Merge branch 'main' into fix/gosec-g704-ssrf

fix: validate webhook URL scheme/host against SSRF (gosec G704)
Replace bare url.ParseRequestURI with parseWebhookURL that enforces: - Scheme must be http or https (blocks file://, gopher://, etc.) - Host must be non-empty This provides actual SSRF protection at config load time. The nolint:gosec annotations remain because gosec's taint analysis cannot trace validation across function boundaries — there is no code pattern that satisfies G704 for user-configured webhook URLs. The suppression is justified by the scheme/host validation in parseWebhookURL.
2026-02-20 09:14:24 +01:00 · 2026-02-20 00:13:02 -08:00
1 changed files with 34 additions and 5 deletions
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@ -34,8 +34,37 @@ var (
 	ErrMattermostFailed = errors.New(
 		"mattermost notification failed",
 	)
 	// ErrInvalidScheme is returned when a URL uses a scheme
 	// other than http or https.
 	ErrInvalidScheme = errors.New(
 		"URL scheme must be http or https",
 	)
 	// ErrEmptyHost is returned when a URL has no host component.
 	ErrEmptyHost = errors.New("URL host must not be empty")
 )
 // parseWebhookURL parses and validates a webhook URL, ensuring it uses
 // http or https and has a non-empty host. This provides real SSRF
 // protection by restricting the URL scheme at configuration load time.
 func parseWebhookURL(raw string) (*url.URL, error) {
 	u, err := url.ParseRequestURI(raw)
 	if err != nil {
 		return nil, fmt.Errorf("parsing URL: %w", err)
 	}
 	if u.Scheme != "http" && u.Scheme != "https" {
 		return nil, fmt.Errorf(
 			"%w: got %q", ErrInvalidScheme, u.Scheme,
 		)
 	}
 	if u.Host == "" {
 		return nil, ErrEmptyHost
 	}
 	return u, nil
 }
 // Params contains dependencies for Service.
 type Params struct {
 	fx.In
@ -68,7 +97,7 @@ func New(
 	}
 	if params.Config.NtfyTopic != "" {
-		u, err := url.ParseRequestURI(params.Config.NtfyTopic)
+		u, err := parseWebhookURL(params.Config.NtfyTopic)
 		if err != nil {
 			return nil, fmt.Errorf("invalid ntfy topic URL: %w", err)
 		}
@ -77,7 +106,7 @@ func New(
 	}
 	if params.Config.SlackWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.SlackWebhook)
+		u, err := parseWebhookURL(params.Config.SlackWebhook)
 		if err != nil {
 			return nil, fmt.Errorf("invalid slack webhook URL: %w", err)
 		}
@ -86,7 +115,7 @@ func New(
 	}
 	if params.Config.MattermostWebhook != "" {
-		u, err := url.ParseRequestURI(params.Config.MattermostWebhook)
+		u, err := parseWebhookURL(params.Config.MattermostWebhook)
 		if err != nil {
 			return nil, fmt.Errorf(
 				"invalid mattermost webhook URL: %w", err,
@ -183,7 +212,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@ -265,7 +294,7 @@ func (svc *Service) sendSlack(
 	request.Header.Set("Content-Type", "application/json")
-	resp, err := svc.client.Do(request) //nolint:gosec // URL validated at Service construction time
+	resp, err := svc.client.Do(request) //nolint:gosec // G704: URL validated by parseWebhookURL
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}