diff --git a/pkg/modules/migration/helpers.go b/pkg/modules/migration/helpers.go
index 5519089de..40d18ca0a 100644
--- a/pkg/modules/migration/helpers.go
+++ b/pkg/modules/migration/helpers.go
@@ -47,8 +47,8 @@ func DownloadFileWithHeaders(url string, headers http.Header) (buf *bytes.Buffer
 }
 }
- hc := http.Client{}
- resp, err := hc.Do(req) // #nosec G704 -- URL is from migration provider API
+ hc := utils.NewSSRFSafeHTTPClient()
+ resp, err := hc.Do(req)
 if err != nil {
 return nil, err
 }
@@ -66,7 +66,7 @@ func DoPost(url string, form url.Values) (resp *http.Response, err error) {
 // DoGetWithHeaders makes an HTTP GET request with custom headers
 func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Response, err error) {
- hc := http.Client{}
+ hc := utils.NewSSRFSafeHTTPClient()
 err = utils.RetryWithBackoff("HTTP GET "+urlStr, func() error {
 req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodGet, urlStr, nil)
@@ -108,7 +108,7 @@ func DoGetWithHeaders(urlStr string, headers map[string]string) (resp *http.Resp
 // DoPostWithHeaders does an api request and allows to pass in arbitrary headers
 func DoPostWithHeaders(urlStr string, form url.Values, headers map[string]string) (resp *http.Response, err error) {
- hc := http.Client{}
+ hc := utils.NewSSRFSafeHTTPClient()
 err = utils.RetryWithBackoff("HTTP POST "+urlStr, func() error {
 req, reqErr := http.NewRequestWithContext(context.Background(), http.MethodPost, urlStr, strings.NewReader(form.Encode()))
diff --git a/pkg/modules/migration/main_test.go b/pkg/modules/migration/main_test.go
index a9a671357..d4fcbd3f2 100644
--- a/pkg/modules/migration/main_test.go
+++ b/pkg/modules/migration/main_test.go
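Review bot: In DownloadFileWithHeaders the removed `#nosec` comment was the only record of where the URL comes from, and the new `hc := utils.NewSSRFSafeHTTPClient()` line has no comment saying why the guarded client is required. I would add `// The URL comes from a migration provider's API response and is not trusted, so the SSRF-safe client is required here.` above it, and the same on the `hc` lines in DoGetWithHeaders and DoPostWithHeaders, so a later refactor does not swap a plain `http.Client{}` back in. The helper's definition is not part of this diff, so it is worth confirming that it checks the resolved address at connect time and on every redirect hop, and that it sets a timeout, which the old `http.Client{}` did not. The function body starts and ends outside the hunk.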
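Review bot: In DoGetWithHeaders the guarded client is called inside `utils.RetryWithBackoff`, so a destination refused by the SSRF guard may be retried with backoff although it can never succeed; DoPostWithHeaders in the following hunk has the same shape. The closure body lies outside the hunk, so this is inferred: if every error from `hc.Do` is returned as retryable, the guard's rejection should be recognised and returned without a retry. Logging it as a blocked outgoing request rather than a transient failure would also make probing through a migration source visible to operators.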
@@ -36,6 +36,8 @@ func TestMain(m *testing.M) {
 // Set default config
 config.InitDefaultConfig()
+ // Allow non-routable IPs in tests so httptest.NewServer (127.0.0.1) works
+ config.OutgoingRequestsAllowNonRoutableIPs.Set("true")
 // Some tests use the file engine, so we'll need to initialize that
 files.InitTests()
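Review bot: Setting `config.OutgoingRequestsAllowNonRoutableIPs` to `"true"` in TestMain turns the guard off for every test in the package, so no test here would fail if one of the helpers went back to a plain `http.Client{}`. I would add one test that sets the option to `"false"`, points DownloadFileWithHeaders or DoGetWithHeaders at an `httptest.NewServer` URL, asserts that an error is returned, and restores the previous value afterwards. TestMain continues outside the hunk.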