From a0fe3fae8da393a1f8222ac1ff56a2160225efe1 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Wed, 26 Feb 2025 16:04:29 +0900
Subject: [PATCH 1/3] Truncate userinfo with URI#join, URI#merge and URI#+

---
 lib/uri/generic.rb | 6 +++++-
 test/uri/test_generic.rb | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
index cfa0de6..23d2398 100644
--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
@@ -1131,7 +1131,11 @@ def merge(oth)
       end
 
       # RFC2396, Section 5.2, 7)
-      base.set_userinfo(rel.userinfo) if rel.userinfo
+      if rel.userinfo
+        base.set_userinfo(rel.userinfo)
+      else
+        base.set_userinfo(nil)
+      end
       base.set_host(rel.host) if rel.host
       base.set_port(rel.port) if rel.port
       base.query = rel.query if rel.query
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
index fdb405e..b74f8e6 100644
--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
@@ -157,6 +157,17 @@ def test_parse
       assert_equal(nil, url.user)
       assert_equal(nil, url.password)
       assert_equal(nil, url.userinfo)
+
+      # sec-2957667
+      url = URI.parse('http://user:pass@example.com').merge('//example.net')
+      assert_equal('http://example.net', url.to_s)
+      assert_nil(url.userinfo)
+      url = URI.join('http://user:pass@example.com', '//example.net')
+      assert_equal('http://example.net', url.to_s)
+      assert_nil(url.userinfo)
+      url = URI.parse('http://user:pass@example.com') + '//example.net'
+      assert_equal('http://example.net', url.to_s)
+      assert_nil(url.userinfo)
     end
 
     def test_parse_scheme_with_symbols

From 100b3f0098c2202d3b447637fae5e9e6ed647248 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Fri, 21 Feb 2025 18:16:28 +0900
Subject: [PATCH 2/3] Fix merger of URI with authority component

https://hackerone.com/reports/2957667

Co-authored-by: Nobuyoshi Nakada
---
 lib/uri/generic.rb | 19 +++++++------------
 test/uri/test_generic.rb | 7 +++++++
 2 files changed, 14 insertions(+), 12 deletions(-)
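Review bot: The new `else` branch clears the base credentials for every reference that carries no userinfo of its own, which includes plain relative paths, so `URI.parse('http://u:p@example.com/a').merge('b')` would now come back without `u:p`; RFC 3986 §5.2.2 keeps the whole base authority, userinfo included, whenever the reference supplies none. The reset should only happen when the reference brings its own authority, e.g. `base.set_userinfo(rel.userinfo) if authority`, using the `authority` flag that the `if !authority` line removed by the second patch of this series shows `merge` already computes. The second patch in the series reworks this block along those lines, so this note applies to the intermediate state only. `merge` begins above and continues below this hunk.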
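Review bot: All three new cases use a base URI without an explicit port, so they never check whether the base port survives the host swap; with the sibling hunk still doing `base.set_port(rel.port) if rel.port`, `URI.parse('http://user:pass@example.com:8080').merge('//example.net')` would appear to keep `:8080` on the new host. Add `url = URI.parse('http://user:pass@example.com:8080').merge('//example.net')` followed by `assert_equal('http://example.net', url.to_s)`, and a counter-case such as `assert_equal('http://user:pass@example.com/b', URI.parse('http://user:pass@example.com/a').merge('b').to_s)` so that a relative path is shown to retain the base credentials rather than lose them. `test_parse` starts above this hunk.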
diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
index 23d2398..2420882 100644
--- a/lib/uri/generic.rb
+++ b/lib/uri/generic.rb
@@ -1123,21 +1123,16 @@ def merge(oth)
       base.fragment=(nil)
 
       # RFC2396, Section 5.2, 4)
-      if !authority
-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
-      else
-        # RFC2396, Section 5.2, 4)
-        base.set_path(rel.path) if rel.path
+      if authority
+        base.set_userinfo(rel.userinfo)
+        base.set_host(rel.host)
+        base.set_port(rel.port || base.default_port)
+        base.set_path(rel.path)
+      elsif base.path && rel.path
+        base.set_path(merge_path(base.path, rel.path))
       end
 
       # RFC2396, Section 5.2, 7)
-      if rel.userinfo
-        base.set_userinfo(rel.userinfo)
-      else
-        base.set_userinfo(nil)
-      end
-      base.set_host(rel.host) if rel.host
-      base.set_port(rel.port) if rel.port
       base.query = rel.query if rel.query
       base.fragment=(rel.fragment) if rel.fragment
 
diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
index b74f8e6..ade0294 100644
--- a/test/uri/test_generic.rb
+++ b/test/uri/test_generic.rb
@@ -260,6 +260,13 @@ def test_merge
       assert_equal(u0, u1)
     end
 
+    def test_merge_authority
+      u = URI.parse('http://user:pass@example.com:8080')
+      u0 = URI.parse('http://new.example.org/path')
+      u1 = u.merge('//new.example.org/path')
+      assert_equal(u0, u1)
+    end
+
     def test_route
       url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
       assert_equal('b.html', url.to_s)

From 4aeb1f2de7f3c9b7ea818a1245227672a890bea0 Mon Sep 17 00:00:00 2001
From: Hiroshi SHIBATA
Date: Wed, 26 Feb 2025 16:07:19 +0900
Subject: [PATCH 3/3] Tweak actions matrix and steps

---
 .github/workflows/test.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 15d9e30..ef0cfb5 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
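Review bot: The `# RFC2396, Section 5.2, 7)` comment kept as context now labels only the query/fragment copy, while the authority handling it used to introduce has moved into the new `if authority` branch, which is the actual fix and has no explanation of its own; I would put a why-comment on that branch, e.g. `# The reference carries its own authority: replace userinfo, host and port wholesale so the base's credentials and port never carry over to the new host (hackerone 2957667)`. One behavioural detail worth a second look is that `base.set_path(rel.path)` lost the `if rel.path` guard the removed line had; presumably parsed references always get `''` rather than nil for the path, in which case this is harmless, but a hand-built `URI` object with a nil path would now copy nil into `base` — confirm against the constructor. `authority` and `rel` are defined earlier in `merge`, outside this hunk.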
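Review bot: `test_merge_authority` pins only the host-and-path replacement; neither the `rel.port || base.default_port` fallback nor the userinfo replacement the new branch performs has a direct case, and nothing shows that a reference without an authority still keeps the base credentials. Add `assert_equal(URI.parse('http://alice@new.example.org:9000/p'), u.merge('//alice@new.example.org:9000/p'))` and `assert_equal(URI.parse('http://user:pass@example.com:8080/x'), u.merge('/x'))` so both the replacement and the unchanged-authority path are covered. `test_route` continues below this hunk.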
@@ -7,16 +7,20 @@ jobs:
     name: build (${{ matrix.ruby }} / ${{ matrix.os }})
     strategy:
       matrix:
-        ruby: [ '3.0', 2.7, 2.6, 2.5, 2.4, head ]
+        ruby: [ 3.1, '3.0', 2.7, 2.6, 2.5, 2.4, head, truffleruby ]
         os: [ ubuntu-latest, macos-latest ]
+      exclude:
+        - ruby: 2.4
+          os: macos-latest
+        - ruby: 2.5
+          os: macos-latest
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
-      - name: Install dependencies
-        run: bundle install
+      - run: bundle install --jobs 4 --retry 3
       - name: Run test
         run: rake test
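Review bot: `- uses: actions/checkout@v3` still references a mutable tag, as does the unchanged `ruby/setup-ruby@v1` beneath it; a tag can be moved to any commit by whoever controls the action repository, so a job that installs gems and runs tests under it inherits that trust. Pin both to the full 40-character commit SHA of the release you mean and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v3`, and let Dependabot bump the pins. Since `ruby/setup-ruby` is already in use, `bundler-cache: true` under its `with:` block would replace the separate `bundle install --jobs 4 --retry 3` step and add gem caching for free. The top of the workflow, including any `permissions:` block where the token should be limited to `contents: read`, is outside this hunk.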