authorJoe Chen <jc@unknwon.io>2022-06-25 20:36:05 +0800
committerGitHub <noreply@github.com>2022-06-25 20:36:05 +0800
commit97ccb365ecc8312a07f561792be4075e43c43d96 (patch)
treeec98510585a94263ec6f5ae4033c9471e2b5ffe7
parent083c3ee659c6c5542687f3bafae68cbc24dbc90f (diff)
webhook: validate against hostname instead of full URL (#7075)
-rw-r--r--CHANGELOG.md1
-rw-r--r--internal/db/webhook.go10
2 files changed, 9 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d66e0342..e797c026 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,7 @@ All notable changes to Gogs are documented in this file.
### Fixed
- Unable to use LDAP authentication on ARM machines. [#6761](https://github.com/gogs/gogs/issues/6761)
+- Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. [#7074](https://github.com/gogs/gogs/issues/7074)
### Removed
diff --git a/internal/db/webhook.go b/internal/db/webhook.go
index 2cebd3fa..3e816061 100644
--- a/internal/db/webhook.go
+++ b/internal/db/webhook.go
@@ -11,6 +11,7 @@ import (
"encoding/hex"
"fmt"
"io/ioutil"
+ "net/url"
"strings"
"time"
@@ -695,8 +696,13 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook
}
func (t *HookTask) deliver() {
- if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) {
- t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked."
+ payloadURL, err := url.Parse(t.URL)
+ if err != nil {
+ t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)
+ return
+ }
+ if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
+ t.ResponseContent = `{"body": "Payload URL resolved to a local network address that is implicitly blocked."}`
return
}
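Review bot: The error branch on the `t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err)` line interpolates the raw error into a hand-built JSON literal; `url.Parse` errors are formatted as `parse "<raw url>": <reason>`, so the double quotes from the quoted URL (and anything else in the stored URL) land unescaped inside the string and the response content is no longer valid JSON. Building the document with the encoder instead, `body, _ := json.Marshal(map[string]string{"body": "Cannot parse payload URL: " + err.Error()})` followed by `t.ResponseContent = string(body)`, keeps it well-formed regardless of the URL's contents (the marshal of a string map cannot fail, which justifies dropping the error); `encoding/json` would need adding to the import list changed in the first hunk. Separately, a scheme-less value such as `host:port` parses with an empty `Hostname()`, so the blocklist check on the next line receives `""` and presumably does not block it; rejecting that case explicitly, `if payloadURL.Hostname() == "" { t.ResponseContent = ...; return }`, avoids the check passing vacuously and leaving the decision to whatever the HTTP client does later. The body of deliver() continues past the end of this hunk, so what happens to an unblocked URL after this point is not visible here.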