clone/vikunja
1
0
Fork 0
mirror of https://github.com/go-vikunja/vikunja.git synced 2026-05-03 02:16:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fc9c21915df25827cdc4e421ddc07a22c375526c
vikunja/pkg/utils/httpclient.go
kolaente 0266fffad2 feat: add shared SSRF-safe HTTP client utility
2026-03-23 16:34:22 +00:00

65 lines
2.2 KiB
Go
Raw Blame History

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package utils
import (
"encoding/base64"
"net"
"net/http"
"net/url"
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/version"
"code.dny.dev/ssrf"
)
// NewSSRFSafeHTTPClient returns an *http.Client with SSRF protection applied.
// It blocks connections to non-globally-routable IP addresses (loopback,
// private ranges, link-local, etc.) unless outgoingrequests.allownonroutableips
// is set to true. It also configures proxy settings from outgoingrequests config.
//
// Deprecated webhooks.* config keys are migrated to outgoingrequests.* at
// config init time (see config.InitDefaultConfig), so this function only
// reads the new keys.
func NewSSRFSafeHTTPClient() *http.Client {
client := &http.Client{}
transport := &http.Transport{}
if !config.OutgoingRequestsAllowNonRoutableIPs.GetBool() {
guardian := ssrf.New(ssrf.WithAnyPort())
transport.DialContext = (&net.Dialer{
Control: guardian.Safe,
}).DialContext
}
proxyURL := config.OutgoingRequestsProxyURL.GetString()
proxyPassword := config.OutgoingRequestsProxyPassword.GetString()
if proxyURL != "" && proxyPassword != "" {
parsedURL, _ := url.Parse(proxyURL)
transport.Proxy = http.ProxyURL(parsedURL)
transport.ProxyConnectHeader = http.Header{
"Proxy-Authorization": []string{"Basic " + base64.StdEncoding.EncodeToString([]byte("vikunja:"+proxyPassword))},
"User-Agent": []string{"Vikunja/" + version.Version},
}
}
client.Transport = transport
return client
}
Reference in New Issue View Git Blame Copy Permalink