-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adopt requests new get_connection API #164
Conversation
# elastic-transport is not vulnerable to CVE-2024-35195 because it uses | ||
# requests.Session and an SSLContext without using the verify parameter. | ||
# We should remove this branch when requiring requests 2.32 or later. | ||
adapter.get_connection(self.base_url) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to preserve the type: ignore
here? And are there any typing considerations for the new call?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't, the types were fixed in typeshed yesterday: python/typeshed#12000.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good.
Would it be worth testing two requests versions from before and after this change? Considering the new code appears to let through an invalid TLS combination, which is what that remaining test failure looks like.
Yes, we should probably test using an older version of requests too. Waiting for requests 2.32.3 to proceed further here. |
The remaining failure is due to psf/requests#6716. It will go away when requests 2.32.3 is released. |
I'm merging this now because it improves the situation and I checked that the tests pass with the main branch of requests, which should be released any time now: psf/requests#6721. |
* Fix requests 2.32 compatibility * Test minimum dependencies in CI (cherry picked from commit d89e9f0)
* Fix requests 2.32 compatibility * Test minimum dependencies in CI (cherry picked from commit d89e9f0)
To fix a security vulnerability, requests removed
HTTPAdapter.get_connection()
in favor ofHTTPAdapter.get_connection_with_tls_context()
. This breaks the transport and client when using requests 2.32 or later, as the transport directly calls the removed API. This pull request fixes the issue.See psf/requests#6710 for more details.