requests-hardened 1.0.0__tar.gz

requests_hardened-1.0.0/LICENSE

@@ -0,0 +1,28 @@
+BSD 3-Clause License
+
+Copyright (c) 2023, Saleor Commerce
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

requests_hardened-1.0.0/PKG-INFO

@@ -0,0 +1,180 @@
+Metadata-Version: 2.1
+Name: requests-hardened
+Version: 1.0.0
+Summary: A library that overrides the default behaviors of the requests library, and adds new security features.
+License: BSD-3-Clause
+Author: Saleor Commerce
+Author-email: hello@saleor.io
+Requires-Python: >=3.9,<4.0
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: BSD License
+Classifier: Natural Language :: English
+Classifier: Operating System :: MacOS :: MacOS X
+Classifier: Operating System :: Microsoft :: Windows
+Classifier: Operating System :: POSIX
+Classifier: Operating System :: POSIX :: BSD
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Programming Language :: Python :: Implementation :: PyPy
+Classifier: Topic :: Security
+Requires-Dist: requests (>=2.32.3,<3.0.0)
+Project-URL: Changelog, https://github.com/saleor/requests-hardened/releases/
+Project-URL: Homepage, https://github.com/saleor/requests-hardened/
+Project-URL: Issues, https://github.com/saleor/requests-hardened/issues
+Project-URL: Source, https://github.com/saleor/requests-hardened/
+Description-Content-Type: text/x-rst
+
+=================
+requests-hardened
+=================
+
+|pypi-latest-version| |pypi-python-versions| |pypi-implementations|
+
+
+``requests-hardened`` is a library that overrides the default behaviors of the ``requests``
+library, and adds new security features.
+
+Installation
+============
+
+The project is available on PyPI_:
+
+.. code-block::
+
+  pip install requests-hardened
+
+Features
+========
+
+- `SSRF Filters`_: blocks private and loopback IP ranges.
+- HTTP Redirects: can be used safely alongside the SSRF filter feature.
+- `Proxy Support`_: proxies can be used in combination with SSRF Filters for a defense in depth.
+- Handy `Overrides of Defaults`_: allows to enforce secure defaults globally, such as to
+  mitigate DoS attacks.
+
+Overrides of Defaults
+---------------------
+
+This library allows to override some default values from the ``requests`` library
+that can have a security impact:
+
+- ``Config.never_redirect = False`` always reject HTTP redirects
+- ``Config.default_timeout = (2, 10)`` sets the default timeout value when no value or ``None`` is passed
+- ``Config.user_agent_override = None`` optional config to override ``User-Agent`` header. When set to ``None``, ``requests`` library will set its `default user-agent <https://github.com/psf/requests/blob/ee93fac6b2f715151f1aa9a1a06ddba9f7dcc59a/src/requests/utils.py#L886-L892>`_.
+
+SSRF Filters
+------------
+
+A SSRF IP filter can be used to reject HTTP(S) requests targeting private and loopback
+IP addresses.
+
+Settings:
+
+- ``Config.ip_filter_enable`` whether or not to filter the IP addresses
+- ``ip_filter_allow_loopback_ips`` whether or not to allow loopback IP addresses
+
+Proxy Support
+^^^^^^^^^^^^^
+
+The SSRF IP filter's behavior with proxies are as follows:
+
+- **Proxy's IP Address:** does not block private and loopback IP addresses (no filtering).
+  Instead, the filter assumes that the proxy URL is never tainted with untrusted
+  user input.
+- **Target IP Address (Tunneled HTTP Requests):** by default, the tunneled requests are
+  filtered for potential SSRF attacks.
+- **Protocols Supported:** SOCKS4, SOCKS5, HTTP, and HTTPS proxy server protocols are supported.
+
+  .. note::
+
+    We rely on the ``requests`` and ``urllib3`` thus the list may change over time.
+
+  .. warning::
+
+    For SOCKS4 and SOCKS5, you need to run ``pip install requests[socks]``
+
+Example Usage:
+
+.. code-block:: python
+
+  from requests_hardened import Config, Manager
+
+  http_manager = Manager(
+      Config(
+          default_timeout=(2, 10),
+          never_redirect=False,
+          # Enable SSRF IP filter
+          ip_filter_enable=True,
+          ip_filter_allow_loopback_ips=False,
+      )
+  )
+
+  # List of proxies
+  proxies = {
+    "https": "socks5://127.0.0.1:8888",
+    "http": "socks5://127.0.0.1:8888",
+  }
+
+  # Sends the HTTP request using the proxy
+  resp = http_manager.send_request("GET", "https://example.com", proxies=proxies)
+  print(resp)
+
+
+.. note::
+
+  For more details on using proxies with the ``requests`` library, see the `official
+  documentation <https://docs.python-requests.org/en/latest/user/advanced/#proxies>`_.
+
+
+Full Example
+============
+
+.. code-block:: python
+
+  from requests_hardened import Config, Manager
+
+  # Creates a global "manager" that can be used to create ``requests.Session``
+  # objects with hardening in place.
+  http_manager = Manager(
+      Config(
+          default_timeout=(2, 10),
+          never_redirect=False,
+          ip_filter_enable=True,
+          ip_filter_allow_loopback_ips=False,
+          user_agent_override=None
+      )
+  )
+
+  # Sends an HTTP request without re-using ``requests.Session``:
+  resp = http_manager.send_request("GET", "https://example.com")
+  print(resp)
+
+  # Sends HTTP requests with reusable ``requests.Session``:
+  with http_manager.get_session() as sess:
+      sess.request("GET", "https://example.com")
+      sess.request("POST", "https://example.com", json={"foo": "bar"})
+
+
+.. _PyPI: https://pypi.org/project/requests-hardened
+
+.. |pypi-latest-version| image:: https://img.shields.io/pypi/v/requests-hardened.svg
+  :alt: Latest Version
+  :target: `PyPI`_
+
+.. |pypi-python-versions| image:: https://img.shields.io/pypi/pyversions/requests-hardened.svg
+  :alt: Supported Python Versions
+  :target: `PyPI`_
+
+.. |pypi-implementations| image:: https://img.shields.io/pypi/implementation/requests-hardened.svg
+  :alt: Supported Implementations
+  :target: `PyPI`_
+

requests_hardened-1.0.0/README.rst

@@ -0,0 +1,144 @@
+=================
+requests-hardened
+=================
+
+|pypi-latest-version| |pypi-python-versions| |pypi-implementations|
+
+
+``requests-hardened`` is a library that overrides the default behaviors of the ``requests``
+library, and adds new security features.
+
+Installation
+============
+
+The project is available on PyPI_:
+
+.. code-block::
+
+  pip install requests-hardened
+
+Features
+========
+
+- `SSRF Filters`_: blocks private and loopback IP ranges.
+- HTTP Redirects: can be used safely alongside the SSRF filter feature.
+- `Proxy Support`_: proxies can be used in combination with SSRF Filters for a defense in depth.
+- Handy `Overrides of Defaults`_: allows to enforce secure defaults globally, such as to
+  mitigate DoS attacks.
+
+Overrides of Defaults
+---------------------
+
+This library allows to override some default values from the ``requests`` library
+that can have a security impact:
+
+- ``Config.never_redirect = False`` always reject HTTP redirects
+- ``Config.default_timeout = (2, 10)`` sets the default timeout value when no value or ``None`` is passed
+- ``Config.user_agent_override = None`` optional config to override ``User-Agent`` header. When set to ``None``, ``requests`` library will set its `default user-agent <https://github.com/psf/requests/blob/ee93fac6b2f715151f1aa9a1a06ddba9f7dcc59a/src/requests/utils.py#L886-L892>`_.
+
+SSRF Filters
+------------
+
+A SSRF IP filter can be used to reject HTTP(S) requests targeting private and loopback
+IP addresses.
+
+Settings:
+
+- ``Config.ip_filter_enable`` whether or not to filter the IP addresses
+- ``ip_filter_allow_loopback_ips`` whether or not to allow loopback IP addresses
+
+Proxy Support
+^^^^^^^^^^^^^
+
+The SSRF IP filter's behavior with proxies are as follows:
+
+- **Proxy's IP Address:** does not block private and loopback IP addresses (no filtering).
+  Instead, the filter assumes that the proxy URL is never tainted with untrusted
+  user input.
+- **Target IP Address (Tunneled HTTP Requests):** by default, the tunneled requests are
+  filtered for potential SSRF attacks.
+- **Protocols Supported:** SOCKS4, SOCKS5, HTTP, and HTTPS proxy server protocols are supported.
+
+  .. note::
+
+    We rely on the ``requests`` and ``urllib3`` thus the list may change over time.
+
+  .. warning::
+
+    For SOCKS4 and SOCKS5, you need to run ``pip install requests[socks]``
+
+Example Usage:
+
+.. code-block:: python
+
+  from requests_hardened import Config, Manager
+
+  http_manager = Manager(
+      Config(
+          default_timeout=(2, 10),
+          never_redirect=False,
+          # Enable SSRF IP filter
+          ip_filter_enable=True,
+          ip_filter_allow_loopback_ips=False,
+      )
+  )
+
+  # List of proxies
+  proxies = {
+    "https": "socks5://127.0.0.1:8888",
+    "http": "socks5://127.0.0.1:8888",
+  }
+
+  # Sends the HTTP request using the proxy
+  resp = http_manager.send_request("GET", "https://example.com", proxies=proxies)
+  print(resp)
+
+
+.. note::
+
+  For more details on using proxies with the ``requests`` library, see the `official
+  documentation <https://docs.python-requests.org/en/latest/user/advanced/#proxies>`_.
+
+
+Full Example
+============
+
+.. code-block:: python
+
+  from requests_hardened import Config, Manager
+
+  # Creates a global "manager" that can be used to create ``requests.Session``
+  # objects with hardening in place.
+  http_manager = Manager(
+      Config(
+          default_timeout=(2, 10),
+          never_redirect=False,
+          ip_filter_enable=True,
+          ip_filter_allow_loopback_ips=False,
+          user_agent_override=None
+      )
+  )
+
+  # Sends an HTTP request without re-using ``requests.Session``:
+  resp = http_manager.send_request("GET", "https://example.com")
+  print(resp)
+
+  # Sends HTTP requests with reusable ``requests.Session``:
+  with http_manager.get_session() as sess:
+      sess.request("GET", "https://example.com")
+      sess.request("POST", "https://example.com", json={"foo": "bar"})
+
+
+.. _PyPI: https://pypi.org/project/requests-hardened
+
+.. |pypi-latest-version| image:: https://img.shields.io/pypi/v/requests-hardened.svg
+  :alt: Latest Version
+  :target: `PyPI`_
+
+.. |pypi-python-versions| image:: https://img.shields.io/pypi/pyversions/requests-hardened.svg
+  :alt: Supported Python Versions
+  :target: `PyPI`_
+
+.. |pypi-implementations| image:: https://img.shields.io/pypi/implementation/requests-hardened.svg
+  :alt: Supported Implementations
+  :target: `PyPI`_

requests_hardened-1.0.0/pyproject.toml

@@ -0,0 +1,82 @@
+[build-system]
+build-backend = "poetry.core.masonry.api"
+requires = ["poetry-core>=1.5.0"]
+
+[tool.poetry]
+name = "requests-hardened"
+readme = "README.rst"
+description = "A library that overrides the default behaviors of the requests library, and adds new security features."
+authors = [
+    "Saleor Commerce <hello@saleor.io>"
+]
+license = "BSD-3-Clause"
+version = "1.0.0"
+classifiers = [
+    "Development Status :: 5 - Production/Stable",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: BSD License",
+    "Natural Language :: English",
+    "Topic :: Security",
+    "Operating System :: POSIX",
+    "Operating System :: POSIX :: BSD",
+    "Operating System :: POSIX :: Linux",
+    "Operating System :: MacOS :: MacOS X",
+    'Operating System :: Microsoft :: Windows',
+    "Programming Language :: Python",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3 :: Only",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: Implementation :: CPython",
+    "Programming Language :: Python :: Implementation :: PyPy",
+]
+
+[tool.poetry.urls]
+Homepage = "https://github.com/saleor/requests-hardened/"
+Source = "https://github.com/saleor/requests-hardened/"
+Issues = "https://github.com/saleor/requests-hardened/issues"
+Changelog = "https://github.com/saleor/requests-hardened/releases/"
+
+[tool.poetry.dependencies]
+python = ">=3.9,<4.0"
+# We require >=2.32.3 due to depending on `get_connection_with_tls_context`.
+requests = ">=2.32.3,<3.0.0"
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^7.4.0"
+mypy = "^1.5.1"
+types-requests = ">=2.32.0,<3.0.0"
+trustme = ">=1.1.0,<2.0.0"
+pytest-socket = "^0.7.0"
+pproxy = "^2.7.9"
+requests = { version = ">=2.32.3,<3.0.0" , extras = ["socks"] }
+
+[tool.setuptools]
+zip-safe = false
+packages = ["requests_hardened"]
+
+[tool.pytest.ini_options]
+# Disallow creating sockets (using 'pytest-socket' library)
+# We block sockets during tests in order to detect unexpected
+# leaks/connections being made.
+addopts = "--disable-socket"
+
+[tool.mypy]
+# Checks
+check_untyped_defs = true
+ignore_missing_imports = true
+allow_redefinition = true
+
+# Error messages
+pretty = true
+show_column_numbers = true
+show_error_codes = true
+show_error_context = true
+show_traceback = true
+
+exclude = [
+    "tests/"
+]

requests_hardened-1.0.0/requests_hardened/__init__.py

@@ -0,0 +1,3 @@
+from requests_hardened.client import HTTPSession
+from requests_hardened.config import Config
+from requests_hardened.manager import Manager

requests_hardened-1.0.0/requests_hardened/client.py

@@ -0,0 +1,51 @@
+from typing import Union, Any
+
+import requests
+from requests import Request, PreparedRequest, Response
+
+from requests_hardened.config import Config
+from requests_hardened.ip_filter_adapter import IPFilterAdapter
+
+T_TIMEOUT = Union[int, float]
+
+
+class HTTPSession(requests.Session):
+    def __init__(self, config: Config, **kwargs):
+        super().__init__(**kwargs)
+
+        if config.ip_filter_enable is True:
+            self.mount(
+                "http://",
+                IPFilterAdapter(
+                    is_https_proto=False,  # We use http:// (insecure)
+                    allow_loopback=config.ip_filter_allow_loopback_ips,
+                    tls_sni_support=config.ip_filter_tls_sni_support,
+                ),
+            )
+            self.mount(
+                "https://",
+                IPFilterAdapter(
+                    is_https_proto=True,  # We use https:// (SSL/TLS)
+                    allow_loopback=config.ip_filter_allow_loopback_ips,
+                    tls_sni_support=config.ip_filter_tls_sni_support,
+                ),
+            )
+
+        self._config = config
+
+    def send(self, request: PreparedRequest, **kwargs: Any) -> Response:
+        allow_redirects = kwargs.setdefault(
+            "allow_redirects", not self._config.never_redirect
+        )
+        if allow_redirects and self._config.never_redirect:
+            kwargs["allow_redirects"] = False
+
+        timeout = kwargs.setdefault("timeout", self._config.default_timeout)
+        if not timeout:
+            kwargs["timeout"] = self._config.default_timeout
+        return super().send(request, **kwargs)
+
+    def prepare_request(self, request: Request) -> PreparedRequest:
+        if self._config.user_agent_override is not None:
+            request.headers.update({"User-Agent": self._config.user_agent_override})
+        return super().prepare_request(request)

requests_hardened-1.0.0/requests_hardened/config.py

@@ -0,0 +1,27 @@
+import dataclasses
+from typing import Optional
+
+from requests_hardened.types import T_TIMEOUT_TUPLE
+
+
+@dataclasses.dataclass
+class Config:
+    # If ``True``, then any private and loopback IP will be rejected.
+    ip_filter_enable: bool
+
+    # If ``True``, then loopback IPs are allowed
+    # when ``ip_filter_enable`` is set to ``True``.
+    ip_filter_allow_loopback_ips: bool
+
+    # If True, then HTTP redirects are never allowed.
+    never_redirect: bool
+
+    # The default timeout value to set to all requests.
+    default_timeout: Optional[T_TIMEOUT_TUPLE]
+
+    # Override the default User-Agent header of the requests library.
+    user_agent_override: Optional[str] = None
+
+    # Whether to enable support for TLS SNI for IP filtering.
+    # Do not disable this option unless you are absolutely sure of what you are doing!
+    ip_filter_tls_sni_support: bool = True

requests_hardened-1.0.0/requests_hardened/ip_filter.py

@@ -0,0 +1,80 @@
+import ipaddress
+import logging
+import socket
+from typing import Tuple, Union
+
+import requests.exceptions
+from urllib3.util.connection import (  # type: ignore[attr-defined] # `allowed_gai_family` exists. # noqa: E501
+    allowed_gai_family,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class InvalidIPAddress(requests.RequestException):
+    pass
+
+
+def get_ip_address(
+    hostname: str, port: int, allow_loopback: bool
+) -> Tuple[Union[ipaddress.IPv4Address, ipaddress.IPv6Address], int]:
+    # Development safeguard, hostname shouldn't be surrounded by brackets
+    # when calling this function.
+    assert not hostname.startswith("[")
+
+    addresses = socket.getaddrinfo(
+        hostname, port, family=allowed_gai_family(), type=socket.SOCK_STREAM
+    )
+
+    af, socktype, proto, _canonname, socket_address = addresses[0]
+
+    if af != socket.AF_INET and af != socket.AF_INET6:
+        # This code shouldn't be reachable.
+        raise ValueError(
+            "Only AF_INET and AF_INET6 socket address families are supported"
+        )
+    port = socket_address[1]
+    ip = ipaddress.ip_address(socket_address[0])
+
+    # Python considers special IP ranges representing IPv4 addresses as being
+    # private ranges, such as ::ffff:0:0/96, ::/128.
+    # Because of that, we need to check the IPv4 address instead of the IPv6 one.
+    # https://github.com/python/cpython/commit/ed391090cc8332406e6225d40877db6ff44a7104
+    if ip.version == 6 and (ipv4 := ip.ipv4_mapped) is not None:
+        ip = ipv4
+
+    if allow_loopback and ip.is_loopback:
+        return ip, port
+    elif ip.is_private:
+        logger.warning(
+            "Forbidden IP address: %s for hostname %s",
+            ip,
+            hostname,
+            # Extra arguments may clash with logger configuration
+            # if it injects extra JSON fields, such as:
+            # https://github.com/saleor/saleor/blob/5e7c57dad9e64b09477ebdcee53f0277359bc598/saleor/core/logging.py#L13
+            # Because of that, we prefix the extra arguments in order to
+            # reduce the chance of clashing with logging configs.
+            extra={"dst_ip": ip, "dst_hostname": hostname},
+        )
+        raise InvalidIPAddress(ip)
+    return ip, port
+
+
+def filter_host(
+    hostname: str, port: int, *, allow_loopback: bool
+) -> str:
+    if not hostname:
+        raise requests.exceptions.InvalidURL("Invalid URL: missing hostname")
+
+    try:
+        ip_addr, port = get_ip_address(
+            hostname, port, allow_loopback=allow_loopback
+        )
+    except socket.gaierror as exc:
+        raise requests.ConnectionError("Failed to resolve domain") from exc
+    except socket.timeout as exc:
+        raise requests.ConnectTimeout("Failed to connect to host") from exc
+
+    ip_addr_str = str(ip_addr) if ip_addr.version != 6 else f"[{ip_addr}]"
+    return ip_addr_str

requests_hardened-1.0.0/requests_hardened/ip_filter_adapter.py

@@ -0,0 +1,76 @@
+from requests.adapters import HTTPAdapter
+from requests_hardened.ip_filter import filter_host
+
+
+class IPFilterAdapter(HTTPAdapter):
+    def __init__(
+        self,
+        is_https_proto: bool,
+        allow_loopback: bool = False,
+        tls_sni_support: bool = True,
+    ):
+        """
+        :param is_https_proto: whether it is HTTPS or insecure HTTP.
+        :param allow_loopback: whether to allow loopback IP addresses in IP filtering.
+        :param tls_sni_support: whether to add support for TLS SNI (enabled by default,
+            and shouldn't be changed unless you are certain).
+        """
+        super().__init__()
+        self._is_https_proto = is_https_proto
+        self._allow_loopback = allow_loopback
+        self._tls_sni_support = tls_sni_support
+
+    def build_connection_pool_key_attributes(self, request, verify, cert=None):
+        host_params, pool_kwargs = super().build_connection_pool_key_attributes(
+            request, verify, cert
+        )
+
+        # Copy headers before mutating them as they may be a global variable used by
+        # subsequent requests.
+        # e.g., https://github.com/lepture/authlib/blob/a7d68b4c3b8a3a7fe0b62943b5228669f2f3dfec/authlib/oauth2/client.py#L205-L206
+        if request.headers:
+            request.headers = dict(**request.headers)
+        else:
+            request.headers = {}
+
+        # Adds the original URL hostname as the 'Host' header.
+        original_host = request.headers["Host"] = host_params["host"]
+
+        # Set the original hostname for certificate validation otherwise
+        # urllib3 will try to match the pinned resolved IP address against the
+        # certificate.
+        #
+        # Note: assert_hostname and server_hostname cannot be passed
+        #       when using insecure HTTP (http://) as it's not a valid argument for
+        #       `urllib3.connectionpool.HTTPConnectionPool`.
+        if self._is_https_proto is True:
+            # For non-TLS SNI servers.
+            pool_kwargs["assert_hostname"] = original_host  # type: ignore[typeddict-unknown-key] # Valid parameter for urllib3.connectionpool.HTTPSConnectionPool
+
+            # Support TLS servers with SNI callbacks.
+            if self._tls_sni_support is True:
+                pool_kwargs["server_hostname"] = original_host  # type: ignore[typeddict-unknown-key] # Valid parameter for urllib3.connectionpool.HTTPSConnectionPool
+
+        # Override the connection hostname to the resolved IP address,
+        # and reject if it's a private IP.
+        host_params["host"] = filter_host(
+            original_host,
+            host_params["port"],
+            allow_loopback=self._allow_loopback,
+        )
+        return host_params, pool_kwargs
+
+    def get_connection(self, url, proxies=None):
+        # Note: we do not support this method due to being deprecated since May 2024.
+        #       Only `get_connection_with_tls_context` is supported by our package,
+        #       due to the deprecated `get_connection` being largely different
+        #       and is unlikely to still be used by other packages.
+        # Additional references:
+        #   - https://github.com/psf/requests/pull/6655
+        #   - https://github.com/psf/requests/pull/6710
+        #   - https://github.com/advisories/GHSA-9wx4-h78v-vm56
+        raise NotImplementedError(
+            "get_connection is not supported in requests-hardened>=v1.0.0b5\n"
+            "Upgrade your 'requests' package to >=2.32.2 and your dependencies "
+            "if they rely on `requests.adapters.HTTPAdapter.get_connection`."
+        )

requests_hardened-1.0.0/requests_hardened/manager.py

@@ -0,0 +1,21 @@
+from copy import copy
+
+from requests_hardened import HTTPSession
+from requests_hardened.config import Config
+
+
+class Manager:
+    __slots__ = ("config",)
+
+    def __init__(self, config: Config):
+        self.config = config
+
+    def clone(self):
+        return Manager(config=copy(self.config))
+
+    def get_session(self):
+        return HTTPSession(self.config)
+
+    def send_request(self, method: str, url: str, **kwargs):
+        with self.get_session() as sess:
+            return sess.request(method, url, **kwargs)

requests_hardened-1.0.0/requests_hardened/types.py

@@ -0,0 +1,5 @@
+from typing import Union, Tuple
+
+T_TIMEOUT = Union[int, float]
+T_TIMEOUT_TUPLE = Tuple[T_TIMEOUT, T_TIMEOUT]
+T_REQUESTS_TIMEOUT_ARG = Union[T_TIMEOUT, Tuple[T_TIMEOUT, T_TIMEOUT]]