From e80e5744f7b3c911e9cb0ea1cf1fdf8bd33014f7 Mon Sep 17 00:00:00 2001
From: Crumb Owl
Date: Sun, 6 Jul 2025 19:20:53 +0000
Subject: [PATCH] ProductBarcode: backend: improve security of image fetching

---
 backend/app/api/handlers/v1/v1_ctrl_product_search.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/app/api/handlers/v1/v1_ctrl_product_search.go b/backend/app/api/handlers/v1/v1_ctrl_product_search.go
index 421bea87..dd0412a2 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_product_search.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_product_search.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "io"
 "net/http"
+ "net/url"
 
 "github.com/hay-kot/httpkit/errchain"
 "github.com/rs/zerolog/log"
@@ -242,6 +243,13 @@ func (ctrl *V1Controller) HandleProductSearchFromBarcode(conf config.BarcodeAPIC
 continue
 }
 
+ // Validate URL is HTTPS
+ u, err := url.Parse(p.ImageURL)
+ if err != nil || u.Scheme != "https" {
+ log.Warn().Msg("Skipping non-HTTPS image URL: " + p.ImageURL)
+ continue
+ }
+
 res, err := http.Get(p.ImageURL)
 if err != nil {
 log.Warn().Msg("Cannot fetch image for URL: " + p.ImageURL + ": " + err.Error())
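Review bot: The new scheme check in the second hunk only inspects the initial `p.ImageURL`; the fetch on the following line still goes through `http.Get`, i.e. `http.DefaultClient`, which has no timeout and follows redirects, so an `https` URL can redirect to a non-HTTPS or otherwise unwanted destination and the check is bypassed on the redirected hop. Since `p.ImageURL` appears to come from an external barcode lookup result (inferred from the surrounding handler), the fetch should use a dedicated client with a `Timeout` and a `CheckRedirect` that re-applies the scheme rule and bounds the redirect count; building that client once outside the loop also avoids per-iteration allocation. Consider additionally rejecting `u.Host == ""` and logging the URL as a structured field (`log.Warn().Str("url", p.ImageURL).Msg("skipping non-HTTPS image URL")`) so an attacker-controlled URL cannot inject into the log line. The enclosing `HandleProductSearchFromBarcode` starts and ends outside the hunk; the `time` import is needed for the timeout (value below is illustrative).

```go
// built once, before the loop that iterates over products
imgClient := &http.Client{
	Timeout: 10 * time.Second, // illustrative value
	CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 5 {
			return fmt.Errorf("too many redirects fetching image")
		}
		if req.URL.Scheme != "https" || req.URL.Host == "" {
			return fmt.Errorf("redirect to disallowed url %q", req.URL.String())
		}
		return nil
	},
}

// … unchanged: loop body up to the HTTPS validation …
if err != nil || u.Scheme != "https" || u.Host == "" {
	log.Warn().Str("url", p.ImageURL).Msg("skipping non-HTTPS image URL")
	continue
}

res, err := imgClient.Get(p.ImageURL)
// … unchanged: error handling and body processing …
```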