fix(connect): rewrite Session to use rebuild_method override#468
Open
fix(connect): rewrite Session to use rebuild_method override#468
Conversation
Replace the hand-rolled redirect loop in Session.post with a minimal rebuild_method override. Inheriting from requests.SessionRedirectMixin restores rebuild_auth (strips Authorization on cross-origin hops), cookie propagation, response.history, TooManyRedirects, proxy rebuild, and streaming semantics — all of which the previous implementation silently dropped. Supersedes the defensive patch in #464.
☂️ Python Coverage
Overall Coverage
New FilesNo new covered files... Modified Files
|
tdstein
force-pushed
the
fix/sessions-use-rebuild-method
branch
from
7637f6a to
5d5e377
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces the hand-rolled redirect loop in
Session.post(src/posit/connect/sessions.py) with a minimalrebuild_methodoverride on top ofrequests.Session. The previous implementation reimplemented redirect handling from scratch and silently dropped everythingrequests.SessionRedirectMixinprovides.What the rewrite restores for free:
rebuild_auth— stripsAuthorizationon cross-origin hops (the original CVE behind fix(connect): strip Authorization on cross-origin redirects in custom Session #464)extract_cookies_to_jaron every hopresponse.historyfor the full redirect chainTooManyRedirectsraised instead of silently returning the last 3xx responserebuild_proxies,Refererhandling, and streaming semanticsallow_redirects=Falseis no longer forced on every POSTBehavior preserved:
preserve_post=True(default) keeps POST across 301/302, matching libcurlCURL_REDIR_POST_301|302.preserve_post=Falsefalls back to the RFC 7231 default (downgrade to GET on 301/302).max_redirectsis still accepted onpost()and now enforced byrequestsitself.Behavior change worth calling out:
max_redirectsexceeded now raisesrequests.exceptions.TooManyRedirectsinstead of returning the last 302 response. The old behavior was surprising and undocumented.Relationship to other PRs
Test plan
tests/posit/connect/test_sessions.pypass, including:AuthorizationAuthorizationresponse.historyis populatedmax_redirectsexceeded raisesTooManyRedirectsPOST /__api__/v1/tasksstyle endpoints