[SECURITY] fix: add SSRF protection to webhook URL validation (critical)#2920
namann5 wants to merge 1 commit into
send_webhook_notification() made HTTP requests to arbitrary URLs without any validation, allowing SSRF attacks to internal networks.

Added _validate_webhook_url() that:
- Ensures only http/https schemes are allowed
- Blocks localhost, 127.0.0.1, ::1, 0.0.0.0
- Blocks .local and .internal hostnames
- Resolves hostname and blocks private (RFC1918), loopback, and link-local IP ranges
- Returns 403-level rejection logged at error level

This prevents attackers from using the webhook endpoint to scan internal network services or access cloud metadata endpoints.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0bb1218cf9
🔒 Security Fix: SSRF Protection for Webhook URLs

Fixes #2915

Vulnerability

send_webhook_notification() made HTTP POST requests to user-supplied URLs without any validation, enabling SSRF attacks against internal network services (cloud metadata, Docker internals, private IPs).

Fix

Added _validate_webhook_url() that:
- Ensures only http/https schemes are allowed
- Blocks 127.0.0.1, ::1, 0.0.0.0
- Blocks .local and .internal hostnames

Verification

backend/services/webhook_service.py

Severity: Critical — CVSS 8.6 (SSRF)

Level: critical|advanced
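The validation sequence described in the commit message and the PR description above (scheme allowlist, blocked hostnames, resolve-then-check against private, loopback and link-local ranges), written out as an added example that is not the project's webhook_service.py code. It generalizes slightly: IPv4-mapped IPv6 literals are unwrapped, every DNS answer must pass (a mixed public/private answer set is rejected), and ".localhost" is blocked alongside the page's suffixes. The `resolver` parameter, `WebhookURLError` and the sample addresses are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Policy from the PR description (constructed example, not the project's code).
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
BLOCKED_SUFFIXES = (".local", ".internal", ".localhost")  # .localhost: RFC 6761


class WebhookURLError(ValueError):
    """Raised when a webhook URL fails SSRF validation."""


def _is_disallowed_ip(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # not is_global rejects RFC1918, loopback, link-local (169.254.0.0/16, where
    # cloud metadata lives), 0.0.0.0/8, CGNAT 100.64.0.0/10 and reserved ranges.
    return (not ip.is_global) or ip.is_multicast


def _default_resolver(host):
    """All A/AAAA answers for host (live DNS; the test injects a stub instead)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_webhook_url(url, resolver=_default_resolver):
    """Return the IPs the URL may be sent to, or raise WebhookURLError."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise WebhookURLError(f"scheme not allowed: {parsed.scheme!r}")
    host = (parsed.hostname or "").rstrip(".")
    if not host:
        raise WebhookURLError("missing host")
    if host in BLOCKED_HOSTS or host.endswith(BLOCKED_SUFFIXES):
        raise WebhookURLError(f"blocked hostname: {host!r}")
    # IP literals are checked directly; names are resolved and *every* answer
    # must pass, so a mixed public/private answer set is rejected.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise WebhookURLError(f"unresolvable host: {host!r}")
    for addr in addrs:
        if _is_disallowed_ip(ipaddress.ip_address(addr)):
            raise WebhookURLError(f"{host!r} resolves to blocked address {addr}")
    # Connect to one of these IPs rather than re-resolving, to close the DNS
    # rebinding race between this check and the actual request.
    return addrs
```

The returned address list is meant to be pinned into the outgoing request; re-resolving the hostname at send time would reopen the window the check just closed.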