From cac85dc06b519d9bd6db4d017d501dffbbd8bac4 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 09:17:56 -0800
Subject: security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)
---
 internal/crawler/crawler.go | 11 +++-------
 1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'internal/crawler')
diff --git a/internal/crawler/crawler.go b/internal/crawler/crawler.go
index 10253d8..fce2769 100644
--- a/internal/crawler/crawler.go
+++ b/internal/crawler/crawler.go
@@ -6,6 +6,7 @@ import (
 "net/http"
 "time"
+ "adammathes.com/neko/internal/safehttp"
 "adammathes.com/neko/internal/vlog"
 "adammathes.com/neko/models/feed"
 "adammathes.com/neko/models/item"
@@ -58,10 +59,7 @@ func GetFeedContent(feedURL string) string {
 // n := time.Duration(rand.Int63n(3))
 // time.Sleep(n * time.Second)
- c := &http.Client{
- // give up after 5 seconds
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
 request, err := http.NewRequest("GET", feedURL, nil)
 if err != nil {
@@ -100,10 +98,7 @@ func GetFeedContent(feedURL string) string {
 TODO: sanitize input on crawl
 */
 func CrawlFeed(f *feed.Feed, ch chan<- string) {
- c := &http.Client{
- // give up after 5 seconds
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
 fp := gofeed.NewParser()
 fp.Client = c
-- 
cgit v1.2.3
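Review bot: The SSRF mitigation in both hunks of crawler.go now rests entirely on what safehttp.NewSafeClient does, and nothing visible here shows that it re-validates the destination on redirects or at dial time; if it only checks the initial feedURL, a feed that 302s to a loopback or link-local address still reaches the transport, so the client should enforce the same destination check in CheckRedirect and ideally in a custom DialContext (which also covers DNS-rebinding), which I cannot confirm from this diff. The second hunk (CrawlFeed, where the client is handed to gofeed via fp.Client = c) carries the same dependency, and the older "TODO: sanitize input on crawl" comment just above it is left in place, so it is unclear whether the author considers it resolved. The replaced lines lose the only comment explaining the timeout; a short comment on the new line would keep the intent readable: `// safehttp client: blocks private/loopback destinations (SSRF) and gives up after 5 seconds`. GetFeedContent's and CrawlFeed's bodies continue outside the hunks.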