• v0.3.0 5410b283e2

    client: allow injecting a requests.Session + stop following redirects

    amiller released this 2026-06-04 16:41:12 +00:00 | 2 commits to master since this release

    The HTTP Session was hardcoded with no injection point and followed
    redirects by default, so a server-side caller pointing the client at an
    attacker-influenced base_url (a tenant's prime_endpoint) had no way to
    attach an SSRF policy, and a public endpoint could 302-redirect the
    request to an internal address (e.g. the cloud metadata service).

    • Client/DragonchainSDK now accept an optional session so callers can
      inject a Session whose transport adapter refuses internal IPs. Default
      stays unguarded for trusted/CLI use — the guard belongs in the server.
    • Requests are sent with allow_redirects=False; Prime never legitimately
      redirects, and a 3xx now surfaces to the caller instead of being followed.
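The two bullets above describe a policy but not the Session a server-side caller would inject. The following is an added example (not part of this release or the SDK's own code) of one such Session: a `requests` transport adapter that resolves the destination host and refuses to send when any address is non-public, plus a helper that mirrors the client's `allow_redirects=False` and treats a 3xx as an error. The names `InternalIPBlockingAdapter`, `build_guarded_session`, `check_url` and `send_without_redirects` are assumptions for this example; the policy functions are stdlib-only so they can be exercised without network access, and `requests` is needed only to build the actual Session.

```python
"""Guarded requests.Session for a server-side caller whose base_url is
tenant-controlled. Added example, not the project's own code."""
import ipaddress
import socket
from urllib.parse import urlsplit

try:
    import requests
    from requests.adapters import HTTPAdapter
except ImportError:  # third-party; the policy functions below are stdlib-only
    requests = None
    HTTPAdapter = object


class ForbiddenDestination(ValueError):
    """Raised when a request would reach a non-public address or a bad URL."""


def is_forbidden_ip(ip_text: str) -> bool:
    """True for loopback, private, link-local (including 169.254.169.254),
    CGNAT, unspecified, reserved and multicast addresses, v4 or v6."""
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop v6 scope id
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged by its v4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def resolve_host(host: str) -> list:
    """Every address the host maps to; IP literals are returned as-is
    without a DNS lookup so the policy can be evaluated offline."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url: str) -> list:
    """Raise ForbiddenDestination unless the scheme is http(s) and every
    address the host resolves to is public; return the accepted addresses.
    All answers are checked so a mixed public/private DNS answer is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ForbiddenDestination("unsupported URL: %r" % url)
    addrs = resolve_host(parts.hostname)
    bad = [a for a in addrs if is_forbidden_ip(a)]
    if bad:
        raise ForbiddenDestination(
            "%s resolves to non-public address(es) %s" % (parts.hostname, bad))
    return addrs


class InternalIPBlockingAdapter(HTTPAdapter):
    """Transport adapter that evaluates the policy on every request it sends,
    so the check also covers any URL the client builds from base_url."""

    def send(self, request, **kwargs):
        check_url(request.url)
        return super().send(request, **kwargs)


def build_guarded_session():
    """Session to pass to the SDK client's optional session parameter."""
    if requests is None:
        raise RuntimeError("requests is not installed")
    session = requests.Session()
    adapter = InternalIPBlockingAdapter()
    session.mount("http://", adapter)
    session.mount("https://", adapter)
    return session


def send_without_redirects(session, method, url, **kwargs):
    """Same stance as the client: never follow a redirect; a 3xx is an error
    the caller sees (and can log) rather than a hop to an unchecked target."""
    resp = session.request(method, url, allow_redirects=False, **kwargs)
    if 300 <= resp.status_code < 400:
        raise ForbiddenDestination("unexpected redirect %d to %r" % (
            resp.status_code, resp.headers.get("Location")))
    return resp


if __name__ == "__main__":
    # Constructed URLs; no network is needed for IP-literal hosts.
    for candidate in ("https://8.8.8.8/", "http://169.254.169.254/", "http://[::1]/"):
        try:
            print(candidate, "-> allowed", check_url(candidate))
        except ForbiddenDestination as exc:
            print(candidate, "-> refused:", exc)
```

One caveat to keep in mind when using a check like this: the adapter resolves the hostname in `check_url` and the connection pool resolves it again when it connects, so a host whose DNS answer changes between the two lookups is not caught by this layer alone; pinning the connection to the vetted address or restricting the resolver is the next step if that window matters for your deployment.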