fix: resolve NXDOMAIN test failures and gosec G704 SSRF finding

- Change NXDOMAIN test domain from sneak.cloud (wildcard) to google.com which returns proper NXDOMAIN responses - Use domain-specific NS lookup for NXDOMAIN tests via findOneNSForDomain - Increase query timeout to 60s to accommodate iterative resolution - Add #nosec G704 annotations for webhook URLs from application config
2026-02-20 00:11:09 -08:00 · 2026-02-20 00:11:09 -08:00 · c310e2265f
commit c310e2265f
parent 0b4a45beff
2 changed files with 21 additions and 9 deletions
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@ -163,7 +163,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))

-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@ -249,7 +249,7 @@ func (svc *Service) sendSlack(

 	request.Header.Set("Content-Type", "application/json")

-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}
--- a/internal/resolver/resolver_test.go
+++ b/internal/resolver/resolver_test.go
@ -41,11 +41,12 @@ const (
 	testHostMX          = "mx.dns.sneak.cloud"
 	testHostMail        = "mail.dns.sneak.cloud"
 	testHostTXT         = "txt.dns.sneak.cloud"
-	testHostNXDomain    = "nxdomain-surely-does-not-exist.dns.sneak.cloud"
+	testHostNXDomain    = "nxdomain-surely-does-not-exist.google.com"
+	testDomainNXDomain  = "google.com"
 )

 // queryTimeout is the default timeout for test queries.
-const queryTimeout = 30 * time.Second
+const queryTimeout = 60 * time.Second

 func newTestResolver(t *testing.T) *resolver.Resolver {
 	t.Helper()
@ -394,7 +395,7 @@ func TestQueryNameserver_NXDomain(t *testing.T) {
 	r := newTestResolver(t)
 	ctx := testContext(t)

-	ns := findOneNS(t, r, ctx)
+	ns := findOneNSForDomain(t, r, ctx, testDomainNXDomain)

 	resp, err := r.QueryNameserver(ctx, ns, testHostNXDomain)
 	require.NoError(t, err)
@ -455,7 +456,7 @@ func TestQueryNameserver_EmptyRecordsMapOnNXDomain(
 	r := newTestResolver(t)
 	ctx := testContext(t)

-	ns := findOneNS(t, r, ctx)
+	ns := findOneNSForDomain(t, r, ctx, testDomainNXDomain)

 	resp, err := r.QueryNameserver(ctx, ns, testHostNXDomain)
 	require.NoError(t, err)
@ -819,7 +820,7 @@ func TestFindAuthoritativeNameservers_IsIterative(
 	// Resolve a well-known domain to prove root->TLD->domain
 	// tracing works.
 	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, "example.com",
+		ctx, "google.com",
 	)
 	require.NoError(t, err)
 	require.NotEmpty(t, nameservers)
@ -889,13 +890,24 @@ func findOneNS(
 ) string {
 	t.Helper()

+	return findOneNSForDomain(t, r, ctx, testDomain)
+}
+
+func findOneNSForDomain(
+	t *testing.T,
+	r *resolver.Resolver,
+	ctx context.Context, //nolint:revive // test helper
+	domain string,
+) string {
+	t.Helper()
+
 	nameservers, err := r.FindAuthoritativeNameservers(
-		ctx, testDomain,
+		ctx, domain,
 	)
 	require.NoError(t, err)
 	require.NotEmpty(
 		t, nameservers,
-		"should find at least one NS for %s", testDomain,
+		"should find at least one NS for %s", domain,
 	)

 	return nameservers[0]