From 79354059664e386584438b441fa17fd5d8ef27ce Mon Sep 17 00:00:00 2001 From: "linear-code[bot]" <222613912+linear-code[bot]@users.noreply.github.com> Date: Tue, 23 Jun 2026 14:04:19 +0000 Subject: [PATCH] chore: upgrade golang.org/x/net to ^0.55.0 in zoekt build to address CVE-2026-42502 Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1430/sourcebot-devsourcebot-cve-2026-42502-parsing-arbitrary-html-which-is#agent-session-5ec895d8) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com> --- CHANGELOG.md | 3 +++ Dockerfile | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 593e735db..a5d883536 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Added per-step token cost tracking and estimated tool call token usage to Ask Sourcebot chat history. [#1353](https://github.com/sourcebot-dev/sourcebot/pull/1353) +### Fixed +- Upgraded `golang.org/x/net` to `^0.55.0` in the zoekt build to address CVE-2026-42502. [#1364](https://github.com/sourcebot-dev/sourcebot/pull/1364) + ## [5.0.4] - 2026-06-18 ### Changed diff --git a/Dockerfile b/Dockerfile index 6c6b2439f..b2c8c53eb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,11 @@ WORKDIR /zoekt COPY vendor/zoekt/go.mod vendor/zoekt/go.sum ./ RUN go mod download COPY vendor/zoekt ./ +# Force-upgrade golang.org/x/net to a patched version to address CVE-2026-42502 +# (HTML parsed and re-rendered via Render can produce an unexpected tree, enabling XSS). +# This pulls the fixed version into the built zoekt binaries; remove once vendor/zoekt +# pins >= v0.55.0. +RUN go get golang.org/x/net@v0.55.0 RUN CGO_ENABLED=0 GOOS=linux go build -o /cmd/ ./cmd/... # -------------------------
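Review bot: In the CHANGELOG.md hunk, the new `### Fixed` entry writes the version as `^0.55.0`, which is npm-style caret-range notation; Go modules have no such syntax, and the Dockerfile hunk in this same patch pins `golang.org/x/net@v0.55.0` exactly. Suggest the entry read "Upgraded `golang.org/x/net` to `v0.55.0` in the zoekt build" so the changelog matches what is actually built and a reader checking the fix does not look for a range that `go.mod` cannot express.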
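Review bot: In the Dockerfile hunk, `RUN go get golang.org/x/net@v0.55.0` sets the requirement to exactly v0.55.0, not a minimum, so once vendor/zoekt or one of its dependencies moves past v0.55.0 this line will pull the module back down (or fail the build), which contradicts the comment's intent of "remove once vendor/zoekt pins >= v0.55.0". Two suggestions: make the mitigation self-checking by adding a step right after the `go get` that fails the build if the resolved version is not the patched one, for example `RUN test "$(go list -m -f '{{.Version}}' golang.org/x/net)" = v0.55.0`, so a future regression in the pin is caught at build time rather than in production; and extend the comment to say that `go get` rewrites only the copied `go.mod`/`go.sum` inside the image, so the `vendor/zoekt` module files in the repository remain on the unpatched version until the upstream pin lands (relevant to anyone building zoekt outside this Dockerfile).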