Replace requests with httpx client for non blocking execution#6942
| # Make the GET request with headers | ||
| response = requests.get(url, headers=headers) | ||
| async with httpx.AsyncClient() as client: | ||
| response = await client.get(url, headers=headers, timeout=10.0) |
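Review bot: `url` reaches `client.get` in this hunk without any check on where it points, so whoever supplies it can direct the backend fetch at an arbitrary host; build the URL server-side from an identifier, or verify scheme and host against an allowlist before the call. Separately, `async with httpx.AsyncClient() as client:` creates a new client and connection pool for every request; a single `httpx.AsyncClient` created at application start and shared across requests avoids that overhead. The explicit `timeout=10.0` is a good addition, since the removed `requests.get(url, headers=headers)` had no timeout at all.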
Check warning (Code scanning / SonarCloud): Server-side requests should not be vulnerable to forging attacks (Medium)
This change is great, but it flagged an error - rightly so too.
The user could pass in the URL to a malicious script here easily.
Can we pass in something like the user id here and construct the URL on the backend?
(and on that note, do we pass a URL to any other endpoints in TM?)
Thank you Sam. We allow the redirect URI to be passed in login. Although, by default, it is fetched from config, it can be overridden, but that will be handled by the OAuth app and it should be OK on that part.
Redirect URI is fine, as it's not actually called by the backend. The problem is fetching the URL in the backend code, with a lib like requests / httpx.
Closing as it's captured in PR 6943 where the updated ohsome APIs are implemented.
What type of PR is this? (check all applicable)
Describe this PR
Using requests (a sync lib) in an async context might block the thread, degrading performance.
Replace requests with httpx client for non-blocking execution.
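As an added example (not code from this PR or from the project), one way to address both points raised in the thread: keep the fetch non-blocking through an injected async client, and either build the upstream URL on the backend from an id or allowlist-check any caller-supplied URL before it is fetched. The host names, base path and the offline stand-in client are assumptions.

```python
# Added example (not code from the PR): keep the outbound fetch non-blocking while
# refusing caller-controlled destinations. Hosts, paths and the stand-in client are assumptions.
import asyncio
import ipaddress
from urllib.parse import quote, urlencode, urlsplit

ALLOWED_HOSTS = {"api.example.org"}            # hypothetical upstream host
BASE_URL = "https://api.example.org/v1/users"  # hypothetical base path

def build_user_url(user_id: str, **params: str) -> str:
    """Build the upstream URL on the backend; the caller only supplies an id."""
    if not user_id.isalnum():
        raise ValueError("user id must be alphanumeric")
    query = f"?{urlencode(params)}" if params else ""
    return f"{BASE_URL}/{quote(user_id, safe='')}{query}"

def is_allowed_url(url: str) -> bool:
    """True only for https to an allowlisted host name; userinfo and raw IP
    literals are refused, as both are ways to steer a fetch somewhere else."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return False          # IP literal: never allowlisted by name
    except ValueError:
        return host in ALLOWED_HOSTS

async def fetch_json(client, url: str, headers=None, timeout: float = 10.0):
    """Non-blocking fetch via an injected async client (e.g. a shared
    httpx.AsyncClient); the allowlist check runs before any connection."""
    if not is_allowed_url(url):
        raise ValueError(f"refusing to fetch non-allowlisted URL: {url}")
    response = await client.get(url, headers=headers, timeout=timeout)
    response.raise_for_status()
    return response.json()

class _OfflineClient:
    """Constructed stand-in with an httpx-like surface so demo() runs offline."""
    async def get(self, url, headers=None, timeout=None):
        class _Resp:
            def raise_for_status(self): pass
            def json(self): return {"fetched": url, "timeout": timeout}
        return _Resp()

def demo() -> dict:
    """Run the whole path once: id -> backend-built URL -> checked async fetch."""
    url = build_user_url("u1", fields="name")
    return asyncio.run(fetch_json(_OfflineClient(), url))
```

In the real handler the injected client would be one `httpx.AsyncClient` shared for the application's lifetime rather than a new one per request.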