Skip to content

fix: add request timeouts, restore TLS verify, and stop logging secrets#639

Open
tiantt wants to merge 1 commit into
mainfrom
fix/request-timeouts-and-secret-logging
Open

fix: add request timeouts, restore TLS verify, and stop logging secrets#639
tiantt wants to merge 1 commit into
mainfrom
fix/request-timeouts-and-secret-logging

Conversation

@tiantt

@tiantt tiantt commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

What

Defensive-default hardening surfaced by a reliability/security/observability review. Five small, self-contained changes across two themes.

Reliability — bound outbound calls

  • veadk/utils/volcengine_sign.py: both signed-request helpers (volcengine_signed_request and request) previously called requests.request(...) with no timeout, so a hung Volcengine endpoint could block the caller indefinitely. Added an overridable timeout parameter defaulting to (10, 60) (10s connect / 60s read). This single change bounds the ~82 OpenAPI call sites that route through these two helpers; slow control-plane calls (deploy/upload) can pass a larger value.
  • veadk/tools/builtin_tools/web_scraper.py and vesearch.py: added a 30s timeout to their direct requests.post calls (these are on the agent's tool path).

Security / log hygiene

  • web_scraper.py: dropped verify=False (restored TLS certificate verification) on a request that carries X-VE-API-Key.
  • llm_shield.py: stopped logging the full API key at debug level — now logs only whether it is configured. (Default log level is DEBUG, so the key was being emitted in normal runs.)
  • ve_credential_service.py: fixed a docstring example that printed a bearer token.

Reviewer note ⚠️

The verify=False removal in web_scraper is a behavior change: if TOOL_WEB_SCRAPER_ENDPOINT serves a self-signed / private-CA certificate, requests will now fail TLS verification. If that endpoint is not publicly trusted, the correct fix is verify=<ca_bundle_path> rather than re-disabling verification. Please confirm the endpoint uses a publicly-trusted cert before merging.

Scope

These are the low-risk, no-design-needed items from the review. Not included here (need design/product decisions): unverified-JWT auth path, A2A hub authz, trace_content default, and the pre-existing type issues in web_scraper (unbound response in except, return-type mismatch). CI will validate; changes byte-compile clean.

Tighten defensive defaults on outbound calls and remove secret leakage
surfaced by a reliability/security/observability review.

Reliability:
- volcengine_sign: add an overridable `timeout` (default 10s connect /
  60s read) to both signed-request helpers, which previously issued
  requests.request(...) with no timeout. A hung Volcengine endpoint could
  block the caller forever; this bounds the ~82 OpenAPI call sites that
  route through these two helpers. Slow control-plane calls can override.
- web_scraper / vesearch: add a 30s timeout to their direct requests.post.

Security / log hygiene:
- web_scraper: drop `verify=False` (restore TLS certificate verification)
  on a request that carries X-VE-API-Key.
- llm_shield: stop logging the full API key at debug level; log only
  whether it is configured.
- ve_credential_service: fix a docstring example that printed a bearer token.

@cuericlee cuericlee left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants