From cac85dc06b519d9bd6db4d017d501dffbbd8bac4 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 09:17:56 -0800
Subject: security: mitigate SSRF in image proxy and feed fetcher (fixing NK-0ca7nq)
---
 web/web.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'web')
diff --git a/web/web.go b/web/web.go
index 3c53edf..4868577 100644
--- a/web/web.go
+++ b/web/web.go
@@ -20,6 +20,7 @@ import (
 "adammathes.com/neko/api"
 "adammathes.com/neko/config"
+ "adammathes.com/neko/internal/safehttp"
 "golang.org/x/crypto/bcrypt"
 )
@@ -74,9 +75,7 @@ func imageProxyHandler(w http.ResponseWriter, r *http.Request) {
 }
 // grab the img
- c := &http.Client{
- Timeout: 5 * time.Second,
- }
+ c := safehttp.NewSafeClient(5 * time.Second)
 request, err := http.NewRequest("GET", string(decodedURL), nil)
 if err != nil {
--
cgit v1.2.3
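Review bot: The SSRF protection at `c := safehttp.NewSafeClient(5 * time.Second)` in the second hunk lives entirely inside the `safehttp` package, which this page does not show (the patch view is limited to `web`), so the call site gives no hint of what is actually enforced. In the visible lines `string(decodedURL)` still goes to `http.NewRequest` unchanged, so the guarantee presumably holds only if the client checks the resolved address at connect time and again on every redirect hop, rather than checking the URL's host string once; that is worth confirming in `safehttp` and pinning with a test. I would record the contract in place of the bare `// grab the img`, for example `// fetch via safehttp: destination checks happen inside the client; do not swap in a plain http.Client`. imageProxyHandler begins and ends outside the hunk, so any scheme or host validation earlier in the handler cannot be seen from here.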