Class: WSDL::HTTPAdapter

Inherits:
Object
Includes:
RedirectGuard, Log
Defined in:
lib/wsdl/http_adapter.rb,
lib/wsdl/http_adapter/config.rb,
lib/wsdl/http_adapter/redirect_guard.rb

Overview

HTTP adapter using Ruby's stdlib +net/http+.

This is the default HTTP adapter used by WSDL. It provides a simple interface for making GET and POST requests with no external dependencies.

== Security Defaults

This adapter applies secure defaults out of the box:

  • Open timeout: 30 seconds
  • Write timeout: 60 seconds
  • Read timeout: 120 seconds
  • Redirect limit: 5 redirects maximum
  • SSL verification: Enabled by default (VERIFY_PEER)
  • Redirect SSRF protection: Blocks redirects to private/reserved networks
  • Scheme downgrade protection: Blocks HTTPS-to-HTTP redirects

These defaults prevent indefinite hangs, redirect loops, man-in-the-middle attacks, and SSRF via open redirects. You can customize them via #config which returns a Config instance.

== Redirect Security

HTTP redirects are validated before following. The adapter blocks redirects that target private or reserved IP addresses to prevent SSRF (Server-Side Request Forgery) attacks. This protects against scenarios where a malicious WSDL endpoint redirects to internal network addresses such as cloud metadata services (+169.254.169.254+), loopback interfaces (+127.0.0.1+), or RFC 1918 private networks.

Blocked address ranges:

  • Loopback: +127.0.0.0/8+, +::1+
  • Private: +10.0.0.0/8+, +172.16.0.0/12+, +192.168.0.0/16+
  • Link-local: +169.254.0.0/16+, +fe80::/10+
  • Current network: +0.0.0.0/8+
  • Shared address space: +100.64.0.0/10+

Both IP address literals in the URL and DNS-resolved addresses are checked. HTTPS-to-HTTP scheme downgrades are also blocked.
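
The checks described in this section, sketched as an added example (this is not the code of WSDL's RedirectGuard). The names +redirect_refusal+, +blocked_ip?+, +SAMPLE_DNS+ and +SAMPLE_RESOLVER+ are hypothetical, the DNS answers are constructed so the example runs offline, and the IPv4-mapped IPv6 handling and the http/https-only scheme check are assumptions that go beyond what the page lists.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Ranges copied from the "Blocked address ranges" list above.
BLOCKED_RANGES = %w[
  127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 fe80::/10 0.0.0.0/8 100.64.0.0/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_ip?(text)
  ip = IPAddr.new(text)
  # Assumption beyond the page's list: unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
  # so it is compared against the IPv4 ranges.
  ip = IPAddr.new(ip.to_i & 0xffffffff, Socket::AF_INET) if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
end

# Hypothetical helper: returns nil when the redirect may be followed,
# otherwise a String naming the reason it is refused.
# resolver: callable mapping a hostname to an array of address strings.
def redirect_refusal(from_url, location, resolver: ->(host) { Resolv.getaddresses(host) })
  from = URI(from_url)
  to = from + location # resolve a relative Location against the current URL
  return "unsupported scheme: #{to.scheme.inspect}" unless %w[http https].include?(to.scheme)
  return 'HTTPS-to-HTTP downgrade' if from.scheme == 'https' && to.scheme == 'http'

  host = to.hostname # URI#hostname strips the brackets from IPv6 literals
  return 'missing host' if host.nil? || host.empty?
  addresses = begin
    IPAddr.new(host) # raises unless the host is an IP literal
    [host]
  rescue IPAddr::Error
    resolver.call(host)
  end
  return "no addresses for #{host}" if addresses.empty?

  bad = addresses.find { |addr| blocked_ip?(addr) }
  bad ? "blocked address #{bad} for #{host}" : nil
rescue URI::Error => e
  "unparseable Location: #{e.message}"
end

# Constructed DNS answers (not real records) so the example runs offline.
SAMPLE_DNS = { 'internal.example' => ['10.1.2.3'], 'api.example' => ['203.0.113.10'] }.freeze
SAMPLE_RESOLVER = ->(host) { SAMPLE_DNS.fetch(host, []) }
```

This sketch validates the resolved addresses and then leaves the actual connection to resolve the name again; connecting to the address that was validated closes that gap.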

Examples:

Configuring timeouts

client = WSDL::Client.new('https://example.com/service?wsdl')
client.http.open_timeout = 10
client.http.read_timeout = 60

Using a custom CA certificate

client = WSDL::Client.new('https://example.com/service?wsdl')
client.http.ca_file = '/path/to/ca-bundle.crt'

Client certificate authentication (mutual TLS)

client = WSDL::Client.new('https://example.com/service?wsdl')
client.http.cert = OpenSSL::X509::Certificate.new(File.read('/path/to/client.crt'))
client.http.key = OpenSSL::PKey::RSA.new(File.read('/path/to/client.key'))

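Creating a custom adapter

require 'faraday'

# MyHTTPAdapter neither includes RedirectGuard nor uses Config, so the
# defaults listed under "Security Defaults" are not applied by this class;
# configure the Faraday connection accordingly.
class MyHTTPAdapter
  def initialize
    @connection = Faraday.new
  end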

  # Expose the Faraday connection for user configuration
  # (e.g. client.http.options.timeout = 30).
  attr_reader :connection
  alias config connection

  def cache_key
    'my-http-adapter:v1'
  end

  def get(url)
    resp = @connection.get(url)
    WSDL::HTTPResponse.new(status: resp.status, headers: resp.headers, body: resp.body)
  end

  def post(url, headers, body)
    resp = @connection.post(url, body, headers)
    WSDL::HTTPResponse.new(status: resp.status, headers: resp.headers, body: resp.body)
  end
end

WSDL.http_adapter = MyHTTPAdapter

Defined Under Namespace

Modules: RedirectGuard Classes: Config

Constant Summary

REDIRECT_CODES = [301, 302, 303, 307, 308].freeze

HTTP redirect status codes.

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

REDIRECT_TO_GET_CODES = [301, 302, 303].freeze

Redirect codes that change the method to GET (RFC 7231).

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

DEFAULT_OPEN_TIMEOUT = 30

Default open (connection) timeout in seconds.

DEFAULT_WRITE_TIMEOUT = 60

Default write (send) timeout in seconds.

DEFAULT_READ_TIMEOUT = 120

Default read (receive) timeout in seconds.

DEFAULT_REDIRECT_LIMIT = 5

Default maximum number of redirects to follow. Prevents redirect loops and excessive redirect chains.

Constants included from RedirectGuard

RedirectGuard::DNS_RESOLUTION_TIMEOUT, RedirectGuard::PRIVATE_IP_RANGES

Instance Method Summary

Methods included from Log

#logger

Constructor Details

#initialize ⇒ HTTPAdapter

Creates a new HTTPAdapter instance with secure defaults.



# File 'lib/wsdl/http_adapter.rb', line 108

def initialize
  @config = Config.new
end

Instance Attribute Details

#config ⇒ Config (readonly)

Returns the Config instance for customizing timeouts, SSL, and redirects.

Returns:

  • (Config)

    the configuration object



# File 'lib/wsdl/http_adapter.rb', line 115

def config
  @config
end

Instance Method Details

#cache_key ⇒ String

Returns a stable cache fingerprint for parser cache partitioning.

Returns:

  • (String)

    adapter cache identity



# File 'lib/wsdl/http_adapter.rb', line 120

def cache_key
  self.class.name
end

#get(url) ⇒ HTTPResponse

Executes an HTTP GET request.

Parameters:

  • url (String)

    the URL to request

Returns:

  • (HTTPResponse)

# File 'lib/wsdl/http_adapter.rb', line 128

def get(url)
  warn_if_ssl_verification_disabled
  request_with_redirects(:get, URI(url))
end

#post(url, headers, body) ⇒ HTTPResponse

Executes an HTTP POST request.

Parameters:

  • url (String)

    the URL to post to

  • headers (Hash)

    HTTP headers to include in the request

  • body (String)

    the request body

Returns:

  • (HTTPResponse)

# File 'lib/wsdl/http_adapter.rb', line 139

def post(url, headers, body)
  warn_if_ssl_verification_disabled
  request_with_redirects(:post, URI(url), headers, body)
end

#ssl_verification_disabled? ⇒ Boolean

Checks if SSL certificate verification is currently disabled.

Returns:

  • (Boolean)

    true if SSL verification is disabled



# File 'lib/wsdl/http_adapter.rb', line 147

def ssl_verification_disabled?
  @config.verify_mode == OpenSSL::SSL::VERIFY_NONE
end