Remove ssrf_filter dependency

Author: gildesmarais

Gemfile

@@ -16,7 +16,6 @@ gem 'parallel'
 gem 'rack-cache'
 gem 'rack-timeout'
 gem 'roda'
-gem 'ssrf_filter'
 gem 'zeitwerk'
 
 gem 'puma', require: false

Gemfile.lock

@@ -333,7 +333,6 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    ssrf_filter (1.3.0)
     stackprof (0.2.28)
     thor (1.5.0)
     traces (0.18.2)
@@ -386,7 +385,6 @@ DEPENDENCIES
   ruby-lsp
   sentry-ruby
   simplecov
-  ssrf_filter
   stackprof
   vcr
   webmock
@@ -513,7 +511,6 @@ CHECKSUMS
   simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
   simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
   simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
-  ssrf_filter (1.3.0) sha256=66882d7de7d09c019098d6d7372412950ae184ebbc7c51478002058307aba6f2
   stackprof (0.2.28) sha256=4ec2ace02f386012b40ca20ef80c030ad711831f59511da12e83b34efb0f9a04
   thor (1.5.0) sha256=e3a9e55fe857e44859ce104a84675ab6e8cd59c650a49106a05f55f136425e73
   traces (0.18.2) sha256=80f1649cb4daace1d7174b81f3b3b7427af0b93047759ba349960cb8f315e214

README.md

@@ -15,7 +15,7 @@ html2rss-web converts arbitrary websites into RSS 2.0 feeds with a slim Ruby bac
 - Responsive Preact interface for demo, sign-in, conversion, and result flows.
 - Automatic source discovery with token-scoped permissions.
 - Signed public feed URLs that work in standard RSS readers.
-- Built-in SSRF defences, input validation, and HMAC-protected tokens.
+- Built-in URL validation, scoped feed access controls, and HMAC-protected tokens.
 
 ## Architecture
 

app/web/config/local_config.rb

@@ -97,8 +97,8 @@ def embedded_feed_config(normalized_name)
           deep_dup(Html2rss::Configs.find_by_name(normalized_name))
         rescue Html2rss::Configs::ConfigNotFound
           nil
-        rescue RuntimeError => e
-          return nil if e.message == 'name must be in folder/file format'
+        rescue RuntimeError => error
+          return nil if error.message == 'name must be in folder/file format'
 
           raise
         end

docs/README.md

@@ -48,7 +48,7 @@ Frontend verification lives at `http://127.0.0.1:4001/` while the dev container
 - Keep route composition in `app/web/routes/**`.
 - Keep `/api/v1` contract-specific code in `app/web/api/**`.
 - Keep feed fetching, caching, and orchestration in `app/web/feeds/**`.
-- Keep auth, token handling, SSRF strategy, and security logging in `app/web/security/**`.
+- Keep auth, token handling, URL validation, and security logging in `app/web/security/**`.
 - Keep request-scoped context in `app/web/request/**`.
 - Keep boot/runtime setup in `app/web/boot/**`.
 - Do not create generic buckets such as `services`, `helpers`, `utils`, or `concerns`.

frontend/src/__tests__/useFeedConversion.test.ts

@@ -77,9 +77,9 @@ describe('useFeedConversion', () => {
     const { result } = renderHook(() => useFeedConversion());
 
     await act(async () => {
-      await expect(
-        result.current.convertFeed('https://example.com', 'faraday', 'testtoken')
-      ).rejects.toThrow('Bad Request');
+      await expect(result.current.convertFeed('https://example.com', 'faraday', 'testtoken')).rejects.toThrow(
+        'Bad Request'
+      );
     });
 
     expect(result.current.isConverting).toBe(false);
@@ -93,9 +93,9 @@ describe('useFeedConversion', () => {
     const { result } = renderHook(() => useFeedConversion());
 
     await act(async () => {
-      await expect(
-        result.current.convertFeed('https://example.com', 'faraday', 'testtoken')
-      ).rejects.toThrow('Network error');
+      await expect(result.current.convertFeed('https://example.com', 'faraday', 'testtoken')).rejects.toThrow(
+        'Network error'
+      );
     });
 
     expect(result.current.isConverting).toBe(false);

frontend/src/components/AppPanels.tsx

@@ -158,7 +158,11 @@ export function CreateFeedPanel({
                   </p>
                 ))}
                 <p>
-                  <a href="https://html2rss.github.io/web-application/how-to/use-included-configs/" target="_blank" rel="noopener noreferrer">
+                  <a
+                    href="https://html2rss.github.io/web-application/how-to/use-included-configs/"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                  >
                     Learn how included configs work.
                   </a>
                 </p>

spec/html2rss/web/app_spec.rb

@@ -160,7 +160,7 @@ def app = described_class
 
       get '/missing-feed'
 
-      expect(last_response.status).to eq(500)
+      expect(last_response.status).to eq(404)
       expect(last_response.headers['Content-Type']).to eq('application/xml')
       expect(last_response.body).to eq('<error/>')
     end
@@ -169,8 +169,15 @@ def app = described_class
       get '/missing-feed.json'
 
       expect(json_feed_error_tuple).to eq(
-        [500, 'application/feed+json', { 'version' => 'https://jsonfeed.org/version/1.1', 'title' => 'Error',
-                                         'description' => 'Failed to generate feed: Internal Server Error' }]
+        [
+          404,
+          'application/feed+json',
+          {
+            'version' => 'https://jsonfeed.org/version/1.1',
+            'title' => 'Error',
+            'description' => "Failed to generate feed: Feed 'missing-feed' is not available on this instance"
+          }
+        ]
       )
     end
 

spec/html2rss/web/feeds/source_resolver_spec.rb

@@ -62,7 +62,9 @@ def resolved_tuple(resolved)
       end
 
       it 'returns a not-found error when the static feed is unavailable' do
-        allow(Html2rss::Web::LocalConfig).to receive(:find).with('legacy')
+        allow(Html2rss::Web::LocalConfig)
+          .to receive(:find)
+          .with('legacy')
           .and_raise(Html2rss::Web::LocalConfig::NotFound, 'missing')
 
         expect { described_class.call(feed_request) }

spec/html2rss/web/local_config_spec.rb

@@ -23,9 +23,13 @@ def titles_for(*names)
     end
 
     it 'falls back to embedded configs when the feed is not in local yaml' do
-      stub_const('Html2rss::Configs', Module.new)
+      stub_const('Html2rss::Configs', Module.new do
+        def self.find_by_name(_name); end
+      end)
       stub_const('Html2rss::Configs::ConfigNotFound', Class.new(StandardError))
-      allow(Html2rss::Configs).to receive(:find_by_name).with('support.apple.com/en_gb_ht201222')
+      allow(Html2rss::Configs)
+        .to receive(:find_by_name)
+        .with('support.apple.com/en_gb_ht201222')
         .and_return({ channel: { title: 'Apple security releases' } })
       allow(described_class).to receive(:snapshot)
         .and_return(Html2rss::Web::ConfigSnapshot::Snapshot.new(global: {}, feeds: {}, accounts: []))