fix: prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr)
parent
363aa66423
commit
9329774223
|
|
@ -47,8 +47,8 @@ func DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer
|
|||
}
|
||||
}
|
||||
|
||||
hc := http.Client{}
|
||||
resp, err := hc.Do(req) // #nosec G704 -- URL is from migration provider API
|
||||
hc := utils.NewSSRFSafeHTTPClient()
|
||||
resp, err := hc.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -66,7 +66,7 @@ func DoPost(url string, form url.Values) (resp *http.Response, err error) {
|
|||
|
||||
// DoGetWithHeaders makes an HTTP GET request with custom headers
|
||||
func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Response, err error) {
|
||||
hc := http.Client{}
|
||||
hc := utils.NewSSRFSafeHTTPClient()
|
||||
|
||||
err = utils.RetryWithBackoff("HTTP GET "+urlStr, func() error {
|
||||
req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, nil)
|
||||
|
|
@ -108,7 +108,7 @@ func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Resp
|
|||
|
||||
// DoPostWithHeaders does an api request and allows to pass in arbitrary headers
|
||||
func DoPostWithHeaders(urlStr string, form url.Values, headers map[string]string) (resp *http.Response, err error) {
|
||||
hc := http.Client{}
|
||||
hc := utils.NewSSRFSafeHTTPClient()
|
||||
|
||||
err = utils.RetryWithBackoff("HTTP POST "+urlStr, func() error {
|
||||
req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodPost, urlStr, strings.NewReader(form.Encode()))
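Review bot: The new `hc := utils.NewSSRFSafeHTTPClient()` lines in DownloadFileWithHeaders, DoGetWithHeaders and DoPostWithHeaders carry no comment saying what the client enforces, and the `#nosec G704` justification removed together with the old `http.Client{}` is not replaced by anything that explains why the provider-supplied URL is now safe to fetch. A one-line comment at each call site such as `// SSRF guard: the client refuses non-routable destinations (policy: config.OutgoingRequestsAllowNonRoutableIPs)` would keep the next maintainer from swapping a plain client back in. Whether the guard is applied at dial time on the resolved address and re-applied on every redirect hop, rather than only on the initial URL, is not visible in these hunks; if it is URL-only, a redirect from the provider to an internal address would still get through, so that is worth confirming in utils. The old `http.Client{}` also had no Timeout, and if NewSSRFSafeHTTPClient does not set one, a download from a provider-controlled URL can hold the migration worker indefinitely. The bodies of all three functions continue outside the hunks.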
|
||||
|
|
|
|||
|
|
@ -36,6 +36,8 @@ func TestMain(m *testing.M) {
|
|||
|
||||
// Set default config
|
||||
config.InitDefaultConfig()
|
||||
// Allow non-routable IPs in tests so httptest.NewServer (127.0.0.1) works
|
||||
config.OutgoingRequestsAllowNonRoutableIPs.Set("true")
|
||||
|
||||
// Some tests use the file engine, so we'll need to initialize that
|
||||
files.InitTests()
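Review bot: Setting `config.OutgoingRequestsAllowNonRoutableIPs.Set("true")` in TestMain switches the SSRF guard off for the whole test binary, so no test in this package can observe that the default configuration actually rejects a non-routable target. A regression test that flips the setting back to `"false"` for its duration (restoring it afterwards) and asserts that a request through `utils.NewSSRFSafeHTTPClient()` to an httptest.NewServer address is refused would pin the behaviour this advisory fix depends on. The added comment should also make clear this is test-only scaffolding, e.g. `// Test-only: the SSRF guard is relaxed so httptest servers on 127.0.0.1 are reachable; never mirror this in a deployed config`. TestMain's body continues outside the hunk.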
|
||||
|
|
|
|||