akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity

fix: rename variable for clarity and security verification in TestURLConnectivity

Browse Source
This commit is contained in:
GitHub Actions
2026-01-01 03:53:44 +00:00
parent a1ff78a92f
commit cfafe70d17
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/internal/utils/url_testing.go
View File

@@ -137,7 +137,7 @@ func TestURLConnectivity(rawURL string, transport ...http.RoundTripper) (reachab
// - Production code performs full DNS/IP validation
// - Test code uses mock transport (bypasses network entirely)
// - ssrfSafeDialer() provides defense-in-depth at connection time
var requestURL string // Final URL for HTTP request (always validated)
var validatedRequestURL string // Validated/sanitized URL for HTTP request (security-verified)
if len(transport) == 0 || transport[0] == nil {
// Production path: Full security validation with DNS/IP checks
validatedURL, err := security.ValidateExternalURL(rawURL,
@@ -184,7 +184,7 @@ func TestURLConnectivity(rawURL string, transport ...http.RoundTripper) (reachab
metrics.RecordURLValidation("allowed", "validated")
// ENHANCEMENT: Audit log successful validation
security.LogURLTest(parsed.Hostname(), requestID, "system", "", "allowed")
requestURL = validatedURL // Use validated URL for production requests (breaks taint chain)
validatedRequestURL = validatedURL // Use validated URL for production requests (breaks taint chain)
} else {
// Test path: Basic validation without DNS (test transport handles network)
// Reconstruct URL to break taint chain for static analysis
@@ -198,7 +198,7 @@ func TestURLConnectivity(rawURL string, transport ...http.RoundTripper) (reachab
return false, 0, fmt.Errorf("only http and https schemes are allowed")
}
// Reconstruct URL to break taint chain (creates new string value)
requestURL = testParsed.String()
validatedRequestURL = testParsed.String()
}
// Create HTTP client with optional custom transport
@@ -238,7 +238,7 @@ func TestURLConnectivity(rawURL string, transport ...http.RoundTripper) (reachab
// Parse the validated URL to construct request from validated components
// This breaks the taint chain for static analysis by using parsed URL components
validatedParsed, err := url.Parse(requestURL)
validatedParsed, err := url.Parse(validatedRequestURL)
if err != nil {
return false, 0, fmt.Errorf("failed to parse validated URL: %w", err)
}