fix(security): add SSRF protection for webhook URL registration

SEC-07: Strengthened ValidateWebhookURL to require HTTPS only (was
allowing HTTP). Private IP ranges, localhost, and cloud metadata
endpoints remain blocked.
senke 2026-02-22 17:31:10 +01:00
parent da3bad1b0e
commit f14574322c


@ -78,16 +78,16 @@ func isPrivateIP(ip net.IP) bool {
return false
}
// ValidateWebhookURL validates that a webhook URL does not target internal or private resources (SSRF protection).
// Returns an error if the URL is unsafe.
// ValidateWebhookURL validates that a webhook URL is safe for registration.
// SEC-07: Only HTTPS allowed. Blocks private/internal IPs (SSRF protection).
func ValidateWebhookURL(rawURL string) error {
parsed, err := url.Parse(rawURL)
if err != nil {
return fmt.Errorf("invalid URL: %w", err)
}
scheme := strings.ToLower(parsed.Scheme)
if scheme != "http" && scheme != "https" {
return fmt.Errorf("unsupported URL scheme %q: only http and https are allowed", parsed.Scheme)
if scheme != "https" {
return fmt.Errorf("only https URLs are allowed for webhooks (got %q)", parsed.Scheme)
}
hostname := strings.ToLower(parsed.Hostname())
if hostname == "" {