Merge pull request #1579 from hodyhq/feat/allow-private-webhook-targets

Author: mattwoberts

.example.env

@@ -3,6 +3,9 @@ GO_ENV=development
 DATABASE_URL=postgres://fider:fider_pw@localhost:5555/fider?sslmode=disable
 JWT_SECRET=hsjl]W;&ZcHxT&FK;s%bgIQF:#ch=~#Al4:5]N;7V<qPZ3e9lT4'%;go;LIkc%k
 # ALLOW_ALLOWED_SCHEMES=false
+# Relaxes the SSRF guard so webhooks and OAuth token/profile URLs may target
+# private/internal network addresses (LAN, loopback, link-local). Self-hosted only.
+# ALLOW_PRIVATE_NETWORK_TARGETS=true
 
 LOG_LEVEL=DEBUG
 LOG_CONSOLE=true

app/pkg/env/env.go

@@ -56,6 +56,7 @@ type config struct {
 	JWTSecret                   string `env:"JWT_SECRET,required"`
 	PostCreationWithTagsEnabled bool   `env:"POST_CREATION_WITH_TAGS_ENABLED,default=false"`
 	AllowAllowedSchemes         bool   `env:"ALLOW_ALLOWED_SCHEMES,default=true"`
+	AllowPrivateNetworkTargets  bool   `env:"ALLOW_PRIVATE_NETWORK_TARGETS,default=false"`
 	Stripe                      struct {
 		SecretKey      string `env:"STRIPE_SECRET_KEY"`
 		WebhookSecret  string `env:"STRIPE_WEBHOOK_SECRET"`

app/pkg/validate/general.go

@@ -56,7 +56,12 @@ func URL(ctx context.Context, rawurl string) []string {
 	return []string{}
 }
 
-// WebhookURL validates that a URL is well-formed and does not target private/internal networks
+// WebhookURL validates that a URL is well-formed and, by default, does not target
+// private/internal networks. This is a shared SSRF guard: besides webhooks it also
+// validates OAuth token/profile URLs. Self-hosted instances that need to reach
+// internal services (e.g. an integration server on a LAN) can relax the network
+// check by setting ALLOW_PRIVATE_NETWORK_TARGETS=true; format validation (valid URL,
+// scheme http/https) still applies in that mode.
 func WebhookURL(rawurl string) []string {
 	u, err := url.Parse(rawurl)
 	if err != nil || u.Host == "" {
@@ -68,6 +73,10 @@ func WebhookURL(rawurl string) []string {
 		return []string{"Only http and https URLs are allowed."}
 	}
 
+	if env.Config.AllowPrivateNetworkTargets {
+		return []string{}
+	}
+
 	hostname := u.Hostname()
 
 	if strings.EqualFold(hostname, "localhost") {

app/pkg/validate/general_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/getfider/fider/app/models/query"
 	. "github.com/getfider/fider/app/pkg/assert"
 	"github.com/getfider/fider/app/pkg/bus"
+	"github.com/getfider/fider/app/pkg/env"
 	"github.com/getfider/fider/app/pkg/rand"
 	"github.com/getfider/fider/app/pkg/validate"
 )
@@ -114,6 +115,45 @@ func TestWebhookURL_AllowedAddresses(t *testing.T) {
 	}
 }
 
+func TestWebhookURL_PrivateIPsAllowedWhenOptedIn(t *testing.T) {
+	RegisterT(t)
+
+	original := env.Config.AllowPrivateNetworkTargets
+	env.Config.AllowPrivateNetworkTargets = true
+	t.Cleanup(func() { env.Config.AllowPrivateNetworkTargets = original })
+
+	for _, rawurl := range []string{
+		"http://localhost/hook",
+		"http://127.0.0.1/hook",
+		"http://10.0.0.1/hook",
+		"http://172.16.0.1/hook",
+		"http://192.168.1.1:8080/hook",
+		"http://[::1]/hook",
+		"http://internal.lan/hook",
+	} {
+		messages := validate.WebhookURL(rawurl)
+		Expect(messages).HasLen(0)
+	}
+}
+
+func TestWebhookURL_OptInDoesNotBypassFormatValidation(t *testing.T) {
+	RegisterT(t)
+
+	original := env.Config.AllowPrivateNetworkTargets
+	env.Config.AllowPrivateNetworkTargets = true
+	t.Cleanup(func() { env.Config.AllowPrivateNetworkTargets = original })
+
+	for _, rawurl := range []string{
+		"ftp://example.com/hook",
+		"file:///etc/passwd",
+		"not a url at all",
+		"",
+	} {
+		messages := validate.WebhookURL(rawurl)
+		Expect(len(messages) > 0).IsTrue()
+	}
+}
+
 func TestInvalidCNAME(t *testing.T) {
 	RegisterT(t)