diff --git a/pkg/modules/background/unsplash/proxy.go b/pkg/modules/background/unsplash/proxy.go
index cd55d9893..8f36e961f 100644
--- a/pkg/modules/background/unsplash/proxy.go
+++ b/pkg/modules/background/unsplash/proxy.go
@@ -21,6 +21,8 @@ import (
 "net/http"
 "strings"
+ "code.vikunja.io/api/pkg/utils"
+
 "github.com/labstack/echo/v5"
 )
@@ -30,7 +32,7 @@ func unsplashImage(url string, c *echo.Context) error {
 if err != nil {
 return err
 }
- resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to images.unsplash.com
+ resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
 if err != nil {
 return err
 }
diff --git a/pkg/modules/background/unsplash/unsplash.go b/pkg/modules/background/unsplash/unsplash.go
index fc4d38408..cbf688e02 100644
--- a/pkg/modules/background/unsplash/unsplash.go
+++ b/pkg/modules/background/unsplash/unsplash.go
@@ -37,6 +37,7 @@ import (
 "code.vikunja.io/api/pkg/models"
 "code.vikunja.io/api/pkg/modules/background"
 "code.vikunja.io/api/pkg/modules/keyvalue"
+ "code.vikunja.io/api/pkg/utils"
 "code.vikunja.io/api/pkg/web"
 )
@@ -260,7 +261,7 @@ func (p *Provider) Set(s *xorm.Session, image *background.Image, project *models
 if err != nil {
 return
 }
- resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is from Unsplash API response
+ resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
 if err != nil {
 return err
 }
@@ -372,7 +373,7 @@ func pingbackByPhotoID(photoID string) {
 if err != nil {
 log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 }
- _, err = (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to views.unsplash.com
+ _, err = utils.NewSSRFSafeHTTPClient().Do(req)
 if err != nil {
 log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 }
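Review bot: In `unsplashImage` (proxy.go) the new line builds a client with `utils.NewSSRFSafeHTTPClient()` on every call, and the same pattern repeats in `Provider.Set` and `pingbackByPhotoID` in unsplash.go. The helper is not part of this diff; if it allocates its own `http.Transport`, each call opens a fresh connection and leaves its idle pool behind, so sharing one instance, e.g. `var httpClient = utils.NewSSRFSafeHTTPClient()` at package level, would be cheaper and leaves a single place to audit. Since the three `#nosec G704` rationales are removed, the call sites now depend entirely on that helper, so it is worth confirming that it sets a timeout and applies its destination checks at dial time and on redirects rather than only to the initial URL. The body of `unsplashImage` starts and ends outside the hunk.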
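Review bot: The replaced line in `Provider.Set` fetches a URL that, per the removed comment, comes from the Unsplash API response, and nothing visible in the hunk restricts its scheme or host. Presumably the SSRF-safe client only rejects internal destinations, so any public host named in that response would still be fetched; checking before the request is built that the URL is `https` and its host is an expected Unsplash domain would narrow this. I would also keep a short rationale in place of the dropped `#nosec` comment, e.g. `// URL comes from the Unsplash API response; fetched through the SSRF-guarded client`. The function begins and ends outside the hunk, so an existing check above would make the first point moot.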
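Review bot: The new call in `pingbackByPhotoID` still discards the response (`_, err = ...Do(req)`), so the body is never closed and the underlying connection cannot be released or reused. Capture it and close it once the error check has passed: `resp, err := utils.NewSSRFSafeHTTPClient().Do(req)`, add `return` inside the `if err != nil` branch, then `_ = resp.Body.Close()`. The context lines above also log a request-construction error without returning, so a nil `req` would reach `Do`; a `return` there would close that gap. The function starts and ends outside the hunk.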