fix: prevent SSRF via migration file attachment URLs (GHSA-g66v-54v9-52pr)

This commit is contained in:
kolaente 2026-03-23 16:12:35 +01:00 committed by kolaente
parent 363aa66423
commit 9329774223
2 changed files with 6 additions and 4 deletions


@ -47,8 +47,8 @@ func DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer
}
}
hc := http.Client{}
resp, err := hc.Do(req) // #nosec G704 -- URL is from migration provider API
hc := utils.NewSSRFSafeHTTPClient()
resp, err := hc.Do(req)
if err != nil {
return nil, err
}
@ -66,7 +66,7 @@ func DoPost(url string, form url.Values) (resp *http.Response, err error) {
// DoGetWithHeaders makes an HTTP GET request with custom headers
func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Response, err error) {
hc := http.Client{}
hc := utils.NewSSRFSafeHTTPClient()
err = utils.RetryWithBackoff("HTTP GET "+urlStr, func() error {
req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, nil)
@ -108,7 +108,7 @@ func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Resp
// DoPostWithHeaders does an api request and allows to pass in arbitrary headers
func DoPostWithHeaders(urlStr string, form url.Values, headers map[string]string) (resp *http.Response, err error) {
hc := http.Client{}
hc := utils.NewSSRFSafeHTTPClient()
err = utils.RetryWithBackoff("HTTP POST "+urlStr, func() error {
req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodPost, urlStr, strings.NewReader(form.Encode()))
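Review bot: Swapping `http.Client{}` for `utils.NewSSRFSafeHTTPClient()` in `DownloadFileWithHeaders`, `DoGetWithHeaders` and `DoPostWithHeaders` only closes the hole if the helper enforces the non-routable-IP check at dial time (e.g. a `net.Dialer.Control` hook on the transport) rather than on the parsed URL, because `http.Client` follows 3xx redirects by default and a hostname can resolve to a private address after any pre-check (DNS rebinding); the helper is not visible here, so that is worth confirming. None of the three call sites sets a timeout on the client either, so a migration provider that stalls can tie up a worker indefinitely; if `NewSSRFSafeHTTPClient()` does not set one, add `hc.Timeout = …` (or rely on a deadline in the request context instead of `context.Background()`). The second hunk's header names `DoPost`, which is not shown being converted; any remaining bare `http.Client{}` in this file (`DoPost`, a plain `DoGet`) would still reach internal addresses. The rendered hunks show fewer lines than their `@@` headers declare, so each hunk's tail is cut off in this view.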


@ -36,6 +36,8 @@ func TestMain(m *testing.M) {
// Set default config
config.InitDefaultConfig()
// Allow non-routable IPs in tests so httptest.NewServer (127.0.0.1) works
config.OutgoingRequestsAllowNonRoutableIPs.Set("true")
// Some tests use the file engine, so we'll need to initialize that
files.InitTests()