client: validate URI scheme in BaseRequest#4331
Conversation
|
Thanks for sending a PR, but I'm struggling to see what this actually protects against or why. Please can you elaborate a way in which this change would provide a real benefit? |
|
@puremourning Thanks for the feedback. The primary goal here is defense in depth. While our current handlers are hardcoded, this strict validation ensures we only ever talk over HTTP/HTTPS. It acts as a safeguard against potential local file access or unintended redirects if a handler name were ever influenced by external data or if a dynamic handler is introduced in the future. Verified the changes with the added tests in |
2 participants
PR Prelude
Thank you for working on YCM! :)
Please complete these steps and check these boxes (by putting an
xinsidethe brackets) before filing your PR:
rationale for why I haven't.
actually perform all of these steps.
Why this change is necessary and useful
Enhancing the robustness of URI construction in
base_request.pyby validating the resulting scheme. Currently,_BuildUriusesurljoinwhich can return schemes likefile://if a handler name is manipulated. Sinceurllib.request.urlopensupports various protocols, adding a strict validation to allow onlyhttpandhttpsprevents potential misuse of the request client for local file access or other unintended schemes.Validation at the
_BuildUrilevel ensures that all communication with the ycmd server stays within the expected HTTP(S) protocol boundaries. This change aligns with technical best practices for handling dynamic URL construction even in local environments.Tests in
BaseRequestTestnow verify both successful URI building with valid schemes and the expected failure when an invalid scheme is detected.This change is