@gasinvein
Collaborator

The GitHub REST API rate limit is rather low; the JSON checker can quickly drain it, which is currently happening with the shared f-e-d-c instance on Flathub. We can authorize GitHub API queries to significantly increase this limit.

If the GITHUB_TOKEN env var is set and the GitHub API host is detected in the JSON data URL, add the token to the Authorization header to authorize the API request.

If GITHUB_TOKEN env var is set and GitHub API host detected
in JSON data url, add the token to Authorization header.
gasinvein requested review from barthalion and wjt on October 1, 2021 19:29
@coveralls

Coverage Status

Coverage decreased (-0.02%) to 92.484% when pulling 1b57bb2 on jsonchecker-auth-github into ef7bcfd on master.

wjt merged commit cb3e68d into master on Oct 1, 2021
wjt deleted the jsonchecker-auth-github branch on October 1, 2021 19:37
url = URL(url)

headers = {}
if url.host == "api.github.com":
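Review bot: the condition `if url.host == "api.github.com":` checks only the host, not the scheme, so a data URL of the form `http://api.github.com/...` would still get the Authorization header attached and the token would travel in cleartext; consider also requiring `url.scheme == "https"` before adding the header, since the URL comes from user-provided manifest data.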
Collaborator Author

Here we rely on yarl parsing URLs reliably and not being trickable into thinking that the host is different from what it really is. Otherwise, we can send our token to a malicious host, since the URL is provided by the user.

@barthalion If you consider that this check is not enough (or you're as paranoid as me), we can use different tokens for querying GitHub APIs here and for opening/merging PRs in main.py.

Member

It's fine by me the way it is now, thanks.
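The concern raised in the review thread above, that a token must only ever be attached when the user-supplied data URL really points at api.github.com, as an added example that is not code from this PR or from f-e-d-c. The PR compares the host of a yarl-parsed URL; this stand-in uses the standard library's urllib.parse instead (an assumption made so it runs without yarl) and, going beyond the PR, also insists on https so the token is never sent in cleartext. It places the PR's parsed-host check beside a naive substring check to show which lookalike URLs each accepts. The `evil.example` host, the lookalike URLs and the `ghp_example` token value are constructed; the `token <PAT>` header format is GitHub's documented scheme, not something shown on this page.

```python
"""Added example (not f-e-d-c's own code): gate an Authorization header on
the *parsed* host of a user-supplied JSON data URL.

The PR does ``url.host == "api.github.com"`` on a yarl URL; this stand-in
uses urllib.parse so it runs without yarl (an assumption of this example).
All URLs below are constructed lookalikes, not real manifests.
"""
import os
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

GITHUB_API_HOST = "api.github.com"


def naive_is_github_api(url: str) -> bool:
    """Weak check: substring match on the raw URL string.

    Accepts anything that merely *mentions* the API host: userinfo tricks,
    lookalike subdomains, query parameters, plain-http URLs.
    """
    return GITHUB_API_HOST in url


def is_github_api(url: str) -> bool:
    """Check mirroring the PR's intent: compare the parsed host.

    urlsplit().hostname strips userinfo and port and lowercases the host,
    so only a URL whose authority really is api.github.com passes.  The
    https requirement is a tightening added in this example, not part of
    the PR: it keeps the token off cleartext connections.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == GITHUB_API_HOST


def build_headers(url: str, token: Optional[str]) -> Dict[str, str]:
    """Return request headers; Authorization is added only for the real API host.

    "token <PAT>" is GitHub's documented header format (the exact value the
    PR uses is not visible on the page).
    """
    headers: Dict[str, str] = {}
    if token and is_github_api(url):
        headers["Authorization"] = f"token {token}"
    return headers


def classify(urls: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each URL to (naive_result, parsed_host_result) for comparison."""
    return {u: (naive_is_github_api(u), is_github_api(u)) for u in urls}


# Constructed sample data URLs: one genuine API URL, several lookalikes.
SAMPLE_URLS = [
    "https://api.github.com/repos/example-org/example-repo/releases/latest",
    "https://API.GitHub.com/rate_limit",                     # case differs; same host
    "https://api.github.com@evil.example/releases",          # userinfo trick
    "https://api.github.com.evil.example/",                  # lookalike subdomain
    "https://evil.example/?next=https://api.github.com/",    # host only in the query
    "http://api.github.com/rate_limit",                      # real host, cleartext
]

if __name__ == "__main__":
    # GITHUB_TOKEN is read the same way the PR describes; unset means no header.
    token = os.environ.get("GITHUB_TOKEN")
    for url, (naive, parsed) in classify(SAMPLE_URLS).items():
        print(f"naive={naive!s:5} parsed={parsed!s:5}  {url}")
        print(f"    headers: {build_headers(url, token)}")
```

Running it with `GITHUB_TOKEN` unset shows the substring check accepting four of the five non-genuine URLs while the parsed-host check accepts only the two whose authority is actually api.github.com over https; the header dictionary stays empty for every other URL even when a token is present.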
