Backport security fix for CVE-2026-25765 to 1.x branch (#1665)

Protocol-relative URLs (e.g. `//evil.com/path`) bypassed the existing
relative-URL guard in `build_exclusive_url`, allowing an attacker-controlled
URL to override the connection's base host. The `//` prefix matched the
`/` check in `start_with?`, so these URLs were passed through to
`URI#+` which treated them as authority references, replacing the host.

Extend the guard condition so that URLs starting with `//` are prefixed
with `./`, neutralizing the authority component and keeping requests
scoped to the configured base host.

This backport maintains backward compatibility with the 1.x branch's
colon-escaping behavior for opaque URIs like `service:search`.

Security: CVE-2026-25765, GHSA-33mh-2634-fwr2

Co-authored-by: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>

Author: iMacTia

lib/faraday/connection.rb

@@ -545,6 +545,8 @@ def build_exclusive_url(url = nil, params = nil, params_encoder = nil)
       if url && base.path && base.path !~ %r{/$}
         base.path = "#{base.path}/" # ensure trailing slash
       end
+      # Ensure protocol-relative URLs are handled correctly (CVE-2026-25765)
+      url = "./#{url}" if url.respond_to?(:start_with?) && url.start_with?('//')
       url = url && URI.parse(url.to_s).opaque ? url.to_s.gsub(':', '%3A') : url
       uri = url ? base + url : base
       if params

spec/faraday/connection_spec.rb

@@ -307,6 +307,39 @@
         expect(uri.to_s).to eq('http://service.com/api/service%3Asearch?limit=400')
       end
     end
+
+    context 'with protocol-relative URL (CVE-2026-25765)' do
+      it 'does not allow host override with //evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //evil.com:8080/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//evil.com:8080/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with //user:pass@evil.com/path' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('//user:pass@evil.com/path')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'does not allow host override with ///evil.com' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('///evil.com')
+        expect(uri.host).to eq('httpbingo.org')
+      end
+
+      it 'still allows single-slash absolute paths' do
+        conn.url_prefix = 'http://httpbingo.org/api'
+        uri = conn.build_exclusive_url('/safe/path')
+        expect(uri.host).to eq('httpbingo.org')
+        expect(uri.path).to eq('/safe/path')
+      end
+    end
   end
 
   describe '#build_url' do