authorAdam Mathes <adam@adammathes.com>2026-02-14 09:17:56 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 09:17:56 -0800
commitcac85dc06b519d9bd6db4d017d501dffbbd8bac4 (patch)
treedc8024e501c0fbda6b9d28622ff2553475044487 /internal/crawler/crawler.go
parentca1418fc0135d52a009ab218d6e24187fb355a3c (diff)
security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)
Diffstat (limited to 'internal/crawler/crawler.go')
-rw-r--r--internal/crawler/crawler.go11
1 files changed, 3 insertions, 8 deletions
diff --git a/internal/crawler/crawler.go b/internal/crawler/crawler.go
index 10253d8..fce2769 100644
--- a/internal/crawler/crawler.go
+++ b/internal/crawler/crawler.go
@@ -6,6 +6,7 @@ import (
"net/http"
"time"
+ "adammathes.com/neko/internal/safehttp"
"adammathes.com/neko/internal/vlog"
"adammathes.com/neko/models/feed"
"adammathes.com/neko/models/item"
@@ -58,10 +59,7 @@ func GetFeedContent(feedURL string) string {
// n := time.Duration(rand.Int63n(3))
// time.Sleep(n * time.Second)
- c := &http.Client{
- // give up after 5 seconds
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
request, err := http.NewRequest("GET", feedURL, nil)
if err != nil {
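Review bot: The SSRF guarantee at this call site now rests entirely on `safehttp.NewSafeClient`, and nothing at the call says what that client enforces. Its implementation is not part of this diff, so it is worth confirming that the destination check runs against the resolved address at connect time and on every redirect hop; if it only inspects the `feedURL` string, a hostname that resolves to an internal address or a public feed that redirects to one would still be fetched. Once verified, I would document it above the line, e.g. `// safehttp refuses non-public destinations (checked per connection, redirects included); 5s overall timeout`. The same applies to the identical replacement in `CrawlFeed`, and the repeated `5 * time.Second` could become one named constant. `GetFeedContent` continues outside the hunk.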
@@ -100,10 +98,7 @@ func GetFeedContent(feedURL string) string {
TODO: sanitize input on crawl
*/
func CrawlFeed(f *feed.Feed, ch chan<- string) {
- c := &http.Client{
- // give up after 5 seconds
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
fp := gofeed.NewParser()
fp.Client = c
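Review bot: The `TODO: sanitize input on crawl` in the doc comment above `CrawlFeed` is left unchanged, so it no longer tells a reader which part of input handling is still open. This change constrains where the crawler connects, while the body handed to gofeed is still untrusted content, as far as this hunk shows. I would reword it to something like `TODO: sanitize fetched feed content; destination filtering is handled by safehttp`. The comment block starts and the function body ends outside the hunk.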