USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

webhook: validate against hostname instead of full URL (#7075)

pull/7077/head
Joe Chen 2022-06-25 20:36:05 +08:00 committed by GitHub
parent 083c3ee659
commit 97ccb365ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -24,6 +24,7 @@ All notable changes to Gogs are documented in this file.
### Fixed ### Fixed
- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761) - Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
- Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. [#7074](https://github.com/gogs/gogs/issues/7074)
### Removed ### Removed

10
internal/db/webhook.go
View File

@ -11,6 +11,7 @@ import (
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/url"
"strings" "strings"
"time" "time"
@ -695,8 +696,13 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook
} }
func (t *HookTask) deliver() { func (t *HookTask) deliver() {
if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) { payloadURL, err := url.Parse(t.URL)
t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked." if err != nil {
t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)
return
}
if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
t.ResponseContent = `{"body": "Payload URL resolved to a local network address that is implicitly blocked."}`
return return
} }