Replace bare url.ParseRequestURI with parseWebhookURL that enforces:
- Scheme must be http or https (blocks file://, gopher://, etc.)
- Host must be non-empty

This provides actual SSRF protection at config load time.

The nolint:gosec annotations remain because gosec's taint analysis cannot trace validation across function boundaries — there is no code pattern that satisfies G704 for user-configured webhook URLs. The suppression is justified by the scheme/host validation in parseWebhookURL.

notify.go
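
The two checks named in the commit message, as an added Go example that is not the project's code: `validateWebhookURL` and the sample URLs are hypothetical stand-ins, and the `Hostname()` test for a port-only authority goes one step beyond the "Host must be non-empty" rule stated above. Running it shows which inputs bare `url.ParseRequestURI` accepts that the stricter check rejects.

```go
package main

import (
	"fmt"
	"net/url"
)

// validateWebhookURL is a hypothetical stand-in for the parseWebhookURL
// described in the commit message; the project's real code is not shown here.
func validateWebhookURL(raw string) (*url.URL, error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return nil, fmt.Errorf("webhook URL %q: %w", raw, err)
	}
	// net/url lowercases the scheme while parsing, so exact matches suffice.
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("webhook URL %q: scheme %q not allowed (want http or https)", raw, u.Scheme)
	}
	// Assumption beyond the commit text: test Hostname(), not Host, so that
	// a port-only authority such as ":8080" also counts as an empty host.
	if u.Hostname() == "" {
		return nil, fmt.Errorf("webhook URL %q: host must be non-empty", raw)
	}
	return u, nil
}

// Constructed sample inputs; none of them come from the project.
var samples = []string{
	"https://hooks.example.com/notify", // accepted by both checks
	"file:///etc/passwd",               // parses, but scheme is not http(s)
	"gopher://example.com/",            // parses, but scheme is not http(s)
	"/hooks/alert",                     // request-URI path: no scheme at all
	"http:///hook",                     // http scheme with an empty authority
	"http://:8080/hook",                // Host is ":8080", Hostname() is ""
}

func main() {
	for _, raw := range samples {
		_, bareErr := url.ParseRequestURI(raw)
		_, strictErr := validateWebhookURL(raw)
		fmt.Printf("%-34s bare ok=%-5t strict ok=%t\n", raw, bareErr == nil, strictErr == nil)
	}
}
```
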