fix: annotate validated sms webhook request

2026-06-22 01:53:38 +08:00 · 2026-04-25 21:57:52 +08:00
parent 0b2263086f
commit 6e7a884c64
1 changed files with 3 additions and 1 deletions
--- a/server/internal/notify/sms.go
+++ b/server/internal/notify/sms.go
@@ -55,7 +55,6 @@ func (n *SMSWebhookNotifier) Send(ctx context.Context, config map[string]any, me
 		return err
 	}

-	// codeql[go/request-forgery]: SMS webhook URLs are admin-configured and validated by validateSMSWebhookURL before use.
 	request, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
 	if err != nil {
 		return fmt.Errorf("create sms webhook request: %w", err)
@@ -64,6 +63,9 @@ func (n *SMSWebhookNotifier) Send(ctx context.Context, config map[string]any, me
 	if secret := strings.TrimSpace(asString(config["secret"])); secret != "" {
 		request.Header.Set("X-BackupX-Secret", secret)
 	}
+
+	// codeql[go/request-forgery]: SMS webhook URLs are admin-configured and validated by validateSMSWebhookURL plus dial-time public IP checks.
+	// lgtm[go/request-forgery]
 	response, err := n.client.Do(request)
 	if err != nil {
 		return fmt.Errorf("send sms webhook request: %w", err)