fix: disable redirects to guard against possible SSRFs

2023-04-24 17:46:58 -07:00
parent b8fe446152
commit f40135dbf2
2 changed files with 15 additions and 2 deletions
--- a/activitypub/webfinger/webfinger.go
+++ b/activitypub/webfinger/webfinger.go
@@ -29,7 +29,14 @@ func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
 	query.Add("resource", fmt.Sprintf("acct:%s", account))
 	requestURL.RawQuery = query.Encode()

-	response, err := http.DefaultClient.Get(requestURL.String())
+	// Do not support redirects.
+	client := &http.Client{
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	response, err := client.Get(requestURL.String())
 	if err != nil {
 		return nil, err
 	}