mirror of
https://github.com/makeplane/plane.git
synced 2026-07-09 20:10:06 +02:00
Merge commit from fork
The webhook dispatcher validated webhook.url before posting but called requests.post() without allow_redirects=False, so a webhook destination could return a 3xx redirect to an internal address (cloud metadata, internal services) and have the worker fetch it and persist the response body to webhook_logs, readable back via the webhook-logs API. Pass allow_redirects=False so the original validate_url() guard is authoritative. Matches the pattern already used by safe_get() in work_item_link_task.py and the behavior of GitHub/Stripe/Slack webhooks.
This commit is contained in:
committed by
GitHub
parent
fd613dc738
commit
41b03bb142
@@ -334,7 +334,15 @@ def webhook_send_task(
|
||||
)
|
||||
|
||||
# Send the webhook event
|
||||
response = requests.post(webhook.url, headers=headers, json=payload, timeout=30)
|
||||
# allow_redirects=False prevents SSRF via 3xx hops to internal addresses
|
||||
# bypassing the validate_url() check above (GHSA-mq87-52pf-hm3h).
|
||||
response = requests.post(
|
||||
webhook.url,
|
||||
headers=headers,
|
||||
json=payload,
|
||||
timeout=30,
|
||||
allow_redirects=False,
|
||||
)
|
||||
|
||||
# Log the webhook request
|
||||
save_webhook_log(
|
||||
|
||||
Reference in New Issue
Block a user