Module: Utils::Curl Private

Extended by:

T::Sig

Included in:

CurlDownloadStrategy, GitHubReleases, SPDX, SPDX, SharedAudits, SharedAudits

Defined in:

utils/curl.rb

Overview

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Helper function for interacting with curl.

Class Method Summary

• .curl(*args, print_stdout: true, **options) ⇒ Object private
• .curl_args(*extra_args, connect_timeout: nil, max_time: nil, retries: Homebrew::EnvConfig.curl_retries.to_i, retry_max_time: nil, show_output: false, user_agent: nil) ⇒ Array<T.untyped> private
• .curl_check_http_content(url, url_type, specs: {}, user_agents: [:default], check_content: false, strict: false, use_homebrew_curl: false) ⇒ Object private
• .curl_download(*args, to: nil, try_partial: true, **options) ⇒ Object private
• .curl_executable(use_homebrew_curl: false) ⇒ Object private
• .curl_http_content_headers_and_checksum(url, specs: {}, hash_needed: false, use_homebrew_curl: false, user_agent: :default) ⇒ Object private
• .curl_output(*args, **options) ⇒ Object private
• .curl_path ⇒ Object private
• .curl_supports_tls13? ⇒ Boolean private
• .curl_with_workarounds(*args, secrets: nil, print_stdout: nil, print_stderr: nil, debug: nil, verbose: nil, env: {}, timeout: nil, use_homebrew_curl: false, **options) ⇒ Object private
• .http_status_ok?(status) ⇒ Boolean private
• .parse_headers(headers) ⇒ Object private
• .url_protected_by_cloudflare?(details) ⇒ Boolean private

  Check if a URL is protected by CloudFlare (e.g. badlion.net and jaxx.io).

• .url_protected_by_incapsula?(details) ⇒ Boolean private

  Check if a URL is protected by Incapsula (e.g. corsair.com).

Class Method Details

.curl(*args, print_stdout: true, **options) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 142

def curl(*args, print_stdout: true, **options)
  result = curl_with_workarounds(*args, print_stdout: print_stdout, **options)
  result.assert_success!
  result
end

.curl_args(*extra_args, connect_timeout: nil, max_time: nil, retries: Homebrew::EnvConfig.curl_retries.to_i, retry_max_time: nil, show_output: false, user_agent: nil) ⇒ Array<T.untyped>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• extra_args (T.untyped)
• connect_timeout (Integer, Float, nil) (defaults to: nil)
• max_time (Integer, Float, nil) (defaults to: nil)
• retries (Integer, nil) (defaults to: Homebrew::EnvConfig.curl_retries.to_i)
• retry_max_time (Integer, Float, nil) (defaults to: nil)
• show_output (Boolean, nil) (defaults to: false)
• user_agent (String, Symbol, nil) (defaults to: nil)

Returns:

• (Array<T.untyped>)

# File 'utils/curl.rb', line 40

def curl_args(
  *extra_args,
  connect_timeout: nil,
  max_time: nil,
  retries: Homebrew::EnvConfig.curl_retries.to_i,
  retry_max_time: nil,
  show_output: false,
  user_agent: nil
)
  args = []

  # do not load .curlrc unless requested (must be the first argument)
  args << "--disable" unless Homebrew::EnvConfig.curlrc?

  # echo any cookies received on a redirect
  args << "--cookie" << "/dev/null"

  args << "--globoff"

  args << "--show-error"

  args << "--user-agent" << case user_agent
  when :browser, :fake
    HOMEBREW_USER_AGENT_FAKE_SAFARI
  when :default, nil
    HOMEBREW_USER_AGENT_CURL
  when String
    user_agent
  else
    raise TypeError, ":user_agent must be :browser/:fake, :default, or a String"
  end

  args << "--header" << "Accept-Language: en"

  unless show_output == true
    args << "--fail"
    args << "--progress-bar" unless Context.current.verbose?
    args << "--verbose" if Homebrew::EnvConfig.curl_verbose?
    args << "--silent" unless $stdout.tty?
  end

  args << "--connect-timeout" << connect_timeout.round(3) if connect_timeout.present?
  args << "--max-time" << max_time.round(3) if max_time.present?

  # A non-positive integer (e.g., 0) or `nil` will omit this argument
  args << "--retry" << retries if retries&.positive?

  args << "--retry-max-time" << retry_max_time.round if retry_max_time.present?

  args + extra_args
end

.curl_check_http_content(url, url_type, specs: {}, user_agents: [:default], check_content: false, strict: false, use_homebrew_curl: false) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 202

def curl_check_http_content(url, url_type, specs: {}, user_agents: [:default],
                            check_content: false, strict: false, use_homebrew_curl: false)
  return unless url.start_with? "http"

  secure_url = url.sub(/\Ahttp:/, "https:")
  secure_details = nil
  hash_needed = false
  if url != secure_url
    user_agents.each do |user_agent|
      secure_details = begin
        curl_http_content_headers_and_checksum(
          secure_url,
          specs:             specs,
          hash_needed:       true,
          use_homebrew_curl: use_homebrew_curl,
          user_agent:        user_agent,
        )
      rescue Timeout::Error
        next
      end

      next unless http_status_ok?(secure_details[:status])

      hash_needed = true
      user_agents = [user_agent]
      break
    end
  end

  details = nil
  user_agents.each do |user_agent|
    details =
      curl_http_content_headers_and_checksum(
        url,
        specs:             specs,
        hash_needed:       hash_needed,
        use_homebrew_curl: use_homebrew_curl,
        user_agent:        user_agent,
      )
    break if http_status_ok?(details[:status])
  end

  unless details[:status]
    # Hack around https://github.com/Homebrew/brew/issues/3199
    return if MacOS.version == :el_capitan

    return "The #{url_type} #{url} is not reachable"
  end

  unless http_status_ok?(details[:status])
    return if url_protected_by_cloudflare?(details) || url_protected_by_incapsula?(details)

    return "The #{url_type} #{url} is not reachable (HTTP status code #{details[:status]})"
  end

  if url.start_with?("https://") && Homebrew::EnvConfig.no_insecure_redirect? &&
     !details[:final_url].start_with?("https://")
    return "The #{url_type} #{url} redirects back to HTTP"
  end

  return unless secure_details

  return if !http_status_ok?(details[:status]) || !http_status_ok?(secure_details[:status])

  etag_match = details[:etag] &&
               details[:etag] == secure_details[:etag]
  content_length_match =
    details[:content_length] &&
    details[:content_length] == secure_details[:content_length]
  file_match = details[:file_hash] == secure_details[:file_hash]

  if (etag_match || content_length_match || file_match) &&
     secure_details[:final_url].start_with?("https://") &&
     url.start_with?("http://")
    return "The #{url_type} #{url} should use HTTPS rather than HTTP"
  end

  return unless check_content

  no_protocol_file_contents = %r{https?:\\?/\\?/}
  http_content = details[:file]&.gsub(no_protocol_file_contents, "/")
  https_content = secure_details[:file]&.gsub(no_protocol_file_contents, "/")

  # Check for the same content after removing all protocols
  if (http_content && https_content) && (http_content == https_content) &&
     url.start_with?("http://") && secure_details[:final_url].start_with?("https://")
    return "The #{url_type} #{url} should use HTTPS rather than HTTP"
  end

  return unless strict

  # Same size, different content after normalization
  # (typical causes: Generated ID, Timestamp, Unix time)
  if http_content.length == https_content.length
    return "The #{url_type} #{url} may be able to use HTTPS rather than HTTP. Please verify it in a browser."
  end

  lenratio = (100 * https_content.length / http_content.length).to_i
  return unless (90..110).cover?(lenratio)

  "The #{url_type} #{url} may be able to use HTTPS rather than HTTP. Please verify it in a browser."
end

.curl_download(*args, to: nil, try_partial: true, **options) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 158

def curl_download(*args, to: nil, try_partial: true, **options)
  destination = Pathname(to)
  destination.dirname.mkpath

  if try_partial
    range_stdout = curl_output("--location", "--head", *args, **options).stdout
    headers = parse_headers(range_stdout.split("\r\n\r\n").first)

    # Any value for `accept-ranges` other than none indicates that the server supports partial requests.
    # Its absence indicates no support.
    supports_partial = headers.key?("accept-ranges") && headers["accept-ranges"] != "none"

    if supports_partial &&
       destination.exist? &&
       destination.size == headers["content-length"].to_i
      return # We've already downloaded all the bytes
    end
  end

  args = ["--location", "--remote-time", "--output", destination, *args]
  # continue-at shouldn't be used with servers that don't support partial requests.
  args = ["--continue-at", "-", *args] if destination.exist? && supports_partial

  curl(*args, **options)
end

.curl_executable(use_homebrew_curl: false) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 19

def curl_executable(use_homebrew_curl: false)
  return Pathname.new(ENV["HOMEBREW_BREWED_CURL_PATH"]) if use_homebrew_curl

  @curl_executable ||= HOMEBREW_SHIMS_PATH/"shared/curl"
end

.curl_http_content_headers_and_checksum(url, specs: {}, hash_needed: false, use_homebrew_curl: false, user_agent: :default) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 305

def curl_http_content_headers_and_checksum(
  url, specs: {}, hash_needed: false,
  use_homebrew_curl: false, user_agent: :default
)
  file = Tempfile.new.tap(&:close)

  # Convert specs to options. This is mostly key-value options,
  # unless the value is a boolean in which case treat as as flag.
  specs = specs.flat_map do |option, argument|
    next [] if argument == false # No flag.

    args = ["--#{option.to_s.tr("_", "-")}"]
    args << argument unless argument == true # It's a flag.
    args
  end

  max_time = hash_needed ? 600 : 25
  output, _, status = curl_output(
    *specs, "--dump-header", "-", "--output", file.path, "--location", url,
    use_homebrew_curl: use_homebrew_curl,
    connect_timeout:   15,
    max_time:          max_time,
    retry_max_time:    max_time,
    user_agent:        user_agent
  )

  status_code = :unknown
  while status_code == :unknown || status_code.to_s.start_with?("3")
    headers, _, output = output.partition("\r\n\r\n")
    status_code = headers[%r{HTTP/.* (\d+)}, 1]
    location = headers[/^Location:\s*(.*)$/i, 1]
    final_url = location.chomp if location
  end

  if status.success?
    file_contents = File.read(file.path)
    file_hash = Digest::SHA2.hexdigest(file_contents) if hash_needed
  end

  final_url ||= url

  {
    url:            url,
    final_url:      final_url,
    status:         status_code,
    etag:           headers[%r{ETag: ([wW]/)?"(([^"]|\\")*)"}, 2],
    content_length: headers[/Content-Length: (\d+)/, 1],
    headers:        headers,
    file_hash:      file_hash,
    file:           file_contents,
  }
ensure
  file.unlink
end

.curl_output(*args, **options) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 184

def curl_output(*args, **options)
  curl_with_workarounds(*args, print_stderr: false, show_output: true, **options)
end

.curl_path ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 25

def curl_path
  @curl_path ||= Utils.popen_read(curl_executable, "--homebrew=print-path").chomp.presence
end

.curl_supports_tls13? ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'utils/curl.rb', line 360

def curl_supports_tls13?
  @curl_supports_tls13 ||= Hash.new do |h, key|
    h[key] = quiet_system(curl_executable, "--tlsv1.3", "--head", "https://brew.sh/")
  end
  @curl_supports_tls13[ENV["HOMEBREW_CURL"]]
end

.curl_with_workarounds(*args, secrets: nil, print_stdout: nil, print_stderr: nil, debug: nil, verbose: nil, env: {}, timeout: nil, use_homebrew_curl: false, **options) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Raises:

• (Timeout::Error)

# File 'utils/curl.rb', line 92

def curl_with_workarounds(
  *args,
  secrets: nil, print_stdout: nil, print_stderr: nil, debug: nil,
  verbose: nil, env: {}, timeout: nil, use_homebrew_curl: false, **options
)
  end_time = Time.now + timeout if timeout

  command_options = {
    secrets:      secrets,
    print_stdout: print_stdout,
    print_stderr: print_stderr,
    debug:        debug,
    verbose:      verbose,
  }.compact

  result = system_command curl_executable(use_homebrew_curl: use_homebrew_curl),
                          args:    curl_args(*args, **options),
                          env:     env,
                          timeout: end_time&.remaining,
                          **command_options

  return result if result.success? || !args.exclude?("--http1.1")

  raise Timeout::Error, result.stderr.lines.last.chomp if timeout && result.status.exitstatus == 28

  # Error in the HTTP2 framing layer
  if result.status.exitstatus == 16
    return curl_with_workarounds(
      *args, "--http1.1",
      timeout: end_time&.remaining, **command_options, **options
    )
  end

  # This is a workaround for https://github.com/curl/curl/issues/1618.
  if result.status.exitstatus == 56 # Unexpected EOF
    out = curl_output("-V").stdout

    # If `curl` doesn't support HTTP2, the exception is unrelated to this bug.
    return result unless out.include?("HTTP2")

    # The bug is fixed in `curl` >= 7.60.0.
    curl_version = out[/curl (\d+(\.\d+)+)/, 1]
    return result if Gem::Version.new(curl_version) >= Gem::Version.new("7.60.0")

    return curl_with_workarounds(*args, "--http1.1", **command_options, **options)
  end

  result
end

.http_status_ok?(status) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Boolean)

# File 'utils/curl.rb', line 367

def http_status_ok?(status)
  (100..299).cover?(status.to_i)
end

.parse_headers(headers) ⇒ Object

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

# File 'utils/curl.rb', line 148

def parse_headers(headers)
  return {} if headers.blank?

  # Skip status code
  headers.split("\r\n")[1..].to_h do |h|
    name, content = h.split(": ")
    [name.downcase, content]
  end
end

.url_protected_by_cloudflare?(details) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Check if a URL is protected by CloudFlare (e.g. badlion.net and jaxx.io).

Returns:

• (Boolean)

# File 'utils/curl.rb', line 189

def url_protected_by_cloudflare?(details)
  [403, 503].include?(details[:status].to_i) &&
    details[:headers].match?(/^Set-Cookie: (__cfduid|__cf_bm)=/i) &&
    details[:headers].match?(/^Server: cloudflare/i)
end

.url_protected_by_incapsula?(details) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Check if a URL is protected by Incapsula (e.g. corsair.com).

Returns:

• (Boolean)

# File 'utils/curl.rb', line 196

def url_protected_by_incapsula?(details)
  details[:status].to_i == 403 &&
    details[:headers].match?(/^Set-Cookie: visid_incap_/i) &&
    details[:headers].match?(/^Set-Cookie: incap_ses_/i)
end