security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)

author: Adam Mathes <adam@adammathes.com> 2026-02-14 09:17:56 -0800
committer: Adam Mathes <adam@adammathes.com> 2026-02-14 09:17:56 -0800
commit: cac85dc06b519d9bd6db4d017d501dffbbd8bac4 (patch)
tree: dc8024e501c0fbda6b9d28622ff2553475044487 /models/feed/feed.go
parent: ca1418fc0135d52a009ab218d6e24187fb355a3c (diff)
download: neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.tar.gz
neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.tar.bz2
neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.zip
1 files changed, 2 insertions, 6 deletions
diff --git a/models/feed/feed.go b/models/feed/feed.go
index 95e7104..800e47c 100644
--- a/models/feed/feed.go
+++ b/models/feed/feed.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"
 
+	"adammathes.com/neko/internal/safehttp"
 	"adammathes.com/neko/models"
 	"github.com/PuerkitoBio/goquery"
 )
@@ -120,12 +121,7 @@ func (f *Feed) Create() error {
 
 // Given a string `url`, return to the best guess of the feed
 func ResolveFeedURL(url string) string {
-	c := &http.Client{
-		Timeout: 10 * http.DefaultClient.Timeout,
-	}
-	if c.Timeout == 0 {
-		c.Timeout = 10 * time.Second
-	}
+	c := safehttp.NewSafeClient(10 * time.Second)
 
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
author	Adam Mathes <adam@adammathes.com>	2026-02-14 09:17:56 -0800
committer	Adam Mathes <adam@adammathes.com>	2026-02-14 09:17:56 -0800
commit	cac85dc06b519d9bd6db4d017d501dffbbd8bac4 (patch)
tree	dc8024e501c0fbda6b9d28622ff2553475044487 /models/feed/feed.go
parent	ca1418fc0135d52a009ab218d6e24187fb355a3c (diff)
download	neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.tar.gz neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.tar.bz2 neko-cac85dc06b519d9bd6db4d017d501dffbbd8bac4.zip