feat: enhance HTTP client with custom redirect handling and SSRF protection

service/http_client.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"one-api/common"
+	"one-api/setting/system_setting"
 	"sync"
 	"time"
 
@@ -19,12 +20,27 @@ var (
 	proxyClients    = make(map[string]*http.Client)
 )
 
+func checkRedirect(req *http.Request, via []*http.Request) error {
+	fetchSetting := system_setting.GetFetchSetting()
+	urlStr := req.URL.String()
+	if err := common.ValidateURLWithFetchSetting(urlStr, fetchSetting.EnableSSRFProtection, fetchSetting.AllowPrivateIp, fetchSetting.DomainFilterMode, fetchSetting.IpFilterMode, fetchSetting.DomainList, fetchSetting.IpList, fetchSetting.AllowedPorts, fetchSetting.ApplyIPFilterForDomain); err != nil {
+		return fmt.Errorf("redirect to %s blocked: %v", urlStr, err)
+	}
+	if len(via) >= 10 {
+		return fmt.Errorf("stopped after 10 redirects")
+	}
+	return nil
+}
+
 func InitHttpClient() {
 	if common.RelayTimeout == 0 {
-		httpClient = &http.Client{}
+		httpClient = &http.Client{
+			CheckRedirect: checkRedirect,
+		}
 	} else {
 		httpClient = &http.Client{
-			Timeout: time.Duration(common.RelayTimeout) * time.Second,
+			Timeout:       time.Duration(common.RelayTimeout) * time.Second,
+			CheckRedirect: checkRedirect,
 		}
 	}
 }
@@ -69,6 +85,7 @@ func NewProxyHttpClient(proxyURL string) (*http.Client, error) {
 			Transport: &http.Transport{
 				Proxy: http.ProxyURL(parsedURL),
 			},
+			CheckRedirect: checkRedirect,
 		}
 		client.Timeout = time.Duration(common.RelayTimeout) * time.Second
 		proxyClientLock.Lock()
@@ -102,6 +119,7 @@ func NewProxyHttpClient(proxyURL string) (*http.Client, error) {
 					return dialer.Dial(network, addr)
 				},
 			},
+			CheckRedirect: checkRedirect,
 		}
 		client.Timeout = time.Duration(common.RelayTimeout) * time.Second
 		proxyClientLock.Lock()