Data

Tools

Indexes

Applications

Experiments

Open Source Science

https://github.com/gradio-app/safehttpx

https://github.com/gradio-app/safehttpx

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.4%) to scientific vocabulary
Last synced: 6 months ago · JSON representation

Repository

Basic Info
  • Host: GitHub
  • Owner: gradio-app
  • License: apache-2.0
  • Language: Python
  • Default Branch: main
  • Size: 33.2 KB
Statistics
  • Stars: 70
  • Watchers: 2
  • Forks: 6
  • Open Issues: 2
  • Releases: 0
Created over 1 year ago · Last pushed 10 months ago
Metadata Files
Readme License

README.md

safehttpx

A small Python library created to help developers protect their applications from Server Side Request Forgery (SSRF) attacks. It implements an asynchronous GET method called safehttpx.get(), which is a wrapper around httpx.AsyncClient.get() while performing DNS validation on the supplied URL using Google DNS.

It also implements mitigation for DNS rebinding attacks.

Why?

Server Side Request Forgery (SSRF) attacks can be particularly dangerous as they allow attackers to make arbitrary HTTP requests from your server, potentially accessing sensitive internal services that are normally unreachable from the internet. This could enable attackers to scan internal networks, access metadata services in cloud environments (like "AWS Instance Metadata Service"), or hit internal APIs - all while appearing to come from your trusted server. By validating URLs against public DNS servers and implementing protections against DNS rebinding, safehttpx helps prevent attackers from coercing your application into making requests to internal or otherwise restricted network resources.

Usage

Installation

bash $ pip install safehttpx Also avalaible through Conda bash $ conda install safehttpx -c conda-forge or bash $ mamba install safehttpx -c conda-forge

Basic Usage

```py import safehttpx as sh

await sh.get("https://huggingface.co")

await sh.get("http://127.0.0.1")

ValueError: Hostname 127.0.0.1 failed validation ```

Note on Async Usage:

The example snippets above will work in environments like IPython or Jupyter notebooks where an asyncio event loop is already running. For regular Python scripts, you'll need to explicitly create and run an asyncio event loop. Here's how you can structure your code to use safehttpx in a standard Python script:

```python import asyncio import safehttpx as sh

asyncio.run(sh.get("https://huggingface.co"))

```

Whitelisted Domains

You may want to whitelist certain domains from being validated. For example, if you are running code on a server that implements DNS splitting, then even public URLs may appear as internal URLs. You can whitelist domains like this:

```py import safehttpx as sh

PUBLICHOSTNAMEWHITELIST = ["hf.co", "huggingface.co"]

await sh.get("https://huggingface.co", domainwhitelist=PUBLICHOSTNAME_WHITELIST)

```

Custom Transports (Advanced)

If you know what you are doing, and what to pass in a custom instance of httpx.AsyncBaseTransport, you can use the _transport parameter in sh.get(). Setting this to False explicitly will use no secure transport (effectively making sh.get equivalent to httpx.AsyncClient.get()).

More Information

This library was created as a result of Trail of Bits' security audit of Gradio 5 (Hugging Face), and is used in the Gradio library to make secure requests to arbitrary user-specified URLs. We are releasing this as a standalone library so that other developers can benefit from our learnings. In the interest of transparency and the spirit of open-source, we are making the full security audit public.

If you find a security issue in this library, please email the Gradio team at gradio-team@huggingface.co. Thanks!

Owner

  • Name: Gradio
  • Login: gradio-app
  • Kind: organization
  • Email: admin@gradio.app
  • Location: Mountain View, CA

Delightfully easy-to-use open-source tools that make machine learning easier and more accessible

GitHub Events

Total
  • Issues event: 7
  • Watch event: 56
  • Issue comment event: 7
  • Push event: 35
  • Pull request review event: 2
  • Pull request review comment event: 1
  • Pull request event: 16
  • Fork event: 7
  • Create event: 4
Last Year
  • Issues event: 7
  • Watch event: 56
  • Issue comment event: 7
  • Push event: 35
  • Pull request review event: 2
  • Pull request review comment event: 1
  • Pull request event: 16
  • Fork event: 7
  • Create event: 4

Committers

Last synced: 11 months ago

All Time
  • Total Commits: 43
  • Total Committers: 3
  • Avg Commits per committer: 14.333
  • Development Distribution Score (DDS): 0.116
Past Year
  • Commits: 43
  • Committers: 3
  • Avg Commits per committer: 14.333
  • Development Distribution Score (DDS): 0.116
Top Committers
Name Email Commits
Abubakar Abid a****r@h****o 38
Ali Abid a****4@g****m 3
HeavyTony2 9****2 2
Committer Domains (Top 20 + Academic)
huggingface.co: 1

Issues and Pull Requests

Last synced: 8 months ago

All Time
  • Total issues: 4
  • Total pull requests: 9
  • Average time to close issues: 3 days
  • Average time to close pull requests: 5 days
  • Total issue authors: 3
  • Total pull request authors: 3
  • Average comments per issue: 1.0
  • Average comments per pull request: 0.22
  • Merged pull requests: 8
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 4
  • Pull requests: 9
  • Average time to close issues: 3 days
  • Average time to close pull requests: 5 days
  • Issue authors: 3
  • Pull request authors: 3
  • Average comments per issue: 1.0
  • Average comments per pull request: 0.22
  • Merged pull requests: 8
  • Bot issues: 0
  • Bot pull requests: 0
View more stats
Top Authors
Issue Authors
  • freddyaboulton (2)
  • abidlabs (2)
  • HeavyTony2 (1)
Pull Request Authors
  • abidlabs (10)
  • HeavyTony2 (2)
  • aliabid94 (2)
Top Labels
Issue Labels
Pull Request Labels

Packages

  • Total packages: 1
  • Total downloads:
    • pypi 2,093,351 last-month
  • Total dependent packages: 0
  • Total dependent repositories: 0
  • Total versions: 4
  • Total maintainers: 2
pypi.org: safehttpx

A small Python library created to help developers protect their applications from Server Side Request Forgery (SSRF) attacks.

  • Versions: 4
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 2,093,351 Last month
Rankings
Dependent packages count: 10.2%
Average: 33.7%
Dependent repos count: 57.2%
Maintainers (2)
aabid93 dawoodkhan82
Last synced: 7 months ago

Dependencies

pyproject.toml pypi
  • httpx *
.github/workflows/publish.yml actions
  • actions/checkout v4 composite
  • actions/setup-python v4 composite