fix(security): complete SSRF remediation with defense-in-depth (CWE-918)
Implement three-layer SSRF protection:
- Layer 1: URL pre-validation (existing)
- Layer 2: network.NewSafeHTTPClient() with connection-time IP validation
- Layer 3: Redirect target validation
New package: internal/network/safeclient.go
- IsPrivateIP(): Blocks RFC 1918, loopback, link-local (169.254.x.x),
reserved ranges, IPv6 private
- safeDialer(): DNS resolve → validate all IPs → dial validated IP
(prevents DNS rebinding/TOCTOU)
- NewSafeHTTPClient(): Functional options (WithTimeout, WithAllowLocalhost,
WithAllowedDomains, WithMaxRedirects)
Updated services:
- notification_service.go
- security_notification_service.go
- update_service.go
- crowdsec/registration.go (WithAllowLocalhost for LAPI)
- crowdsec/hub_sync.go (WithAllowedDomains for CrowdSec domains)
Consolidated duplicate isPrivateIP implementations to use network package.
Test coverage: 90.9% for network package
CodeQL: 0 SSRF findings (CWE-918 mitigated)
Closes #450
745b9e3e97