From 73edbb6d467bb1c01f928568c6f28f3d5eabe807 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:12:57 +0100
Subject: [PATCH] fix: prevent SSRF via Microsoft Todo migration pagination links
---
 pkg/modules/migration/microsoft-todo/microsoft_todo.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/modules/migration/microsoft-todo/microsoft_todo.go b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
index aa31cf3c8..0e04e4865 100644
--- a/pkg/modules/migration/microsoft-todo/microsoft_todo.go
+++ b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
@@ -31,6 +31,7 @@ import (
 "code.vikunja.io/api/pkg/models"
 "code.vikunja.io/api/pkg/modules/migration"
 "code.vikunja.io/api/pkg/user"
+ "code.vikunja.io/api/pkg/utils"
 )
 const apiScopes = `tasks.read tasks.read.shared`
@@ -187,7 +188,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
 }
 req.Header.Set("Authorization", "Bearer "+token)
- resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
+ resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
 if err != nil {
 return err
 }
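Review bot: The `Authorization` header is still attached before anything checks where the request URL points, so the switch to `utils.NewSSRFSafeHTTPClient()` on the `resp, err :=` line of the second hunk narrows which addresses can be reached (judging by the helper's name; its implementation is not visible here) but would not keep the bearer token from being sent to an arbitrary public host if a pagination link can supply the full URL. Consider pinning the destination before the token is set, for example `if req.URL.Hostname() != expectedGraphHost { return errors.New("unexpected host in migration URL") }`, where `expectedGraphHost` is a placeholder for the host of the hardcoded API prefix. The removed `#nosec` comment was the only rationale on this line; a short replacement such as `// pagination links come from the API response, so the URL is not fully under our control` would keep the reason for the safe client visible. The body of makeAuthenticatedGetRequest starts and ends outside the hunk, so how `urlPart` becomes the request URL could not be checked.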