From 4fba1f79911710c180c2c85bf62cde0458aee93a Mon Sep 17 00:00:00 2001 From: Gubarz <1037896+Gubarz@users.noreply.github.com> Date: Sat, 30 May 2026 22:48:13 -0600 Subject: [PATCH] fix(httputil): restrict redirects and enforce HTTPS --- internal/httputil/get.go | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/internal/httputil/get.go b/internal/httputil/get.go index 41324ca..2a4915d 100644 --- a/internal/httputil/get.go +++ b/internal/httputil/get.go @@ -3,20 +3,40 @@ package httputil import ( "context" + "errors" "fmt" "io" "net/http" + "time" ) // Get fetches the given URL with a GET request, returning the response body if // the status code is 200 OK. The caller is responsible for closing the body. + func Get(ctx context.Context, url string) (io.ReadCloser, error) { req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) if err != nil { return nil, fmt.Errorf("build request: %w", err) } - resp, err := http.DefaultClient.Do(req) + if req.URL.Scheme != "https" { + return nil, fmt.Errorf("insecure scheme %q: only https is allowed", req.URL.Scheme) + } + + client := &http.Client{ + Timeout: 30 * time.Second, + CheckRedirect: func(req *http.Request, via []*http.Request) error { + if len(via) >= 10 { + return errors.New("stopped after 10 redirects") + } + if req.URL.Scheme != "https" { + return errors.New("insecure redirect: only https is allowed") + } + return nil + }, + } + + resp, err := client.Do(req) if err != nil { return nil, fmt.Errorf("execute request: %w", err) }