dnswatcher/internal/notify
user 21e516e86c fix: validate webhook URL scheme/host against SSRF (gosec G704)
Replace bare url.ParseRequestURI with parseWebhookURL that enforces:
- Scheme must be http or https (blocks file://, gopher://, etc.)
- Host must be non-empty

This provides actual SSRF protection at config load time. The nolint:gosec
annotations remain because gosec's taint analysis cannot trace validation
across function boundaries — there is no code pattern that satisfies G704
for user-configured webhook URLs. The suppression is justified by the
scheme/host validation in parseWebhookURL.
2026-02-20 00:13:02 -08:00
..
notify.go fix: validate webhook URL scheme/host against SSRF (gosec G704) 2026-02-20 00:13:02 -08:00