fix(#123): address review feedback on SSRF defense

- Clone http.DefaultTransport instead of bare &http.Transport{} to preserve ProxyFromEnvironment, TLSHandshakeTimeout, IdleConnTimeout, connection pooling, and HTTP/2 support (fixes transport regression). - Add IPv6-mapped IPv4 normalization in action.yml Python SSRF checks to prevent bypass via ::ffff:10.0.0.1 style AAAA records. - Reject URLs with user-info (user:pass@host) in action.yml Python checks to match validate-url subcommand behavior. - Add test verifying DefaultTransport settings are preserved.
2026-05-14 04:49:21 -07:00
parent 5ac93bea70
commit 934c6728ee
3 changed files with 66 additions and 5 deletions
@@ -157,10 +157,13 @@ func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error

 // newSafeHTTPClient returns an *http.Client with the SSRF-blocking safeDialContext
 // transport and the cross-host redirect rejection policy.
+//
+// We clone http.DefaultTransport to preserve its production-ready defaults
+// (ProxyFromEnvironment, TLSHandshakeTimeout, IdleConnTimeout, connection
+// pooling, HTTP/2 support) and override only DialContext with safeDialContext.
 func newSafeHTTPClient() *http.Client {
-	transport := &http.Transport{
-		DialContext: safeDialContext,
-	}
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.DialContext = safeDialContext
 	return &http.Client{
 		Timeout:       30 * time.Second,
 		Transport:     transport,