http://example.com' }
+  let(:headers) { { 'User-Agent': 'Mozilla/5.0' } }
+  let(:ctx) { instance_double(Html2rss::RequestService::Context, url:, headers:) }
+
+  describe '#execute' do
+    before do
+      allow(SsrfFilter).to receive(:get).with(url, headers:).and_return(
+        instance_double(Net::HTTPResponse, body: 'body', to_hash: { 'Content-Type' => ['text/html'] })
+      )
+    end
+
+    it 'returns a response', :aggregate_failures do
+      response = instance.execute
+
+      expect(SsrfFilter).to haved_received(:get).with(url, headers:)
+      expect(response).to be_a(Html2rss::RequestService::Response)
+      expect(response.body).to eq('body')
+      expect(response.headers).to eq('Content-Type' => 'text/html')
+    end
+  end
+end