add proxy support #10
Do you mind giving a bit more motivation? This looks like just emulating Python.
I think hf-hub is not a simple request library; it's more like a tool to manage huggingface models. The async version will be added soon (missed).
Do you mind trying to make this land upstream: algesten/ureq#322. Seems reqwest already has support: seanmonstar/reqwest#1856.
I'll try.
TBH I didn't know this variable existed. Seems like a great way to exfiltrate traffic for any attacker. I don't think env variables should be used for this IMHO, even if it does seem quite widespread.
It's safe enough, because we use TLS.
Upstream PR opened: algesten/ureq#649
TLS doesn't seem like a great justification. You're still intercepting all traffic.
requests's CURL_CA_BUNDLE issue is about an empty-string bug; it's not about env being insecure. Attackers could modify your traffic in many ways if they can change your env. The proxy env and the CA-bundle env are at the same security level.
Really? How?
If attackers can change your env, that would be one of the ways below:
All the ways above indicate that the attacker has got file-write permission; then they could change your script/app to do everything, even get root privilege.
This is called privilege escalation; it's not an easy feat on a decently set up machine. User-space global proxy seems like a pretty bad vector to me. In any case it's definitely not the purpose of this lib to do this.
There are lots of things one can do at normal user privilege, e.g. read $HF_HOME/token. When your system is injected, it's not important whether your env would be changed; there are lots of ways to get/change the data they want.
It's like a knife, just a tool, just like a browser permits JavaScript to be executed.
Support HTTP_PROXY/HTTPS_PROXY/ALL_PROXY environments
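As an added example (not hf-hub's or ureq's code), the resolver below shows one way a client can honour HTTP_PROXY/HTTPS_PROXY/ALL_PROXY while keeping the concern raised in the thread visible: proxy variables are only read when the caller opts in, NO_PROXY is honoured, values with an unexpected scheme are rejected rather than silently used, and the chosen proxy is returned so the caller can log it. The function names, the `ProxyDecision` type and the precedence rules are this example's assumptions; the environment is passed in as a map so the behaviour is deterministic and testable.

```rust
use std::collections::HashMap;

/// Outcome of resolving a proxy for one outgoing request.
#[derive(Debug, PartialEq)]
pub enum ProxyDecision {
    /// Proxy variables were ignored because the caller did not opt in.
    Disabled,
    /// No applicable variable is set, or the host matched NO_PROXY.
    Direct,
    /// Use this proxy URL; callers should log it so an unexpected value is noticed.
    Use(String),
    /// A variable is set but its value is not a proxy URL this client understands.
    Rejected(String),
}

/// Resolve the proxy for `url_scheme` ("http" or "https") and `host` from an
/// environment snapshot. Precedence (an assumption of this example, matching the
/// usual convention): HTTPS_PROXY / HTTP_PROXY first, then ALL_PROXY; upper-case
/// names win over lower-case ones; empty values count as unset.
pub fn resolve_proxy(
    opt_in: bool,
    url_scheme: &str,
    host: &str,
    env: &HashMap<String, String>,
) -> ProxyDecision {
    if !opt_in {
        return ProxyDecision::Disabled;
    }
    let get = |k: &str| {
        env.get(k)
            .or_else(|| env.get(&k.to_lowercase()))
            .filter(|v| !v.is_empty())
            .cloned()
    };
    // NO_PROXY: comma-separated host names or domain suffixes, or "*" for all hosts.
    if let Some(np) = get("NO_PROXY") {
        for pat in np.split(',').map(str::trim).filter(|p| !p.is_empty()) {
            let suffix = format!(".{}", pat.trim_start_matches('.'));
            if pat == "*" || host == pat || host.ends_with(&suffix) {
                return ProxyDecision::Direct;
            }
        }
    }
    let specific = match url_scheme {
        "https" => "HTTPS_PROXY",
        "http" => "HTTP_PROXY",
        _ => return ProxyDecision::Direct,
    };
    let raw = match get(specific).or_else(|| get("ALL_PROXY")) {
        Some(v) => v,
        None => return ProxyDecision::Direct,
    };
    // Only accept schemes a proxy client actually supports; anything else is more
    // likely a misconfiguration or tampering than a legitimate proxy.
    let known = ["http://", "https://", "socks5://", "socks5h://"];
    if known.iter().any(|p| raw.starts_with(p)) {
        ProxyDecision::Use(raw)
    } else {
        ProxyDecision::Rejected(raw)
    }
}
```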