diff options
| author | Joe Chen <jc@unknwon.io> | 2022-05-31 15:17:17 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-05-31 15:17:17 +0800 |
| commit | 7885f454a4946c4bbec1b4f8c603b5eea7429c7f (patch) | |
| tree | 00010af607268eef9f1adcb9d8f6d713f653ee34 /internal/db/webhook.go | |
| parent | 90bc75229726a24a28507d3e8178f86734f112e1 (diff) | |
webhook: revalidate local hostname before each delivery (#6988)
Diffstat (limited to 'internal/db/webhook.go')
| -rw-r--r-- | internal/db/webhook.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/internal/db/webhook.go b/internal/db/webhook.go index bca1fb91..fee3d1ec 100644 --- a/internal/db/webhook.go +++ b/internal/db/webhook.go @@ -24,6 +24,7 @@ import ( "gogs.io/gogs/internal/conf" "gogs.io/gogs/internal/errutil" "gogs.io/gogs/internal/httplib" + "gogs.io/gogs/internal/netutil" "gogs.io/gogs/internal/sync" ) @@ -688,6 +689,11 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook } func (t *HookTask) deliver() { + if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) { + t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked." + return + } + t.IsDelivered = true timeout := time.Duration(conf.Webhook.DeliverTimeout) * time.Second |