    fix(webhook): remediate SSRF vulnerability in webhook dispatcher · 150371d2
    Steven authored
    - Add plugin/webhook/validate.go as single source of truth for SSRF
      protection: reserved CIDR list parsed once at init(), isReservedIP(),
      and exported ValidateURL() used at registration/update time
    - Replace unguarded http.Client in webhook.go with safeClient whose
      Transport uses a custom DialContext that re-resolves hostnames at
      dial time, defeating DNS rebinding attacks
    - Call webhook.ValidateURL() in CreateUserWebhook and both
      UpdateUserWebhook paths to reject non-http/https schemes and
      reserved/private IP targets before persisting
    - Strip internal service response body from non-2xx error log messages
      to prevent data leakage via application logs
Files in this directory at 150371d2:
test/
acl_config.go
acl_config_test.go
activity_service.go
attachment_exif_test.go
attachment_service.go
auth_service.go
auth_service_client_info_test.go
common.go
connect_handler.go
connect_interceptors.go
connect_services.go
header_carrier.go
health_service.go
idp_service.go
instance_service.go
memo_attachment_service.go
memo_relation_service.go
memo_service.go
memo_service_converter.go
memo_service_filter.go
reaction_service.go
resource_name.go
shortcut_service.go
user_service.go
user_service_stats.go
v1.go