mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request 'Validate proxy download URL host to prevent SSRF' (#42) from fix/ssrf-proxy-download into main 

Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/42
This commit is contained in:
Matthew Knight 2026-02-18 00:13:09 +00:00
parent f1b20edbe3 c56b803010
commit fdcccce476
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
internal/forgejo/client.go
View File

@ -868,7 +868,20 @@ func (c *Client) GetAttachmentURL(apiURL string) (string, error) {
} }
// ProxyDownload fetches a file from the given Forgejo URL with authentication and streams it back. // ProxyDownload fetches a file from the given Forgejo URL with authentication and streams it back.
// The URL host must match the configured Forgejo base URL to prevent SSRF.
func (c *Client) ProxyDownload(downloadURL string) (*http.Response, error) { func (c *Client) ProxyDownload(downloadURL string) (*http.Response, error) {
parsed, err := url.Parse(downloadURL)
if err != nil {
return nil, fmt.Errorf("invalid download URL: %w", err)
}
base, err := url.Parse(c.baseURL)
if err != nil {
return nil, fmt.Errorf("invalid base URL: %w", err)
}
if parsed.Host != base.Host {
return nil, fmt.Errorf("download URL host %q does not match Forgejo host %q", parsed.Host, base.Host)
}
httpReq, err := http.NewRequest("GET", downloadURL, nil) httpReq, err := http.NewRequest("GET", downloadURL, nil)
if err != nil { if err != nil {
return nil, err return nil, err