-
Steven authored
- Add plugin/webhook/validate.go as single source of truth for SSRF protection: reserved CIDR list parsed once at init(), isReservedIP(), and exported ValidateURL() used at registration/update time - Replace unguarded http.Client in webhook.go with safeClient whose Transport uses a custom DialContext that re-resolves hostnames at dial time, defeating DNS rebinding attacks - Call webhook.ValidateURL() in CreateUserWebhook and both UpdateUserWebhook paths to reject non-http/https schemes and reserved/private IP targets before persisting - Strip internal service response body from non-2xx error log messages to prevent data leakage via application logs
150371d2
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| cron | ||
| filter | ||
| httpgetter | ||
| idp | ||
| markdown | ||
| scheduler | ||
| storage/s3 | ||
| webhook |