Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

HttpClient scope analyzer #545

Open
mthjones opened this issue Apr 27, 2020 · 2 comments
Open

HttpClient scope analyzer #545

mthjones opened this issue Apr 27, 2020 · 2 comments
Labels
new analyzer

Comments

@mthjones
Copy link
Member

mthjones commented Apr 27, 2020
edited
Loading

Problem

If HttpClient is used improperly, it can lead to port exhaustion on the app server due to opening and closing ports frequently instead of reusing the ports already available. This generally happens when HttpClient is created and destroyed too frequently in a low-level function instead of being shared across multiple calls.

Analyzer

An analyzer is added to warn when an HttpClient is created within a function. This would most likely need to work on a whitelist basis to allow for proper uses, such as the creation of an HttpClient within Main.

Failure Criteria

  • HttpClient is created within a non-constructor function
  • HttpClient is used within the function
    • Filter out factory methods

Example

public async Task MakeRequest() {
    using( var client = new HttpClient() ) {
//         ^---- WARN: HttpClient scope may be too small which can lead to port exhaustion.
//                     Consider sharing this HttpClient across multiple requests.
        var response = await client.GetAsync( "http://example.com" );
        // do something
    }
}

Additional Resources
@omsmith
Copy link
Contributor

omsmith commented Apr 27, 2020

Holding onto new HttpClient() forever is also wrong without other mitigations.

Within the LMS, the correct analyzer would be to ban it altogether and tell people to use IHttpClientFactory where we can potentially do the right thing. After that, it likely matters less whether the end-user keeps it as long-held or not (though the details of that would be dependent on how the factory wants to be consumed in ths end).

@mthjones
Copy link
Member Author

Holding onto new HttpClient() forever is also wrong without other mitigations.

++. I think this is something that could be mitigated as well. (e.g. ban HttpClient field in Singleton objects or as static fields)

Within the LMS, the correct analyzer would be to ban it altogether and tell people to use IHttpClientFactory where we can potentially do the right thing. After that, it likely matters less whether the end-user keeps it as long-held or not (though the details of that would be dependent on how the factory wants to be consumed in ths end).

I agree -- that seems like the best option long-term. However, this is currently causing issues today with port exhaustion due to improper usage of the HttpClient from IHttpClientFactory (D2L, not .NET) because it doesn't do the right thing yet. If fixing that is relatively simple, then let's do that instead.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
new analyzer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mthjones @omsmith