add proxy support #10
Conversation
|
Do you mind giving a bit more of motivation ? This looks like just emulating Python
|
|
I think hf-hub is not a simple request library, it's more like a tool to manage huggingface models. async version will add soon(missed) |
|
Do you mind trying to make this land upstream: algesten/ureq#322 Seems reqwest already has support: seanmonstar/reqwest#1856 |
I'll try. |
|
TBH I didn't know this variable existed. Seems like a great way to exfiltrate traffic for any attacker.. I don't think env variables should be used for this IMHO, even if it does seems quite widespread. |
|
it's safe enough, because we use tls. |
|
upstream pr opened: algesten/ureq#649 |
|
tls doesn't seem like a great justification. You're still intercepting all traffic.
|
|
requests's CURL_CA_BUNDLE issuse tells about a empty-string-bug, it's not about env is insecure. attackers could modify your traffic in many ways if they can change your env. proxy env or ca-bundle env is in the same security level. |
|
Really ? How ? |
|
If attackers can change your env, that would be the one of ways below
all the ways above indicate that the attacker have got the file-write permission, then they could change your script/app to do everything, even got the root privilege. |
This is called privilege escalation, it's not an easy feat on a decently setup machine. user space global proxy seems like a pretty bad vector to me. In any case it's definitely not the purpose of this lib to do this. |
There's lots of things can do at normal user privilege, e.g. read $HF_HOME/token. when your system is injected, that's not important your env would be changed, there be lots of ways to get/change data they want |
|
It's like a knife, just a tool. just like browser permits javascript be executed. |
support
HTTP_PROXY/HTTPS_PROXY/ALL_PROXYenvironments