fix(providers/azure): harden Synapse nil HTTP client fallback#1228
fix(providers/azure): harden Synapse nil HTTP client fallback#1228cristim wants to merge 3 commits into
Conversation
|
Important Review skippedNo new commits to review since the last review. ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthrough
ChangesSSRF Hardening for Nil HTTP Client Fallback
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
NewClientWithHTTP in the Synapse client was the only one of the Azure NewClientWithHTTP constructors substituting http.DefaultClient when the injected client is nil, bypassing the SSRF/IMDS-blocking transport from the project httpclient package. Replace the fallback with httpclient.New() to match the production NewClient constructor and the established savingsplans/managedredis pattern, and add a regression test asserting the nil fallback is never http.DefaultClient and rejects IMDS connections. Closes #1143
|
@coderabbitai review |
✅ Action performedReview finished.
|
Replace nolint:bodyclose with proper deferred body close guarded by nil check, per the no-nolint policy.
Adversarial review (PR #1228)Reviewed against the SEC-03 finding (#1143) and the five risk surfaces from the brief. Fix is correct, narrowly scoped, well tested. Nothing to push here; one defensive-consistency follow-up filed. Verified
Fixes pushedNone — the diff stands as-is. Fix is correct, regression test is solid, and CR has zero inline findings ( Follow-up filed
UNSTABLE stateThree failing checks ( VerdictLGTM. CR re-ping below. |
|
@coderabbitai review |
✅ Action performedReview finished.
|
Problem
Code-review finding SEC-03 (codebase-review-2026-06-10): the Azure Synapse client's
NewClientWithHTTPconstructor was the only one of the AzureNewClientWithHTTPconstructors that fell back tohttp.DefaultClienton nil injection.http.DefaultClienthas no IMDS-blocking transport, so a future non-testNewClientWithHTTP(..., nil)caller would reopen the SSRF surface the hardenedhttpclient.New()client closes.Fix
Replace the nil fallback with
httpclient.New()(SSRF/IMDS-blocking), matching the productionNewClientconstructor and the established pattern already used by the savingsplans and managedredis clients, and update the doc comment accordingly.Test evidence
TestNewClientWithHTTP_NilFallbackIsHardened, mirroring the savingsplans regression test: asserts the nil fallback is non-nil, is nothttp.DefaultClient, and that a request tohttp://169.254.169.254/metadata/instanceis rejected with a "blocked" error.http.DefaultClient) and passes post-fix.go build ./...succeeds in both the root module and theproviders/azuremodule;go test ./services/synapse/ -count=1passes (44 tests).Closes #1143
Summary by CodeRabbit
Bug Fixes
Tests