fix: Improve http.Client usage for security and performance #1910
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jentfoo
commented
Feb 6, 2025
jentfoo
commented
Feb 6, 2025
jentfoo
force-pushed
the
jent/http.Client_handling
branch
from
f8ee52c to
da0f385
Compare
jrschumacher
reviewed
Feb 7, 2025
jrschumacher
reviewed
Feb 7, 2025
This change switches us from maintaining a tls config which we then on-demand initialize an `http.Client` with to instead maintain and reuse an `http.Client` instance. This enables us to utilize the connection pooling which occurs within the `http.Transport` to reduce ssl handshakes and thus reduce latency. In addition this change provides us a central place to configure out `http.Client` (`httputil`). Allowing us to easily set configuration options to reduce the security risks of using an unconfigured `http.Client`. Notably timeouts to reduce DoS risks, and control around following redirects to prevent blind SSRF's. This change will provide significant benefit without making API changes. A future PR will update the service and also cleanup some of the API.
jentfoo
force-pushed
the
jent/http.Client_handling
branch
from
06093c7 to
c7026b8
Compare
dmihalcik-virtru
previously approved these changes
Feb 13, 2025
dmihalcik-virtru
approved these changes
Feb 13, 2025
strantalis
approved these changes
Feb 14, 2025
jentfoo
added a commit
that referenced
this pull request
Feb 18, 2025
This PR follows #1910 by updating `service` to utilize the new `httputil` helper for constructing a client which wont follow redirects, and has sensible timeouts. The prior auth API was marked as deprecated. There is no remaining use within this repo, so it may be able to be removed. Merging this should fully resolve #1891.
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
This change switches us from maintaining a tls config which we then on-demand initialize an
http.Clientwith to instead maintain and reuse anhttp.Clientinstance. This enables us to utilize the connection pooling which occurs within thehttp.Transportto reduce ssl handshakes and thus reduce latency.In addition this change provides us a central place to configure out
http.Client(httputil). Allowing us to easily set configuration options to reduce the security risks of using an unconfiguredhttp.Client. Notably timeouts to reduce DoS risks, and control around following redirects to prevent blind SSRF's.This PR 3/4 addresses #1891. After it's merged a small change will be made in the
serviceto fully utilize the API being introduced in the SDK here.Checklist
Testing Instructions