diff options
| author | Joe Chen <jc@unknwon.io> | 2022-06-25 20:36:05 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-06-25 20:36:05 +0800 |
| commit | 97ccb365ecc8312a07f561792be4075e43c43d96 (patch) | |
| tree | ec98510585a94263ec6f5ae4033c9471e2b5ffe7 /internal/db | |
| parent | 083c3ee659c6c5542687f3bafae68cbc24dbc90f (diff) | |
webhook: validate against hostname instead of full URL (#7075)
Diffstat (limited to 'internal/db')
| -rw-r--r-- | internal/db/webhook.go | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/internal/db/webhook.go b/internal/db/webhook.go index 2cebd3fa..3e816061 100644 --- a/internal/db/webhook.go +++ b/internal/db/webhook.go @@ -11,6 +11,7 @@ import ( "encoding/hex" "fmt" "io/ioutil" + "net/url" "strings" "time" @@ -695,8 +696,13 @@ func TestWebhook(repo *Repository, event HookEventType, p api.Payloader, webhook } func (t *HookTask) deliver() { - if netutil.IsBlockedLocalHostname(t.URL, conf.Security.LocalNetworkAllowlist) { - t.ResponseContent = "Payload URL resolved to a local network address that is implicitly blocked." + payloadURL, err := url.Parse(t.URL) + if err != nil { + t.ResponseContent = fmt.Sprintf(`{"body": "Cannot parse payload URL: %v"}`, err) + return + } + if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) { + t.ResponseContent = `{"body": "Payload URL resolved to a local network address that is implicitly blocked."}` return } |