MCPcopy Index your code
hub / github.com/docker/docker-agent / validateAgentURL

Function validateAgentURL

pkg/config/sources.go:489–501  ·  view source on GitHub ↗

validateAgentURL enforces that an agent URL uses HTTPS, with an exception for http://localhost which is allowed for local development. SSRF protection (rejecting connections to loopback / private / link-local addresses) is done at dial time by [httpclient.NewSSRFSafeTransport] so that DNS rebinding

(rawURL string)

Source from the content-addressed store, hash-verified

487// rebinding cannot be used to bypass it. The SSRF transport is intentionally
488// skipped for http://localhost since loopback is the whole point.
489func validateAgentURL(rawURL string) error {
490 u, err := url.Parse(rawURL)
491 if err != nil {
492 return fmt.Errorf("invalid URL %q: %w", rawURL, err)
493 }
494 if u.Scheme != "https" && !isLocalhostHTTP(rawURL) {
495 return fmt.Errorf("refusing to load agent from %q: only https:// URLs are allowed (got scheme %q)", rawURL, u.Scheme)
496 }
497 if u.Host == "" {
498 return fmt.Errorf("invalid URL %q: missing host", rawURL)
499 }
500 return nil
501}

Callers 1

ReadMethod · 0.85

Calls 2

isLocalhostHTTPFunction · 0.85
ParseMethod · 0.80

Tested by

no test coverage detected