From 97ccb365ecc8312a07f561792be4075e43c43d96 Mon Sep 17 00:00:00 2001
From: Joe Chen
Date: Sat, 25 Jun 2022 20:36:05 +0800
Subject: [PATCH] webhook: validate against hostname instead of full URL (#7075)
---
 CHANGELOG.md | 1 +
 internal/db/webhook.go | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d66e03423..e797c026c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ All notable changes to Gogs are documented in this file.
 ### Fixed
 - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
+- Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. [#7074](https://github.com/gogs/gogs/issues/7074)
 ### Removed
diff --git a/internal/db/webhook.go b/internal/db/webhook.go
index 2cebd3fa1..3e816061e 100644
--- a/internal/db/webhook.go
+++ b/internal/db/webhook.go
@@ -11,6 +11,7 @@ import (
 "encoding/hex"
 "fmt"
 "io/ioutil"
+ "net/url"
 "strings"
 "time"
@@ -695,8 +696,13 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook
 }
 func (t *HookTask) deliver() {
- if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) {
- t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked."
+ payloadURL, err := url.Parse(t.URL)
+ if err != nil {
+ t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)
+ return
+ }
+ if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
+ t.ResponseContent = `{"body": "Payload URL resolved to a local network address that is implicitly blocked."}`
 return
 }
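Review bot: The parse-failure branch added to deliver() builds its JSON by hand with `fmt.Sprintf` and `%v`, and a `*url.Error` message wraps the offending URL in double quotes, so the stored ResponseContent will not be valid JSON in exactly the case it reports. Encoding the message keeps it well-formed, e.g. `body, _ := json.Marshal(map[string]string{"body": "Cannot parse payload URL: " + err.Error()})` then `t.ResponseContent = string(body)`; this assumes a JSON encoder is already imported in webhook.go, which the hunk does not show. Separately, the allowlist check now receives only `payloadURL.Hostname()`, which is empty for a URL without an authority part, so it is worth confirming that `netutil.IsBlockedLocalHostname` treats an empty hostname as blocked rather than allowed. The check also runs once before the request is made; unless the HTTP client further down in deliver() (outside this hunk) re-validates the destination at connect time and on redirects, the guard does not cover a name that resolves differently later or a redirect to a local address.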