Guard DefaultTransport assertion in transportForAuth

thardeck · thardeck · commit e487ccbba515 · 2026-03-23T09:03:23.000+01:00
Fall back to &amp;http.Transport{} if DefaultTransport is not a
*http.Transport, to avoid a panic when another component has replaced
the global default.
diff --git a/internal/bundlereader/charturl.go b/internal/bundlereader/charturl.go
@@ -290,7 +290,13 @@ func transportForAuth(insecureSkipVerify bool, caBundle []byte) http.RoundTrippe
 	}
 
 	// Create new transport
-	transport := http.DefaultTransport.(*http.Transport).Clone()
+	baseTransport, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		// Another component has replaced the global default transport.
+		// Use a plain transport rather than panicking on the failed assertion.
+		baseTransport = &http.Transport{}
+	}
+	transport := baseTransport.Clone()
 	transport.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: insecureSkipVerify, //nolint:gosec
 	}
diff --git a/internal/bundlereader/charturl_internal_test.go b/internal/bundlereader/charturl_internal_test.go
@@ -0,0 +1,47 @@
+package bundlereader
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// fakeRoundTripper is a RoundTripper that is not *http.Transport, so substituting
+// it for http.DefaultTransport triggers the type-assertion path in transportForAuth.
+type fakeRoundTripper struct{}
+
+func (fakeRoundTripper) RoundTrip(*http.Request) (*http.Response, error) { return nil, nil }
+
+// TestTransportForAuthNonDefaultTransport verifies that transportForAuth does not
+// panic when http.DefaultTransport has been replaced by a value that is not
+// *http.Transport, and that it still returns a usable RoundTripper.
+//
+// Not parallel: the test mutates the process-global http.DefaultTransport.
+func TestTransportForAuthNonDefaultTransport(t *testing.T) {
+	orig := http.DefaultTransport
+	t.Cleanup(func() { http.DefaultTransport = orig })
+
+	http.DefaultTransport = fakeRoundTripper{}
+
+	// The transport cache is package-level; clear it so a fresh entry is built.
+	transportsCacheMutex.Lock()
+	transportsCache = map[string]http.RoundTripper{}
+	transportsCacheMutex.Unlock()
+
+	require.NotPanics(t, func() {
+		rt := transportForAuth(false, nil)
+		assert.NotNil(t, rt)
+	}, "transportForAuth must not panic when http.DefaultTransport is not *http.Transport")
+
+	// Also verify the custom-CA path does not panic.
+	transportsCacheMutex.Lock()
+	transportsCache = map[string]http.RoundTripper{}
+	transportsCacheMutex.Unlock()
+
+	require.NotPanics(t, func() {
+		rt := transportForAuth(false, []byte("not-a-real-cert"))
+		assert.NotNil(t, rt)
+	}, "transportForAuth must not panic with a CA bundle when DefaultTransport is not *http.Transport")
+}

Original file line number	Diff line number	Diff line change
`@@ -290,7 +290,13 @@ func transportForAuth(insecureSkipVerify bool, caBundle []byte) http.RoundTrippe`
`290`	`290`	`}`
`291`	`291`
`292`	`292`	`// Create new transport`
`293`		`- transport := http.DefaultTransport.(*http.Transport).Clone()`
	`293`	`+ baseTransport, ok := http.DefaultTransport.(*http.Transport)`
	`294`	`+ if !ok {`
	`295`	`+ // Another component has replaced the global default transport.`
	`296`	`+ // Use a plain transport rather than panicking on the failed assertion.`
	`297`	`+ baseTransport = &http.Transport{}`
	`298`	`+ }`
	`299`	`+ transport := baseTransport.Clone()`
`294`	`300`	`transport.TLSClientConfig = &tls.Config{`
`295`	`301`	`InsecureSkipVerify: insecureSkipVerify, //nolint:gosec`
`296`	`302`	`}`