From 363aa6642352b08fc8bc6aaff2f3a550393af1cf Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:10:38 +0100
Subject: [PATCH] fix: prevent SSRF via OpenID Connect avatar download (GHSA-g9xj-752q-xh63)
---
 pkg/utils/avatar.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/utils/avatar.go b/pkg/utils/avatar.go
index b5c7ad296..75fae20be 100644
--- a/pkg/utils/avatar.go
+++ b/pkg/utils/avatar.go
@@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) {
 return nil, fmt.Errorf("failed to create HTTP request: %w", err)
 }
- resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim
+ resp, err := NewSSRFSafeHTTPClient().Do(req)
 if err != nil {
 return nil, fmt.Errorf("failed to download image: %w", err)
 }
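Review bot: The whole SSRF fix rests on `NewSSRFSafeHTTPClient`, whose implementation is not in this patch (the diffstat lists only avatar.go), so the point to verify is that it validates the resolved destination address at dial time (e.g. in the dialer's `Control` hook) rather than only pre-checking the hostname in the URL. A URL-level check alone is bypassable by DNS rebinding and by a redirect from the provider's picture URL to an internal address, so the client also needs a `CheckRedirect` that re-applies the check or refuses redirects. Independently of SSRF, the body read that follows this hunk does not appear to be bounded; since the picture URL is attacker-influenced (a malicious or compromised OIDC provider), cap it with something like `body, err := io.ReadAll(io.LimitReader(resp.Body, maxAvatarBytes))` and confirm the client sets a `Timeout`, which the original `&http.Client{}` did not. `NewSSRFSafeHTTPClient()` is also called per request; if it allocates a fresh `http.Transport` each time, hoisting one instance to package scope avoids accumulating idle connections. DownloadImage starts and ends outside the hunk.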