Documentation
¶
Overview ¶
Package httpx provides small HTTP helpers shared across providers.
Index ¶
- func DenyInternalRedirect(req *http.Request, via []*http.Request) error
- func DoWithRetry(ctx context.Context, client *http.Client, attempts int, ...) (*http.Response, error)
- func RequestID(h http.Header) string
- func SanitizeHeader(s string) string
- func SecureClient(timeout time.Duration) *http.Client
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DenyInternalRedirect ¶
DenyInternalRedirect is an http.Client CheckRedirect that caps the redirect chain and refuses a redirect to a private/loopback/link-local target — closing the redirect → 169.254.169.254 (cloud metadata) SSRF exfil path. It fails CLOSED on an unresolvable target; public redirects are still followed.
It guards only chains that ORIGINATED at a public address — the actual SSRF threat (a public endpoint steered at an internal target). A chain that started internal (an in-cluster model/metrics/logs backend behind a proxy, or a plain http→https / trailing -slash redirect on a private host) is legitimate and is allowed, so the guard never breaks in-cluster traffic. Dial-time DNS-rebinding protection is out of scope.
func DoWithRetry ¶
func DoWithRetry(ctx context.Context, client *http.Client, attempts int, build func() (*http.Request, error)) (*http.Response, error)
DoWithRetry issues build()'s request with bounded backoff, retrying on a network error, HTTP 429, or 5xx — a transient upstream failure shouldn't fail the whole investigation. Other 4xx and 2xx return immediately. build is invoked fresh each attempt so a consumed request body is rebuilt. On a 429 the wait honors the server's Retry-After / retry-after-ms hint (capped); otherwise it uses capped exponential backoff. The wait respects ctx cancellation. The last response (a 429/5xx) is returned so the caller can surface its status.
func RequestID ¶
RequestID returns the first present upstream request-id header (by the precedence in requestIDHeaders), sanitized for safe logging. It returns "" when none is set. The result is operator-trusted correlation metadata — not body content — suitable for an error surfaced at Error level.
func SanitizeHeader ¶
SanitizeHeader makes an upstream-supplied header value safe to embed in a log line: it drops control characters (anything below 0x20 plus DEL 0x7f, which includes CR/LF/TAB/NUL and ANSI ESC) so the value cannot forge log structure or inject terminal escapes, then caps the length and trims surrounding space.
func SecureClient ¶
SecureClient returns an http.Client with the given timeout and the DenyInternalRedirect policy. Use it for every outbound call to an operator- or externally-configurable endpoint (model, forge, notifier, metrics/logs) so a redirect can't be steered at an internal address.
Types ¶
This section is empty.