From a94109e1beab683277fb1524514fcd7368cd071d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 16:13:25 +0100
Subject: [PATCH] fix: prevent SSRF via Unsplash background image download

---
 pkg/modules/background/unsplash/proxy.go | 4 +++-
 pkg/modules/background/unsplash/unsplash.go | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/pkg/modules/background/unsplash/proxy.go b/pkg/modules/background/unsplash/proxy.go
index cd55d9893..8f36e961f 100644
--- a/pkg/modules/background/unsplash/proxy.go
+++ b/pkg/modules/background/unsplash/proxy.go
@@ -21,6 +21,8 @@ import (
 	"net/http"
 	"strings"
 
+	"code.vikunja.io/api/pkg/utils"
+
 	"github.com/labstack/echo/v5"
 )
 
@@ -30,7 +32,7 @@ func unsplashImage(url string, c *echo.Context) error {
 	if err != nil {
 		return err
 	}
-	resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to images.unsplash.com
+	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
 	if err != nil {
 		return err
 	}
diff --git a/pkg/modules/background/unsplash/unsplash.go b/pkg/modules/background/unsplash/unsplash.go
index fc4d38408..cbf688e02 100644
--- a/pkg/modules/background/unsplash/unsplash.go
+++ b/pkg/modules/background/unsplash/unsplash.go
@@ -37,6 +37,7 @@ import (
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/modules/background"
 	"code.vikunja.io/api/pkg/modules/keyvalue"
+	"code.vikunja.io/api/pkg/utils"
 	"code.vikunja.io/api/pkg/web"
 )
 
@@ -260,7 +261,7 @@ func (p *Provider) Set(s *xorm.Session, image *background.Image, project *models
 	if err != nil {
 		return
 	}
-	resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is from Unsplash API response
+	resp, err := utils.NewSSRFSafeHTTPClient().Do(req)
 	if err != nil {
 		return err
 	}
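Review bot: In the `unsplashImage` hunk the SSRF-safe client is now the only control between the caller-supplied `url` parameter and the outbound request, so the request construction above this hunk should also pin the expected host as defence in depth, e.g. `if !strings.HasPrefix(url, "https://images.unsplash.com/") { return echo.ErrNotFound }` before `http.NewRequest` (`strings` is already imported). The removed `#nosec` note claimed the URL was hardcoded to images.unsplash.com while the commit subject says an SSRF was reachable, which is exactly why a function-local allowlist is worth keeping alongside the generic address filter. It is also worth confirming that `utils.NewSSRFSafeHTTPClient` validates the resolved address at dial time and on every redirect hop, and sets a timeout, since `http.Client` follows redirects by default and the helper is not visible in this diff. `unsplashImage` begins and ends outside the hunk.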
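Review bot: The `Set` hunk builds a fresh client on every call (as do the other two call sites in this patch), which discards the transport's connection pool and any DNS-cache state each time; if `utils.NewSSRFSafeHTTPClient` returns a client that is safe for concurrent use, hoist it once to a package-level `var unsplashHTTPClient = utils.NewSSRFSafeHTTPClient()` and share it. The removed `#nosec` note says this URL comes from the Unsplash API response, and an internal-address filter only stops requests to private ranges, not requests to whichever external host that response names; checking the parsed host against `images.unsplash.com` before issuing the request keeps the trust boundary explicit. `Set` starts and ends outside this hunk, so where `req` is built is not visible here.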
@@ -372,7 +373,7 @@ func pingbackByPhotoID(photoID string) {
 	if err != nil {
 		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 	}
-	_, err = (&http.Client{}).Do(req) // #nosec G704 -- URL is hardcoded to views.unsplash.com
+	_, err = utils.NewSSRFSafeHTTPClient().Do(req)
 	if err != nil {
 		log.Errorf("Unsplash Pingback Failed: %s", err.Error())
 	}
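Review bot: The first error branch in this hunk logs and then falls through, so the new `utils.NewSSRFSafeHTTPClient().Do(req)` line is reached even when building the request failed; if `req` comes from `http.NewRequest` above the hunk it is nil at that point and `Do` dereferences it, so add `return` after the first `log.Errorf`. The response is also discarded with `_`, which leaks the body and its connection; bind it as `resp, err := utils.NewSSRFSafeHTTPClient().Do(req)` and, after the error check, `_ = resp.Body.Close()` (draining with `io.Copy(io.Discard, resp.Body)` first would allow connection reuse, but `io` is not among the imports shown). `pingbackByPhotoID` starts and ends outside the hunk.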