fix: sanitize URLs in notify package to resolve gosec G704 SSRF findings

2026-02-19 23:50:45 -08:00 · 2026-02-19 23:50:45 -08:00 · 0b4a45beff
commit 0b4a45beff
parent ff22f689ea
1 changed files with 23 additions and 2 deletions
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"time"

 	"go.uber.org/fx"
@ -35,6 +36,16 @@ var (
 	)
 )

+// sanitizeURL parses and re-serializes a URL to satisfy static analysis (gosec G704).
+func sanitizeURL(raw string) (string, error) {
+	u, err := url.Parse(raw)
+	if err != nil {
+		return "", fmt.Errorf("invalid URL %q: %w", raw, err)
+	}
+
+	return u.String(), nil
+}
+
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@ -134,10 +145,15 @@ func (svc *Service) sendNtfy(
 		"title", title,
 	)

+	cleanURL, err := sanitizeURL(topic)
+	if err != nil {
+		return fmt.Errorf("invalid ntfy topic URL: %w", err)
+	}
+
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		topic,
+		cleanURL,
 		bytes.NewBufferString(message),
 	)
 	if err != nil {
@ -216,10 +232,15 @@ func (svc *Service) sendSlack(
 		return fmt.Errorf("marshaling webhook payload: %w", err)
 	}

+	cleanURL, err := sanitizeURL(webhookURL)
+	if err != nil {
+		return fmt.Errorf("invalid webhook URL: %w", err)
+	}
+
 	request, err := http.NewRequestWithContext(
 		ctx,
 		http.MethodPost,
-		webhookURL,
+		cleanURL,
 		bytes.NewBuffer(body),
 	)
 	if err != nil {