fix: prevent SSRF via Unsplash background image download
This commit is contained in:
parent
73edbb6d46
commit
a94109e1be
@ -21,6 +21,8 @@ import (
"net/http"
"strings"
"code.vikunja.io/api/pkg/utils"
"github.com/labstack/echo/v5"
)
@ -30,7 +32,7 @@ func unsplashImage(url string, c *echo.Context) error {
if err != nil {
return err
}
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to images.unsplash.com
resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
return err
}
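Review bot: utils.NewSSRFSafeHTTPClient() is constructed on every call to unsplashImage, so whatever transport, connection pool and dial/resolve guard the helper sets up is rebuilt per request; the same pattern appears in the Provider.Set and pingbackByPhotoID hunks below. If the helper returns a client without per-call state, hoisting it once, `var unsplashClient = utils.NewSSRFSafeHTTPClient()`, and calling `resp, err := unsplashClient.Do(req)` keeps the SSRF protection while letting connections be reused. Whether that client carries a Timeout is not visible here; if it does not, the request should be built with a context deadline so a slow or stalled upstream cannot hold the handler open. The body of unsplashImage starts and ends outside the hunk, so the response-body close and status check cannot be reviewed from this view.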
@ -37,6 +37,7 @@ import (
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/modules/background"
"code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/api/pkg/utils"
"code.vikunja.io/api/pkg/web"
)
@ -260,7 +261,7 @@ func (p *Provider) Set(s *xorm.Session, image *background.Image, project *models
if err != nil {
return
}
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is from Unsplash API response
resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
return err
}
@ -372,7 +373,7 @@ func pingbackByPhotoID(photoID string) {
if err != nil {
log.Errorf("Unsplash Pingback Failed: %s", err.Error())
}
_, err = (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to views.unsplash.com
_, err = utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
log.Errorf("Unsplash Pingback Failed: %s", err.Error())
}
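Review bot: The `*http.Response` returned by the new Do line is discarded with `_`, so a successful pingback never closes its body and the connection cannot be returned to the pool; keep the response and close it, `resp, err := utils.NewSSRFSafeHTTPClient().Do(req)` followed by `if err == nil { resp.Body.Close() }`, while keeping the existing error log for the failure case. Note also that the `if err != nil` block just above only logs and falls through, so Do is still executed when building the request failed; presumably req is nil at that point, which http.Client.Do does not handle, so a `return` inside that branch would close the gap. The body of pingbackByPhotoID starts and ends outside the hunk.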