Audit ureq

Question

Audit ureq

Shnatsel opened this issue 5 years ago · comments

Sergey "Shnatsel" Davidoff commented 5 years ago

ureq is a minimal HTTP request library that has a small dependency tree with minimal amounts of unsafe in it (aside of smallvec).

Unlike the more complex solutions, it is a good candidate for an Actually Secure™ HTTP client. It also survived the test of downloading the frontpages of the top million websites without crashes or hangs - while reqwest and even curl failed.

Right now ureq has 3 unsafe blocks of its own.

Sergey "Shnatsel" Davidoff · Answer 1 · Thu Jan 23 2020 07:03:55 GMT+0800 (China Standard Time)

PR removing the last of unsafe code is open:
algesten/ureq#31

Lokathor · Answer 2 · Thu Jan 23 2020 07:15:47 GMT+0800 (China Standard Time)

Is this a tinyvec canidate?

Sergey "Shnatsel" Davidoff · Answer 3 · Thu Jan 23 2020 21:49:13 GMT+0800 (China Standard Time)

It has a transitive dependency on smallvec via unicode-normalization. So it is, but indirectly.

Thomas B · Answer 4 · Thu Jan 30 2020 23:36:09 GMT+0800 (China Standard Time)

There has even been a benchmark for transition to tinyvec:
https://pastebin.com/zJnMAGrk

Source: https://medium.com/@shnatsel/smoke-testing-rust-http-clients-b8f2ee5db4e6

Waldir Pimenta · Answer 5 · Tue Jun 16 2020 16:25:55 GMT+0800 (China Standard Time)

@Shnatsel algesten/ureq#31 has been fixed via algesten/ureq#68! 🎉