botocore icon indicating copy to clipboard operation
botocore copied to clipboard

Published 20 hours ago verified publisher icon boto

Fix unconditional key removal from `request.headers`

Open thejcannon opened this issue 2 years ago • 4 comments

This code mirrors https://github.com/boto/botocore/blob/97ba59024bdc313df6d18865f9ef233d24d60f95/botocore/auth.py#L191 and https://github.com/boto/botocore/blob/97ba59024bdc313df6d18865f9ef233d24d60f95/botocore/auth.py#L449

thejcannon avatar May 19 '23 15:05 thejcannon

Codecov Report

Patch coverage: 100.00% and project coverage change: -0.01 :warning:

Comparison is base (97ba590) 93.29% compared to head (e3430fd) 93.29%.

:exclamation: Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Additional details and impacted files 
@@             Coverage Diff             @@
##           develop    #2948      +/-   ##
===========================================
- Coverage    93.29%   93.29%   -0.01%     
===========================================
  Files           64       64              
  Lines        13588    13593       +5     
===========================================
+ Hits         12677    12681       +4     
- Misses         911      912       +1
Impacted Files Coverage Δ
botocore/auth.py 97.85% <100.00%> (+<0.01%) :arrow_up:

... and 2 files with indirect coverage changes

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Do you have feedback about the report comment? Let us know in this issue.

codecov-commenter avatar Jul 02 '23 19:07 codecov-commenter

This appears correct at first glance. Can you share how you discovered this problem? I am surprised that this code has existed for 9 years. Having some details on how to reproduce it will help find any related issues and create test coverage.

jonemo avatar Jul 03 '23 20:07 jonemo

In the linked issue (https://github.com/pantsbuild/pants/pull/19056) it is mentioned this was only an issue when using token-based auth. See if @thejcannon can fill in more details.

kaos avatar Jul 04 '23 13:07 kaos

Admittedly, my usage was using a plain dict instead of the botocore types because we're already doing a bit of monkeypatching. I wanted to reduce how much from botocore we were using.

When I hit this behavior I figured the N other places something similar is being done (delete before replacement) meant this code was just either forgotten about or came later. IIUC the behavior is likely possible? It seems like the other locations are to avoid the multiple-values-for-one-header behavior.

After this issue, I found out that botocore is using the email message header class from stdlib and just switched to that. So our specific use case is OK. I suspect there is a still a bug with multiple headers though (likely only through the programmatic API).

thejcannon avatar Jul 04 '23 13:07 thejcannon