From cac85dc06b519d9bd6db4d017d501dffbbd8bac4 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 09:17:56 -0800
Subject: security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)
---
 models/feed/feed.go | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
(limited to 'models')
diff --git a/models/feed/feed.go b/models/feed/feed.go
index 95e7104..800e47c 100644
--- a/models/feed/feed.go
+++ b/models/feed/feed.go
@@ -6,6 +6,7 @@ import (
 "strings"
 "time"
 
+ "adammathes.com/neko/internal/safehttp"
 "adammathes.com/neko/models"
 "github.com/PuerkitoBio/goquery"
 )
@@ -120,12 +121,7 @@ func (f *Feed) Create() error {
 
 // Given a string `url`, return to the best guess of the feed
 func ResolveFeedURL(url string) string {
- c := &http.Client{
- Timeout: 10 * http.DefaultClient.Timeout,
- }
- if c.Timeout == 0 {
- c.Timeout = 10 * time.Second
- }
+ c := safehttp.NewSafeClient(10 * time.Second)
 
 req, err := http.NewRequest("GET", url, nil)
 if err != nil {
-- 
cgit v1.2.3
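Review bot: The added `c := safehttp.NewSafeClient(10 * time.Second)` line in ResolveFeedURL has no comment saying why a plain `http.Client` must not be used here, so a later cleanup could quietly undo the SSRF mitigation. I would put `// url comes from the caller; always fetch through safehttp (SSRF guard), never a plain http.Client` directly above it. The implementation of `NewSafeClient` is not part of this diff (it is limited to 'models'), so it is worth confirming that it applies its address check at connect time and on every redirect hop, not only to the initial hostname; a small test in this package that ResolveFeedURL refuses a loopback URL would pin that. The context line `http.NewRequest("GET", url, nil)` shows no scheme check on `url`; if none follows, rejecting anything other than http/https before the request is a cheap addition. ResolveFeedURL's body continues outside the hunk, so the response handling was not reviewed.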