3aaa059a15
- Updated UsersPage tests to check for specific URL formats instead of regex patterns. - Increased timeout for Go coverage report generation to handle larger repositories. - Cleaned up generated artifacts before running CodeQL analysis to reduce false positives. - Removed outdated QA testing report for authentication fixes on the certificates page. - Added final report confirming successful resolution of authentication issues with certificate endpoints. - Deleted previous test output files to maintain a clean test results directory.
35 lines
979 B
Go
35 lines
979 B
Go
package network
|
|
|
|
import (
|
|
"net/http"
|
|
"time"
|
|
)
|
|
|
|
// NewInternalServiceHTTPClient returns an HTTP client intended for internal service calls
|
|
// that are already constrained by an explicit hostname allowlist + expected port policy.
|
|
//
|
|
// Security posture:
|
|
// - Ignores proxy environment variables.
|
|
// - Disables redirects.
|
|
// - Uses strict, caller-provided timeouts.
|
|
func NewInternalServiceHTTPClient(timeout time.Duration) *http.Client {
|
|
transport := &http.Transport{
|
|
// Explicitly ignore proxy environment variables for SSRF-sensitive requests.
|
|
Proxy: nil,
|
|
DisableKeepAlives: true,
|
|
MaxIdleConns: 1,
|
|
IdleConnTimeout: timeout,
|
|
TLSHandshakeTimeout: timeout,
|
|
ResponseHeaderTimeout: timeout,
|
|
}
|
|
|
|
return &http.Client{
|
|
Timeout: timeout,
|
|
Transport: transport,
|
|
// Explicit redirect policy per call site: disable.
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
return http.ErrUseLastResponse
|
|
},
|
|
}
|
|
}
|