fix: prevent SSRF via Unsplash background image download

kolaente 2026-03-23 16:13:25 +01:00 committed by kolaente
parent 73edbb6d46
commit a94109e1be
2 changed files with 6 additions and 3 deletions


@ -21,6 +21,8 @@ import (
"net/http"
"strings"
"code.vikunja.io/api/pkg/utils"
"github.com/labstack/echo/v5"
)
@ -30,7 +32,7 @@ func unsplashImage(url string, c *echo.Context) error {
if err != nil {
return err
}
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to images.unsplash.com
resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
return err
}
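Review bot: The protection added on the last changed line rests entirely on what `utils.NewSSRFSafeHTTPClient` enforces, and that is not visible in this diff; a client that only validates the request host before dialing still follows redirects (`http.Client` follows up to 10 hops by default) and remains exposed to DNS rebinding unless the check runs on the resolved address inside the dialer's `Control` hook and is repeated in `CheckRedirect`. That is worth confirming in `utils`, and a short comment at the call site would spare the next reader the lookup, e.g. `// SSRF-safe client: destination and redirect targets are validated in utils.NewSSRFSafeHTTPClient`. The same point applies to the `Set` and `pingbackByPhotoID` hunks in the second file. Each call also constructs a fresh client; if that allocates a new `http.Transport` per call, idle connections are never reused, so a package-level client (or one created once in `utils`) would be preferable. `unsplashImage` continues past the end of this hunk, so the handling of `resp.Body` is not reviewable here.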


@ -37,6 +37,7 @@ import (
"code.vikunja.io/api/pkg/models"
"code.vikunja.io/api/pkg/modules/background"
"code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/api/pkg/utils"
"code.vikunja.io/api/pkg/web"
)
@ -260,7 +261,7 @@ func (p *Provider) Set(s *xorm.Session, image *background.Image, project *models
if err != nil {
return
}
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is from Unsplash API response
resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
return err
}
@ -372,7 +373,7 @@ func pingbackByPhotoID(photoID string) {
if err != nil {
log.Errorf("Unsplash Pingback Failed: %s", err.Error())
}
_, err = (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to views.unsplash.com
_, err = utils.NewSSRFSafeHTTPClient().Do(req)
if err != nil {
log.Errorf("Unsplash Pingback Failed: %s", err.Error())
}
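Review bot: In `pingbackByPhotoID` the `*http.Response` returned by the new `Do` call is discarded with `_`, so on success its body is never closed and the connection cannot be returned to the transport's pool; a non-nil response needs `resp.Body.Close()`. The preceding `if err != nil` block only logs and falls through, so when the request could not be built (presumably from `http.NewRequest`, which is outside the hunk) a nil `req` still reaches `Do`; it should return after logging. Both are pre-existing, but the commit touches exactly these lines, so they are cheap to fix here. The `Set` hunk's `resp` is consumed past the end of its hunk, so its body handling is not reviewable in this diff.

```go
	if err != nil {
		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
		return
	}
	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
	if err != nil {
		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
		return
	}
	// The pingback response carries nothing we use; close it so the
	// transport can reuse the connection.
	_ = resp.Body.Close()
```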