| author | Adam Mathes <adam@adammathes.com> | 2026-02-14 09:17:56 -0800 |
|---|---|---|
| committer | Adam Mathes <adam@adammathes.com> | 2026-02-14 09:17:56 -0800 |
| commit | cac85dc06b519d9bd6db4d017d501dffbbd8bac4 (patch) | |
| tree | dc8024e501c0fbda6b9d28622ff2553475044487 /web | |
| parent | ca1418fc0135d52a009ab218d6e24187fb355a3c (diff) | |
security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)
Diffstat (limited to 'web')
| -rw-r--r-- | web/web.go | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -20,6 +20,7 @@ import (
 "adammathes.com/neko/api"
 "adammathes.com/neko/config"
+ "adammathes.com/neko/internal/safehttp"
 "golang.org/x/crypto/bcrypt"
 )
@@ -74,9 +75,7 @@ func imageProxyHandler(w http.ResponseWriter, r *http.Request) {
 }
 // grab the img
- c := &http.Client{
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
 request, err := http.NewRequest("GET", string(decodedURL), nil)
 if err != nil { |
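Review bot: The SSRF protection in imageProxyHandler now rests entirely on `safehttp.NewSafeClient`, and nothing at the call site says what it guarantees; `string(decodedURL)` still goes to `http.NewRequest` unchecked. The safehttp package is outside this web-only diff, so it should be confirmed that the destination check runs on the resolved address at connect time and is applied again on each redirect, since a hostname-only check before the request would presumably miss redirects and re-resolution. Once confirmed, a comment above the client would record it, e.g. `// safehttp client refuses loopback, private and link-local destinations, including on redirects`. A handler test that requests a proxied loopback URL and expects a rejection would keep the fix from regressing. The handler body starts and ends outside the hunk.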
