Disable redirects in HTTP resolver

domdomegg · domdomegg · commit 9b9504e42c62 · 2025-08-21T22:46:41.000+01:00
diff --git a/internal/api/handlers/v0/auth/http.go b/internal/api/handlers/v0/auth/http.go
@@ -43,6 +43,11 @@ func NewDefaultHTTPKeyFetcher() *DefaultHTTPKeyFetcher {
 	return &DefaultHTTPKeyFetcher{
 		client: &http.Client{
 			Timeout: 10 * time.Second,
+			// Disable redirects for security purposes:
+			// Prevents people doing weird things like sending us to internal endpoints at different paths
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
 		},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,11 @@ func NewDefaultHTTPKeyFetcher() *DefaultHTTPKeyFetcher {`
`43`	`43`	`return &DefaultHTTPKeyFetcher{`
`44`	`44`	`client: &http.Client{`
`45`	`45`	`Timeout: 10 * time.Second,`
	`46`	`+ // Disable redirects for security purposes:`
	`47`	`+ // Prevents people doing weird things like sending us to internal endpoints at different paths`
	`48`	`+ CheckRedirect: func(req http.Request, via []http.Request) error {`
	`49`	`+ return http.ErrUseLastResponse`
	`50`	`+ },`
`46`	`51`	`},`
`47`	`52`	`}`
`48`	`53`	`}`