
Rack::Lint SERVER_NAME and HTTP_HOST are insufficiently validated? #2295

@ioquatix

Description

When we use URI.parse("http://#{http_host}/"), we assume that http_host holds a valid, sanitized hostname. However, URI.parse is fairly permissive in what it accepts. This can lead to unexpected (and potentially unsafe) behavior if http_host is user-controlled or not rigorously validated before parsing. Attackers can craft unusual or malicious values to manipulate the resulting URI in ways that are not obviously valid domain names. The same applies to SERVER_NAME.

Below is a condensed list of potentially unusual or invalid values that URI.parse("http://#{string}/") would still parse:

1. Userinfo embedded
   - `user:[email protected]` (parses as `http://user:[email protected]/`)
2. Port numbers and paths
   - `example.com:8080/path/to/endpoint` (parses as `http://example.com:8080/path/to/endpoint/`)
3. Query or fragment
   - `example.com?foo=bar#frag` (parses as `http://example.com?foo=bar#frag/`)
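As an added example (not Rack's own code), the following Ruby contrasts what `URI.parse("http://#{value}/")` reports as the host with a stricter `host[:port]` check that could be applied to `HTTP_HOST` / `SERVER_NAME` before a URI is ever built from them; the regexes, the port limits and the constructed value `user:pass@example.com` are this example's assumptions.

```ruby
require 'uri'

# Added example, not Rack's code. Assumed shapes: a DNS hostname (RFC 1035-style labels)
# or a bracketed IPv6 literal, optionally followed by ":<decimal port>". Nothing else.
HOSTNAME_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?\z/i
IPV6_LITERAL_RE = /\A\[[0-9a-f:.]+\]\z/i # e.g. "[::1]"; brackets are required

# What URI.parse("http://#{value}/") reports as the host, or nil if it rejects the input.
# This is the permissive behaviour the issue describes: userinfo, paths, queries and
# fragments are all silently absorbed into other URI components.
def lenient_host(value)
  URI.parse("http://#{value}/").host
rescue URI::InvalidURIError
  nil
end

# Returns [host, port_or_nil] only for a bare host with an optional numeric port.
# Userinfo, paths, queries, fragments, an empty port or a second ":" all yield nil.
def strict_host(value)
  return nil unless value.is_a?(String) && !value.empty?
  if value.start_with?('[')
    m = value.match(/\A(\[[^\]]*\])(?::(\d{1,5}))?\z/)
    return nil unless m && m[1].match?(IPV6_LITERAL_RE)
    host, port = m[1], m[2]
  else
    return nil if value.count(':') > 1
    host, port = value.split(':', -1) # -1 keeps a trailing empty port ("example.com:")
    return nil unless host.size <= 253 && host.match?(HOSTNAME_RE)
  end
  return [host, nil] if port.nil?
  return nil unless port.match?(/\A\d{1,5}\z/) && (1..65535).cover?(port.to_i)
  [host, port.to_i]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the three shapes from the issue plus one well-formed host.
  ['example.com:8080', 'user:pass@example.com',
   'example.com:8080/path/to/endpoint', 'example.com?foo=bar#frag'].each do |v|
    puts "#{v.inspect}: URI.parse host=#{lenient_host(v).inspect} strict=#{strict_host(v).inspect}"
  end
end
```

Running the script shows `URI.parse` returning `example.com` for all four inputs while `strict_host` accepts only the first.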
