httpclient

package
v1.58.0 Latest
Warning

This package is not in the latest version of its module.

Published: May 11, 2026 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func BoundedRedirects added in v1.55.0

func BoundedRedirects(maxHops int) func(*http.Request, []*http.Request) error

BoundedRedirects returns an http.Client.CheckRedirect that limits a redirect chain to maxHops. SSRF protection for each redirect target is enforced by the transport's dialer; this function only prevents infinite loops.

func ContextWithSessionID added in v1.55.0

func ContextWithSessionID(ctx context.Context, id string) context.Context

ContextWithSessionID returns a new context carrying the given session ID. When set, [userAgentTransport.RoundTrip] forwards it as the `X-Cagent-Session-Id` header — but only on gateway-bound requests (those already carrying `X-Cagent-Forward`), to keep the identifier out of direct provider calls and unrelated outbound HTTP.

func HTTPSOnlyRedirects added in v1.55.0

func HTTPSOnlyRedirects(maxHops int) func(*http.Request, []*http.Request) error

HTTPSOnlyRedirects returns an http.Client.CheckRedirect that limits the redirect chain to maxHops AND rejects redirects whose Location is not https://. Use this when the original request is required to be HTTPS and a TLS downgrade through a Location header must be prevented.

func IsPublicIP added in v1.55.0

func IsPublicIP(ip net.IP) bool

IsPublicIP reports whether ip is a routable public address. It rejects loopback (127/8, ::1), RFC1918 private ranges, link-local (incl. the 169.254.169.254 cloud metadata endpoint), multicast and the unspecified address (0.0.0.0, ::).

func NewHTTPClient

func NewHTTPClient(ctx context.Context, opts ...Opt) *http.Client

func NewSSRFSafeTransport added in v1.55.0

func NewSSRFSafeTransport() *http.Transport

NewSSRFSafeTransport returns a clone of http.DefaultTransport whose dialer enforces SSRFDialControl on every connection. All other settings — proxy, idle pool, HTTP/2, timeouts — are inherited so the transport keeps up with future stdlib changes.

Use this for outbound HTTP that may follow attacker-influenced URLs (OpenAPI specs whose servers[] list is taken from the spec body, user-configured API endpoints, etc.). It does not enforce HTTPS — callers that require it must validate the request URL themselves and/or supply a CheckRedirect on the surrounding *http.Client.

func NewSafeClient added in v1.55.0

func NewSafeClient(timeout time.Duration, unsafe bool) *http.Client

NewSafeClient returns the HTTP client used by built-in tools that issue outbound calls to URLs the operator (or a fetched OpenAPI spec) supplies.

The default refuses connections to non-public IPs at dial time — defeating DNS rebinding to loopback / RFC1918 / link-local incl. cloud metadata at 169.254.169.254 — and bounds the redirect chain at 10 hops.

When unsafe is true the client uses http.DefaultTransport. This branch exists ONLY for tests, which use [httptest.NewServer] (binds to 127.0.0.1) and therefore cannot pass the SSRF check.

func SSRFDialControl added in v1.55.0

func SSRFDialControl(_, address string, _ syscall.RawConn) error

SSRFDialControl is invoked by net.Dialer after DNS resolution but before the TCP handshake. It rejects addresses that are not safe to fetch from over the public internet.

Performing the check post-resolution defeats DNS rebinding: an attacker cannot point a public hostname at 127.0.0.1 or 169.254.169.254 to bypass the check, because the resolved IP itself is re-validated.
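An added sketch, not the package's own code, of the dial-time check described above, written against the standard library only. The names isPublic, dialControl, errBlocked and newGuardedClient are hypothetical, and the blocked categories are taken from the IsPublicIP description.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

var errBlocked = errors.New("ssrf: non-public address blocked")

// isPublic is a hypothetical stand-in for IsPublicIP, built from the
// categories its documentation lists. IsPrivate also covers IPv6 fc00::/7.
func isPublic(ip net.IP) bool {
	return ip != nil && !ip.IsLoopback() && !ip.IsPrivate() &&
		!ip.IsLinkLocalUnicast() && !ip.IsMulticast() && !ip.IsUnspecified()
}

// dialControl matches net.Dialer.Control; address is the resolved "ip:port".
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("%w: %v", errBlocked, err)
	}
	// ParseIP returns nil for unparsable hosts (e.g. zoned); fail closed.
	if ip := net.ParseIP(host); !isPublic(ip) {
		return fmt.Errorf("%w: %s", errBlocked, host)
	}
	return nil
}

// newGuardedClient (hypothetical) clones the default transport, adds the hook, caps redirects.
func newGuardedClient(timeout time.Duration) *http.Client {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.DialContext = (&net.Dialer{Timeout: 30 * time.Second, Control: dialControl}).DialContext
	return &http.Client{Timeout: timeout, Transport: tr,
		CheckRedirect: func(_ *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			return nil
		}}
}

func main() {
	fmt.Println(dialControl("tcp4", "169.254.169.254:80", nil))
}
```

When the cloned transport is configured to use a proxy, the dialer connects to the proxy, so a Control hook like this sees the proxy's address rather than the target's.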

func SessionIDFromContext added in v1.55.0

func SessionIDFromContext(ctx context.Context) string

SessionIDFromContext returns the session ID stored on ctx by ContextWithSessionID, or the empty string if none is set.

func WrapWithOTel added in v1.55.0

func WrapWithOTel(rt http.RoundTripper) http.RoundTripper

WrapWithOTel returns rt wrapped with otelhttp when OpenTelemetry is enabled (OTEL_EXPORTER_OTLP_ENDPOINT set, matching the gating in cmd/root/otel.go), or rt unchanged otherwise. Exposed so callers that build their own transports outside of NewHTTPClient can opt into the same env-gated instrumentation without duplicating the gating logic.

Types

type HTTPOptions

type HTTPOptions struct {
	Header http.Header
	Query  url.Values
}

type Opt

type Opt func(*HTTPOptions)

func WithHeader

func WithHeader(key, value string) Opt

func WithHeaders

func WithHeaders(headers map[string]string) Opt

func WithModel

func WithModel(model string) Opt

func WithModelName

func WithModelName(name string) Opt

func WithProvider

func WithProvider(provider string) Opt

func WithProxiedBaseURL

func WithProxiedBaseURL(value string) Opt

func WithQuery

func WithQuery(query url.Values) Opt
