HTTP client helper with native-tls support for the self-update subsystem.
Security Design
All network requests made by the self-update subsystem go through
validate_update_url before any network I/O occurs. Two invariants are
enforced:
- HTTPS only — plain HTTP, file://, and any other non-HTTPS scheme are rejected unconditionally. This prevents a network-level attacker from downgrading the connection and serving a malicious binary.
- Host allowlist — only the four GitHub hostnames in ALLOWED_HOSTS are accepted. This prevents a compromised DNS server or an SSRF-style redirect from pointing the updater at an attacker-controlled server.
Additionally, response bodies are capped at MAX_API_RESPONSE_SIZE (API calls)
and MAX_DOWNLOAD_SIZE (binary downloads) to prevent memory exhaustion, and
downloaded binaries are checked for the correct platform magic bytes via
validate_binary_content.
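As an added illustration that is not the module's own code, the following std-only validate_update_url enforces the two invariants above (HTTPS scheme, exact host match against an allowlist) and fails closed on userinfo, missing hosts and non-char-boundary input. The hostnames in its ALLOWED_HOSTS and the UrlError type are assumptions for this example; the page does not list the project's four hosts.

```rust
// Added example, not the project's code. The allowlist entries below are
// assumed for illustration; the real module's four hosts are not on this page.
pub const ALLOWED_HOSTS: &[&str] = &["github.com", "api.github.com"];

/// Hypothetical error type for the example.
#[derive(Debug, PartialEq)]
pub enum UrlError {
    /// Scheme is not `https` (covers `http://`, `file://`, and anything else).
    NotHttps,
    /// Host parsed correctly but is not in ALLOWED_HOSTS.
    HostNotAllowed(String),
    /// Empty authority, userinfo present, or otherwise unparseable.
    Malformed,
}

/// Check that `url` is `https://` and its host is on the allowlist.
pub fn validate_update_url(url: &str) -> Result<(), UrlError> {
    // Scheme check is case-insensitive: "HTTPS://" is still HTTPS.
    // `get(..8)` is None when the URL is shorter than 8 bytes or byte 8 is
    // not a char boundary, both of which are rejected as non-HTTPS.
    let rest = match url.get(..8) {
        Some(prefix) if prefix.eq_ignore_ascii_case("https://") => &url[8..],
        _ => return Err(UrlError::NotHttps),
    };
    // The authority component ends at the first '/', '?' or '#'.
    let end = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    let authority = &rest[..end];
    if authority.is_empty() {
        return Err(UrlError::Malformed);
    }
    // Reject userinfo outright: in "https://github.com@other.example/" the
    // real host is "other.example", so a naive prefix match would be fooled.
    if authority.contains('@') {
        return Err(UrlError::Malformed);
    }
    // Drop an optional ":port" and normalise case before the exact match.
    let host = authority.split(':').next().unwrap_or("").to_ascii_lowercase();
    if host.is_empty() {
        return Err(UrlError::Malformed);
    }
    if ALLOWED_HOSTS.contains(&host.as_str()) {
        Ok(())
    } else {
        Err(UrlError::HostNotAllowed(host))
    }
}
```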
Constants
- MAX_API_RESPONSE_SIZE - Maximum response body size for API responses (10 MB).
- MAX_DOWNLOAD_SIZE - Maximum response body size for file downloads (50 MB).
Functions
- agent - Create a new HTTP agent configured with native-tls and a global timeout.
- download_file - Download a file from a URL and return its bytes.
- validate_binary_content - Validate that downloaded binary content is plausible for the current platform.
- validate_update_url - Validate that a URL is safe to use for update operations.