From 5ec074208c69dbbafbf968a988768d7e4fe4f15e Mon Sep 17 00:00:00 2001
From: Ralph Slooten
Date: Thu, 14 May 2026 15:13:52 +1200
Subject: [PATCH] Use httpClient for HTTP requests in loadIDs and saveMessages functions
---
 internal/dump/dump.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/internal/dump/dump.go b/internal/dump/dump.go
index 9cf38d7..4e8b609 100644
--- a/internal/dump/dump.go
+++ b/internal/dump/dump.go
@@ -7,10 +7,10 @@ import (
 "io"
 "net/http"
 "os"
- "path"
 "path/filepath"
 "regexp"
 "strings"
+ "time"
 "github.com/axllent/mailpit/config"
 "github.com/axllent/mailpit/internal/logger"
@@ -19,6 +19,11 @@ import (
 "github.com/axllent/mailpit/server/apiv1"
 )
+// httpClient bounds each remote request so a slow or hostile --http endpoint
+// cannot hang the dump indefinitely. Body size is independently capped by
+// maxRawSize / maxSummarySize via io.LimitReader.
+var httpClient = &http.Client{Timeout: time.Minute}
+
 // maxRawSize caps the bytes read per remote message to prevent a hostile
 // server from exhausting local disk via an unbounded response body.
 const maxRawSize = 50 * 1024 * 1024 // 50 MiB
@@ -83,7 +88,7 @@ func loadIDs() error {
 if base != "" {
 // remote
 logger.Log().Debugf("Fetching messages summary from %s", base)
- res, err := http.Get(base + "api/v1/messages?limit=0")
+ res, err := httpClient.Get(base + "api/v1/messages?limit=0")
 if err != nil {
 return err
@@ -143,7 +148,7 @@ func saveMessages() error {
 continue
 }
- out := path.Join(outDir, m.ID+".eml")
+ out := filepath.Join(outDir, m.ID+".eml")
 // skip if message exists
 if tools.IsFile(out) {
@@ -153,7 +158,7 @@ func saveMessages() error {
 var b []byte
 if base != "" {
- res, err := http.Get(base + "api/v1/message/" + m.ID + "/raw")
+ res, err := httpClient.Get(base + "api/v1/message/" + m.ID + "/raw")
 if err != nil {
 logger.Log().Errorf("error fetching message %s: %s", m.ID, err.Error())
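Review bot: In the `@@ -19,6 +19,11 @@` hunk, `Timeout: time.Minute` on the new `httpClient` is a whole-exchange deadline: in net/http it keeps running while the response body is read, so a legitimate raw message near the 50 MiB `maxRawSize` cap, or a large `limit=0` summary, fetched over a slow link is aborted mid-body after 60 seconds. The comment should say so, for example `// Timeout covers the whole exchange, including reading the body.`, and the body-read error paths at both call sites (outside the visible hunks) should treat a timeout as a failed message rather than write a partial file. If large mailboxes over slow links are an expected use, a configurable value is safer than a fixed minute. `maxSummarySize` is named in the comment but not defined in this hunk, so that cap could not be checked here.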
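Review bot: In the `@@ -143,7 +148,7 @@` hunk, `filepath.Join(outDir, m.ID+".eml")` cleans `..` elements and, on Windows, treats `\` as a separator, so in remote mode the output path stays inside `outDir` only if `m.ID` has already been validated. The guard that ends in `continue` just above begins outside this hunk, so that could not be confirmed. If it does not already restrict the ID to a fixed character set, add a check such as `if !filepath.IsLocal(m.ID) || filepath.Base(m.ID) != m.ID { continue }` before the join. The same ID is concatenated unescaped into the request URL in the following hunk (`base + "api/v1/message/" + m.ID + "/raw"`), where `url.PathEscape(m.ID)` would keep it to a single path segment.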