Merge branch 'main' into renovate/github.com-modelcontextprotocol-go-sdk-1.x

ChrisJBurns · web-flow · commit 5419955ec2ca · 2026-02-28T16:24:49.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -37,7 +37,7 @@ jobs:
         run: task test
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: fetch-server
           path: build/fetch-server
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/stackloklabs/gofetch
 
-go 1.25.6
+go 1.25.7
 
 require (
 	github.com/JohannesKaufmann/html-to-markdown/v2 v2.5.0
diff --git a/pkg/fetcher/fetcher.go b/pkg/fetcher/fetcher.go
@@ -45,11 +45,11 @@ type FetchRequest struct {
 
 // FetchURL retrieves and processes content from the specified URL
 func (f *HTTPFetcher) FetchURL(req *FetchRequest) (string, error) {
-	log.Printf("Fetching URL: %s", req.URL)
+	log.Printf("Fetching URL: %s", sanitizeLogValue(req.URL))
 
 	// Check robots.txt
 	if !f.robotsChecker.IsAllowed(req.URL) {
-		log.Printf("Access denied by robots.txt for URL: %s", req.URL)
+		log.Printf("Access denied by robots.txt for URL: %s", sanitizeLogValue(req.URL))
 		return "", fmt.Errorf("access to %s is disallowed by robots.txt", req.URL)
 	}
 
@@ -62,16 +62,23 @@ func (f *HTTPFetcher) FetchURL(req *FetchRequest) (string, error) {
 	// Apply formatting
 	formattedContent := f.processor.FormatContent(content, req.StartIndex, req.MaxLength)
 
-	log.Printf("Fetch completed successfully for %s, returning %d characters", req.URL, len(formattedContent))
+	log.Printf("Fetch completed successfully for %s, returning %d characters", sanitizeLogValue(req.URL), len(formattedContent))
 	return formattedContent, nil
 }
 
+// sanitizeLogValue removes newlines and carriage returns to prevent log injection.
+func sanitizeLogValue(s string) string {
+	s = strings.ReplaceAll(s, "\n", "")
+	s = strings.ReplaceAll(s, "\r", "")
+	return s
+}
+
 // fetchURL retrieves content from the specified URL
 func (f *HTTPFetcher) fetchURL(url string, raw bool) (string, error) {
 	// Create HTTP request
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
-		log.Printf("Failed to create HTTP request for %s: %v", url, err)
+		log.Printf("Failed to create HTTP request for %s: %v", sanitizeLogValue(url), err)
 		return "", fmt.Errorf("failed to create request: %v", err)
 	}
 
@@ -80,29 +87,33 @@ func (f *HTTPFetcher) fetchURL(url string, raw bool) (string, error) {
 	req.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
 
 	// Make HTTP request
-	resp, err := f.httpClient.Do(req)
+	resp, err := f.httpClient.Do(req) //nolint:gosec // This is a fetch server; fetching user-provided URLs is its core purpose
 	if err != nil {
-		log.Printf("HTTP request failed for %s: %v", url, err)
+		log.Printf("HTTP request failed for %s: %v", sanitizeLogValue(url), err)
 		return "", fmt.Errorf("failed to fetch URL: %v", err)
 	}
 	defer resp.Body.Close()
 
-	log.Printf("HTTP %d response from %s (Content-Type: %s)", resp.StatusCode, url, resp.Header.Get("Content-Type"))
+	//nolint:gosec // URL sanitized by sanitizeLogValue; gosec can't track custom sanitizers
+	log.Printf("HTTP %d response from %s (Content-Type: %s)",
+		resp.StatusCode, sanitizeLogValue(url), resp.Header.Get("Content-Type"))
 
 	// Check status code
 	if resp.StatusCode != http.StatusOK {
-		log.Printf("Non-200 status code %d for %s: %s", resp.StatusCode, url, resp.Status)
+		//nolint:gosec // URL sanitized by sanitizeLogValue; gosec can't track custom sanitizers
+		log.Printf("Non-200 status code %d for %s: %s",
+			resp.StatusCode, sanitizeLogValue(url), resp.Status)
 		return "", fmt.Errorf("HTTP %d: %s", resp.StatusCode, resp.Status)
 	}
 
 	// Read response body
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		log.Printf("Failed to read response body from %s: %v", url, err)
+		log.Printf("Failed to read response body from %s: %v", sanitizeLogValue(url), err)
 		return "", fmt.Errorf("failed to read response body: %v", err)
 	}
 
-	log.Printf("Successfully fetched %d bytes from %s", len(body), url)
+	log.Printf("Successfully fetched %d bytes from %s", len(body), sanitizeLogValue(url))
 
 	content := string(body)
 
diff --git a/pkg/robots/robots.go b/pkg/robots/robots.go
@@ -57,7 +57,7 @@ func (c *Checker) fetchRobotsContent(parsedURL *url.URL) (string, error) {
 
 	req.Header.Set("User-Agent", c.userAgent)
 
-	resp, err := c.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req) //nolint:gosec // Fetching robots.txt for user-provided URLs is expected behavior
 	if err != nil || resp.StatusCode != 200 {
 		return "", fmt.Errorf("failed to fetch robots.txt")
 	}

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ func (c Checker) fetchRobotsContent(parsedURL url.URL) (string, error) {`
`57`	`57`
`58`	`58`	`req.Header.Set("User-Agent", c.userAgent)`
`59`	`59`
`60`		`- resp, err := c.httpClient.Do(req)`
	`60`	`+ resp, err := c.httpClient.Do(req) //nolint:gosec // Fetching robots.txt for user-provided URLs is expected behavior`
`61`	`61`	`if err != nil \|\| resp.StatusCode != 200 {`
`62`	`62`	`return "", fmt.Errorf("failed to fetch robots.txt")`
`63`	`63`	`}`