fix: prevent SSRF via Microsoft Todo migration pagination links

kolaente 2026-03-23 16:12:57 +01:00 committed by kolaente
parent 9329774223
commit 73edbb6d46
1 changed files with 2 additions and 1 deletions


@ -31,6 +31,7 @@ import (
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/modules/migration"
"code.vikunja.io/api/pkg/user"
"code.vikunja.io/api/pkg/utils"
)
const apiScopes = `tasks.read tasks.read.shared`
@ -187,7 +188,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
}
req.Header.Set("Authorization", "Bearer "+token)
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
return err
}
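Review bot: The bearer token is still attached by `req.Header.Set("Authorization", "Bearer "+token)` before the new `utils.NewSSRFSafeHTTPClient().Do(req)` call, so the token goes to whatever host the URL names. If that client only rejects internal or private destinations (its implementation is not shown here), a pagination link pointing at an external host would still receive the user's Microsoft token. Going by the commit title, the removed `#nosec` comment's assumption of a hardcoded prefix does not hold for pagination links, so I would add an allow-list check before the header is set, e.g. `if req.URL.Scheme != "https" || req.URL.Host != expectedAPIHost { return errUnexpectedHost }`, where `expectedAPIHost` and `errUnexpectedHost` are placeholder names for the host of the hardcoded API prefix and an error value. It is also worth confirming that the helper applies its checks to redirect targets and at connect time, not only to the initial URL. `makeAuthenticatedGetRequest` begins and continues outside this hunk, so how `req` is built from `urlPart` is not visible here.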