Description and context
In client/cmd/flags.go, several helper functions, such as getValidatorByEVMAddr and getSelfDelegation, use http.NewRequestWithContext to associate HTTP calls with a parent context.
However, these requests are executed using http.DefaultClient.Do, which lacks a configured timeout. This design flaw means that even if the parent context is cancelled or lacks a deadline, the underlying HTTP request may block indefinitely. In the context of long-lived CLI tools or daemons, such unbounded blocking can lead to resource exhaustion, including leaked goroutines and file descriptors.
Suggested solution
We recommend replacing http.DefaultClient with a custom http.Client instance that has a reasonable Timeout value set.
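The following added example is not taken from the audited code base. It shows a client with a Timeout returning from a stalled endpoint even when the context carries no deadline. The names fetch and probeStalled, the 1 MiB body limit and the durations are assumptions chosen for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetch is a hypothetical stand-in for helpers such as getSelfDelegation:
// the request carries ctx, and the client is injected instead of http.DefaultClient.
func fetch(ctx context.Context, c *http.Client, url string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return nil, err
	}
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the body size too
}

// probeStalled starts a constructed local server that delays its reply by stall,
// calls fetch with a deadline-free context and a client whose Timeout bounds the
// whole exchange, and reports whether the call ended in a timeout and how long it took.
func probeStalled(timeout, stall time.Duration) (timedOut bool, elapsed time.Duration) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(stall): // simulate an unresponsive endpoint
		case <-r.Context().Done(): // client gave up and closed the connection
		}
	}))
	defer srv.Close()

	start := time.Now()
	_, err := fetch(context.Background(), &http.Client{Timeout: timeout}, srv.URL)
	var nerr net.Error
	return errors.As(err, &nerr) && nerr.Timeout(), time.Since(start)
}

func main() {
	timedOut, elapsed := probeStalled(200*time.Millisecond, 5*time.Second)
	fmt.Printf("timed out: %v after %v\n", timedOut, elapsed.Round(10*time.Millisecond))
}
```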