Merge commit from fork

The webhook dispatcher validated webhook.url before posting but called
requests.post() without allow_redirects=False, so a webhook destination
could return a 3xx redirect to an internal address (cloud metadata,
internal services) and have the worker fetch it and persist the
response body to webhook_logs, readable back via the webhook-logs API.

Pass allow_redirects=False so the original validate_url() guard is
authoritative. Matches the pattern already used by safe_get() in
work_item_link_task.py and the behavior of GitHub/Stripe/Slack webhooks.
This commit is contained in:
sriram veeraghanta
2026-05-25 13:59:04 +05:30
committed by GitHub
parent fd613dc738
commit 41b03bb142

View File

@@ -334,7 +334,15 @@ def webhook_send_task(
)
# Send the webhook event
response = requests.post(webhook.url, headers=headers, json=payload, timeout=30)
# allow_redirects=False prevents SSRF via 3xx hops to internal addresses
# bypassing the validate_url() check above (GHSA-mq87-52pf-hm3h).
response = requests.post(
webhook.url,
headers=headers,
json=payload,
timeout=30,
allow_redirects=False,
)
# Log the webhook request
save_webhook_log(