elliottt requested fitzgen for a review on PR #7383.
elliottt requested wasmtime-core-reviewers for a review on PR #7383.
elliottt opened PR #7383 from elliottt:trevor/fallible-fields-operations
to bytecodealliance:main
:
Add the ability to return errors when calls to
fields.set
orfields.append
contain headers that are forbidden, and add the validation functions toWasiHttpView
for extensibility. This change also necessitates tracking the intended use offields
values, implicitly set when thefields
is constructed from anincoming-request
orincoming-response
, or explicitly set when usingfields.constructor
.
elliottt edited PR #7383:
Add the ability to return errors when calls to
fields.set
orfields.append
contain headers that are forbidden, and add the validation functions toWasiHttpView
for extensibility. This change also necessitates tracking the intended use offields
values, implicitly set when thefields
is constructed from anincoming-request
orincoming-response
, or explicitly set when usingfields.constructor
.Fixes #7270
elliottt requested pchickey for a review on PR #7383.
elliottt submitted PR review.
elliottt created PR review comment:
I don't like this trap when the fields provided aren't meant for a request. This pushes me towards thinking that we shouldn't use a
constructor
here, but instead a static method for making a request that can fail.
elliottt created PR review comment:
I'd appreciate some input on what a good default set of forbidden headers is for requests and responses.
elliottt submitted PR review.
elliottt updated PR #7383.
elliottt submitted PR review.
elliottt created PR review comment:
Would it be useful to add the
HeaderMap
that's being added to as an argument here as well?
elliottt updated PR #7383.
elliottt updated PR #7383.
elliottt edited PR #7383:
This PR includes two approaches to handling fallible
fields
methods. Both make the return values offields.set
andfields.append
fallible, though they differ in what they consider errors to report at that point.
- Adds the ability to return errors when calls to
fields.set
orfields.append
contain headers that are forbidden, and add the validation functions toWasiHttpView
for extensibility. This change also necessitates tracking the intended use offields
values, implicitly set when thefields
is constructed from anincoming-request
orincoming-response
, or explicitly set when usingfields.constructor
.- Rejects malformed header names in
fields.set
andfields.append
, but allows forbidden headers at that point. Instead of plumbing through the intended ultimate use in thefields
type, validation of forbidden headers is done in the consumer of theoutbound-response
oroutbound-request
values (response-outparam.set
or theoutgoing-handler.handle
functions).The last commit implements approach 2, and approach 1 can be seen by reverting it.
Fixes #7270
elliottt updated PR #7383.
lukewagner submitted PR review.
lukewagner created PR review comment:
I think in the case of header errors, the set of failure reasons is disjoint from all the other places that produce
error
s, which I think makes it worth having a separate variant just for header errors such as:variant header-error { invalid-syntax, forbidden }
(I know we don't usually maximally-specialize error variants, but it seems like in cases where they're fully disjoint like this, it's worthwhile.)
lukewagner submitted PR review.
lukewagner created PR review comment:
If we reject invalid headers eagerly, then I think there shouldn't be any error possible here. In particular, the
set
operation shouldn't be describing the actual sending of the response over the network (that kind of error would be reflecting in the streaming operations for writing to and finishing the response body); this operation should be the equivalent of*outparam = result;
. Or am I missing something else that can happen here?
lukewagner submitted PR review.
lukewagner created PR review comment:
Note also that if we expand the WASI HTTP spec to distinguish "definitely-forbidden" headers (listed by the WASI HTTP spec) and "host-forbidden" headers (that's purely up to the current running host), we'd probably split
forbidden
into two cases to reflect the difference.
elliottt submitted PR review.
elliottt created PR review comment:
I like that specific error type more than extending the more general
error
variant, thanks! I'm not sure about differentiating between definitely forbidden and host forbidden though: what would a guest do differently if it knew the difference between definitely forbidden and host forbidden?
elliottt updated PR #7383.
elliottt submitted PR review.
elliottt created PR review comment:
Good point. Switching to having forbidden headers rejected at
fields.set
andfields.append
removes the need to allow validation here.
elliottt updated PR #7383.
elliottt edited PR #7383:
This PR makes the
fields.set
andfields.append
methods fallible, and introduces a new error type for describing the ways in which those operations can fail. Additionally it adds a notion of forbidden headers, which will always include the following:
- Connection
- Keep-Alive
- Proxy-Authenticate
- Proxy-Authorization
- Proxy-Connection
- TE
- Transfer-Encoding
- Upgrade
- HTTP2-Settings
There's an embedder-defined hook for adding additional header name validation, but that underlying set of headers can't be altered.
Fixes #7270
elliottt updated PR #7383.
elliottt updated PR #7383.
elliottt updated PR #7383.
elliottt updated PR #7383.
elliottt updated PR #7383.
lukewagner created PR review comment:
unexpected-error(string)
lukewagner submitted PR review.
elliottt updated PR #7383.
elliottt updated PR #7383.
pchickey submitted PR review:
Looks great overall - rather than trap in the fields constructor, lets make the constructor create an empty set of fields, and have a static function that takes the list<tuple<...>> repr and returns result<fields, header-error>
elliottt updated PR #7383.
elliottt updated PR #7383.
elliottt updated PR #7383.
alexcrichton merged PR #7383.
Last updated: Dec 23 2024 at 12:05 UTC