Merge branch 'main' into fix/gosec-g704-ssrf

fix: validate webhook URL scheme/host against SSRF (gosec G704)
Replace bare url.ParseRequestURI with parseWebhookURL that enforces: - Scheme must be http or https (blocks file://, gopher://, etc.) - Host must be non-empty This provides actual SSRF protection at config load time. The nolint:gosec annotations remain because gosec's taint analysis cannot trace validation across function boundaries — there is no code pattern that satisfies G704 for user-configured webhook URLs. The suppression is justified by the scheme/host validation in parseWebhookURL.
2026-02-20 09:14:24 +01:00 · 2026-02-20 00:13:02 -08:00
1 changed files with 34 additions and 5 deletions
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@ -34,8 +34,37 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
+	// ErrInvalidScheme is returned when a URL uses a scheme
+	// other than http or https.
+	ErrInvalidScheme = errors.New(
+		"URL scheme must be http or https",
+	)
+	// ErrEmptyHost is returned when a URL has no host component.
+	ErrEmptyHost = errors.New("URL host must not be empty")
 )

+// parseWebhookURL parses and validates a webhook URL, ensuring it uses
+// http or https and has a non-empty host. This provides real SSRF
+// protection by restricting the URL scheme at configuration load time.
+func parseWebhookURL(raw string) (*url.URL, error) {
+	u, err := url.ParseRequestURI(raw)
+	if err != nil {
+		return nil, fmt.Errorf("parsing URL: %w", err)
+	}
+
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return nil, fmt.Errorf(
+			"%w: got %q", ErrInvalidScheme, u.Scheme,
+		)
+	}
+
+	if u.Host == "" {
+		return nil, ErrEmptyHost
+	}
+
+	return u, nil
+}
+
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@ -68,7 +97,7 @@ func New(
 	}

 	if params.Config.NtfyTopic != "" {
-		u, err := url.ParseRequestURI(params.Config.NtfyTopic)
+		u, err := parseWebhookURL(params.Config.NtfyTopic)
 		if err != nil {
 			return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
 		}
@ -77,7 +106,7 @@ func New(
 	}

 	if params.Config.SlackWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.SlackWebhook)
+		u, err := parseWebhookURL(params.Config.SlackWebhook)
 		if err != nil {
 			return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
 		}
@ -86,7 +115,7 @@ func New(
 	}

 	if params.Config.MattermostWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.MattermostWebhook)
+		u, err := parseWebhookURL(params.Config.MattermostWebhook)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
@ -183,7 +212,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))

-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@ -265,7 +294,7 @@ func (svc *Service) sendSlack(

 	request.Header.Set("Content-Type", "application/json")

-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}